commit c5cf09a65425c37863538c07326bbc23b72010b6
Author: zyppe <210hcl@gmail.com>
Date:   Wed Feb 28 21:52:45 2024 +0800

    Initialize for openssl-1_1

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..92263e3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+openssl-1.1.1l.tar.gz
diff --git a/.openssl-1_1.metadata b/.openssl-1_1.metadata
new file mode 100644
index 0000000..cef6487
--- /dev/null
+++ b/.openssl-1_1.metadata
@@ -0,0 +1 @@
+2452ddc26647c031e5c7e4b1988b9d69dc5c48953807536b7ac2e46fad2606d3 openssl-1.1.1l.tar.gz
diff --git a/0001-s390x-assembly-pack-perlasm-support.patch b/0001-s390x-assembly-pack-perlasm-support.patch
new file mode 100644
index 0000000..640243c
--- /dev/null
+++ b/0001-s390x-assembly-pack-perlasm-support.patch
@@ -0,0 +1,3089 @@
+From c66bb88cb08adbc848271dd388aa9695c7e200be Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Wed, 7 Dec 2016 12:58:34 +0100
+Subject: [PATCH] s390x assembly pack: perlasm support.
+
+Added crypto/perlasm/s390x.pm Perl module. Its primary use is to be
+independent of binutils version, that is to write byte codes of
+instructions that are not part of the base instruction set.
+Currently only gas format is supported.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6919)
+---
+ crypto/perlasm/s390x.pm | 3060 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 3060 insertions(+)
+ create mode 100644 crypto/perlasm/s390x.pm
+
+diff --git a/crypto/perlasm/s390x.pm b/crypto/perlasm/s390x.pm
+new file mode 100644
+index 0000000000..5f3a49dd0c
+--- /dev/null
++++ b/crypto/perlasm/s390x.pm
+@@ -0,0 +1,3060 @@
++#!/usr/bin/env perl
++# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the OpenSSL license (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++# Copyright IBM Corp. 2018
++# Author: Patrick Steuer <patrick.steuer@de.ibm.com>
++
++package perlasm::s390x;
++
++use strict;
++use warnings;
++use Carp qw(confess);
++use Exporter qw(import);
++
++our @EXPORT=qw(PERLASM_BEGIN PERLASM_END);
++our @EXPORT_OK=qw(AUTOLOAD LABEL INCLUDE stfle);
++our %EXPORT_TAGS=(
++	MSA => [qw(kmac km kmc kimd klmd)],
++	MSA4 => [qw(kmf kmo pcc kmctr)],
++	MSA5 => [qw(ppno prno)],
++	MSA8 => [qw(kma)],
++	VX => [qw(vgef vgeg vgbm vzero vone vgm vgmb vgmh vgmf vgmg
++	    vl vlr vlrep vlrepb vlreph vlrepf vlrepg vleb vleh vlef vleg vleib
++	    vleih vleif vleig vlgv vlgvb vlgvh vlgvf vlgvg vllez vllezb vllezh
++	    vllezf vllezg vlm vlbb vlvg vlvgb vlvgh vlvgf vlvgg vlvgp
++	    vll vmrh vmrhb vmrhh vmrhf vmrhg vmrl vmrlb vmrlh vmrlf vmrlg vpk
++	    vpkh vpkf vpkg vpks vpksh vpksf vpksg vpkshs vpksfs vpksgs vpkls
++	    vpklsh vpklsf vpklsg vpklshs vpklsfs vpklsgs vperm vpdi vrep vrepb
++	    vreph vrepf vrepg vrepi vrepib vrepih vrepif vrepig vscef vsceg
++	    vsel vseg vsegb vsegh vsegf vst vsteb vsteh vstef vsteg vstm vstl
++	    vuph vuphb vuphh vuphf vuplh vuplhb vuplhh vuplhf vupl vuplb vuplhw
++	    vuplf vupll vupllb vupllh vupllf va vab vah vaf vag vaq vacc vaccb
++	    vacch vaccf vaccg vaccq vac vacq vaccc vacccq vn vnc vavg vavgb
++	    vavgh vavgf vavgg vavgl vavglb vavglh vavglf vavglg vcksm vec_ vecb
++	    vech vecf vecg vecl veclb veclh veclf veclg vceq vceqb vceqh vceqf
++	    vceqg vceqbs vceqhs vceqfs vceqgs vch vchb vchh vchf vchg vchbs
++	    vchhs vchfs vchgs vchl vchlb vchlh vchlf vchlg vchlbs vchlhs vchlfs
++	    vchlgs vclz vclzb vclzh vclzf vclzg vctz vctzb vctzh vctzf vctzg
++	    vx vgfm vgfmb vgfmh vgfmf vgfmg vgfma vgfmab vgfmah vgfmaf vgfmag
++	    vlc vlcb vlch vlcf vlcg vlp vlpb vlph vlpf vlpg vmx vmxb vmxh vmxf
++	    vmxg vmxl vmxlb vmxlh vmxlf vmxlg vmn vmnb vmnh vmnf vmng vmnl
++	    vmnlb vmnlh vmnlf vmnlg vmal vmalb vmalhw vmalf vmah vmahb vmahh
++	    vmahf vmalh vmalhb vmalhh vmalhf vmae vmaeb vmaeh vmaef vmale
++	    vmaleb vmaleh vmalef vmao vmaob vmaoh vmaof vmalo vmalob vmaloh
++	    vmalof vmh vmhb vmhh vmhf vmlh vmlhb vmlhh vmlhf vml vmlb vmlhw
++	    vmlf vme vmeb vmeh vmef vmle vmleb vmleh vmlef vmo vmob vmoh vmof
++	    vmlo vmlob vmloh vmlof vno vnot vo vpopct verllv verllvb verllvh
++	    verllvf verllvg verll verllb verllh verllf verllg verim verimb
++	    verimh verimf verimg veslv veslvb veslvh veslvf veslvg vesl veslb
++	    veslh veslf veslg vesrav vesravb vesravh vesravf vesravg vesra
++	    vesrab vesrah vesraf vesrag vesrlv vesrlvb vesrlvh vesrlvf vesrlvg
++	    vesrl vesrlb vesrlh vesrlf vesrlg vsl vslb vsldb vsra vsrab vsrl
++	    vsrlb vs vsb vsh vsf vsg vsq vscbi vscbib vscbih vscbif vscbig
++	    vscbiq vsbi vsbiq vsbcbi vsbcbiq vsumg vsumgh vsumgf vsumq vsumqf
++	    vsumqg vsum vsumb vsumh vtm vfae vfaeb vfaeh vfaef vfaebs vfaehs
++	    vfaefs vfaezb vfaezh vfaezf vfaezbs vfaezhs vfaezfs vfee vfeeb
++	    vfeeh vfeef vfeebs vfeehs vfeefs vfeezb vfeezh vfeezf vfeezbs
++	    vfeezhs vfeezfs vfene vfeneb vfeneh vfenef vfenebs vfenehs vfenefs
++	    vfenezb vfenezh vfenezf vfenezbs vfenezhs vfenezfs vistr vistrb
++	    vistrh vistrf vistrbs vistrhs vistrfs vstrc vstrcb vstrch vstrcf
++	    vstrcbs vstrchs vstrcfs vstrczb vstrczh vstrczf vstrczbs vstrczhs
++	    vstrczfs vfa vfadb wfadb wfc wfcdb wfk wfkdb vfce vfcedb wfcedb
++	    vfcedbs wfcedbs vfch vfchdb wfchdb vfchdbs wfchdbs vfche vfchedb
++	    wfchedb vfchedbs wfchedbs vcdg vcdgb wcdgb vcdlg vcdlgb wcdlgb vcgd
++	    vcgdb wcgdb vclgd vclgdb wclgdb vfd vfddb wfddb vfi vfidb wfidb
++	    vlde vldeb wldeb vled vledb wledb vfm vfmdb wfmdb vfma vfmadb
++	    wfmadb vfms vfmsdb wfmsdb vfpso vfpsodb wfpsodb vflcdb wflcdb
++	    vflndb wflndb vflpdb wflpdb vfsq vfsqdb wfsqdb vfs vfsdb wfsdb
++	    vftci vftcidb wftcidb)],
++	VXE => [qw(vbperm vllezlf vmsl vmslg vnx vnn voc vpopctb vpopcth
++	    vpopctf vpopctg vfasb wfasb wfaxb wfcsb wfcxb wfksb wfkxb vfcesb
++	    vfcesbs wfcesb wfcesbs wfcexb wfcexbs vfchsb vfchsbs wfchsb wfchsbs
++	    wfchxb wfchxbs vfchesb vfchesbs wfchesb wfchesbs wfchexb wfchexbs
++	    vfdsb wfdsb wfdxb vfisb wfisb wfixb vfll vflls wflls wflld vflr
++	    vflrd wflrd wflrx vfmax vfmaxsb vfmaxdb wfmaxsb wfmaxdb wfmaxxb
++	    vfmin vfminsb vfmindb wfminsb wfmindb wfminxb vfmsb wfmsb wfmxb
++	    vfnma vfnms vfmasb wfmasb wfmaxb vfmssb wfmssb wfmsxb vfnmasb
++	    vfnmadb wfnmasb wfnmadb wfnmaxb vfnmssb vfnmsdb wfnmssb wfnmsdb
++	    wfnmsxb vfpsosb wfpsosb vflcsb wflcsb vflnsb wflnsb vflpsb wflpsb
++	    vfpsoxb wfpsoxb vflcxb wflcxb vflnxb wflnxb vflpxb wflpxb vfsqsb
++	    wfsqsb wfsqxb vfssb wfssb wfsxb vftcisb wftcisb wftcixb)],
++	VXD => [qw(vlrlr vlrl vstrlr vstrl vap vcp vcvb vcvbg vcvd vcvdg vdp
++	    vlip vmp vmsp vpkz vpsop vrp vsdp vsrp vsp vtp vupkz)],
++);
++Exporter::export_ok_tags(qw(MSA MSA4 MSA5 MSA8 VX VXE VXD));
++
++our $AUTOLOAD;
++
++my $GR='(?:%r)?([0-9]|1[0-5])';
++my $VR='(?:%v)?([0-9]|1[0-9]|2[0-9]|3[0-1])';
++
++my ($file,$out);
++
++sub PERLASM_BEGIN
++{
++	($file,$out)=(shift,"");
++}
++sub PERLASM_END
++{
++	if (defined($file)) {
++		open(my $fd,'>',$file)||die("can't open $file: $!");
++		print({$fd}$out);
++		close($fd);
++	} else {
++		print($out);
++	}
++}
++
++sub AUTOLOAD {
++	confess(err("PARSE")) if (grep(!defined($_),@_));
++	my $token;
++	for ($AUTOLOAD) {
++		$token=".$1" if (/^.*::([A-Z_]+)$/);	# uppercase: directive
++		$token="\t$1" if (/^.*::([a-z]+)$/);	# lowercase: mnemonic
++		confess(err("PARSE")) if (!defined($token));
++	}
++	$token.="\t" if ($#_>=0);
++	$out.=$token.join(',',@_)."\n";
++}
++
++sub LABEL {						# label directive
++	confess(err("ARGNUM")) if ($#_!=0);
++	my ($label)=@_;
++	$out.="$label:\n";
++}
++
++sub INCLUDE {
++	confess(err("ARGNUM")) if ($#_!=0);
++	my ($file)=@_;
++	$out.="#include \"$file\"\n";
++}
++
++#
++# Mnemonics
++#
++
++sub stfle {
++	confess(err("ARGNUM")) if ($#_!=0);
++	S(0xb2b0,@_);
++}
++
++# MSA
++
++sub kmac {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb91e,@_);
++}
++
++sub km {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb92e,@_);
++}
++
++sub kmc {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb92f,@_);
++}
++
++sub kimd {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb93e,@_);
++}
++
++sub klmd {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb93f,@_);
++}
++
++# MSA4
++
++sub kmf {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb92a,@_);
++}
++
++sub kmo {
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb92b,@_);
++}
++
++sub pcc {
++	confess(err("ARGNUM")) if ($#_!=-1);
++	RRE(0xb92c,@_);
++}
++
++sub kmctr {
++	confess(err("ARGNUM")) if ($#_!=2);
++	RRFb(0xb92d,@_);
++}
++
++# MSA5
++
++sub prno {
++	ppno(@_);
++}
++
++sub ppno {						# deprecated, use prno
++	confess(err("ARGNUM")) if ($#_!=1);
++	RRE(0xb93c,@_);
++}
++
++# MSA8
++
++sub kma {
++	confess(err("ARGNUM")) if ($#_!=2);
++	RRFb(0xb929,@_);
++}
++
++# VX - Support Instructions
++
++sub vgef {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRV(0xe713,@_);
++}
++sub vgeg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRV(0xe712,@_);
++}
++
++sub vgbm {
++	confess(err("ARGNUM")) if ($#_!=1);
++	VRIa(0xe744,@_);
++}
++sub vzero {
++	vgbm(@_,0);
++}
++sub vone {
++	vgbm(@_,0xffff);
++}
++
++sub vgm {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRIb(0xe746,@_);
++}
++sub vgmb {
++	vgm(@_,0);
++}
++sub vgmh {
++	vgm(@_,1);
++}
++sub vgmf {
++	vgm(@_,2);
++}
++sub vgmg {
++	vgm(@_,3);
++}
++
++sub vl {
++	confess(err("ARGNUM")) if ($#_!=1);
++	VRX(0xe706,@_);
++}
++
++sub vlr {
++	confess(err("ARGNUM")) if ($#_!=1);
++	VRRa(0xe756,@_);
++}
++
++sub vlrep {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe705,@_);
++}
++sub vlrepb {
++	vlrep(@_,0);
++}
++sub vlreph {
++	vlrep(@_,1);
++}
++sub vlrepf {
++	vlrep(@_,2);
++}
++sub vlrepg {
++	vlrep(@_,3);
++}
++
++sub vleb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe700,@_);
++}
++sub vleh {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe701,@_);
++}
++sub vlef {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe703,@_);
++}
++sub vleg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe702,@_);
++}
++
++sub vleib {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIa(0xe740,@_);
++}
++sub vleih {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIa(0xe741,@_);
++}
++sub vleif {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIa(0xe743,@_);
++}
++sub vleig {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIa(0xe742,@_);
++}
++
++sub vlgv {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSc(0xe721,@_);
++}
++sub vlgvb {
++	vlgv(@_,0);
++}
++sub vlgvh {
++	vlgv(@_,1);
++}
++sub vlgvf {
++	vlgv(@_,2);
++}
++sub vlgvg {
++	vlgv(@_,3);
++}
++
++sub vllez {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe704,@_);
++}
++sub vllezb {
++	vllez(@_,0);
++}
++sub vllezh {
++	vllez(@_,1);
++}
++sub vllezf {
++	vllez(@_,2);
++}
++sub vllezg {
++	vllez(@_,3);
++}
++
++sub vlm {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSa(0xe736,@_);
++}
++
++sub vlbb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe707,@_);
++}
++
++sub vlvg {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSb(0xe722,@_);
++}
++sub vlvgb {
++	vlvg(@_,0);
++}
++sub vlvgh {
++	vlvg(@_,1);
++}
++sub vlvgf {
++	vlvg(@_,2);
++}
++sub vlvgg {
++	vlvg(@_,3);
++}
++
++sub vlvgp {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRf(0xe762,@_);
++}
++
++sub vll {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSb(0xe737,@_);
++}
++
++sub vmrh {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe761,@_);
++}
++sub vmrhb {
++	vmrh(@_,0);
++}
++sub vmrhh {
++	vmrh(@_,1);
++}
++sub vmrhf {
++	vmrh(@_,2);
++}
++sub vmrhg {
++	vmrh(@_,3);
++}
++
++sub vmrl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe760,@_);
++}
++sub vmrlb {
++	vmrl(@_,0);
++}
++sub vmrlh {
++	vmrl(@_,1);
++}
++sub vmrlf {
++	vmrl(@_,2);
++}
++sub vmrlg {
++	vmrl(@_,3);
++}
++
++sub vpk {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe794,@_);
++}
++sub vpkh {
++	vpk(@_,1);
++}
++sub vpkf {
++	vpk(@_,2);
++}
++sub vpkg {
++	vpk(@_,3);
++}
++
++sub vpks {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRb(0xe797,@_);
++}
++sub vpksh {
++	vpks(@_,1,0);
++}
++sub vpksf {
++	vpks(@_,2,0);
++}
++sub vpksg {
++	vpks(@_,3,0);
++}
++sub vpkshs {
++	vpks(@_,1,1);
++}
++sub vpksfs {
++	vpks(@_,2,1);
++}
++sub vpksgs {
++	vpks(@_,3,1);
++}
++
++sub vpkls {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRb(0xe795,@_);
++}
++sub vpklsh {
++	vpkls(@_,1,0);
++}
++sub vpklsf {
++	vpkls(@_,2,0);
++}
++sub vpklsg {
++	vpkls(@_,3,0);
++}
++sub vpklshs {
++	vpkls(@_,1,1);
++}
++sub vpklsfs {
++	vpkls(@_,2,1);
++}
++sub vpklsgs {
++	vpkls(@_,3,1);
++}
++
++sub vperm {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRe(0xe78c,@_);
++}
++
++sub vpdi {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe784,@_);
++}
++
++sub vrep {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRIc(0xe74d,@_);
++}
++sub vrepb {
++	vrep(@_,0);
++}
++sub vreph {
++	vrep(@_,1);
++}
++sub vrepf {
++	vrep(@_,2);
++}
++sub vrepg {
++	vrep(@_,3);
++}
++
++sub vrepi {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIa(0xe745,@_);
++}
++sub vrepib {
++	vrepi(@_,0);
++}
++sub vrepih {
++	vrepi(@_,1);
++}
++sub vrepif {
++	vrepi(@_,2);
++}
++sub vrepig {
++	vrepi(@_,3);
++}
++
++sub vscef {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRV(0xe71b,@_);
++}
++sub vsceg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRV(0xe71a,@_);
++}
++
++sub vsel {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRe(0xe78d,@_);
++}
++
++sub vseg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe75f,@_);
++}
++sub vsegb {
++	vseg(@_,0);
++}
++sub vsegh {
++	vseg(@_,1);
++}
++sub vsegf {
++	vseg(@_,2);
++}
++
++sub vst {
++	confess(err("ARGNUM")) if ($#_!=1);
++	VRX(0xe70e,@_);
++}
++
++sub vsteb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe708,@_);
++}
++sub vsteh {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe709,@_);
++}
++sub vstef {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe70b,@_);
++}
++sub vsteg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRX(0xe70a,@_);
++}
++
++sub vstm {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSa(0xe73e,@_);
++}
++
++sub vstl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSb(0xe73f,@_);
++}
++
++sub vuph {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7d7,@_);
++}
++sub vuphb {
++	vuph(@_,0);
++}
++sub vuphh {
++	vuph(@_,1);
++}
++sub vuphf {
++	vuph(@_,2);
++}
++
++sub vuplh {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7d5,@_);
++}
++sub vuplhb {
++	vuplh(@_,0);
++}
++sub vuplhh {
++	vuplh(@_,1);
++}
++sub vuplhf {
++	vuplh(@_,2);
++}
++
++sub vupl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7d6,@_);
++}
++sub vuplb {
++	vupl(@_,0);
++}
++sub vuplhw {
++	vupl(@_,1);
++}
++sub vuplf {
++	vupl(@_,2);
++}
++
++sub vupll {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7d4,@_);
++}
++sub vupllb {
++	vupll(@_,0);
++}
++sub vupllh {
++	vupll(@_,1);
++}
++sub vupllf {
++	vupll(@_,2);
++}
++
++# VX - Integer Instructions
++
++sub va {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f3,@_);
++}
++sub vab {
++	va(@_,0);
++}
++sub vah {
++	va(@_,1);
++}
++sub vaf {
++	va(@_,2);
++}
++sub vag {
++	va(@_,3);
++}
++sub vaq {
++	va(@_,4);
++}
++
++sub vacc {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f1,@_);
++}
++sub vaccb {
++	vacc(@_,0);
++}
++sub vacch {
++	vacc(@_,1);
++}
++sub vaccf {
++	vacc(@_,2);
++}
++sub vaccg {
++	vacc(@_,3);
++}
++sub vaccq {
++	vacc(@_,4);
++}
++
++sub vac {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7bb,@_);
++}
++sub vacq {
++	vac(@_,4);
++}
++
++sub vaccc {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7b9,@_);
++}
++sub vacccq {
++	vaccc(@_,4);
++}
++
++sub vn {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe768,@_);
++}
++
++sub vnc {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe769,@_);
++}
++
++sub vavg {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f2,@_);
++}
++sub vavgb {
++	vavg(@_,0);
++}
++sub vavgh {
++	vavg(@_,1);
++}
++sub vavgf {
++	vavg(@_,2);
++}
++sub vavgg {
++	vavg(@_,3);
++}
++
++sub vavgl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f0,@_);
++}
++sub vavglb {
++	vavgl(@_,0);
++}
++sub vavglh {
++	vavgl(@_,1);
++}
++sub vavglf {
++	vavgl(@_,2);
++}
++sub vavglg {
++	vavgl(@_,3);
++}
++
++sub vcksm {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe766,@_);
++}
++
++sub vec_ {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7db,@_);
++}
++sub vecb {
++	vec_(@_,0);
++}
++sub vech {
++	vec_(@_,1);
++}
++sub vecf {
++	vec_(@_,2);
++}
++sub vecg {
++	vec_(@_,3);
++}
++
++sub vecl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7d9,@_);
++}
++sub veclb {
++	vecl(@_,0);
++}
++sub veclh {
++	vecl(@_,1);
++}
++sub veclf {
++	vecl(@_,2);
++}
++sub veclg {
++	vecl(@_,3);
++}
++
++sub vceq {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRb(0xe7f8,@_);
++}
++sub vceqb {
++	vceq(@_,0,0);
++}
++sub vceqh {
++	vceq(@_,1,0);
++}
++sub vceqf {
++	vceq(@_,2,0);
++}
++sub vceqg {
++	vceq(@_,3,0);
++}
++sub vceqbs {
++	vceq(@_,0,1);
++}
++sub vceqhs {
++	vceq(@_,1,1);
++}
++sub vceqfs {
++	vceq(@_,2,1);
++}
++sub vceqgs {
++	vceq(@_,3,1);
++}
++
++sub vch {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRb(0xe7fb,@_);
++}
++sub vchb {
++	vch(@_,0,0);
++}
++sub vchh {
++	vch(@_,1,0);
++}
++sub vchf {
++	vch(@_,2,0);
++}
++sub vchg {
++	vch(@_,3,0);
++}
++sub vchbs {
++	vch(@_,0,1);
++}
++sub vchhs {
++	vch(@_,1,1);
++}
++sub vchfs {
++	vch(@_,2,1);
++}
++sub vchgs {
++	vch(@_,3,1);
++}
++
++sub vchl {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRb(0xe7f9,@_);
++}
++sub vchlb {
++	vchl(@_,0,0);
++}
++sub vchlh {
++	vchl(@_,1,0);
++}
++sub vchlf {
++	vchl(@_,2,0);
++}
++sub vchlg {
++	vchl(@_,3,0);
++}
++sub vchlbs {
++	vchl(@_,0,1);
++}
++sub vchlhs {
++	vchl(@_,1,1);
++}
++sub vchlfs {
++	vchl(@_,2,1);
++}
++sub vchlgs {
++	vchl(@_,3,1);
++}
++
++sub vclz {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe753,@_);
++}
++sub vclzb {
++	vclz(@_,0);
++}
++sub vclzh {
++	vclz(@_,1);
++}
++sub vclzf {
++	vclz(@_,2);
++}
++sub vclzg {
++	vclz(@_,3);
++}
++
++sub vctz {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe752,@_);
++}
++sub vctzb {
++	vctz(@_,0);
++}
++sub vctzh {
++	vctz(@_,1);
++}
++sub vctzf {
++	vctz(@_,2);
++}
++sub vctzg {
++	vctz(@_,3);
++}
++
++sub vx {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76d,@_);
++}
++
++sub vgfm {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7b4,@_);
++}
++sub vgfmb {
++	vgfm(@_,0);
++}
++sub vgfmh {
++	vgfm(@_,1);
++}
++sub vgfmf {
++	vgfm(@_,2);
++}
++sub vgfmg {
++	vgfm(@_,3);
++}
++
++sub vgfma {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7bc,@_);
++}
++sub vgfmab {
++	vgfma(@_,0);
++}
++sub vgfmah {
++	vgfma(@_,1);
++}
++sub vgfmaf {
++	vgfma(@_,2);
++}
++sub vgfmag {
++	vgfma(@_,3);
++}
++
++sub vlc {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7de,@_);
++}
++sub vlcb {
++	vlc(@_,0);
++}
++sub vlch {
++	vlc(@_,1);
++}
++sub vlcf {
++	vlc(@_,2);
++}
++sub vlcg {
++	vlc(@_,3);
++}
++
++sub vlp {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe7df,@_);
++}
++sub vlpb {
++	vlp(@_,0);
++}
++sub vlph {
++	vlp(@_,1);
++}
++sub vlpf {
++	vlp(@_,2);
++}
++sub vlpg {
++	vlp(@_,3);
++}
++
++sub vmx {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7ff,@_);
++}
++sub vmxb {
++	vmx(@_,0);
++}
++sub vmxh {
++	vmx(@_,1);
++}
++sub vmxf {
++	vmx(@_,2);
++}
++sub vmxg {
++	vmx(@_,3);
++}
++
++sub vmxl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7fd,@_);
++}
++sub vmxlb {
++	vmxl(@_,0);
++}
++sub vmxlh {
++	vmxl(@_,1);
++}
++sub vmxlf {
++	vmxl(@_,2);
++}
++sub vmxlg {
++	vmxl(@_,3);
++}
++
++sub vmn {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7fe,@_);
++}
++sub vmnb {
++	vmn(@_,0);
++}
++sub vmnh {
++	vmn(@_,1);
++}
++sub vmnf {
++	vmn(@_,2);
++}
++sub vmng {
++	vmn(@_,3);
++}
++
++sub vmnl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7fc,@_);
++}
++sub vmnlb {
++	vmnl(@_,0);
++}
++sub vmnlh {
++	vmnl(@_,1);
++}
++sub vmnlf {
++	vmnl(@_,2);
++}
++sub vmnlg {
++	vmnl(@_,3);
++}
++
++sub vmal {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7aa,@_);
++}
++sub vmalb {
++	vmal(@_,0);
++}
++sub vmalhw {
++	vmal(@_,1);
++}
++sub vmalf {
++	vmal(@_,2);
++}
++
++sub vmah {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7ab,@_);
++}
++sub vmahb {
++	vmah(@_,0);
++}
++sub vmahh {
++	vmah(@_,1);
++}
++sub vmahf {
++	vmah(@_,2);
++}
++
++sub vmalh {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7a9,@_);
++}
++sub vmalhb {
++	vmalh(@_,0);
++}
++sub vmalhh {
++	vmalh(@_,1);
++}
++sub vmalhf {
++	vmalh(@_,2);
++}
++
++sub vmae {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7ae,@_);
++}
++sub vmaeb {
++	vmae(@_,0);
++}
++sub vmaeh {
++	vmae(@_,1);
++}
++sub vmaef {
++	vmae(@_,2);
++}
++
++sub vmale {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7ac,@_);
++}
++sub vmaleb {
++	vmale(@_,0);
++}
++sub vmaleh {
++	vmale(@_,1);
++}
++sub vmalef {
++	vmale(@_,2);
++}
++
++sub vmao {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7af,@_);
++}
++sub vmaob {
++	vmao(@_,0);
++}
++sub vmaoh {
++	vmao(@_,1);
++}
++sub vmaof {
++	vmao(@_,2);
++}
++
++sub vmalo {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7ad,@_);
++}
++sub vmalob {
++	vmalo(@_,0);
++}
++sub vmaloh {
++	vmalo(@_,1);
++}
++sub vmalof {
++	vmalo(@_,2);
++}
++
++sub vmh {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a3,@_);
++}
++sub vmhb {
++	vmh(@_,0);
++}
++sub vmhh {
++	vmh(@_,1);
++}
++sub vmhf {
++	vmh(@_,2);
++}
++
++sub vmlh {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a1,@_);
++}
++sub vmlhb {
++	vmlh(@_,0);
++}
++sub vmlhh {
++	vmlh(@_,1);
++}
++sub vmlhf {
++	vmlh(@_,2);
++}
++
++sub vml {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a2,@_);
++}
++sub vmlb {
++	vml(@_,0);
++}
++sub vmlhw {
++	vml(@_,1);
++}
++sub vmlf {
++	vml(@_,2);
++}
++
++sub vme {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a6,@_);
++}
++sub vmeb {
++	vme(@_,0);
++}
++sub vmeh {
++	vme(@_,1);
++}
++sub vmef {
++	vme(@_,2);
++}
++
++sub vmle {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a4,@_);
++}
++sub vmleb {
++	vmle(@_,0);
++}
++sub vmleh {
++	vmle(@_,1);
++}
++sub vmlef {
++	vmle(@_,2);
++}
++
++sub vmo {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a7,@_);
++}
++sub vmob {
++	vmo(@_,0);
++}
++sub vmoh {
++	vmo(@_,1);
++}
++sub vmof {
++	vmo(@_,2);
++}
++
++sub vmlo {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7a5,@_);
++}
++sub vmlob {
++	vmlo(@_,0);
++}
++sub vmloh {
++	vmlo(@_,1);
++}
++sub vmlof {
++	vmlo(@_,2);
++}
++
++sub vno {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76b,@_);
++}
++sub vnot {
++	vno(@_,$_[1]);
++}
++
++sub vo {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76a,@_);
++}
++
++sub vpopct {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRa(0xe750,@_);
++}
++
++sub verllv {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe773,@_);
++}
++sub verllvb {
++	verllv(@_,0);
++}
++sub verllvh {
++	verllv(@_,1);
++}
++sub verllvf {
++	verllv(@_,2);
++}
++sub verllvg {
++	verllv(@_,3);
++}
++
++sub verll {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSa(0xe733,@_);
++}
++sub verllb {
++	verll(@_,0);
++}
++sub verllh {
++	verll(@_,1);
++}
++sub verllf {
++	verll(@_,2);
++}
++sub verllg {
++	verll(@_,3);
++}
++
++sub verim {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRId(0xe772,@_);
++}
++sub verimb {
++	verim(@_,0);
++}
++sub verimh {
++	verim(@_,1);
++}
++sub verimf {
++	verim(@_,2);
++}
++sub verimg {
++	verim(@_,3);
++}
++
++sub veslv {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe770,@_);
++}
++sub veslvb {
++	veslv(@_,0);
++}
++sub veslvh {
++	veslv(@_,1);
++}
++sub veslvf {
++	veslv(@_,2);
++}
++sub veslvg {
++	veslv(@_,3);
++}
++
++sub vesl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSa(0xe730,@_);
++}
++sub veslb {
++	vesl(@_,0);
++}
++sub veslh {
++	vesl(@_,1);
++}
++sub veslf {
++	vesl(@_,2);
++}
++sub veslg {
++	vesl(@_,3);
++}
++
++sub vesrav {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe77a,@_);
++}
++sub vesravb {
++	vesrav(@_,0);
++}
++sub vesravh {
++	vesrav(@_,1);
++}
++sub vesravf {
++	vesrav(@_,2);
++}
++sub vesravg {
++	vesrav(@_,3);
++}
++
++sub vesra {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSa(0xe73a,@_);
++}
++sub vesrab {
++	vesra(@_,0);
++}
++sub vesrah {
++	vesra(@_,1);
++}
++sub vesraf {
++	vesra(@_,2);
++}
++sub vesrag {
++	vesra(@_,3);
++}
++
++sub vesrlv {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe778,@_);
++}
++sub vesrlvb {
++	vesrlv(@_,0);
++}
++sub vesrlvh {
++	vesrlv(@_,1);
++}
++sub vesrlvf {
++	vesrlv(@_,2);
++}
++sub vesrlvg {
++	vesrlv(@_,3);
++}
++
++sub vesrl {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRSa(0xe738,@_);
++}
++sub vesrlb {
++	vesrl(@_,0);
++}
++sub vesrlh {
++	vesrl(@_,1);
++}
++sub vesrlf {
++	vesrl(@_,2);
++}
++sub vesrlg {
++	vesrl(@_,3);
++}
++
++sub vsl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe774,@_);
++}
++
++sub vslb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe775,@_);
++}
++
++sub vsldb {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRId(0xe777,@_);
++}
++
++sub vsra {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe77e,@_);
++}
++
++sub vsrab {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe77f,@_);
++}
++
++sub vsrl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe77c,@_);
++}
++
++sub vsrlb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe77d,@_);
++}
++
++sub vs {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f7,@_);
++}
++sub vsb {
++	vs(@_,0);
++}
++sub vsh {
++	vs(@_,1);
++}
++sub vsf {
++	vs(@_,2);
++}
++sub vsg {
++	vs(@_,3);
++}
++sub vsq {
++	vs(@_,4);
++}
++
++sub vscbi {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe7f5,@_);
++}
++sub vscbib {
++	vscbi(@_,0);
++}
++sub vscbih {
++	vscbi(@_,1);
++}
++sub vscbif {
++	vscbi(@_,2);
++}
++sub vscbig {
++	vscbi(@_,3);
++}
++sub vscbiq {
++	vscbi(@_,4);
++}
++
++sub vsbi {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7bf,@_);
++}
++sub vsbiq {
++	vsbi(@_,4);
++}
++
++sub vsbcbi {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRd(0xe7bd,@_);
++}
++sub vsbcbiq {
++	vsbcbi(@_,4);
++}
++
++sub vsumg {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe765,@_);
++}
++sub vsumgh {
++	vsumg(@_,1);
++}
++sub vsumgf {
++	vsumg(@_,2);
++}
++
++sub vsumq {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe767,@_);
++}
++sub vsumqf {
++	vsumq(@_,2);
++}
++sub vsumqg {
++	vsumq(@_,3);
++}
++
++sub vsum {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRc(0xe764,@_);
++}
++sub vsumb {
++	vsum(@_,0);
++}
++sub vsumh {
++	vsum(@_,1);
++}
++
++sub vtm {
++	confess(err("ARGNUM")) if ($#_!=1);
++	VRRa(0xe7d8,@_);
++}
++
++# VX - String Instructions
++
++sub vfae {
++	confess(err("ARGNUM")) if ($#_<3||$#_>4);
++	VRRb(0xe782,@_);
++}
++sub vfaeb {
++	vfae(@_[0..2],0,$_[3]);
++}
++sub vfaeh {
++	vfae(@_[0..2],1,$_[3]);
++}
++sub vfaef {
++	vfae(@_[0..2],2,$_[3]);
++}
++sub vfaebs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],0,0x1|$_[3]);
++}
++sub vfaehs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],1,0x1|$_[3]);
++}
++sub vfaefs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],2,0x1|$_[3]);
++}
++sub vfaezb {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],0,0x2|$_[3]);
++}
++sub vfaezh {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],1,0x2|$_[3]);
++}
++sub vfaezf {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],2,0x2|$_[3]);
++}
++sub vfaezbs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],0,0x3|$_[3]);
++}
++sub vfaezhs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],1,0x3|$_[3]);
++}
++sub vfaezfs {
++	$_[3]=0 if (!defined($_[3]));
++	vfae(@_[0..2],2,0x3|$_[3]);
++}
++
++sub vfee {
++	confess(err("ARGNUM")) if ($#_<3||$#_>4);
++	VRRb(0xe780,@_);
++}
++sub vfeeb {
++	vfee(@_[0..2],0,$_[3]);
++}
++sub vfeeh {
++	vfee(@_[0..2],1,$_[3]);
++}
++sub vfeef {
++	vfee(@_[0..2],2,$_[3]);
++}
++sub vfeebs {
++	vfee(@_,0,1);
++}
++sub vfeehs {
++	vfee(@_,1,1);
++}
++sub vfeefs {
++	vfee(@_,2,1);
++}
++sub vfeezb {
++	vfee(@_,0,2);
++}
++sub vfeezh {
++	vfee(@_,1,2);
++}
++sub vfeezf {
++	vfee(@_,2,2);
++}
++sub vfeezbs {
++	vfee(@_,0,3);
++}
++sub vfeezhs {
++	vfee(@_,1,3);
++}
++sub vfeezfs {
++	vfee(@_,2,3);
++}
++
++sub vfene {
++	confess(err("ARGNUM")) if ($#_<3||$#_>4);
++	VRRb(0xe781,@_);
++}
++sub vfeneb {
++	vfene(@_[0..2],0,$_[3]);
++}
++sub vfeneh {
++	vfene(@_[0..2],1,$_[3]);
++}
++sub vfenef {
++	vfene(@_[0..2],2,$_[3]);
++}
++sub vfenebs {
++	vfene(@_,0,1);
++}
++sub vfenehs {
++	vfene(@_,1,1);
++}
++sub vfenefs {
++	vfene(@_,2,1);
++}
++sub vfenezb {
++	vfene(@_,0,2);
++}
++sub vfenezh {
++	vfene(@_,1,2);
++}
++sub vfenezf {
++	vfene(@_,2,2);
++}
++sub vfenezbs {
++	vfene(@_,0,3);
++}
++sub vfenezhs {
++	vfene(@_,1,3);
++}
++sub vfenezfs {
++	vfene(@_,2,3);
++}
++
++sub vistr {
++	confess(err("ARGNUM")) if ($#_<2||$#_>3);
++	VRRa(0xe75c,@_[0..2],0,$_[3]);
++}
++sub vistrb {
++	vistr(@_[0..1],0,$_[2]);
++}
++sub vistrh {
++	vistr(@_[0..1],1,$_[2]);
++}
++sub vistrf {
++	vistr(@_[0..1],2,$_[2]);
++}
++sub vistrbs {
++	vistr(@_,0,1);
++}
++sub vistrhs {
++	vistr(@_,1,1);
++}
++sub vistrfs {
++	vistr(@_,2,1);
++}
++
++sub vstrc {
++	confess(err("ARGNUM")) if ($#_<4||$#_>5);
++	VRRd(0xe78a,@_);
++}
++sub vstrcb {
++	vstrc(@_[0..3],0,$_[4]);
++}
++sub vstrch {
++	vstrc(@_[0..3],1,$_[4]);
++}
++sub vstrcf {
++	vstrc(@_[0..3],2,$_[4]);
++}
++sub vstrcbs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],0,0x1|$_[4]);
++}
++sub vstrchs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],1,0x1|$_[4]);
++}
++sub vstrcfs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],2,0x1|$_[4]);
++}
++sub vstrczb {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],0,0x2|$_[4]);
++}
++sub vstrczh {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],1,0x2|$_[4]);
++}
++sub vstrczf {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],2,0x2|$_[4]);
++}
++sub vstrczbs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],0,0x3|$_[4]);
++}
++sub vstrczhs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],1,0x3|$_[4]);
++}
++sub vstrczfs {
++	$_[4]=0 if (!defined($_[4]));
++	vstrc(@_[0..3],2,0x3|$_[4]);
++}
++
++# VX - Floating-point Instructions
++
++sub vfa {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRc(0xe7e3,@_);
++}
++sub vfadb {
++	vfa(@_,3,0);
++}
++sub wfadb {
++	vfa(@_,3,8);
++}
++
++sub wfc {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRa(0xe7cb,@_);
++}
++sub wfcdb {
++	wfc(@_,3,0);
++}
++
++sub wfk {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRa(0xe7ca,@_);
++}
++sub wfksb {
++	wfk(@_,2,0);
++}
++sub wfkdb {
++	wfk(@_,3,0);
++}
++sub wfkxb {
++	wfk(@_,4,0);
++}
++
++sub vfce {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRc(0xe7e8,@_);
++}
++sub vfcedb {
++	vfce(@_,3,0,0);
++}
++sub vfcedbs {
++	vfce(@_,3,0,1);
++}
++sub wfcedb {
++	vfce(@_,3,8,0);
++}
++sub wfcedbs {
++	vfce(@_,3,8,1);
++}
++
++sub vfch {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRc(0xe7eb,@_);
++}
++sub vfchdb {
++	vfch(@_,3,0,0);
++}
++sub vfchdbs {
++	vfch(@_,3,0,1);
++}
++sub wfchdb {
++	vfch(@_,3,8,0);
++}
++sub wfchdbs {
++	vfch(@_,3,8,1);
++}
++
++sub vfche {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRc(0xe7ea,@_);
++}
++sub vfchedb {
++	vfche(@_,3,0,0);
++}
++sub vfchedbs {
++	vfche(@_,3,0,1);
++}
++sub wfchedb {
++	vfche(@_,3,8,0);
++}
++sub wfchedbs {
++	vfche(@_,3,8,1);
++}
++
++sub vcdg {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c3,@_);
++}
++sub vcdgb {
++	vcdg(@_[0..1],3,@_[2..3]);
++}
++sub wcdgb {
++	vcdg(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vcdlg {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c1,@_);
++}
++sub vcdlgb {
++	vcdlg(@_[0..1],3,@_[2..3]);
++}
++sub wcdlgb {
++	vcdlg(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vcgd {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c2,@_);
++}
++sub vcgdb {
++	vcgd(@_[0..1],3,@_[2..3]);
++}
++sub wcgdb {
++	vcgd(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vclgd {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c0,@_);
++}
++sub vclgdb {
++	vclgd(@_[0..1],3,@_[2..3]);
++}
++sub wclgdb {
++	vclgd(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vfd {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRc(0xe7e5,@_);
++}
++sub vfddb {
++	vfd(@_,3,0);
++}
++sub wfddb {
++	vfd(@_,3,8);
++}
++
++sub vfi {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c7,@_);
++}
++sub vfidb {
++	vfi(@_[0..1],3,@_[2..3]);
++}
++sub wfidb {
++	vfi(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vlde {	# deprecated, use vfll
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRa(0xe7c4,@_);
++}
++sub vldeb {	# deprecated, use vflls
++	vlde(@_,2,0);
++}
++sub wldeb {	# deprecated, use wflls
++	vlde(@_,2,8);
++}
++
++sub vled {	# deprecated, use vflr
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7c5,@_);
++}
++sub vledb {	# deprecated, use vflrd
++	vled(@_[0..1],3,@_[2..3]);
++}
++sub wledb {	# deprecated, use wflrd
++	vled(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++
++sub vfm {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRc(0xe7e7,@_);
++}
++sub vfmdb {
++	vfm(@_,3,0);
++}
++sub wfmdb {
++	vfm(@_,3,8);
++}
++
++sub vfma {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRe(0xe78f,@_);
++}
++sub vfmadb {
++	vfma(@_,0,3);
++}
++sub wfmadb {
++	vfma(@_,8,3);
++}
++
++sub vfms {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRe(0xe78e,@_);
++}
++sub vfmsdb {
++	vfms(@_,0,3);
++}
++sub wfmsdb {
++	vfms(@_,8,3);
++}
++
++sub vfpso {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRa(0xe7cc,@_);
++}
++sub vfpsodb {
++	vfpso(@_[0..1],3,0,$_[2]);
++}
++sub wfpsodb {
++	vfpso(@_[0..1],3,8,$_[2]);
++}
++sub vflcdb {
++	vfpso(@_,3,0,0);
++}
++sub wflcdb {
++	vfpso(@_,3,8,0);
++}
++sub vflndb {
++	vfpso(@_,3,0,1);
++}
++sub wflndb {
++	vfpso(@_,3,8,1);
++}
++sub vflpdb {
++	vfpso(@_,3,0,2);
++}
++sub wflpdb {
++	vfpso(@_,3,8,2);
++}
++
++sub vfsq {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRRa(0xe7ce,@_);
++}
++sub vfsqdb {
++	vfsq(@_,3,0);
++}
++sub wfsqdb {
++	vfsq(@_,3,8);
++}
++
++sub vfs {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRRc(0xe7e2,@_);
++}
++sub vfsdb {
++	vfs(@_,3,0);
++}
++sub wfsdb {
++	vfs(@_,3,8);
++}
++
++sub vftci {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIe(0xe74a,@_);
++}
++sub vftcidb {
++	vftci(@_,3,0);
++}
++sub wftcidb {
++	vftci(@_,3,8);
++}
++
++# VXE - Support Instructions
++
++sub vbperm {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe785,@_);
++}
++
++sub vllezlf {
++	vllez(@_,6);
++}
++
++# VXE - Integer Instructions
++
++sub vmsl {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRd(0xe7b8,@_);
++}
++sub vmslg {
++	vmsl(@_[0..3],3,$_[4]);
++}
++
++sub vnx {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76c,@_);
++}
++
++sub vnn {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76e,@_);
++}
++
++sub voc {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRc(0xe76f,@_);
++}
++
++sub vpopctb {
++	vpopct(@_,0);
++}
++sub vpopcth {
++	vpopct(@_,1);
++}
++sub vpopctf {
++	vpopct(@_,2);
++}
++sub vpopctg {
++	vpopct(@_,3);
++}
++
++# VXE - Floating-Point Instructions
++
++sub vfasb {
++	vfa(@_,2,0);
++}
++sub wfasb {
++	vfa(@_,2,8);
++}
++sub wfaxb {
++	vfa(@_,4,8);
++}
++
++sub wfcsb {
++	wfc(@_,2,0);
++}
++sub wfcxb {
++	wfc(@_,4,0);
++}
++
++sub vfcesb {
++	vfce(@_,2,0,0);
++}
++sub vfcesbs {
++	vfce(@_,2,0,1);
++}
++sub wfcesb {
++	vfce(@_,2,8,0);
++}
++sub wfcesbs {
++	vfce(@_,2,8,1);
++}
++sub wfcexb {
++	vfce(@_,4,8,0);
++}
++sub wfcexbs {
++	vfce(@_,4,8,1);
++}
++
++sub vfchsb {
++	vfch(@_,2,0,0);
++}
++sub vfchsbs {
++	vfch(@_,2,0,1);
++}
++sub wfchsb {
++	vfch(@_,2,8,0);
++}
++sub wfchsbs {
++	vfch(@_,2,8,1);
++}
++sub wfchxb {
++	vfch(@_,4,8,0);
++}
++sub wfchxbs {
++	vfch(@_,4,8,1);
++}
++
++sub vfchesb {
++	vfche(@_,2,0,0);
++}
++sub vfchesbs {
++	vfche(@_,2,0,1);
++}
++sub wfchesb {
++	vfche(@_,2,8,0);
++}
++sub wfchesbs {
++	vfche(@_,2,8,1);
++}
++sub wfchexb {
++	vfche(@_,4,8,0);
++}
++sub wfchexbs {
++	vfche(@_,4,8,1);
++}
++
++sub vfdsb {
++	vfd(@_,2,0);
++}
++sub wfdsb {
++	vfd(@_,2,8);
++}
++sub wfdxb {
++	vfd(@_,4,8);
++}
++
++sub vfisb {
++	vfi(@_[0..1],2,@_[2..3]);
++}
++sub wfisb {
++	vfi(@_[0..1],2,0x8|$_[2],$_[3]);
++}
++sub wfixb {
++	vfi(@_[0..1],4,0x8|$_[2],$_[3]);
++}
++
++sub vfll {
++	vlde(@_);
++}
++sub vflls {
++	vfll(@_,2,0);
++}
++sub wflls {
++	vfll(@_,2,8);
++}
++sub wflld {
++	vfll(@_,3,8);
++}
++
++sub vflr {
++	vled(@_);
++}
++sub vflrd {
++	vflr(@_[0..1],3,@_[2..3]);
++}
++sub wflrd {
++	vflr(@_[0..1],3,0x8|$_[2],$_[3]);
++}
++sub wflrx {
++	vflr(@_[0..1],4,0x8|$_[2],$_[3]);
++}
++
++sub vfmax {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRc(0xe7ef,@_);
++}
++sub vfmaxsb {
++	vfmax(@_[0..2],2,0,$_[3]);
++}
++sub vfmaxdb {
++	vfmax(@_[0..2],3,0,$_[3]);
++}
++sub wfmaxsb {
++	vfmax(@_[0..2],2,8,$_[3]);
++}
++sub wfmaxdb {
++	vfmax(@_[0..2],3,8,$_[3]);
++}
++sub wfmaxxb {
++	vfmax(@_[0..2],4,8,$_[3]);
++}
++
++sub vfmin {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRc(0xe7ee,@_);
++}
++sub vfminsb {
++	vfmin(@_[0..2],2,0,$_[5]);
++}
++sub vfmindb {
++	vfmin(@_[0..2],3,0,$_[5]);
++}
++sub wfminsb {
++	vfmin(@_[0..2],2,8,$_[5]);
++}
++sub wfmindb {
++	vfmin(@_[0..2],3,8,$_[5]);
++}
++sub wfminxb {
++	vfmin(@_[0..2],4,8,$_[5]);
++}
++
++sub vfmsb {
++	vfm(@_,2,0);
++}
++sub wfmsb {
++	vfm(@_,2,8);
++}
++sub wfmxb {
++	vfm(@_,4,8);
++}
++
++sub vfmasb {
++	vfma(@_,0,2);
++}
++sub wfmasb {
++	vfma(@_,8,2);
++}
++sub wfmaxb {
++	vfma(@_,8,4);
++}
++
++sub vfmssb {
++	vfms(@_,0,2);
++}
++sub wfmssb {
++	vfms(@_,8,2);
++}
++sub wfmsxb {
++	vfms(@_,8,4);
++}
++
++sub vfnma {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRe(0xe79f,@_);
++}
++sub vfnmasb {
++	vfnma(@_,0,2);
++}
++sub vfnmadb {
++	vfnma(@_,0,3);
++}
++sub wfnmasb {
++	vfnma(@_,8,2);
++}
++sub wfnmadb {
++	vfnma(@_,8,3);
++}
++sub wfnmaxb {
++	vfnma(@_,8,4);
++}
++
++sub vfnms {
++	confess(err("ARGNUM")) if ($#_!=5);
++	VRRe(0xe79e,@_);
++}
++sub vfnmssb {
++	vfnms(@_,0,2);
++}
++sub vfnmsdb {
++	vfnms(@_,0,3);
++}
++sub wfnmssb {
++	vfnms(@_,8,2);
++}
++sub wfnmsdb {
++	vfnms(@_,8,3);
++}
++sub wfnmsxb {
++	vfnms(@_,8,4);
++}
++
++sub vfpsosb {
++	vfpso(@_[0..1],2,0,$_[2]);
++}
++sub wfpsosb {
++	vfpso(@_[0..1],2,8,$_[2]);
++}
++sub vflcsb {
++	vfpso(@_,2,0,0);
++}
++sub wflcsb {
++	vfpso(@_,2,8,0);
++}
++sub vflnsb {
++	vfpso(@_,2,0,1);
++}
++sub wflnsb {
++	vfpso(@_,2,8,1);
++}
++sub vflpsb {
++	vfpso(@_,2,0,2);
++}
++sub wflpsb {
++	vfpso(@_,2,8,2);
++}
++sub vfpsoxb {
++	vfpso(@_[0..1],4,0,$_[2]);
++}
++sub wfpsoxb {
++	vfpso(@_[0..1],4,8,$_[2]);
++}
++sub vflcxb {
++	vfpso(@_,4,0,0);
++}
++sub wflcxb {
++	vfpso(@_,4,8,0);
++}
++sub vflnxb {
++	vfpso(@_,4,0,1);
++}
++sub wflnxb {
++	vfpso(@_,4,8,1);
++}
++sub vflpxb {
++	vfpso(@_,4,0,2);
++}
++sub wflpxb {
++	vfpso(@_,4,8,2);
++}
++
++sub vfsqsb {
++	vfsq(@_,2,0);
++}
++sub wfsqsb {
++	vfsq(@_,2,8);
++}
++sub wfsqxb {
++	vfsq(@_,4,8);
++}
++
++sub vfssb {
++	vfs(@_,2,0);
++}
++sub wfssb {
++	vfs(@_,2,8);
++}
++sub wfsxb {
++	vfs(@_,4,8);
++}
++
++sub vftcisb {
++	vftci(@_,2,0);
++}
++sub wftcisb {
++	vftci(@_,2,8);
++}
++sub wftcixb {
++	vftci(@_,4,8);
++}
++
++# VXD - Support Instructions
++
++sub vlrlr {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSd(0xe637,@_);
++}
++
++sub vlrl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VSI(0xe635,@_);
++}
++
++sub vstrlr {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRSd(0xe63f,@_);
++}
++
++sub vstrl {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VSI(0xe63d,@_);
++}
++
++sub vap {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe671,@_);
++}
++
++sub vcp {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRh(0xe677,@_);
++}
++
++sub vcvb {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRi(0xe650,@_);
++}
++
++sub vcvbg {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRRi(0xe652,@_);
++}
++
++sub vcvd {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRIi(0xe658,@_);
++}
++
++sub vcvdg {
++	confess(err("ARGNUM")) if ($#_!=3);
++	VRIi(0xe65a,@_);
++}
++
++sub vdp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe67a,@_);
++}
++
++sub vlip {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VRIh(0xe649,@_);
++}
++
++sub vmp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe678,@_);
++}
++
++sub vmsp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe679,@_);
++}
++
++sub vpkz {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VSI(0xe634,@_);
++}
++
++sub vpsop {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIg(0xe65b,@_);
++}
++
++sub vrp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe67b,@_);
++}
++
++sub vsdp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe67e,@_);
++}
++
++sub vsrp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIg(0xe659,@_);
++}
++
++sub vsp {
++	confess(err("ARGNUM")) if ($#_!=4);
++	VRIf(0xe673,@_);
++}
++
++sub vtp {
++	confess(err("ARGNUM")) if ($#_!=0);
++	VRRg(0xe65f,@_);
++}
++
++sub vupkz {
++	confess(err("ARGNUM")) if ($#_!=2);
++	VSI(0xe63c,@_);
++}
++
++#
++# Instruction Formats
++#
++
++sub RRE {
++	confess(err("ARGNUM")) if ($#_<0||2<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$r1,$r2)=(shift,get_R(shift),get_R(shift));
++
++	$out.="\t.long\t".sprintf("%#010x",($opcode<<16|$r1<<4|$r2));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub RRFb {
++	confess(err("ARGNUM")) if ($#_<3||4<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$r1,$r3,$r2,$m4)=(shift,get_R(shift),get_R(shift)
++	    ,get_R(shift),get_M(shift));
++
++	$out.="\t.long\t"
++	    .sprintf("%#010x",($opcode<<16|$r3<<12|$m4<<8|$r1<<4|$r2));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub S {
++	confess(err("ARGNUM")) if ($#_<0||1<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$d2,$b2)=(shift,get_DB(shift));
++
++	$out.="\t.long\t".sprintf("%#010x",($opcode<<16|$b2<<12|$d2));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIa {
++	confess(err("ARGNUM")) if ($#_<2||3<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$i2,$m3)=(shift,get_V(shift),get_I(shift,16),
++	    get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
++	$out.=sprintf("%#06x",$i2).",";
++	$out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIb {
++	confess(err("ARGNUM")) if ($#_!=4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$i2,$i3,$m4)=(shift,get_V(shift),get_I(shift,8),
++	    ,get_I(shift,8),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
++	$out.=sprintf("%#06x",($i2<<8|$i3)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIc {
++	confess(err("ARGNUM")) if ($#_!=4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v3,$i2,$m4)=(shift,get_V(shift),get_V(shift),
++	    ,get_I(shift,16),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v3&0xf)).",";
++	$out.=sprintf("%#06x",$i2).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRId {
++	confess(err("ARGNUM")) if ($#_<4||$#_>5);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
++	    ,get_V(shift),get_I(shift,8),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$i4)).",";
++	$out.=sprintf("%#06x",($m5<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIe {
++	confess(err("ARGNUM")) if ($#_!=5);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$i3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
++	    ,get_I(shift,12),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
++	$out.=sprintf("%#06x",($i3<<4|$m5)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIf {
++	confess(err("ARGNUM")) if ($#_!=5);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
++	    ,get_V(shift),get_I(shift,8),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)|$i4>>4).",";
++	$out.=sprintf("%#06x",(($i4&0xf)<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIg {
++	confess(err("ARGNUM")) if ($#_!=5);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$i3,$i4,$m5)=(shift,get_V(shift),get_V(shift),
++	    ,get_I(shift,8),get_I(shift,8),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|($v2&0xf)).",";
++	$out.=sprintf("%#06x",($i4<<8|$m5<<4|$i3>>4)).",";
++	$out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIh {
++	confess(err("ARGNUM")) if ($#_!=3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$i2,$i3)=(shift,get_V(shift),get_I(shift,16),
++	    get_I(shift,4));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)).",";
++	$out.=sprintf("%#06x",$i2).",";
++	$out.=sprintf("%#06x",($i3<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRIi {
++	confess(err("ARGNUM")) if ($#_!=4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$r2,$i3,$m4)=(shift,get_V(shift),get_R(shift),
++	    ,get_I(shift,8),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4)|$r2).",";
++	$out.=sprintf("%#06x",($m4<<4|$i3>>4)).",";
++	$out.=sprintf("%#06x",(($i3&0xf)<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRa {
++	confess(err("ARGNUM")) if ($#_<2||5<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$m3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
++	    get_M(shift),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",($m5<<4|$m4)).",";
++	$out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRb {
++	confess(err("ARGNUM")) if ($#_<3||5<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$m4,$m5)=(shift,get_V(shift),get_V(shift),
++	    get_V(shift),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<4)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRc {
++	confess(err("ARGNUM")) if ($#_<3||6<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$m4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
++	    get_V(shift),get_M(shift),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<4|$m5)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v2,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRd {
++	confess(err("ARGNUM")) if ($#_<4||6<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
++	    get_V(shift),get_V(shift),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m5<<8|$m6<<4)).",";
++	$out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRe {
++	confess(err("ARGNUM")) if ($#_<4||6<$#_);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$v3,$v4,$m5,$m6)=(shift,get_V(shift),get_V(shift),
++	    get_V(shift),get_V(shift),get_M(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",(($v3&0xf)<<12|$m6<<8|$m5)).",";
++	$out.=sprintf("%#06x",(($v4&0xf)<<12|RXB($v1,$v2,$v3,$v4)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRf {
++	confess(err("ARGNUM")) if ($#_!=3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$r2,$r3)=(shift,get_V(shift),get_R(shift),
++	    get_R(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r2)).",";
++	$out.=sprintf("%#06x",($r3<<12)).",";
++	$out.=sprintf("%#06x",(RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRg {
++	confess(err("ARGNUM")) if ($#_!=1);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1)=(shift,get_V(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).",";
++	$out.=sprintf("%#06x",0x0000).",";
++	$out.=sprintf("%#06x",(RXB(0,$v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRh {
++	confess(err("ARGNUM")) if ($#_<2||$#_>3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v2,$m3)=(shift,get_V(shift),get_V(shift),
++	    get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf))).",";
++	$out.=sprintf("%#06x",(($v2&0xf)<<12|$m3<<4)).",";
++	$out.=sprintf("%#06x",(RXB(0,$v1,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRRi {
++	confess(err("ARGNUM")) if ($#_!=3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$r1,$v2,$m3)=(shift,get_R(shift),get_V(shift),
++	    get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",($m3<<4))."\,";
++	$out.=sprintf("%#06x",(RXB(0,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRSa {
++	confess(err("ARGNUM")) if ($#_<3||$#_>4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$v3,$d2,$b2,$m4)=(shift,get_V(shift),get_V(shift),
++	    get_DB(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v3&0xf))).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRSb {
++	confess(err("ARGNUM")) if ($#_<3||$#_>4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$r3,$d2,$b2,$m4)=(shift,get_V(shift),get_R(shift),
++	    get_DB(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|$r3)).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRSc {
++	confess(err("ARGNUM")) if ($#_!=4);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$r1,$v3,$d2,$b2,$m4)=(shift,get_R(shift),get_V(shift),
++	    get_DB(shift),get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|$r1<<4|($v3&0xf))).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",($m4<<12|RXB(0,$v3)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRSd {
++	confess(err("ARGNUM")) if ($#_!=3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$r3,$d2,$b2)=(shift,get_V(shift),get_R(shift),
++	    get_DB(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|$r3)).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRV {
++	confess(err("ARGNUM")) if ($#_<2||$#_>3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$d2,$v2,$b2,$m3)=(shift,get_V(shift),get_DVB(shift),
++	    get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($v2&0xf))).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",($m3<<12|RXB($v1,$v2)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VRX {
++	confess(err("ARGNUM")) if ($#_<2||$#_>3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$d2,$x2,$b2,$m3)=(shift,get_V(shift),get_DXB(shift),
++	    get_M(shift));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|($v1&0xf)<<4|($x2))).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",($m3<<12|RXB($v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++sub VSI {
++	confess(err("ARGNUM")) if ($#_!=3);
++	my $ops=join(',',@_[1..$#_]);
++	my $memn=(caller(1))[3];
++	$memn=~s/^.*:://;
++	my ($opcode,$v1,$d2,$b2,$i3)=(shift,get_V(shift),get_DB(shift),
++	    get_I(shift,8));
++
++	$out.="\t.word\t";
++	$out.=sprintf("%#06x",($opcode&0xff00|$i3)).",";
++	$out.=sprintf("%#06x",($b2<<12|$d2)).",";
++	$out.=sprintf("%#06x",(($v1&0xf)<<12|RXB(0,0,0,$v1)<<8|$opcode&0xff));
++	$out.="\t# $memn\t$ops\n"
++}
++
++#
++# Internal
++#
++
++sub get_R {
++	confess(err("ARGNUM")) if ($#_!=0);
++	my $r;
++
++	for (shift) {
++		if (!defined) {
++			$r=0;
++		} elsif (/^$GR$/) {
++			$r=$1;
++		} else {
++			confess(err("PARSE"));
++		}
++	}
++	confess(err("ARGRANGE")) if ($r&~0xf);
++
++	return $r;
++}
++
++sub get_V {
++	confess(err("ARGNUM")) if ($#_!=0);
++	my $v;
++
++	for (shift) {
++		if (!defined) {
++			$v=0;
++		} elsif (/^$VR$/) {
++			$v=$1;
++		} else {
++			confess(err("PARSE"));
++		}
++	}
++	confess(err("ARGRANGE")) if ($v&~0x1f);
++
++	return $v;
++}
++
++sub get_I {
++	confess(err("ARGNUM")) if ($#_!=1);
++	my ($i,$bits)=(shift,shift);
++
++	$i=defined($i)?(eval($i)):(0);
++	confess(err("PARSE")) if (!defined($i));
++	confess(err("ARGRANGE")) if (abs($i)&~(2**$bits-1));
++
++	return $i&(2**$bits-1);
++}
++
++sub get_M {
++	confess(err("ARGNUM")) if ($#_!=0);
++	my $m=shift;
++
++	$m=defined($m)?(eval($m)):(0);
++	confess(err("PARSE")) if (!defined($m));
++	confess(err("ARGRANGE")) if ($m&~0xf);
++
++	return $m;
++}
++
++sub get_DB
++{
++	confess(err("ARGNUM")) if ($#_!=0);
++	my ($d,$b);
++
++	for (shift) {
++		if (!defined) {
++			($d,$b)=(0,0);
++		} elsif (/^(.+)\($GR\)$/) {
++			($d,$b)=(eval($1),$2);
++			confess(err("PARSE")) if (!defined($d));
++		} elsif (/^(.+)$/) {
++			($d,$b)=(eval($1),0);
++			confess(err("PARSE")) if (!defined($d));
++		} else {
++			confess(err("PARSE"));
++		}
++	}
++	confess(err("ARGRANGE")) if ($d&~0xfff||$b&~0xf);
++
++	return ($d,$b);
++}
++
++sub get_DVB
++{
++	confess(err("ARGNUM")) if ($#_!=0);
++	my ($d,$v,$b);
++
++	for (shift) {
++		if (!defined) {
++			($d,$v,$b)=(0,0,0);
++		} elsif (/^(.+)\($VR,$GR\)$/) {
++			($d,$v,$b)=(eval($1),$2,$3);
++			confess(err("PARSE")) if (!defined($d));
++		} elsif (/^(.+)\($GR\)$/) {
++			($d,$v,$b)=(eval($1),0,$2);
++			confess(err("PARSE")) if (!defined($d));
++		} elsif (/^(.+)$/) {
++			($d,$v,$b)=(eval($1),0,0);
++			confess(err("PARSE")) if (!defined($d));
++		} else {
++			confess(err("PARSE"));
++		}
++	}
++	confess(err("ARGRANGE")) if ($d&~0xfff||$v&~0x1f||$b&~0xf);
++
++	return ($d,$v,$b);
++}
++
++sub get_DXB
++{
++	confess(err("ARGNUM")) if ($#_!=0);
++	my ($d,$x,$b);
++
++	for (shift) {
++		if (!defined) {
++			($d,$x,$b)=(0,0,0);
++		} elsif (/^(.+)\($GR,$GR\)$/) {
++			($d,$x,$b)=(eval($1),$2,$3);
++			confess(err("PARSE")) if (!defined($d));
++		} elsif (/^(.+)\($GR\)$/) {
++			($d,$x,$b)=(eval($1),0,$2);
++			confess(err("PARSE")) if (!defined($d));
++		} elsif (/^(.+)$/) {
++			($d,$x,$b)=(eval($1),0,0);
++			confess(err("PARSE")) if (!defined($d));
++		} else {
++			confess(err("PARSE"));
++		}
++	}
++	confess(err("ARGRANGE")) if ($d&~0xfff||$x&~0xf||$b&~0xf);
++
++	return ($d,$x,$b);
++}
++
++sub RXB
++{
++	confess(err("ARGNUM")) if ($#_<0||3<$#_);
++	my $rxb=0;
++
++	$rxb|=0x08 if (defined($_[0])&&($_[0]&0x10));
++	$rxb|=0x04 if (defined($_[1])&&($_[1]&0x10));
++	$rxb|=0x02 if (defined($_[2])&&($_[2]&0x10));
++	$rxb|=0x01 if (defined($_[3])&&($_[3]&0x10));
++
++	return $rxb;
++}
++
++sub err {
++	my %ERR		=
++	(
++		ARGNUM	=>	'Wrong number of arguments',
++		ARGRANGE=>	'Argument out of range',
++		PARSE	=>	'Parse error',
++	);
++	confess($ERR{ARGNUM}) if ($#_!=0);
++
++	return $ERR{$_[0]};
++}
++
++1;
+-- 
+2.21.0
+
diff --git a/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch b/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
new file mode 100644
index 0000000..f478e13
--- /dev/null
+++ b/0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
@@ -0,0 +1,867 @@
+From f760137b2144740916afd9ff381451fa16c710de Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Sat, 4 Aug 2018 00:10:06 +0200
+Subject: [PATCH] crypto/chacha/asm/chacha-s390x.pl: add vx code path.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6919)
+---
+ crypto/chacha/asm/chacha-s390x.pl | 816 ++++++++++++++++++++----------
+ crypto/chacha/build.info          |   1 +
+ 2 files changed, 558 insertions(+), 259 deletions(-)
+
+Index: openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl
+===================================================================
+--- openssl-1.1.1c.orig/crypto/chacha/asm/chacha-s390x.pl	2019-06-06 12:15:57.271195550 +0200
++++ openssl-1.1.1c/crypto/chacha/asm/chacha-s390x.pl	2019-06-06 12:16:43.787489780 +0200
+@@ -20,41 +20,46 @@
+ #
+ # 3 times faster than compiler-generated code.
+ 
+-$flavour = shift;
++#
++# August 2018
++#
++# Add vx code path.
++#
++# Copyright IBM Corp. 2018
++# Author: Patrick Steuer <patrick.steuer@de.ibm.com>
++
++use strict;
++use FindBin qw($Bin);
++use lib "$Bin/../..";
++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE);
++
++my $flavour = shift;
+ 
++my ($z,$SIZE_T);
+ if ($flavour =~ /3[12]/) {
++	$z=0;	# S/390 ABI
+ 	$SIZE_T=4;
+-	$g="";
+ } else {
++	$z=1;	# zSeries ABI
+ 	$SIZE_T=8;
+-	$g="g";
+ }
+ 
++my $output;
+ while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+-open STDOUT,">$output";
+-
+-sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
+-{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://;
+-    $code .= "\t$opcode\t".join(',',@_)."\n";
+-}
+ 
+ my $sp="%r15";
+-
+ my $stdframe=16*$SIZE_T+4*8;
+-my $frame=$stdframe+4*20;
+-
+-my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6));
+ 
+ my @x=map("%r$_",(0..7,"x","x","x","x",(10..13)));
+ my @t=map("%r$_",(8,9));
++my @v=map("%v$_",(16..31));
+ 
+ sub ROUND {
+ my ($a0,$b0,$c0,$d0)=@_;
+ my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
+-my ($xc,$xc_)=map("\"$_\"",@t);
+-my @x=map("\"$_\"",@x);
++my ($xc,$xc_)=map("$_",@t);
+ 
+ 	# Consider order in which variables are addressed by their
+ 	# index:
+@@ -78,249 +83,542 @@ my @x=map("\"$_\"",@x);
+ 	# 'c' stores and loads in the middle, but none in the beginning
+ 	# or end.
+ 
+-	(
+-	"&alr	(@x[$a0],@x[$b0])",	# Q1
+-	 "&alr	(@x[$a1],@x[$b1])",	# Q2
+-	"&xr	(@x[$d0],@x[$a0])",
+-	 "&xr	(@x[$d1],@x[$a1])",
+-	"&rll	(@x[$d0],@x[$d0],16)",
+-	 "&rll	(@x[$d1],@x[$d1],16)",
+-
+-	"&alr	($xc,@x[$d0])",
+-	 "&alr	($xc_,@x[$d1])",
+-	"&xr	(@x[$b0],$xc)",
+-	 "&xr	(@x[$b1],$xc_)",
+-	"&rll	(@x[$b0],@x[$b0],12)",
+-	 "&rll	(@x[$b1],@x[$b1],12)",
+-
+-	"&alr	(@x[$a0],@x[$b0])",
+-	 "&alr	(@x[$a1],@x[$b1])",
+-	"&xr	(@x[$d0],@x[$a0])",
+-	 "&xr	(@x[$d1],@x[$a1])",
+-	"&rll	(@x[$d0],@x[$d0],8)",
+-	 "&rll	(@x[$d1],@x[$d1],8)",
+-
+-	"&alr	($xc,@x[$d0])",
+-	 "&alr	($xc_,@x[$d1])",
+-	"&xr	(@x[$b0],$xc)",
+-	 "&xr	(@x[$b1],$xc_)",
+-	"&rll	(@x[$b0],@x[$b0],7)",
+-	 "&rll	(@x[$b1],@x[$b1],7)",
+-
+-	"&stm	($xc,$xc_,'$stdframe+4*8+4*$c0($sp)')",	# reload pair of 'c's
+-	"&lm	($xc,$xc_,'$stdframe+4*8+4*$c2($sp)')",
+-
+-	"&alr	(@x[$a2],@x[$b2])",	# Q3
+-	 "&alr	(@x[$a3],@x[$b3])",	# Q4
+-	"&xr	(@x[$d2],@x[$a2])",
+-	 "&xr	(@x[$d3],@x[$a3])",
+-	"&rll	(@x[$d2],@x[$d2],16)",
+-	 "&rll	(@x[$d3],@x[$d3],16)",
+-
+-	"&alr	($xc,@x[$d2])",
+-	 "&alr	($xc_,@x[$d3])",
+-	"&xr	(@x[$b2],$xc)",
+-	 "&xr	(@x[$b3],$xc_)",
+-	"&rll	(@x[$b2],@x[$b2],12)",
+-	 "&rll	(@x[$b3],@x[$b3],12)",
+-
+-	"&alr	(@x[$a2],@x[$b2])",
+-	 "&alr	(@x[$a3],@x[$b3])",
+-	"&xr	(@x[$d2],@x[$a2])",
+-	 "&xr	(@x[$d3],@x[$a3])",
+-	"&rll	(@x[$d2],@x[$d2],8)",
+-	 "&rll	(@x[$d3],@x[$d3],8)",
+-
+-	"&alr	($xc,@x[$d2])",
+-	 "&alr	($xc_,@x[$d3])",
+-	"&xr	(@x[$b2],$xc)",
+-	 "&xr	(@x[$b3],$xc_)",
+-	"&rll	(@x[$b2],@x[$b2],7)",
+-	 "&rll	(@x[$b3],@x[$b3],7)"
+-	);
+-}
+-
+-$code.=<<___;
+-.text
+-
+-.globl	ChaCha20_ctr32
+-.type	ChaCha20_ctr32,\@function
+-.align	32
+-ChaCha20_ctr32:
+-	lt${g}r	$len,$len			# $len==0?
+-	bzr	%r14
+-	a${g}hi	$len,-64
+-	l${g}hi	%r1,-$frame
+-	stm${g}	%r6,%r15,`6*$SIZE_T`($sp)
+-	sl${g}r	$out,$inp			# difference
+-	la	$len,0($inp,$len)		# end of input minus 64
+-	larl	%r7,.Lsigma
+-	lgr	%r0,$sp
+-	la	$sp,0(%r1,$sp)
+-	st${g}	%r0,0($sp)
+-
+-	lmg	%r8,%r11,0($key)		# load key
+-	lmg	%r12,%r13,0($counter)		# load counter
+-	lmg	%r6,%r7,0(%r7)			# load sigma constant
+-
+-	la	%r14,0($inp)
+-	st${g}	$out,$frame+3*$SIZE_T($sp)
+-	st${g}	$len,$frame+4*$SIZE_T($sp)
+-	stmg	%r6,%r13,$stdframe($sp)		# copy key schedule to stack
+-	srlg	@x[12],%r12,32			# 32-bit counter value
+-	j	.Loop_outer
+-
+-.align	16
+-.Loop_outer:
+-	lm	@x[0],@x[7],$stdframe+4*0($sp)		# load x[0]-x[7]
+-	lm	@t[0],@t[1],$stdframe+4*10($sp)		# load x[10]-x[11]
+-	lm	@x[13],@x[15],$stdframe+4*13($sp)	# load x[13]-x[15]
+-	stm	@t[0],@t[1],$stdframe+4*8+4*10($sp)	# offload x[10]-x[11]
+-	lm	@t[0],@t[1],$stdframe+4*8($sp)		# load x[8]-x[9]
+-	st	@x[12],$stdframe+4*12($sp)		# save counter
+-	st${g}	%r14,$frame+2*$SIZE_T($sp)		# save input pointer
+-	lhi	%r14,10
+-	j	.Loop
+-
+-.align	4
+-.Loop:
+-___
+-	foreach (&ROUND(0, 4, 8,12)) { eval; }
+-	foreach (&ROUND(0, 5,10,15)) { eval; }
+-$code.=<<___;
+-	brct	%r14,.Loop
+-
+-	l${g}	%r14,$frame+2*$SIZE_T($sp)		# pull input pointer
+-	stm	@t[0],@t[1],$stdframe+4*8+4*8($sp)	# offload x[8]-x[9]
+-	lm${g}	@t[0],@t[1],$frame+3*$SIZE_T($sp)
+-
+-	al	@x[0],$stdframe+4*0($sp)	# accumulate key schedule
+-	al	@x[1],$stdframe+4*1($sp)
+-	al	@x[2],$stdframe+4*2($sp)
+-	al	@x[3],$stdframe+4*3($sp)
+-	al	@x[4],$stdframe+4*4($sp)
+-	al	@x[5],$stdframe+4*5($sp)
+-	al	@x[6],$stdframe+4*6($sp)
+-	al	@x[7],$stdframe+4*7($sp)
+-	lrvr	@x[0],@x[0]
+-	lrvr	@x[1],@x[1]
+-	lrvr	@x[2],@x[2]
+-	lrvr	@x[3],@x[3]
+-	lrvr	@x[4],@x[4]
+-	lrvr	@x[5],@x[5]
+-	lrvr	@x[6],@x[6]
+-	lrvr	@x[7],@x[7]
+-	al	@x[12],$stdframe+4*12($sp)
+-	al	@x[13],$stdframe+4*13($sp)
+-	al	@x[14],$stdframe+4*14($sp)
+-	al	@x[15],$stdframe+4*15($sp)
+-	lrvr	@x[12],@x[12]
+-	lrvr	@x[13],@x[13]
+-	lrvr	@x[14],@x[14]
+-	lrvr	@x[15],@x[15]
+-
+-	la	@t[0],0(@t[0],%r14)		# reconstruct output pointer
+-	cl${g}r	%r14,@t[1]
+-	jh	.Ltail
+-
+-	x	@x[0],4*0(%r14)			# xor with input
+-	x	@x[1],4*1(%r14)
+-	st	@x[0],4*0(@t[0])		# store output
+-	x	@x[2],4*2(%r14)
+-	st	@x[1],4*1(@t[0])
+-	x	@x[3],4*3(%r14)
+-	st	@x[2],4*2(@t[0])
+-	x	@x[4],4*4(%r14)
+-	st	@x[3],4*3(@t[0])
+-	 lm	@x[0],@x[3],$stdframe+4*8+4*8($sp)	# load x[8]-x[11]
+-	x	@x[5],4*5(%r14)
+-	st	@x[4],4*4(@t[0])
+-	x	@x[6],4*6(%r14)
+-	 al	@x[0],$stdframe+4*8($sp)
+-	st	@x[5],4*5(@t[0])
+-	x	@x[7],4*7(%r14)
+-	 al	@x[1],$stdframe+4*9($sp)
+-	st	@x[6],4*6(@t[0])
+-	x	@x[12],4*12(%r14)
+-	 al	@x[2],$stdframe+4*10($sp)
+-	st	@x[7],4*7(@t[0])
+-	x	@x[13],4*13(%r14)
+-	 al	@x[3],$stdframe+4*11($sp)
+-	st	@x[12],4*12(@t[0])
+-	x	@x[14],4*14(%r14)
+-	st	@x[13],4*13(@t[0])
+-	x	@x[15],4*15(%r14)
+-	st	@x[14],4*14(@t[0])
+-	 lrvr	@x[0],@x[0]
+-	st	@x[15],4*15(@t[0])
+-	 lrvr	@x[1],@x[1]
+-	 lrvr	@x[2],@x[2]
+-	 lrvr	@x[3],@x[3]
+-	lhi	@x[12],1
+-	 x	@x[0],4*8(%r14)
+-	al	@x[12],$stdframe+4*12($sp)	# increment counter
+-	 x	@x[1],4*9(%r14)
+-	 st	@x[0],4*8(@t[0])
+-	 x	@x[2],4*10(%r14)
+-	 st	@x[1],4*9(@t[0])
+-	 x	@x[3],4*11(%r14)
+-	 st	@x[2],4*10(@t[0])
+-	 st	@x[3],4*11(@t[0])
+-
+-	cl${g}r	%r14,@t[1]			# done yet?
+-	la	%r14,64(%r14)
+-	jl	.Loop_outer
+-
+-.Ldone:
+-	xgr	%r0,%r0
+-	xgr	%r1,%r1
+-	xgr	%r2,%r2
+-	xgr	%r3,%r3
+-	stmg	%r0,%r3,$stdframe+4*4($sp)	# wipe key copy
+-	stmg	%r0,%r3,$stdframe+4*12($sp)
+-
+-	lm${g}	%r6,%r15,`$frame+6*$SIZE_T`($sp)
+-	br	%r14
+-
+-.align	16
+-.Ltail:
+-	la	@t[1],64($t[1])
+-	stm	@x[0],@x[7],$stdframe+4*0($sp)
+-	sl${g}r	@t[1],%r14
+-	lm	@x[0],@x[3],$stdframe+4*8+4*8($sp)
+-	l${g}hi	@x[6],0
+-	stm	@x[12],@x[15],$stdframe+4*12($sp)
+-	al	@x[0],$stdframe+4*8($sp)
+-	al	@x[1],$stdframe+4*9($sp)
+-	al	@x[2],$stdframe+4*10($sp)
+-	al	@x[3],$stdframe+4*11($sp)
+-	lrvr	@x[0],@x[0]
+-	lrvr	@x[1],@x[1]
+-	lrvr	@x[2],@x[2]
+-	lrvr	@x[3],@x[3]
+-	stm	@x[0],@x[3],$stdframe+4*8($sp)
+-
+-.Loop_tail:
+-	llgc	@x[4],0(@x[6],%r14)
+-	llgc	@x[5],$stdframe(@x[6],$sp)
+-	xr	@x[5],@x[4]
+-	stc	@x[5],0(@x[6],@t[0])
+-	la	@x[6],1(@x[6])
+-	brct	@t[1],.Loop_tail
+-
+-	j	.Ldone
+-.size	ChaCha20_ctr32,.-ChaCha20_ctr32
+-
+-.align	32
+-.Lsigma:
+-.long	0x61707865,0x3320646e,0x79622d32,0x6b206574	# endian-neutral
+-.asciz	"ChaCha20 for s390x, CRYPTOGAMS by <appro\@openssl.org>"
+-.align	4
+-___
++	alr	(@x[$a0],@x[$b0]);	# Q1
++	 alr	(@x[$a1],@x[$b1]);	# Q2
++	xr	(@x[$d0],@x[$a0]);
++	 xr	(@x[$d1],@x[$a1]);
++	rll	(@x[$d0],@x[$d0],16);
++	 rll	(@x[$d1],@x[$d1],16);
++
++	alr	($xc,@x[$d0]);
++	 alr	($xc_,@x[$d1]);
++	xr	(@x[$b0],$xc);
++	 xr	(@x[$b1],$xc_);
++	rll	(@x[$b0],@x[$b0],12);
++	 rll	(@x[$b1],@x[$b1],12);
++
++	alr	(@x[$a0],@x[$b0]);
++	 alr	(@x[$a1],@x[$b1]);
++	xr	(@x[$d0],@x[$a0]);
++	 xr	(@x[$d1],@x[$a1]);
++	rll	(@x[$d0],@x[$d0],8);
++	 rll	(@x[$d1],@x[$d1],8);
++
++	alr	($xc,@x[$d0]);
++	 alr	($xc_,@x[$d1]);
++	xr	(@x[$b0],$xc);
++	 xr	(@x[$b1],$xc_);
++	rll	(@x[$b0],@x[$b0],7);
++	 rll	(@x[$b1],@x[$b1],7);
++
++	stm	($xc,$xc_,"$stdframe+4*8+4*$c0($sp)");	# reload pair of 'c's
++	lm	($xc,$xc_,"$stdframe+4*8+4*$c2($sp)");
++
++	alr	(@x[$a2],@x[$b2]);	# Q3
++	 alr	(@x[$a3],@x[$b3]);	# Q4
++	xr	(@x[$d2],@x[$a2]);
++	 xr	(@x[$d3],@x[$a3]);
++	rll	(@x[$d2],@x[$d2],16);
++	 rll	(@x[$d3],@x[$d3],16);
++
++	alr	($xc,@x[$d2]);
++	 alr	($xc_,@x[$d3]);
++	xr	(@x[$b2],$xc);
++	 xr	(@x[$b3],$xc_);
++	rll	(@x[$b2],@x[$b2],12);
++	 rll	(@x[$b3],@x[$b3],12);
++
++	alr	(@x[$a2],@x[$b2]);
++	 alr	(@x[$a3],@x[$b3]);
++	xr	(@x[$d2],@x[$a2]);
++	 xr	(@x[$d3],@x[$a3]);
++	rll	(@x[$d2],@x[$d2],8);
++	 rll	(@x[$d3],@x[$d3],8);
++
++	alr	($xc,@x[$d2]);
++	 alr	($xc_,@x[$d3]);
++	xr	(@x[$b2],$xc);
++	 xr	(@x[$b3],$xc_);
++	rll	(@x[$b2],@x[$b2],7);
++	 rll	(@x[$b3],@x[$b3],7);
++}
++
++sub VX_ROUND {
++my ($a0,$b0,$c0,$d0)=@_;
++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
++
++	vaf	(@v[$a0],@v[$a0],@v[$b0]);
++	vaf	(@v[$a1],@v[$a1],@v[$b1]);
++	vaf	(@v[$a2],@v[$a2],@v[$b2]);
++	vaf	(@v[$a3],@v[$a3],@v[$b3]);
++	vx	(@v[$d0],@v[$d0],@v[$a0]);
++	vx	(@v[$d1],@v[$d1],@v[$a1]);
++	vx	(@v[$d2],@v[$d2],@v[$a2]);
++	vx	(@v[$d3],@v[$d3],@v[$a3]);
++	verllf	(@v[$d0],@v[$d0],16);
++	verllf	(@v[$d1],@v[$d1],16);
++	verllf	(@v[$d2],@v[$d2],16);
++	verllf	(@v[$d3],@v[$d3],16);
++
++	vaf	(@v[$c0],@v[$c0],@v[$d0]);
++	vaf	(@v[$c1],@v[$c1],@v[$d1]);
++	vaf	(@v[$c2],@v[$c2],@v[$d2]);
++	vaf	(@v[$c3],@v[$c3],@v[$d3]);
++	vx	(@v[$b0],@v[$b0],@v[$c0]);
++	vx	(@v[$b1],@v[$b1],@v[$c1]);
++	vx	(@v[$b2],@v[$b2],@v[$c2]);
++	vx	(@v[$b3],@v[$b3],@v[$c3]);
++	verllf	(@v[$b0],@v[$b0],12);
++	verllf	(@v[$b1],@v[$b1],12);
++	verllf	(@v[$b2],@v[$b2],12);
++	verllf	(@v[$b3],@v[$b3],12);
++
++	vaf	(@v[$a0],@v[$a0],@v[$b0]);
++	vaf	(@v[$a1],@v[$a1],@v[$b1]);
++	vaf	(@v[$a2],@v[$a2],@v[$b2]);
++	vaf	(@v[$a3],@v[$a3],@v[$b3]);
++	vx	(@v[$d0],@v[$d0],@v[$a0]);
++	vx	(@v[$d1],@v[$d1],@v[$a1]);
++	vx	(@v[$d2],@v[$d2],@v[$a2]);
++	vx	(@v[$d3],@v[$d3],@v[$a3]);
++	verllf	(@v[$d0],@v[$d0],8);
++	verllf	(@v[$d1],@v[$d1],8);
++	verllf	(@v[$d2],@v[$d2],8);
++	verllf	(@v[$d3],@v[$d3],8);
++
++	vaf	(@v[$c0],@v[$c0],@v[$d0]);
++	vaf	(@v[$c1],@v[$c1],@v[$d1]);
++	vaf	(@v[$c2],@v[$c2],@v[$d2]);
++	vaf	(@v[$c3],@v[$c3],@v[$d3]);
++	vx	(@v[$b0],@v[$b0],@v[$c0]);
++	vx	(@v[$b1],@v[$b1],@v[$c1]);
++	vx	(@v[$b2],@v[$b2],@v[$c2]);
++	vx	(@v[$b3],@v[$b3],@v[$c3]);
++	verllf	(@v[$b0],@v[$b0],7);
++	verllf	(@v[$b1],@v[$b1],7);
++	verllf	(@v[$b2],@v[$b2],7);
++	verllf	(@v[$b3],@v[$b3],7);
++}
++
++PERLASM_BEGIN($output);
+ 
+-foreach (split("\n",$code)) {
+-	s/\`([^\`]*)\`/eval $1/ge;
++INCLUDE	("s390x_arch.h");
++TEXT	();
+ 
+-	print $_,"\n";
++################
++# void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, size_t len,
++#                     const unsigned int key[8], const unsigned int counter[4])
++{
++my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6));
++
++# VX CODE PATH
++{
++my $off=$z*8*16+8;	# offset(initial state)
++my $frame=$stdframe+4*16+$off;
++
++GLOBL	("ChaCha20_ctr32");
++TYPE	("ChaCha20_ctr32","\@function");
++ALIGN	(32);
++LABEL	("ChaCha20_ctr32");
++	larl	("%r1","OPENSSL_s390xcap_P");
++
++	lghi	("%r0",64);
++&{$z?	\&cgr:\&cr}	($len,"%r0");
++	jle	("_s390x_chacha_novx");
++
++	lg	("%r0","S390X_STFLE+16(%r1)");
++	tmhh	("%r0",0x4000);	# check for vector facility
++	jz	("_s390x_chacha_novx");
++
++if (!$z) {
++	llgfr   ($len,$len);
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++}
++&{$z?	\&stmg:\&stm}	("%r6","%r7","6*$SIZE_T($sp)");
++
++	lghi	("%r1",-$frame);
++	lgr	("%r0",$sp);
++	la	($sp,"0(%r1,$sp)");	# allocate stack frame
++
++	larl	("%r7",".Lsigma");
++&{$z?	\&stg:\&st}	("%r0","0($sp)");	# backchain
++
++	vstm	("%v8","%v15","8($sp)") if ($z);
++
++	vlm	("%v1","%v2","0($key)");	# load key
++	vl	("%v0","0(%r7)");	# load sigma constant
++	vl	("%v3","0($counter)");	# load iv (counter||nonce)
++	l	("%r0","0($counter)");	# load counter
++	vstm	("%v0","%v3","$off($sp)");	# copy initial state to stack
++
++	srlg	("%r1",$len,8);
++	ltgr	("%r1","%r1");
++	jz	(".Lvx_4x_done");
++
++ALIGN	(16);	# process 4 64-byte blocks
++LABEL	(".Lvx_4x");
++	vlrepf	("%v$_",($_*4)."+$off($sp)") for (0..15);	# load initial
++								#  state
++	vl	("%v31","16(%r7)");
++	vaf	("%v12","%v12","%v31");	# increment counter
++
++	vlr	(@v[$_],"%v$_") for (0..15);	# copy initial state
++
++	lhi	("%r6",10);
++	j	(".Loop_vx_4x");
++
++ALIGN	(16);
++LABEL	(".Loop_vx_4x");
++	VX_ROUND( 0, 4, 8,12);	# column round
++	VX_ROUND( 0, 5,10,15);	# diagonal round
++	brct	("%r6",".Loop_vx_4x");
++
++	vaf	(@v[$_],@v[$_],"%v$_") for (0..15);	# state += initial
++							#  state (mod 32)
++	vlm	("%v6","%v7","32(%r7)");	# load vperm operands
++
++for (0..3) {	# blocks 1,2
++	vmrhf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
++	vmrhf	("%v1",@v[$_*4+2],@v[$_*4+3]);
++	vperm	("%v".($_+ 8),"%v0","%v1","%v6");
++	vperm	("%v".($_+12),"%v0","%v1","%v7");
++}
++	vlm	("%v0","%v7","0($inp)");	# load in
++	vx	("%v$_","%v$_","%v".($_+8)) for (0..7);	# out = in ^ ks
++	vstm	("%v0","%v7","0($out)");	# store out
++
++	vlm	("%v6","%v7","32(%r7)");	# restore vperm operands
++
++for (0..3) {	# blocks 2,3
++	vmrlf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
++	vmrlf	("%v1",@v[$_*4+2],@v[$_*4+3]);
++	vperm	("%v".($_+ 8),"%v0","%v1","%v6");
++	vperm	("%v".($_+12),"%v0","%v1","%v7");
++}
++	vlm	("%v0","%v7","128($inp)");	# load in
++	vx	("%v$_","%v$_","%v".($_+8)) for (0..7);	# out = in ^ ks
++	vstm	("%v0","%v7","128($out)");	# store out
++
++	ahi	("%r0",4);
++	st	("%r0","48+$off($sp)");	# update initial state
++
++	la	($inp,"256($inp)");
++	la	($out,"256($out)");
++	brctg	("%r1",".Lvx_4x");
++
++ALIGN	(16);
++LABEL	(".Lvx_4x_done");
++	lghi	("%r1",0xff);
++	ngr	($len,"%r1");
++	jnz	(".Lvx_rem");
++
++ALIGN	(16);
++LABEL	(".Lvx_done");
++	vzero	("%v$_") for (16..31);	# wipe ks and key copy
++	vstm	("%v16","%v17","16+$off($sp)");
++	vlm	("%v8","%v15","8($sp)") if ($z);
++
++	la	($sp,"$frame($sp)");
++&{$z?	\&lmg:\&lm}	("%r6","%r7","6*$SIZE_T($sp)");
++
++if (!$z) {
++	ld	("%f4","16*$SIZE_T+2*8($sp)");
++	ld	("%f6","16*$SIZE_T+3*8($sp)");
++	vzero	("%v$_") for (8..15);
++}
++	br	("%r14");
++ALIGN	(16);
++LABEL	(".Lvx_rem");
++	lhi	("%r0",64);
++
++	sr	($len,"%r0");
++	brc	(2,".Lvx_rem_g64");	# cc==2?
++
++	lghi	("%r1",-$stdframe);
++
++	la	($counter,"48+$off($sp)");	# load updated iv
++	ar	($len,"%r0");	# restore len
++
++	lgr	("%r7",$counter);
++&{$z?	\&stg:\&st}	("%r14","14*$SIZE_T+$frame($sp)");
++	la	($sp,"0(%r1,$sp)");
++
++	bras	("%r14","_s390x_chacha_novx");
++
++	la	($sp,"$stdframe($sp)");
++&{$z?	\&lg:\&l}	("%r14","14*$SIZE_T+$frame($sp)");
++	lgr	($counter,"%r7");
++	j	(".Lvx_done");
++
++ALIGN	(16);
++LABEL	(".Lvx_rem_g64");
++	vlrepf	("%v$_",($_*4)."+$off($sp)") for (0..15);	# load initial
++								#  state
++	vl	("%v31","16(%r7)");
++	vaf	("%v12","%v12","%v31");	# increment counter
++
++	vlr	(@v[$_],"%v$_") for (0..15);	# state = initial state
++
++	lhi	("%r6",10);
++	j	(".Loop_vx_rem");
++
++ALIGN	(16);
++LABEL	(".Loop_vx_rem");
++	VX_ROUND( 0, 4, 8,12);	# column round
++	VX_ROUND( 0, 5,10,15);	# diagonal round
++	brct	("%r6",".Loop_vx_rem");
++
++	vaf	(@v[$_],@v[$_],"%v$_") for (0..15);	# state += initial
++							#  state (mod 32)
++	vlm	("%v6","%v7","32(%r7)");	# load vperm operands
++
++for (0..3) {	# blocks 1,2
++	vmrhf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
++	vmrhf	("%v1",@v[$_*4+2],@v[$_*4+3]);
++	vperm	("%v".($_+8),"%v0","%v1","%v6");
++	vperm	("%v".($_+12),"%v0","%v1","%v7");
++}
++	vlm	("%v0","%v3","0($inp)");	# load in
++	vx	("%v$_","%v$_","%v".($_+8)) for (0..3);	# out = in ^ ks
++	vstm	("%v0","%v3","0($out)");	# store out
++
++	la	($inp,"64($inp)");
++	la	($out,"64($out)");
++
++	sr	($len,"%r0");
++	brc	(4,".Lvx_tail");	# cc==4?
++
++	vlm	("%v0","%v3","0($inp)");	# load in
++	vx	("%v$_","%v$_","%v".($_+12)) for (0..3);	# out = in ^ ks
++	vstm	("%v0","%v3","0($out)");	# store out
++	jz	(".Lvx_done");
++
++for (0..3) {	# blocks 3,4
++	vmrlf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
++	vmrlf	("%v1",@v[$_*4+2],@v[$_*4+3]);
++	vperm	("%v".($_+12),"%v0","%v1","%v6");
++	vperm	("%v".($_+8),"%v0","%v1","%v7");
++}
++	la	($inp,"64($inp)");
++	la	($out,"64($out)");
++
++	sr	($len,"%r0");
++	brc	(4,".Lvx_tail");	# cc==4?
++
++	vlm	("%v0","%v3","0($inp)");	# load in
++	vx	("%v$_","%v$_","%v".($_+12)) for (0..3);	# out = in ^ ks
++	vstm	("%v0","%v3","0($out)");	# store out
++	jz	(".Lvx_done");
++
++	la	($inp,"64($inp)");
++	la	($out,"64($out)");
++
++	sr	($len,"%r0");
++	vlr	("%v".($_+4),"%v$_") for (8..11);
++	j	(".Lvx_tail");
++
++ALIGN	(16);
++LABEL	(".Lvx_tail");
++	ar	($len,"%r0");	# restore $len
++	ahi	($len,-1);
++
++	lhi	("%r0",16);
++for (0..2) {
++	vll	("%v0",$len,($_*16)."($inp)");
++	vx	("%v0","%v0","%v".($_+12));
++	vstl	("%v0",$len,($_*16)."($out)");
++	sr	($len,"%r0");
++	brc	(4,".Lvx_done");	# cc==4?
++}
++	vll	("%v0",$len,"3*16($inp)");
++	vx	("%v0","%v0","%v15");
++	vstl	("%v0",$len,"3*16($out)");
++	j	(".Lvx_done");
++SIZE	("ChaCha20_ctr32",".-ChaCha20_ctr32");
++}
++
++# NOVX CODE PATH
++{
++my $frame=$stdframe+4*20;
++
++TYPE	("_s390x_chacha_novx","\@function");
++ALIGN	(32);
++LABEL	("_s390x_chacha_novx");
++&{$z?	\&ltgr:\&ltr}	($len,$len);	# $len==0?
++	bzr	("%r14");
++&{$z?	\&aghi:\&ahi}	($len,-64);
++&{$z?	\&lghi:\&lhi}	("%r1",-$frame);
++&{$z?	\&stmg:\&stm}	("%r6","%r15","6*$SIZE_T($sp)");
++&{$z?	\&slgr:\&slr}	($out,$inp);	# difference
++	la	($len,"0($inp,$len)");	# end of input minus 64
++	larl	("%r7",".Lsigma");
++	lgr	("%r0",$sp);
++	la	($sp,"0(%r1,$sp)");
++&{$z?	\&stg:\&st}	("%r0","0($sp)");
++
++	lmg	("%r8","%r11","0($key)");	# load key
++	lmg	("%r12","%r13","0($counter)");	# load counter
++	lmg	("%r6","%r7","0(%r7)");	# load sigma constant
++
++	la	("%r14","0($inp)");
++&{$z?	\&stg:\&st}	($out,"$frame+3*$SIZE_T($sp)");
++&{$z?	\&stg:\&st}	($len,"$frame+4*$SIZE_T($sp)");
++	stmg	("%r6","%r13","$stdframe($sp)");# copy key schedule to stack
++	srlg	(@x[12],"%r12",32);	# 32-bit counter value
++	j	(".Loop_outer");
++
++ALIGN	(16);
++LABEL	(".Loop_outer");
++	lm	(@x[0],@x[7],"$stdframe+4*0($sp)");	# load x[0]-x[7]
++	lm	(@t[0],@t[1],"$stdframe+4*10($sp)");	# load x[10]-x[11]
++	lm	(@x[13],@x[15],"$stdframe+4*13($sp)");	# load x[13]-x[15]
++	stm	(@t[0],@t[1],"$stdframe+4*8+4*10($sp)");# offload x[10]-x[11]
++	lm	(@t[0],@t[1],"$stdframe+4*8($sp)");	# load x[8]-x[9]
++	st	(@x[12],"$stdframe+4*12($sp)");	# save counter
++&{$z?	\&stg:\&st}	("%r14","$frame+2*$SIZE_T($sp)");# save input pointer
++	lhi	("%r14",10);
++	j	(".Loop");
++
++ALIGN	(4);
++LABEL	(".Loop");
++	ROUND	(0, 4, 8,12);
++	ROUND	(0, 5,10,15);
++	brct	("%r14",".Loop");
++
++&{$z?	\&lg:\&l}	("%r14","$frame+2*$SIZE_T($sp)");# pull input pointer
++	stm	(@t[0],@t[1],"$stdframe+4*8+4*8($sp)");	# offload x[8]-x[9]
++&{$z?	\&lmg:\&lm}	(@t[0],@t[1],"$frame+3*$SIZE_T($sp)");
++
++	al	(@x[0],"$stdframe+4*0($sp)");	# accumulate key schedule
++	al	(@x[1],"$stdframe+4*1($sp)");
++	al	(@x[2],"$stdframe+4*2($sp)");
++	al	(@x[3],"$stdframe+4*3($sp)");
++	al	(@x[4],"$stdframe+4*4($sp)");
++	al	(@x[5],"$stdframe+4*5($sp)");
++	al	(@x[6],"$stdframe+4*6($sp)");
++	al	(@x[7],"$stdframe+4*7($sp)");
++	lrvr	(@x[0],@x[0]);
++	lrvr	(@x[1],@x[1]);
++	lrvr	(@x[2],@x[2]);
++	lrvr	(@x[3],@x[3]);
++	lrvr	(@x[4],@x[4]);
++	lrvr	(@x[5],@x[5]);
++	lrvr	(@x[6],@x[6]);
++	lrvr	(@x[7],@x[7]);
++	al	(@x[12],"$stdframe+4*12($sp)");
++	al	(@x[13],"$stdframe+4*13($sp)");
++	al	(@x[14],"$stdframe+4*14($sp)");
++	al	(@x[15],"$stdframe+4*15($sp)");
++	lrvr	(@x[12],@x[12]);
++	lrvr	(@x[13],@x[13]);
++	lrvr	(@x[14],@x[14]);
++	lrvr	(@x[15],@x[15]);
++
++	la	(@t[0],"0(@t[0],%r14)");	# reconstruct output pointer
++&{$z?	\&clgr:\&clr}	("%r14",@t[1]);
++	jh	(".Ltail");
++
++	x	(@x[0],"4*0(%r14)");	# xor with input
++	x	(@x[1],"4*1(%r14)");
++	st	(@x[0],"4*0(@t[0])");	# store output
++	x	(@x[2],"4*2(%r14)");
++	st	(@x[1],"4*1(@t[0])");
++	x	(@x[3],"4*3(%r14)");
++	st	(@x[2],"4*2(@t[0])");
++	x	(@x[4],"4*4(%r14)");
++	st	(@x[3],"4*3(@t[0])");
++	 lm	(@x[0],@x[3],"$stdframe+4*8+4*8($sp)");	# load x[8]-x[11]
++	x	(@x[5],"4*5(%r14)");
++	st	(@x[4],"4*4(@t[0])");
++	x	(@x[6],"4*6(%r14)");
++	 al	(@x[0],"$stdframe+4*8($sp)");
++	st	(@x[5],"4*5(@t[0])");
++	x	(@x[7],"4*7(%r14)");
++	 al	(@x[1],"$stdframe+4*9($sp)");
++	st	(@x[6],"4*6(@t[0])");
++	x	(@x[12],"4*12(%r14)");
++	 al	(@x[2],"$stdframe+4*10($sp)");
++	st	(@x[7],"4*7(@t[0])");
++	x	(@x[13],"4*13(%r14)");
++	 al	(@x[3],"$stdframe+4*11($sp)");
++	st	(@x[12],"4*12(@t[0])");
++	x	(@x[14],"4*14(%r14)");
++	st	(@x[13],"4*13(@t[0])");
++	x	(@x[15],"4*15(%r14)");
++	st	(@x[14],"4*14(@t[0])");
++	 lrvr	(@x[0],@x[0]);
++	st	(@x[15],"4*15(@t[0])");
++	 lrvr	(@x[1],@x[1]);
++	 lrvr	(@x[2],@x[2]);
++	 lrvr	(@x[3],@x[3]);
++	lhi	(@x[12],1);
++	 x	(@x[0],"4*8(%r14)");
++	al	(@x[12],"$stdframe+4*12($sp)");	# increment counter
++	 x	(@x[1],"4*9(%r14)");
++	 st	(@x[0],"4*8(@t[0])");
++	 x	(@x[2],"4*10(%r14)");
++	 st	(@x[1],"4*9(@t[0])");
++	 x	(@x[3],"4*11(%r14)");
++	 st	(@x[2],"4*10(@t[0])");
++	 st	(@x[3],"4*11(@t[0])");
++
++&{$z?	\&clgr:\&clr}	("%r14",@t[1]);	# done yet?
++	la	("%r14","64(%r14)");
++	jl	(".Loop_outer");
++
++LABEL	(".Ldone");
++	xgr	("%r0","%r0");
++	xgr	("%r1","%r1");
++	xgr	("%r2","%r2");
++	xgr	("%r3","%r3");
++	stmg	("%r0","%r3","$stdframe+4*4($sp)");	# wipe key copy
++	stmg	("%r0","%r3","$stdframe+4*12($sp)");
++
++&{$z?	\&lmg:\&lm}	("%r6","%r15","$frame+6*$SIZE_T($sp)");
++	br	("%r14");
++
++ALIGN	(16);
++LABEL	(".Ltail");
++	la	(@t[1],"64($t[1])");
++	stm	(@x[0],@x[7],"$stdframe+4*0($sp)");
++&{$z?	\&slgr:\&slr}	(@t[1],"%r14");
++	lm	(@x[0],@x[3],"$stdframe+4*8+4*8($sp)");
++&{$z?	\&lghi:\&lhi}	(@x[6],0);
++	stm	(@x[12],@x[15],"$stdframe+4*12($sp)");
++	al	(@x[0],"$stdframe+4*8($sp)");
++	al	(@x[1],"$stdframe+4*9($sp)");
++	al	(@x[2],"$stdframe+4*10($sp)");
++	al	(@x[3],"$stdframe+4*11($sp)");
++	lrvr	(@x[0],@x[0]);
++	lrvr	(@x[1],@x[1]);
++	lrvr	(@x[2],@x[2]);
++	lrvr	(@x[3],@x[3]);
++	stm	(@x[0],@x[3],"$stdframe+4*8($sp)");
++
++LABEL	(".Loop_tail");
++	llgc	(@x[4],"0(@x[6],%r14)");
++	llgc	(@x[5],"$stdframe(@x[6],$sp)");
++	xr	(@x[5],@x[4]);
++	stc	(@x[5],"0(@x[6],@t[0])");
++	la	(@x[6],"1(@x[6])");
++	brct	(@t[1],".Loop_tail");
++
++	j	(".Ldone");
++SIZE	("_s390x_chacha_novx",".-_s390x_chacha_novx");
++}
+ }
+-close STDOUT or die "error closing STDOUT: $!";
++################
++
++ALIGN	(64);
++LABEL	(".Lsigma");
++LONG	(0x61707865,0x3320646e,0x79622d32,0x6b206574);	# endian-neutral sigma
++LONG	(0x00000000,0x00000001,0x00000002,0x00000003);	# vaf counter increment
++LONG	(0x03020100,0x07060504,0x13121110,0x17161514);	# vperm serialization
++LONG	(0x0b0a0908,0x0f0e0d0c,0x1b1a1918,0x1f1e1d1c);	# vperm serialization
++ASCIZ	("\"ChaCha20 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
++ALIGN	(4);
++
++PERLASM_END();
diff --git a/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch b/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
new file mode 100644
index 0000000..4f51aa2
--- /dev/null
+++ b/0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
@@ -0,0 +1,1006 @@
+From d6f4b0a8bfbe901c72294d8923eb5b6f54ca7732 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Mon, 6 Feb 2017 10:54:54 +0100
+Subject: [PATCH] crypto/poly1305/asm/poly1305-s390x.pl: add vx code path.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/7991)
+---
+ crypto/poly1305/asm/poly1305-s390x.pl | 944 +++++++++++++++++++++-----
+ 1 file changed, 780 insertions(+), 164 deletions(-)
+
+diff --git a/crypto/poly1305/asm/poly1305-s390x.pl b/crypto/poly1305/asm/poly1305-s390x.pl
+index 21ca86055e..390f9eefe7 100755
+--- a/crypto/poly1305/asm/poly1305-s390x.pl
++++ b/crypto/poly1305/asm/poly1305-s390x.pl
+@@ -24,204 +24,820 @@
+ #
+ # On side note, z13 enables vector base 2^26 implementation...
+ 
+-$flavour = shift;
++#
++# January 2019
++#
++# Add vx code path (base 2^26).
++#
++# Copyright IBM Corp. 2019
++# Author: Patrick Steuer <patrick.steuer@de.ibm.com>
+ 
++use strict;
++use FindBin qw($Bin);
++use lib "$Bin/../..";
++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL);
++
++my $flavour = shift;
++
++my ($z,$SIZE_T);
+ if ($flavour =~ /3[12]/) {
++	$z=0;	# S/390 ABI
+ 	$SIZE_T=4;
+-	$g="";
+ } else {
++	$z=1;	# zSeries ABI
+ 	$SIZE_T=8;
+-	$g="g";
+ }
+ 
++my $output;
+ while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+-open STDOUT,">$output";
+ 
+-$sp="%r15";
++my $sp="%r15";
++
++# novx code path ctx layout
++# ---------------------------------
++# var		value	base	off
++# ---------------------------------
++# u64 h[3]	hash	2^64	  0
++# u32 pad[2]
++# u64 r[2]	key	2^64	 32
++
++# vx code path ctx layout
++# ---------------------------------
++# var		value	base	off
++# ---------------------------------
++# u32 acc1[5]	r^2-acc	2^26	  0
++# u32 pad
++# u32 acc2[5]	r-acc	2^26	 24
++# u32 pad
++# u32 r1[5]	r	2^26	 48
++# u32 r15[5]	5*r	2^26	 68
++# u32 r2[5]	r^2	2^26	 88
++# u32 r25[5]	5*r^2	2^26	108
++# u32 r4[5]	r^4	2^26	128
++# u32 r45[5]	5*r^4	2^26	148
++
++PERLASM_BEGIN($output);
++
++TEXT	();
++
++################
++# static void poly1305_init(void *ctx, const unsigned char key[16])
++{
++my ($ctx,$key)=map("%r$_",(2..3));
++my ($r0,$r1,$r2)=map("%r$_",(9,11,13));
+ 
+-my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5));
++sub MUL_RKEY {	# r*=key
++my ($d0hi,$d0lo,$d1hi,$d1lo)=map("%r$_",(4..7));
++my ($t0,$t1,$s1)=map("%r$_",(8,10,12));
++
++	lg	("%r0","32($ctx)");
++	lg	("%r1","40($ctx)");
++
++	srlg	($s1,"%r1",2);
++	algr	($s1,"%r1");
++
++	lgr	($d0lo,$r0);
++	lgr	($d1lo,$r1);
++
++	mlgr	($d0hi,"%r0");
++	lgr	($r1,$d1lo);
++	mlgr	($d1hi,$s1);
++
++	mlgr	($t0,"%r1");
++	mlgr	($t1,"%r0");
++
++	algr	($d0lo,$d1lo);
++	lgr	($d1lo,$r2);
++	alcgr	($d0hi,$d1hi);
++	lghi	($d1hi,0);
++
++	algr	($r1,$r0);
++	alcgr	($t1,$t0);
++
++	msgr	($d1lo,$s1);
++	msgr	($r2,"%r0");
++
++	algr	($r1,$d1lo);
++	alcgr	($t1,$d1hi);
++
++	algr	($r1,$d0hi);
++	alcgr	($r2,$t1);
++
++	lghi	($r0,-4);
++	ngr	($r0,$r2);
++	srlg	($t0,$r2,2);
++	algr	($r0,$t0);
++	lghi	($t1,3);
++	ngr	($r2,$t1);
++
++	algr	($r0,$d0lo);
++	alcgr	($r1,$d1hi);
++	alcgr	($r2,$d1hi);
++}
++
++sub ST_R5R {	# store r,5*r -> base 2^26
++my @d=map("%r$_",(4..8));
++my @off=@_;
++
++	lgr	(@d[2],$r0);
++	lr	("%r1",@d[2]);
++	nilh	("%r1",1023);
++	lgr	(@d[3],$r1);
++	lr	(@d[0],"%r1");
++	srlg	("%r1",@d[2],52);
++	lgr	(@d[4],$r2);
++	srlg	("%r0",@d[2],26);
++	sll	(@d[4],24);
++	lr	(@d[2],@d[3]);
++	nilh	("%r0",1023);
++	sll	(@d[2],12);
++	lr	(@d[1],"%r0");
++	&or	(@d[2],"%r1");
++	srlg	("%r1",@d[3],40);
++	nilh	(@d[2],1023);
++	&or	(@d[4],"%r1");
++	srlg	(@d[3],@d[3],14);
++	nilh	(@d[4],1023);
++	nilh	(@d[3],1023);
++
++	stm	(@d[0],@d[4],"@off[0]($ctx)");
++	mhi	(@d[$_],5) for (0..4);
++	stm	(@d[0],@d[4],"@off[1]($ctx)");
++}
+ 
+-$code.=<<___;
+-.text
+-
+-.globl	poly1305_init
+-.type	poly1305_init,\@function
+-.align	16
+-poly1305_init:
+-	lghi	%r0,0
+-	lghi	%r1,-1
+-	stg	%r0,0($ctx)		# zero hash value
+-	stg	%r0,8($ctx)
+-	stg	%r0,16($ctx)
+-
+-	cl${g}r	$inp,%r0
+-	je	.Lno_key
+-
+-	lrvg	%r4,0($inp)		# load little-endian key
+-	lrvg	%r5,8($inp)
+-
+-	nihl	%r1,0xffc0		# 0xffffffc0ffffffff
+-	srlg	%r0,%r1,4		# 0x0ffffffc0fffffff
+-	srlg	%r1,%r1,4
+-	nill	%r1,0xfffc		# 0x0ffffffc0ffffffc
+-
+-	ngr	%r4,%r0
+-	ngr	%r5,%r1
+-
+-	stg	%r4,32($ctx)
+-	stg	%r5,40($ctx)
+-
+-.Lno_key:
+-	lghi	%r2,0
+-	br	%r14
+-.size	poly1305_init,.-poly1305_init
+-___
++GLOBL	("poly1305_init");
++TYPE	("poly1305_init","\@function");
++ALIGN	(16);
++LABEL	("poly1305_init");
++	lghi	("%r0",0);
++	lghi	("%r1",-1);
++	stg	("%r0","0($ctx)");	# zero hash value / acc1
++	stg	("%r0","8($ctx)");
++	stg	("%r0","16($ctx)");
++
++&{$z?	\&clgr:\&clr}	($key,"%r0");
++	je	(".Ldone");
++
++	lrvg	("%r4","0($key)");	# load little-endian key
++	lrvg	("%r5","8($key)");
++
++	nihl	("%r1",0xffc0);		# 0xffffffc0ffffffff
++	srlg	("%r0","%r1",4);	# 0x0ffffffc0fffffff
++	srlg	("%r1","%r1",4);
++	nill	("%r1",0xfffc);		# 0x0ffffffc0ffffffc
++
++	ngr	("%r4","%r0");
++	ngr	("%r5","%r1");
++
++	stg	("%r4","32($ctx)");
++	stg	("%r5","40($ctx)");
++
++	larl	("%r1","OPENSSL_s390xcap_P");
++	lg	("%r0","16(%r1)");
++	tmhh	("%r0",0x4000);		# check for vector facility
++	jz	(".Ldone");
++
++	larl	("%r4","poly1305_blocks_vx");
++	larl	("%r5","poly1305_emit_vx");
++
++&{$z?	\&stmg:\&stm}	("%r6","%r13","6*$SIZE_T($sp)");
++&{$z?	\&stmg:\&stm}	("%r4","%r5","4*$z+228($ctx)");
++
++	lg	($r0,"32($ctx)");
++	lg	($r1,"40($ctx)");
++	lghi	($r2,0);
++
++	ST_R5R	(48,68);	# store r,5*r
++
++	MUL_RKEY();
++	ST_R5R	(88,108);	# store r^2,5*r^2
++
++	MUL_RKEY();
++	MUL_RKEY();
++	ST_R5R	(128,148);	# store r^4,5*r^4
++
++	lghi	("%r0",0);
++	stg	("%r0","24($ctx)");	# zero acc2
++	stg	("%r0","32($ctx)");
++	stg	("%r0","40($ctx)");
++
++&{$z?	\&lmg:\&lm}	("%r6","%r13","6*$SIZE_T($sp)");
++	lghi	("%r2",1);
++	br	("%r14");
++
++LABEL	(".Ldone");
++	lghi	("%r2",0);
++	br	("%r14");
++SIZE	("poly1305_init",".-poly1305_init");
++}
++
++# VX CODE PATH
+ {
+-my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14));
+-my ($r0,$r1,$s1) = map("%r$_",(0..2));
++my $frame=8*16;
++my @m01=map("%v$_",(0..4));
++my @m23=map("%v$_",(5..9));
++my @tmp=@m23;
++my @acc=map("%v$_",(10..14));
++my @r=map("%v$_",(15..19));
++my @r5=map("%v$_",(20..24));
++my $padvec="%v26";
++my $mask4="%v27";
++my @vperm=map("%v$_",(28..30));
++my $mask="%v31";
++
++sub REDUCE {
++	vesrlg	(@tmp[0],@acc[0],26);
++	vesrlg	(@tmp[3],@acc[3],26);
++	vn	(@acc[0],@acc[0],$mask);
++	vn	(@acc[3],@acc[3],$mask);
++	vag	(@acc[1],@acc[1],@tmp[0]);	# carry 0->1
++	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
++
++	vesrlg	(@tmp[1],@acc[1],26);
++	vesrlg	(@tmp[4],@acc[4],26);
++	vn	(@acc[1],@acc[1],$mask);
++	vn	(@acc[4],@acc[4],$mask);
++	veslg	(@tmp[0],@tmp[4],2);
++	vag	(@tmp[4],@tmp[4],@tmp[0]);	# h[4]*=5
++	vag	(@acc[2],@acc[2],@tmp[1]);	# carry 1->2
++	vag	(@acc[0],@acc[0],@tmp[4]);	# carry 4->0
++
++	vesrlg	(@tmp[2],@acc[2],26);
++	vesrlg	(@tmp[0],@acc[0],26);
++	vn	(@acc[2],@acc[2],$mask);
++	vn	(@acc[0],@acc[0],$mask);
++	vag	(@acc[3],@acc[3],@tmp[2]);	# carry 2->3
++	vag	(@acc[1],@acc[1],@tmp[0]);	# carry 0->1
++
++	vesrlg	(@tmp[3],@acc[3],26);
++	vn	(@acc[3],@acc[3],$mask);
++	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
++}
+ 
+-$code.=<<___;
+-.globl	poly1305_blocks
+-.type	poly1305_blocks,\@function
+-.align	16
+-poly1305_blocks:
+-	srl${g}	$len,4			# fixed-up in 64-bit build
+-	lghi	%r0,0
+-	cl${g}r	$len,%r0
+-	je	.Lno_data
++################
++# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp,
++#                                size_t len, u32 padbit)
++{
++my ($ctx,$inp,$len) = map("%r$_",(2..4));
++my $padbit="%r0";
++
++GLOBL	("poly1305_blocks_vx");
++TYPE	("poly1305_blocks_vx","\@function");
++ALIGN	(16);
++LABEL	("poly1305_blocks_vx");
++if ($z) {
++	aghi	($sp,-$frame);
++	vstm	("%v8","%v15","0($sp)");
++} else {
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++	llgfr	($len,$len);
++}
++	llgfr	($padbit,"%r5");
++	vlef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# load acc1
++	larl	("%r5",".Lconst");
++	vlef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);	# load acc2
++	sllg	($padbit,$padbit,24);
++	vlm	(@vperm[0],$mask,"0(%r5)");	# load vperm ops, mask
++	vgbm	($mask4,0x0707);
++	vlvgp	($padvec,$padbit,$padbit);
++
++	srlg	("%r1",$len,6);
++	ltgr	("%r1","%r1");
++	jz	(".Lvx_4x_done");
++
++ALIGN	(16);
++LABEL	(".Lvx_4x");
++	vlm	("%v20","%v23","0($inp)");	# load m0,m1,m2,m3
++
++	# m01,m23 -> base 2^26
++
++	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
++	vperm	(@m23[0],"%v22","%v23",@vperm[0]);
++	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
++	vperm	(@m23[2],"%v22","%v23",@vperm[1]);
++	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
++	vperm	(@m23[4],"%v22","%v23",@vperm[2]);
++
++	vesrlg	(@m01[1],@m01[0],26);
++	vesrlg	(@m23[1],@m23[0],26);
++	vesrlg	(@m01[3],@m01[2],30);
++	vesrlg	(@m23[3],@m23[2],30);
++	vesrlg	(@m01[2],@m01[2],4);
++	vesrlg	(@m23[2],@m23[2],4);
++
++	vn	(@m01[4],@m01[4],$mask4);
++	vn	(@m23[4],@m23[4],$mask4);
++for (0..3) {
++	vn	(@m01[$_],@m01[$_],$mask);
++	vn	(@m23[$_],@m23[$_],$mask);
++}
++	vaf	(@m01[4],@m01[4],$padvec);	# pad m01
++	vaf	(@m23[4],@m23[4],$padvec);	# pad m23
++
++	# acc = acc * r^4 + m01 * r^2 + m23
++
++	vlrepf	(@r5[$_],"4*$_+108($ctx)") for (0..4);	# load 5*r^2
++	vlrepf	(@r[$_],"4*$_+88($ctx)") for (0..4);	# load r^2
++
++	vmalof	(@tmp[0],@m01[4],@r5[1],@m23[0]);
++	vmalof	(@tmp[1],@m01[4],@r5[2],@m23[1]);
++	vmalof	(@tmp[2],@m01[4],@r5[3],@m23[2]);
++	vmalof	(@tmp[3],@m01[4],@r5[4],@m23[3]);
++	vmalof	(@tmp[4],@m01[4],@r[0],@m23[4]);
++
++	vmalof	(@tmp[0],@m01[3],@r5[2],@tmp[0]);
++	vmalof	(@tmp[1],@m01[3],@r5[3],@tmp[1]);
++	vmalof	(@tmp[2],@m01[3],@r5[4],@tmp[2]);
++	vmalof	(@tmp[3],@m01[3],@r[0],@tmp[3]);
++	vmalof	(@tmp[4],@m01[3],@r[1],@tmp[4]);
++
++	vmalof	(@tmp[0],@m01[2],@r5[3],@tmp[0]);
++	vmalof	(@tmp[1],@m01[2],@r5[4],@tmp[1]);
++	vmalof	(@tmp[2],@m01[2],@r[0],@tmp[2]);
++	vmalof	(@tmp[3],@m01[2],@r[1],@tmp[3]);
++	vmalof	(@tmp[4],@m01[2],@r[2],@tmp[4]);
++
++	vmalof	(@tmp[0],@m01[1],@r5[4],@tmp[0]);
++	vmalof	(@tmp[1],@m01[1],@r[0],@tmp[1]);
++	vmalof	(@tmp[2],@m01[1],@r[1],@tmp[2]);
++	vmalof	(@tmp[3],@m01[1],@r[2],@tmp[3]);
++	vmalof	(@tmp[4],@m01[1],@r[3],@tmp[4]);
++
++	vmalof	(@tmp[0],@m01[0],@r[0],@tmp[0]);
++	vmalof	(@tmp[1],@m01[0],@r[1],@tmp[1]);
++	vmalof	(@tmp[2],@m01[0],@r[2],@tmp[2]);
++	vmalof	(@tmp[3],@m01[0],@r[3],@tmp[3]);
++	vmalof	(@tmp[4],@m01[0],@r[4],@tmp[4]);
++
++	vlrepf	(@r5[$_],"4*$_+148($ctx)") for (0..4);	# load 5*r^4
++	vlrepf	(@r[$_],"4*$_+128($ctx)") for (0..4);	# load r^4
++
++	vmalof	(@tmp[0],@acc[4],@r5[1],@tmp[0]);
++	vmalof	(@tmp[1],@acc[4],@r5[2],@tmp[1]);
++	vmalof	(@tmp[2],@acc[4],@r5[3],@tmp[2]);
++	vmalof	(@tmp[3],@acc[4],@r5[4],@tmp[3]);
++	vmalof	(@tmp[4],@acc[4],@r[0],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
++	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
++	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
++	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
++	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
++	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
++	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
++	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
++	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
++	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
++	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
++	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
++	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
++
++	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
++	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
++	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
++	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
++	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
++
++	REDUCE	();
++
++	la	($inp,"64($inp)");
++	brctg	("%r1",".Lvx_4x");
++
++ALIGN	(16);
++LABEL	(".Lvx_4x_done");
++	tml	($len,32);
++	jz	(".Lvx_2x_done");
++
++	vlm	("%v20","%v21","0($inp)");	# load m0,m1
++
++	# m01 -> base 2^26
++
++	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
++	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
++	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
++
++	vesrlg	(@m01[1],@m01[0],26);
++	vesrlg	(@m01[3],@m01[2],30);
++	vesrlg	(@m01[2],@m01[2],4);
++
++	vn	(@m01[4],@m01[4],$mask4);
++	vn	(@m01[$_],@m01[$_],$mask) for (0..3);
++
++	vaf	(@m01[4],@m01[4],$padvec);	# pad m01
++
++	# acc = acc * r^2+ m01
++
++	vlrepf	(@r5[$_],"4*$_+108($ctx)") for (0..4);	# load 5*r^2
++	vlrepf	(@r[$_],"4*$_+88($ctx)") for (0..4);	# load r^2
++
++	vmalof	(@tmp[0],@acc[4],@r5[1],@m01[0]);
++	vmalof	(@tmp[1],@acc[4],@r5[2],@m01[1]);
++	vmalof	(@tmp[2],@acc[4],@r5[3],@m01[2]);
++	vmalof	(@tmp[3],@acc[4],@r5[4],@m01[3]);
++	vmalof	(@tmp[4],@acc[4],@r[0],@m01[4]);
++
++	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
++	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
++	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
++	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
++	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
++	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
++	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
++	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
++	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
++	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
++	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
++	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
++	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
++
++	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
++	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
++	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
++	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
++	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
++
++	REDUCE	();
++
++	la	($inp,"32($inp)");
++
++ALIGN	(16);
++LABEL	(".Lvx_2x_done");
++	tml	($len,16);
++	jz	(".Lvx_done");
++
++	vleig	($padvec,0,0);
++
++	vzero	("%v20");
++	vl	("%v21","0($inp)");	# load m0
++
++	# m0 -> base 2^26
++
++	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
++	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
++	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
++
++	vesrlg	(@m01[1],@m01[0],26);
++	vesrlg	(@m01[3],@m01[2],30);
++	vesrlg	(@m01[2],@m01[2],4);
++
++	vn	(@m01[4],@m01[4],$mask4);
++	vn	(@m01[$_],@m01[$_],$mask) for (0..3);
++
++	vaf	(@m01[4],@m01[4],$padvec);	# pad m0
++
++	# acc = acc * r + m01
++
++	vlrepf	(@r5[$_],"4*$_+68($ctx)") for (0..4);	# load 5*r
++	vlrepf	(@r[$_],"4*$_+48($ctx)") for (0..4);	# load r
++
++	vmalof	(@tmp[0],@acc[4],@r5[1],@m01[0]);
++	vmalof	(@tmp[1],@acc[4],@r5[2],@m01[1]);
++	vmalof	(@tmp[2],@acc[4],@r5[3],@m01[2]);
++	vmalof	(@tmp[3],@acc[4],@r5[4],@m01[3]);
++	vmalof	(@tmp[4],@acc[4],@r[0],@m01[4]);
++
++	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
++	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
++	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
++	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
++	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
++	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
++	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
++	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
++	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
++	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
++	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
++	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
++	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
++
++	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
++	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
++	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
++	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
++	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
++
++	REDUCE	();
++
++ALIGN	(16);
++LABEL	(".Lvx_done");
++	vstef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# store acc
++	vstef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);
++
++if ($z) {
++	vlm	("%v8","%v15","0($sp)");
++	la	($sp,"$frame($sp)");
++} else {
++	ld	("%f4","16*$SIZE_T+2*8($sp)");
++	ld	("%f6","16*$SIZE_T+3*8($sp)");
++}
++	br	("%r14");
++SIZE	("poly1305_blocks_vx",".-poly1305_blocks_vx");
++}
+ 
+-	stm${g}	%r6,%r14,`6*$SIZE_T`($sp)
++################
++# static void poly1305_emit_vx(void *ctx, unsigned char mac[16],
++#                              const u32 nonce[4])
++{
++my ($ctx,$mac,$nonce) = map("%r$_",(2..4));
++
++GLOBL	("poly1305_emit_vx");
++TYPE	("poly1305_emit_vx","\@function");
++ALIGN	(16);
++LABEL	("poly1305_emit_vx");
++if ($z) {
++	aghi	($sp,-$frame);
++	vstm	("%v8","%v15","0($sp)");
++} else {
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++}
++	larl	("%r5",".Lconst");
+ 
+-	llgfr   $padbit,$padbit		# clear upper half, much needed with
++	vlef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# load acc1
++	vlef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);	# load acc2
++	vlef	(@r5[$_],"108+4*$_($ctx)",1) for (0..4);	# load 5*r^2
++	vlef	(@r[$_],"88+4*$_($ctx)",1) for (0..4);	# load r^2
++	vlef	(@r5[$_],"68+4*$_($ctx)",3) for (0..4);	# load 5*r
++	vlef	(@r[$_],"48+4*$_($ctx)",3) for (0..4);	# load r
++	vl	($mask,"48(%r5)");	# load mask
++
++	# acc = acc1 * r^2 + acc2 * r
++
++	vmlof	(@tmp[0],@acc[4],@r5[1]);
++	vmlof	(@tmp[1],@acc[4],@r5[2]);
++	vmlof	(@tmp[2],@acc[4],@r5[3]);
++	vmlof	(@tmp[3],@acc[4],@r5[4]);
++	vmlof	(@tmp[4],@acc[4],@r[0]);
++
++	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
++	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
++	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
++	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
++	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
++	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
++	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
++	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
++	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
++
++	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
++	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
++	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
++	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
++	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
++
++	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
++	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
++	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
++	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
++	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
++
++	vzero	("%v27");
++	vsumqg	(@acc[$_],@acc[$_],"%v27") for (0..4);
++
++	REDUCE	();
++
++	vesrlg	(@tmp[1],@acc[1],26);
++	vn	(@acc[1],@acc[1],$mask);
++	vag	(@acc[2],@acc[2],@tmp[1]);	# carry 1->2
++
++	vesrlg	(@tmp[2],@acc[2],26);
++	vn	(@acc[2],@acc[2],$mask);
++	vag	(@acc[3],@acc[3],@tmp[2]);	# carry 2->3
++
++	vesrlg	(@tmp[3],@acc[3],26);
++	vn	(@acc[3],@acc[3],$mask);
++	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
++
++	# acc -> base 2^64
++	vleib	("%v30",6*8,7);
++	vleib	("%v29",13*8,7);
++	vleib	("%v28",3*8,7);
++
++	veslg	(@acc[1],@acc[1],26);
++	veslg	(@acc[3],@acc[3],26);
++	vo	(@acc[0],@acc[0],@acc[1]);
++	vo	(@acc[2],@acc[2],@acc[3]);
++
++	veslg	(@acc[2],@acc[2],4);
++	vslb	(@acc[2],@acc[2],"%v30");	# <<52
++	vo	(@acc[0],@acc[0],@acc[2]);
++
++	vslb	(@tmp[4],@acc[4],"%v29");	# <<104
++	vo	(@acc[0],@acc[0],@tmp[4]);
++
++	vsrlb	(@acc[1],@acc[4],"%v28");	# >>24
++
++	# acc %= 2^130-5
++	vone	("%v26");
++	vleig	("%v27",5,1);
++	vone	("%v29");
++	vleig	("%v26",-4,1);
++
++	vaq	(@tmp[0],@acc[0],"%v27");
++	vaccq	(@tmp[1],@acc[0],"%v27");
++
++	vaq	(@tmp[1],@tmp[1],"%v26");
++	vaccq	(@tmp[1],@tmp[1],@acc[1]);
++
++	vaq	(@tmp[1],@tmp[1],"%v29");
++
++	vn	(@tmp[2],@tmp[1],@acc[0]);
++	vnc	(@tmp[3],@tmp[0],@tmp[1]);
++	vo	(@acc[0],@tmp[2],@tmp[3]);
++
++	# acc += nonce
++	vl	(@vperm[0],"64(%r5)");
++	vlef	(@tmp[0],"4*$_($nonce)",3-$_) for (0..3);
++
++	vaq	(@acc[0],@acc[0],@tmp[0]);
++
++	vperm	(@acc[0],@acc[0],@acc[0],@vperm[0]);
++	vst	(@acc[0],"0($mac)");	# store mac
++
++if ($z) {
++	vlm	("%v8","%v15","0($sp)");
++	la	($sp,"$frame($sp)");
++} else {
++	ld	("%f4","16*$SIZE_T+2*8($sp)");
++	ld	("%f6","16*$SIZE_T+3*8($sp)");
++}
++	br	("%r14");
++SIZE	("poly1305_emit_vx",".-poly1305_emit_vx");
++}
++}
++
++# NOVX CODE PATH
++{
++################
++# static void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len,
++#                             u32 padbit)
++{
++my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5));
++
++my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14));
++my ($r0,$r1,$s1) = map("%r$_",(0..2));
++GLOBL	("poly1305_blocks");
++TYPE	("poly1305_blocks","\@function");
++ALIGN	(16);
++LABEL	("poly1305_blocks");
++$z?	srlg	($len,$len,4)	:srl	($len,4);
++	lghi	("%r0",0);
++&{$z?	\&clgr:\&clr}	($len,"%r0");
++	je	(".Lno_data");
++
++&{$z?	\&stmg:\&stm}	("%r6","%r14","6*$SIZE_T($sp)");
++
++	llgfr	($padbit,$padbit);	# clear upper half, much needed with
+ 					# non-64-bit ABI
+-	lg	$r0,32($ctx)		# load key
+-	lg	$r1,40($ctx)
++	lg	($r0,"32($ctx)");	# load key
++	lg	($r1,"40($ctx)");
+ 
+-	lg	$h0,0($ctx)		# load hash value
+-	lg	$h1,8($ctx)
+-	lg	$h2,16($ctx)
++	lg	($h0,"0($ctx)");	# load hash value
++	lg	($h1,"8($ctx)");
++	lg	($h2,"16($ctx)");
+ 
+-	st$g	$ctx,`2*$SIZE_T`($sp)	# off-load $ctx
+-	srlg	$s1,$r1,2
+-	algr	$s1,$r1			# s1 = r1 + r1>>2
+-	j	.Loop
++&{$z?	\&stg:\&st}	($ctx,"2*$SIZE_T($sp)");	# off-load $ctx
++	srlg	($s1,$r1,2);
++	algr	($s1,$r1);			# s1 = r1 + r1>>2
++	j	(".Loop");
+ 
+-.align	16
+-.Loop:
+-	lrvg	$d0lo,0($inp)		# load little-endian input
+-	lrvg	$d1lo,8($inp)
+-	la	$inp,16($inp)
++ALIGN	(16);
++LABEL	(".Loop");
++	lrvg	($d0lo,"0($inp)");	# load little-endian input
++	lrvg	($d1lo,"8($inp)");
++	la	($inp,"16($inp)");
+ 
+-	algr	$d0lo,$h0		# accumulate input
+-	alcgr	$d1lo,$h1
++	algr	($d0lo,$h0);		# accumulate input
++	alcgr	($d1lo,$h1);
+ 
+-	lgr	$h0,$d0lo
+-	mlgr	$d0hi,$r0		# h0*r0	  -> $d0hi:$d0lo
+-	lgr	$h1,$d1lo
+-	mlgr	$d1hi,$s1		# h1*5*r1 -> $d1hi:$d1lo
++	lgr	($h0,$d0lo);
++	mlgr	($d0hi,$r0);		# h0*r0	  -> $d0hi:$d0lo
++	lgr	($h1,$d1lo);
++	mlgr	($d1hi,$s1);		# h1*5*r1 -> $d1hi:$d1lo
+ 
+-	mlgr	$t0,$r1			# h0*r1   -> $t0:$h0
+-	mlgr	$t1,$r0			# h1*r0   -> $t1:$h1
+-	alcgr	$h2,$padbit
++	mlgr	($t0,$r1);		# h0*r1   -> $t0:$h0
++	mlgr	($t1,$r0);		# h1*r0   -> $t1:$h1
++	alcgr	($h2,$padbit);
+ 
+-	algr	$d0lo,$d1lo
+-	lgr	$d1lo,$h2
+-	alcgr	$d0hi,$d1hi
+-	lghi	$d1hi,0
++	algr	($d0lo,$d1lo);
++	lgr	($d1lo,$h2);
++	alcgr	($d0hi,$d1hi);
++	lghi	($d1hi,0);
+ 
+-	algr	$h1,$h0
+-	alcgr	$t1,$t0
++	algr	($h1,$h0);
++	alcgr	($t1,$t0);
+ 
+-	msgr	$d1lo,$s1		# h2*s1
+-	msgr	$h2,$r0			# h2*r0
++	msgr	($d1lo,$s1);		# h2*s1
++	msgr	($h2,$r0);		# h2*r0
+ 
+-	algr	$h1,$d1lo
+-	alcgr	$t1,$d1hi		# $d1hi is zero
++	algr	($h1,$d1lo);
++	alcgr	($t1,$d1hi);		# $d1hi is zero
+ 
+-	algr	$h1,$d0hi
+-	alcgr	$h2,$t1
++	algr	($h1,$d0hi);
++	alcgr	($h2,$t1);
+ 
+-	lghi	$h0,-4			# final reduction step
+-	ngr	$h0,$h2
+-	srlg	$t0,$h2,2
+-	algr	$h0,$t0
+-	lghi	$t1,3
+-	ngr	$h2,$t1
++	lghi	($h0,-4);		# final reduction step
++	ngr	($h0,$h2);
++	srlg	($t0,$h2,2);
++	algr	($h0,$t0);
++	lghi	($t1,3);
++	ngr	($h2,$t1);
+ 
+-	algr	$h0,$d0lo
+-	alcgr	$h1,$d1hi		# $d1hi is still zero
+-	alcgr	$h2,$d1hi		# $d1hi is still zero
++	algr	($h0,$d0lo);
++	alcgr	($h1,$d1hi);		# $d1hi is still zero
++	alcgr	($h2,$d1hi);		# $d1hi is still zero
+ 
+-	brct$g	$len,.Loop
++&{$z?	\&brctg:\&brct}	($len,".Loop");
+ 
+-	l$g	$ctx,`2*$SIZE_T`($sp)	# restore $ctx
++&{$z?	\&lg:\&l}	($ctx,"2*$SIZE_T($sp)");# restore $ctx
+ 
+-	stg	$h0,0($ctx)		# store hash value
+-	stg	$h1,8($ctx)
+-	stg	$h2,16($ctx)
++	stg	($h0,"0($ctx)");	# store hash value
++	stg	($h1,"8($ctx)");
++	stg	($h2,"16($ctx)");
+ 
+-	lm${g}	%r6,%r14,`6*$SIZE_T`($sp)
+-.Lno_data:
+-	br	%r14
+-.size	poly1305_blocks,.-poly1305_blocks
+-___
++&{$z?	\&lmg:\&lm}	("%r6","%r14","6*$SIZE_T($sp)");
++LABEL	(".Lno_data");
++	br	("%r14");
++SIZE	("poly1305_blocks",".-poly1305_blocks");
+ }
++
++################
++# static void poly1305_emit(void *ctx, unsigned char mac[16],
++#                           const u32 nonce[4])
+ {
+-my ($mac,$nonce)=($inp,$len);
++my ($ctx,$mac,$nonce) = map("%r$_",(2..4));
+ my ($h0,$h1,$h2,$d0,$d1)=map("%r$_",(5..9));
+ 
+-$code.=<<___;
+-.globl	poly1305_emit
+-.type	poly1305_emit,\@function
+-.align	16
+-poly1305_emit:
+-	stm${g}	%r6,%r9,`6*$SIZE_T`($sp)
+-
+-	lg	$h0,0($ctx)
+-	lg	$h1,8($ctx)
+-	lg	$h2,16($ctx)
+-
+-	lghi	%r0,5
+-	lghi	%r1,0
+-	lgr	$d0,$h0
+-	lgr	$d1,$h1
+-
+-	algr	$h0,%r0			# compare to modulus
+-	alcgr	$h1,%r1
+-	alcgr	$h2,%r1
+-
+-	srlg	$h2,$h2,2		# did it borrow/carry?
+-	slgr	%r1,$h2			# 0-$h2>>2
+-	lg	$h2,0($nonce)		# load nonce
+-	lghi	%r0,-1
+-	lg	$ctx,8($nonce)
+-	xgr	%r0,%r1			# ~%r1
+-
+-	ngr	$h0,%r1
+-	ngr	$d0,%r0
+-	ngr	$h1,%r1
+-	ngr	$d1,%r0
+-	ogr	$h0,$d0
+-	rllg	$d0,$h2,32		# flip nonce words
+-	ogr	$h1,$d1
+-	rllg	$d1,$ctx,32
+-
+-	algr	$h0,$d0			# accumulate nonce
+-	alcgr	$h1,$d1
+-
+-	strvg	$h0,0($mac)		# write little-endian result
+-	strvg	$h1,8($mac)
+-
+-	lm${g}	%r6,%r9,`6*$SIZE_T`($sp)
+-	br	%r14
+-.size	poly1305_emit,.-poly1305_emit
+-
+-.string	"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>"
+-___
+-}
+-
+-$code =~ s/\`([^\`]*)\`/eval $1/gem;
+-$code =~ s/\b(srlg\s+)(%r[0-9]+\s*,)\s*([0-9]+)/$1$2$2$3/gm;
+-
+-print $code;
+-close STDOUT or die "error closing STDOUT: $!";
++GLOBL	("poly1305_emit");
++TYPE	("poly1305_emit","\@function");
++ALIGN	(16);
++LABEL	("poly1305_emit");
++&{$z?	\&stmg:\&stm}	("%r6","%r9","6*$SIZE_T($sp)");
++
++	lg	($h0,"0($ctx)");
++	lg	($h1,"8($ctx)");
++	lg	($h2,"16($ctx)");
++
++	lghi	("%r0",5);
++	lghi	("%r1",0);
++	lgr	($d0,$h0);
++	lgr	($d1,$h1);
++
++	algr	($h0,"%r0");		# compare to modulus
++	alcgr	($h1,"%r1");
++	alcgr	($h2,"%r1");
++
++	srlg	($h2,$h2,2);		# did it borrow/carry?
++	slgr	("%r1",$h2);		# 0-$h2>>2
++	lg	($h2,"0($nonce)");	# load nonce
++	lghi	("%r0",-1);
++	lg	($ctx,"8($nonce)");
++	xgr	("%r0","%r1");		# ~%r1
++
++	ngr	($h0,"%r1");
++	ngr	($d0,"%r0");
++	ngr	($h1,"%r1");
++	ngr	($d1,"%r0");
++	ogr	($h0,$d0);
++	rllg	($d0,$h2,32);		# flip nonce words
++	ogr	($h1,$d1);
++	rllg	($d1,$ctx,32);
++
++	algr	($h0,$d0);		# accumulate nonce
++	alcgr	($h1,$d1);
++
++	strvg	($h0,"0($mac)");	# write little-endian result
++	strvg	($h1,"8($mac)");
++
++&{$z?	\&lmg:\&lm}	("%r6","%r9","6*$SIZE_T($sp)");
++	br	("%r14");
++SIZE	("poly1305_emit",".-poly1305_emit");
++}
++}
++################
++
++ALIGN	(128);
++LABEL	(".Lconst");
++LONG	(0x00060504,0x03020100,0x00161514,0x13121110);	# vperm op[m[1],m[0]]
++LONG	(0x000c0b0a,0x09080706,0x001c1b1a,0x19181716);	# vperm op[m[3],m[2]]
++LONG	(0x00000000,0x000f0e0d,0x00000000,0x001f1e1d);	# vperm op[  - ,m[4]]
++LONG	(0x00000000,0x03ffffff,0x00000000,0x03ffffff);	# [0,2^26-1,0,2^26-1]
++LONG	(0x0f0e0d0c,0x0b0a0908,0x07060504,0x03020100);	# vperm op endian
++STRING	("\"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
++
++PERLASM_END();
+-- 
+2.21.0
+
diff --git a/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch b/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
new file mode 100644
index 0000000..e12cc9f
--- /dev/null
+++ b/0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
@@ -0,0 +1,31 @@
+From b2b580fe445e064da50c13d3e00f71022da16ece Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Fri, 15 Feb 2019 22:59:09 +0100
+Subject: [PATCH] s390x assembly pack: fix formal interface bug in chacha
+ module
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8257)
+---
+ crypto/chacha/asm/chacha-s390x.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl
+index 005c810e20..abf7283dd8 100755
+--- a/crypto/chacha/asm/chacha-s390x.pl
++++ b/crypto/chacha/asm/chacha-s390x.pl
+@@ -225,7 +225,7 @@ LABEL	("ChaCha20_ctr32");
+ 	larl	("%r1","OPENSSL_s390xcap_P");
+ 
+ 	lghi	("%r0",64);
+-&{$z?	\&cgr:\&cr}	($len,"%r0");
++&{$z?	\&clgr:\&clr}	($len,"%r0");
+ 	jle	("_s390x_chacha_novx");
+ 
+ 	lg	("%r0","S390X_STFLE+16(%r1)");
+-- 
+2.21.0
+
diff --git a/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch b/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
new file mode 100644
index 0000000..c0efc62
--- /dev/null
+++ b/0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
@@ -0,0 +1,1094 @@
+From d1229190bfbb19439589557e4d65f9bccab09b2d Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Mon, 25 Feb 2019 18:55:04 +0100
+Subject: [PATCH] s390x assembly pack: import chacha from cryptogams repo
+
+featuring 6x"horizontal" code path which is up to 25%
+faster than present 4x"vertical" for larger blocks.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8287)
+---
+ crypto/chacha/asm/chacha-s390x.pl | 1006 +++++++++++++++++++++--------
+ 1 file changed, 719 insertions(+), 287 deletions(-)
+
+diff --git a/crypto/chacha/asm/chacha-s390x.pl b/crypto/chacha/asm/chacha-s390x.pl
+index abf7283dd8..51efe64408 100755
+--- a/crypto/chacha/asm/chacha-s390x.pl
++++ b/crypto/chacha/asm/chacha-s390x.pl
+@@ -23,11 +23,20 @@
+ #
+ # August 2018
+ #
+-# Add vx code path.
++# Add vx code path: 4x"vertical".
+ #
+ # Copyright IBM Corp. 2018
+ # Author: Patrick Steuer <patrick.steuer@de.ibm.com>
+ 
++#
++# February 2019
++#
++# Add 6x"horizontal" VX implementation. It's ~25% faster than IBM's
++# 4x"vertical" submission [on z13] and >3 faster than scalar code.
++# But to harness overheads revert to transliteration of VSX code path
++# from chacha-ppc module, which is also 4x"vertical", to handle inputs
++# not longer than 256 bytes.
++
+ use strict;
+ use FindBin qw($Bin);
+ use lib "$Bin/../..";
+@@ -50,11 +59,9 @@ while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+ my $sp="%r15";
+ my $stdframe=16*$SIZE_T+4*8;
+ 
++sub ROUND {
+ my @x=map("%r$_",(0..7,"x","x","x","x",(10..13)));
+ my @t=map("%r$_",(8,9));
+-my @v=map("%v$_",(16..31));
+-
+-sub ROUND {
+ my ($a0,$b0,$c0,$d0)=@_;
+ my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+@@ -143,63 +150,92 @@ my ($xc,$xc_)=map("$_",@t);
+ 	 rll	(@x[$b3],@x[$b3],7);
+ }
+ 
+-sub VX_ROUND {
++sub VX_lane_ROUND {
+ my ($a0,$b0,$c0,$d0)=@_;
+ my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
+ my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
+ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
++my @x=map("%v$_",(0..15));
++
++	vaf	(@x[$a0],@x[$a0],@x[$b0]);	# Q1
++	vx	(@x[$d0],@x[$d0],@x[$a0]);
++	verllf	(@x[$d0],@x[$d0],16);
++	vaf	(@x[$a1],@x[$a1],@x[$b1]);	# Q2
++	vx	(@x[$d1],@x[$d1],@x[$a1]);
++	verllf	(@x[$d1],@x[$d1],16);
++	vaf	(@x[$a2],@x[$a2],@x[$b2]);	# Q3
++	vx	(@x[$d2],@x[$d2],@x[$a2]);
++	verllf	(@x[$d2],@x[$d2],16);
++	vaf	(@x[$a3],@x[$a3],@x[$b3]);	# Q4
++	vx	(@x[$d3],@x[$d3],@x[$a3]);
++	verllf	(@x[$d3],@x[$d3],16);
++
++	vaf	(@x[$c0],@x[$c0],@x[$d0]);
++	vx	(@x[$b0],@x[$b0],@x[$c0]);
++	verllf	(@x[$b0],@x[$b0],12);
++	vaf	(@x[$c1],@x[$c1],@x[$d1]);
++	vx	(@x[$b1],@x[$b1],@x[$c1]);
++	verllf	(@x[$b1],@x[$b1],12);
++	vaf	(@x[$c2],@x[$c2],@x[$d2]);
++	vx	(@x[$b2],@x[$b2],@x[$c2]);
++	verllf	(@x[$b2],@x[$b2],12);
++	vaf	(@x[$c3],@x[$c3],@x[$d3]);
++	vx	(@x[$b3],@x[$b3],@x[$c3]);
++	verllf	(@x[$b3],@x[$b3],12);
++
++	vaf	(@x[$a0],@x[$a0],@x[$b0]);
++	vx	(@x[$d0],@x[$d0],@x[$a0]);
++	verllf	(@x[$d0],@x[$d0],8);
++	vaf	(@x[$a1],@x[$a1],@x[$b1]);
++	vx	(@x[$d1],@x[$d1],@x[$a1]);
++	verllf	(@x[$d1],@x[$d1],8);
++	vaf	(@x[$a2],@x[$a2],@x[$b2]);
++	vx	(@x[$d2],@x[$d2],@x[$a2]);
++	verllf	(@x[$d2],@x[$d2],8);
++	vaf	(@x[$a3],@x[$a3],@x[$b3]);
++	vx	(@x[$d3],@x[$d3],@x[$a3]);
++	verllf	(@x[$d3],@x[$d3],8);
++
++	vaf	(@x[$c0],@x[$c0],@x[$d0]);
++	vx	(@x[$b0],@x[$b0],@x[$c0]);
++	verllf	(@x[$b0],@x[$b0],7);
++	vaf	(@x[$c1],@x[$c1],@x[$d1]);
++	vx	(@x[$b1],@x[$b1],@x[$c1]);
++	verllf	(@x[$b1],@x[$b1],7);
++	vaf	(@x[$c2],@x[$c2],@x[$d2]);
++	vx	(@x[$b2],@x[$b2],@x[$c2]);
++	verllf	(@x[$b2],@x[$b2],7);
++	vaf	(@x[$c3],@x[$c3],@x[$d3]);
++	vx	(@x[$b3],@x[$b3],@x[$c3]);
++	verllf	(@x[$b3],@x[$b3],7);
++}
+ 
+-	vaf	(@v[$a0],@v[$a0],@v[$b0]);
+-	vaf	(@v[$a1],@v[$a1],@v[$b1]);
+-	vaf	(@v[$a2],@v[$a2],@v[$b2]);
+-	vaf	(@v[$a3],@v[$a3],@v[$b3]);
+-	vx	(@v[$d0],@v[$d0],@v[$a0]);
+-	vx	(@v[$d1],@v[$d1],@v[$a1]);
+-	vx	(@v[$d2],@v[$d2],@v[$a2]);
+-	vx	(@v[$d3],@v[$d3],@v[$a3]);
+-	verllf	(@v[$d0],@v[$d0],16);
+-	verllf	(@v[$d1],@v[$d1],16);
+-	verllf	(@v[$d2],@v[$d2],16);
+-	verllf	(@v[$d3],@v[$d3],16);
+-
+-	vaf	(@v[$c0],@v[$c0],@v[$d0]);
+-	vaf	(@v[$c1],@v[$c1],@v[$d1]);
+-	vaf	(@v[$c2],@v[$c2],@v[$d2]);
+-	vaf	(@v[$c3],@v[$c3],@v[$d3]);
+-	vx	(@v[$b0],@v[$b0],@v[$c0]);
+-	vx	(@v[$b1],@v[$b1],@v[$c1]);
+-	vx	(@v[$b2],@v[$b2],@v[$c2]);
+-	vx	(@v[$b3],@v[$b3],@v[$c3]);
+-	verllf	(@v[$b0],@v[$b0],12);
+-	verllf	(@v[$b1],@v[$b1],12);
+-	verllf	(@v[$b2],@v[$b2],12);
+-	verllf	(@v[$b3],@v[$b3],12);
+-
+-	vaf	(@v[$a0],@v[$a0],@v[$b0]);
+-	vaf	(@v[$a1],@v[$a1],@v[$b1]);
+-	vaf	(@v[$a2],@v[$a2],@v[$b2]);
+-	vaf	(@v[$a3],@v[$a3],@v[$b3]);
+-	vx	(@v[$d0],@v[$d0],@v[$a0]);
+-	vx	(@v[$d1],@v[$d1],@v[$a1]);
+-	vx	(@v[$d2],@v[$d2],@v[$a2]);
+-	vx	(@v[$d3],@v[$d3],@v[$a3]);
+-	verllf	(@v[$d0],@v[$d0],8);
+-	verllf	(@v[$d1],@v[$d1],8);
+-	verllf	(@v[$d2],@v[$d2],8);
+-	verllf	(@v[$d3],@v[$d3],8);
+-
+-	vaf	(@v[$c0],@v[$c0],@v[$d0]);
+-	vaf	(@v[$c1],@v[$c1],@v[$d1]);
+-	vaf	(@v[$c2],@v[$c2],@v[$d2]);
+-	vaf	(@v[$c3],@v[$c3],@v[$d3]);
+-	vx	(@v[$b0],@v[$b0],@v[$c0]);
+-	vx	(@v[$b1],@v[$b1],@v[$c1]);
+-	vx	(@v[$b2],@v[$b2],@v[$c2]);
+-	vx	(@v[$b3],@v[$b3],@v[$c3]);
+-	verllf	(@v[$b0],@v[$b0],7);
+-	verllf	(@v[$b1],@v[$b1],7);
+-	verllf	(@v[$b2],@v[$b2],7);
+-	verllf	(@v[$b3],@v[$b3],7);
++sub VX_ROUND {
++my @a=@_[0..5];
++my @b=@_[6..11];
++my @c=@_[12..17];
++my @d=@_[18..23];
++my $odd=@_[24];
++
++	vaf		(@a[$_],@a[$_],@b[$_]) for (0..5);
++	vx		(@d[$_],@d[$_],@a[$_]) for (0..5);
++	verllf		(@d[$_],@d[$_],16) for (0..5);
++
++	vaf		(@c[$_],@c[$_],@d[$_]) for (0..5);
++	vx		(@b[$_],@b[$_],@c[$_]) for (0..5);
++	verllf		(@b[$_],@b[$_],12) for (0..5);
++
++	vaf		(@a[$_],@a[$_],@b[$_]) for (0..5);
++	vx		(@d[$_],@d[$_],@a[$_]) for (0..5);
++	verllf		(@d[$_],@d[$_],8) for (0..5);
++
++	vaf		(@c[$_],@c[$_],@d[$_]) for (0..5);
++	vx		(@b[$_],@b[$_],@c[$_]) for (0..5);
++	verllf		(@b[$_],@b[$_],7) for (0..5);
++
++	vsldb		(@c[$_],@c[$_],@c[$_],8) for (0..5);
++	vsldb		(@b[$_],@b[$_],@b[$_],$odd?12:4) for (0..5);
++	vsldb		(@d[$_],@d[$_],@d[$_],$odd?4:12) for (0..5);
+ }
+ 
+ PERLASM_BEGIN($output);
+@@ -210,13 +246,11 @@ TEXT	();
+ ################
+ # void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, size_t len,
+ #                     const unsigned int key[8], const unsigned int counter[4])
+-{
+ my ($out,$inp,$len,$key,$counter)=map("%r$_",(2..6));
+-
+-# VX CODE PATH
+ {
+-my $off=$z*8*16+8;	# offset(initial state)
+-my $frame=$stdframe+4*16+$off;
++my $frame=$stdframe+4*20;
++my @x=map("%r$_",(0..7,"x","x","x","x",(10..13)));
++my @t=map("%r$_",(8,9));
+ 
+ GLOBL	("ChaCha20_ctr32");
+ TYPE	("ChaCha20_ctr32","\@function");
+@@ -225,230 +259,16 @@ LABEL	("ChaCha20_ctr32");
+ 	larl	("%r1","OPENSSL_s390xcap_P");
+ 
+ 	lghi	("%r0",64);
++&{$z?	\&ltgr:\&ltr}	($len,$len);		# len==0?
++	bzr	("%r14");
++	lg	("%r1","S390X_STFLE+16(%r1)");
+ &{$z?	\&clgr:\&clr}	($len,"%r0");
+-	jle	("_s390x_chacha_novx");
+-
+-	lg	("%r0","S390X_STFLE+16(%r1)");
+-	tmhh	("%r0",0x4000);	# check for vector facility
+-	jz	("_s390x_chacha_novx");
+-
+-if (!$z) {
+-	llgfr   ($len,$len);
+-	std	("%f4","16*$SIZE_T+2*8($sp)");
+-	std	("%f6","16*$SIZE_T+3*8($sp)");
+-}
+-&{$z?	\&stmg:\&stm}	("%r6","%r7","6*$SIZE_T($sp)");
++	jle	(".Lshort");
+ 
+-	lghi	("%r1",-$frame);
+-	lgr	("%r0",$sp);
+-	la	($sp,"0(%r1,$sp)");	# allocate stack frame
++	tmhh	("%r1",0x4000);			# check for vx bit
++	jnz	(".LChaCha20_ctr32_vx");
+ 
+-	larl	("%r7",".Lsigma");
+-&{$z?	\&stg:\&st}	("%r0","0($sp)");	# backchain
+-
+-	vstm	("%v8","%v15","8($sp)") if ($z);
+-
+-	vlm	("%v1","%v2","0($key)");	# load key
+-	vl	("%v0","0(%r7)");	# load sigma constant
+-	vl	("%v3","0($counter)");	# load iv (counter||nonce)
+-	l	("%r0","0($counter)");	# load counter
+-	vstm	("%v0","%v3","$off($sp)");	# copy initial state to stack
+-
+-	srlg	("%r1",$len,8);
+-	ltgr	("%r1","%r1");
+-	jz	(".Lvx_4x_done");
+-
+-ALIGN	(16);	# process 4 64-byte blocks
+-LABEL	(".Lvx_4x");
+-	vlrepf	("%v$_",($_*4)."+$off($sp)") for (0..15);	# load initial
+-								#  state
+-	vl	("%v31","16(%r7)");
+-	vaf	("%v12","%v12","%v31");	# increment counter
+-
+-	vlr	(@v[$_],"%v$_") for (0..15);	# copy initial state
+-
+-	lhi	("%r6",10);
+-	j	(".Loop_vx_4x");
+-
+-ALIGN	(16);
+-LABEL	(".Loop_vx_4x");
+-	VX_ROUND( 0, 4, 8,12);	# column round
+-	VX_ROUND( 0, 5,10,15);	# diagonal round
+-	brct	("%r6",".Loop_vx_4x");
+-
+-	vaf	(@v[$_],@v[$_],"%v$_") for (0..15);	# state += initial
+-							#  state (mod 32)
+-	vlm	("%v6","%v7","32(%r7)");	# load vperm operands
+-
+-for (0..3) {	# blocks 1,2
+-	vmrhf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
+-	vmrhf	("%v1",@v[$_*4+2],@v[$_*4+3]);
+-	vperm	("%v".($_+ 8),"%v0","%v1","%v6");
+-	vperm	("%v".($_+12),"%v0","%v1","%v7");
+-}
+-	vlm	("%v0","%v7","0($inp)");	# load in
+-	vx	("%v$_","%v$_","%v".($_+8)) for (0..7);	# out = in ^ ks
+-	vstm	("%v0","%v7","0($out)");	# store out
+-
+-	vlm	("%v6","%v7","32(%r7)");	# restore vperm operands
+-
+-for (0..3) {	# blocks 2,3
+-	vmrlf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
+-	vmrlf	("%v1",@v[$_*4+2],@v[$_*4+3]);
+-	vperm	("%v".($_+ 8),"%v0","%v1","%v6");
+-	vperm	("%v".($_+12),"%v0","%v1","%v7");
+-}
+-	vlm	("%v0","%v7","128($inp)");	# load in
+-	vx	("%v$_","%v$_","%v".($_+8)) for (0..7);	# out = in ^ ks
+-	vstm	("%v0","%v7","128($out)");	# store out
+-
+-	ahi	("%r0",4);
+-	st	("%r0","48+$off($sp)");	# update initial state
+-
+-	la	($inp,"256($inp)");
+-	la	($out,"256($out)");
+-	brctg	("%r1",".Lvx_4x");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_4x_done");
+-	lghi	("%r1",0xff);
+-	ngr	($len,"%r1");
+-	jnz	(".Lvx_rem");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_done");
+-	vzero	("%v$_") for (16..31);	# wipe ks and key copy
+-	vstm	("%v16","%v17","16+$off($sp)");
+-	vlm	("%v8","%v15","8($sp)") if ($z);
+-
+-	la	($sp,"$frame($sp)");
+-&{$z?	\&lmg:\&lm}	("%r6","%r7","6*$SIZE_T($sp)");
+-
+-if (!$z) {
+-	ld	("%f4","16*$SIZE_T+2*8($sp)");
+-	ld	("%f6","16*$SIZE_T+3*8($sp)");
+-	vzero	("%v$_") for (8..15);
+-}
+-	br	("%r14");
+-ALIGN	(16);
+-LABEL	(".Lvx_rem");
+-	lhi	("%r0",64);
+-
+-	sr	($len,"%r0");
+-	brc	(2,".Lvx_rem_g64");	# cc==2?
+-
+-	lghi	("%r1",-$stdframe);
+-
+-	la	($counter,"48+$off($sp)");	# load updated iv
+-	ar	($len,"%r0");	# restore len
+-
+-	lgr	("%r7",$counter);
+-&{$z?	\&stg:\&st}	("%r14","14*$SIZE_T+$frame($sp)");
+-	la	($sp,"0(%r1,$sp)");
+-
+-	bras	("%r14","_s390x_chacha_novx");
+-
+-	la	($sp,"$stdframe($sp)");
+-&{$z?	\&lg:\&l}	("%r14","14*$SIZE_T+$frame($sp)");
+-	lgr	($counter,"%r7");
+-	j	(".Lvx_done");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_rem_g64");
+-	vlrepf	("%v$_",($_*4)."+$off($sp)") for (0..15);	# load initial
+-								#  state
+-	vl	("%v31","16(%r7)");
+-	vaf	("%v12","%v12","%v31");	# increment counter
+-
+-	vlr	(@v[$_],"%v$_") for (0..15);	# state = initial state
+-
+-	lhi	("%r6",10);
+-	j	(".Loop_vx_rem");
+-
+-ALIGN	(16);
+-LABEL	(".Loop_vx_rem");
+-	VX_ROUND( 0, 4, 8,12);	# column round
+-	VX_ROUND( 0, 5,10,15);	# diagonal round
+-	brct	("%r6",".Loop_vx_rem");
+-
+-	vaf	(@v[$_],@v[$_],"%v$_") for (0..15);	# state += initial
+-							#  state (mod 32)
+-	vlm	("%v6","%v7","32(%r7)");	# load vperm operands
+-
+-for (0..3) {	# blocks 1,2
+-	vmrhf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
+-	vmrhf	("%v1",@v[$_*4+2],@v[$_*4+3]);
+-	vperm	("%v".($_+8),"%v0","%v1","%v6");
+-	vperm	("%v".($_+12),"%v0","%v1","%v7");
+-}
+-	vlm	("%v0","%v3","0($inp)");	# load in
+-	vx	("%v$_","%v$_","%v".($_+8)) for (0..3);	# out = in ^ ks
+-	vstm	("%v0","%v3","0($out)");	# store out
+-
+-	la	($inp,"64($inp)");
+-	la	($out,"64($out)");
+-
+-	sr	($len,"%r0");
+-	brc	(4,".Lvx_tail");	# cc==4?
+-
+-	vlm	("%v0","%v3","0($inp)");	# load in
+-	vx	("%v$_","%v$_","%v".($_+12)) for (0..3);	# out = in ^ ks
+-	vstm	("%v0","%v3","0($out)");	# store out
+-	jz	(".Lvx_done");
+-
+-for (0..3) {	# blocks 3,4
+-	vmrlf	("%v0",@v[$_*4+0],@v[$_*4+1]);	# ks = serialize(state)
+-	vmrlf	("%v1",@v[$_*4+2],@v[$_*4+3]);
+-	vperm	("%v".($_+12),"%v0","%v1","%v6");
+-	vperm	("%v".($_+8),"%v0","%v1","%v7");
+-}
+-	la	($inp,"64($inp)");
+-	la	($out,"64($out)");
+-
+-	sr	($len,"%r0");
+-	brc	(4,".Lvx_tail");	# cc==4?
+-
+-	vlm	("%v0","%v3","0($inp)");	# load in
+-	vx	("%v$_","%v$_","%v".($_+12)) for (0..3);	# out = in ^ ks
+-	vstm	("%v0","%v3","0($out)");	# store out
+-	jz	(".Lvx_done");
+-
+-	la	($inp,"64($inp)");
+-	la	($out,"64($out)");
+-
+-	sr	($len,"%r0");
+-	vlr	("%v".($_+4),"%v$_") for (8..11);
+-	j	(".Lvx_tail");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_tail");
+-	ar	($len,"%r0");	# restore $len
+-	ahi	($len,-1);
+-
+-	lhi	("%r0",16);
+-for (0..2) {
+-	vll	("%v0",$len,($_*16)."($inp)");
+-	vx	("%v0","%v0","%v".($_+12));
+-	vstl	("%v0",$len,($_*16)."($out)");
+-	sr	($len,"%r0");
+-	brc	(4,".Lvx_done");	# cc==4?
+-}
+-	vll	("%v0",$len,"3*16($inp)");
+-	vx	("%v0","%v0","%v15");
+-	vstl	("%v0",$len,"3*16($out)");
+-	j	(".Lvx_done");
+-SIZE	("ChaCha20_ctr32",".-ChaCha20_ctr32");
+-}
+-
+-# NOVX CODE PATH
+-{
+-my $frame=$stdframe+4*20;
+-
+-TYPE	("_s390x_chacha_novx","\@function");
+-ALIGN	(32);
+-LABEL	("_s390x_chacha_novx");
+-&{$z?	\&ltgr:\&ltr}	($len,$len);	# $len==0?
+-	bzr	("%r14");
++LABEL	(".Lshort");
+ &{$z?	\&aghi:\&ahi}	($len,-64);
+ &{$z?	\&lghi:\&lhi}	("%r1",-$frame);
+ &{$z?	\&stmg:\&stm}	("%r6","%r15","6*$SIZE_T($sp)");
+@@ -607,17 +427,629 @@ LABEL	(".Loop_tail");
+ 	brct	(@t[1],".Loop_tail");
+ 
+ 	j	(".Ldone");
+-SIZE	("_s390x_chacha_novx",".-_s390x_chacha_novx");
++SIZE	("ChaCha20_ctr32",".-ChaCha20_ctr32");
++}
++
++########################################################################
++# 4x"vertical" layout minimizes amount of instructions, but pipeline
++# runs underutilized [because of vector instructions' high latency].
++# On the other hand minimum amount of data it takes to fully utilize
++# the pipeline is higher, so that effectively, short inputs would be
++# processed slower. Hence this code path targeting <=256 bytes lengths.
++#
++{
++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
++    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3)=map("%v$_",(0..15));
++my @K=map("%v$_",(16..19));
++my $CTR="%v26";
++my ($xt0,$xt1,$xt2,$xt3)=map("%v$_",(27..30));
++my $beperm="%v31";
++my ($x00,$x10,$x20,$x30)=(0,map("r$_",(8..10)));
++my $FRAME=$stdframe+4*16;
++
++ALIGN	(32);
++LABEL	("ChaCha20_ctr32_4x");
++LABEL	(".LChaCha20_ctr32_4x");
++&{$z?	\&stmg:\&stm}	("%r6","%r7","6*$SIZE_T($sp)");
++if (!$z) {
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++}
++&{$z?	\&lghi:\&lhi}	("%r1",-$FRAME);
++	lgr	("%r0",$sp);
++	la	($sp,"0(%r1,$sp)");
++&{$z?	\&stg:\&st}	("%r0","0($sp)");	# back-chain
++if ($z) {
++	std	("%f8","$stdframe+8*0($sp)");
++	std	("%f9","$stdframe+8*1($sp)");
++	std	("%f10","$stdframe+8*2($sp)");
++	std	("%f11","$stdframe+8*3($sp)");
++	std	("%f12","$stdframe+8*4($sp)");
++	std	("%f13","$stdframe+8*5($sp)");
++	std	("%f14","$stdframe+8*6($sp)");
++	std	("%f15","$stdframe+8*7($sp)");
++}
++	larl	("%r7",".Lsigma");
++	lhi	("%r0",10);
++	lhi	("%r1",0);
++
++	vl	(@K[0],"0(%r7)");		# load sigma
++	vl	(@K[1],"0($key)");		# load key
++	vl	(@K[2],"16($key)");
++	vl	(@K[3],"0($counter)");		# load counter
++
++	vl	($beperm,"0x40(%r7)");
++	vl	($xt1,"0x50(%r7)");
++	vrepf	($CTR,@K[3],0);
++	vlvgf	(@K[3],"%r1",0);		# clear @K[3].word[0]
++	vaf	($CTR,$CTR,$xt1);
++
++#LABEL	(".Loop_outer_4x");
++	vlm	($xa0,$xa3,"0x60(%r7)");	# load [smashed] sigma
++
++	vrepf	($xb0,@K[1],0);			# smash the key
++	vrepf	($xb1,@K[1],1);
++	vrepf	($xb2,@K[1],2);
++	vrepf	($xb3,@K[1],3);
++
++	vrepf	($xc0,@K[2],0);
++	vrepf	($xc1,@K[2],1);
++	vrepf	($xc2,@K[2],2);
++	vrepf	($xc3,@K[2],3);
++
++	vlr	($xd0,$CTR);
++	vrepf	($xd1,@K[3],1);
++	vrepf	($xd2,@K[3],2);
++	vrepf	($xd3,@K[3],3);
++
++LABEL	(".Loop_4x");
++	VX_lane_ROUND(0, 4, 8,12);
++	VX_lane_ROUND(0, 5,10,15);
++	brct	("%r0",".Loop_4x");
++
++	vaf	($xd0,$xd0,$CTR);
++
++	vmrhf	($xt0,$xa0,$xa1);		# transpose data
++	vmrhf	($xt1,$xa2,$xa3);
++	vmrlf	($xt2,$xa0,$xa1);
++	vmrlf	($xt3,$xa2,$xa3);
++	vpdi	($xa0,$xt0,$xt1,0b0000);
++	vpdi	($xa1,$xt0,$xt1,0b0101);
++	vpdi	($xa2,$xt2,$xt3,0b0000);
++	vpdi	($xa3,$xt2,$xt3,0b0101);
++
++	vmrhf	($xt0,$xb0,$xb1);
++	vmrhf	($xt1,$xb2,$xb3);
++	vmrlf	($xt2,$xb0,$xb1);
++	vmrlf	($xt3,$xb2,$xb3);
++	vpdi	($xb0,$xt0,$xt1,0b0000);
++	vpdi	($xb1,$xt0,$xt1,0b0101);
++	vpdi	($xb2,$xt2,$xt3,0b0000);
++	vpdi	($xb3,$xt2,$xt3,0b0101);
++
++	vmrhf	($xt0,$xc0,$xc1);
++	vmrhf	($xt1,$xc2,$xc3);
++	vmrlf	($xt2,$xc0,$xc1);
++	vmrlf	($xt3,$xc2,$xc3);
++	vpdi	($xc0,$xt0,$xt1,0b0000);
++	vpdi	($xc1,$xt0,$xt1,0b0101);
++	vpdi	($xc2,$xt2,$xt3,0b0000);
++	vpdi	($xc3,$xt2,$xt3,0b0101);
++
++	vmrhf	($xt0,$xd0,$xd1);
++	vmrhf	($xt1,$xd2,$xd3);
++	vmrlf	($xt2,$xd0,$xd1);
++	vmrlf	($xt3,$xd2,$xd3);
++	vpdi	($xd0,$xt0,$xt1,0b0000);
++	vpdi	($xd1,$xt0,$xt1,0b0101);
++	vpdi	($xd2,$xt2,$xt3,0b0000);
++	vpdi	($xd3,$xt2,$xt3,0b0101);
++
++	#vrepif	($xt0,4);
++	#vaf	($CTR,$CTR,$xt0);		# next counter value
++
++	vaf	($xa0,$xa0,@K[0]);
++	vaf	($xb0,$xb0,@K[1]);
++	vaf	($xc0,$xc0,@K[2]);
++	vaf	($xd0,$xd0,@K[3]);
++
++	vperm	($xa0,$xa0,$xa0,$beperm);
++	vperm	($xb0,$xb0,$xb0,$beperm);
++	vperm	($xc0,$xc0,$xc0,$beperm);
++	vperm	($xd0,$xd0,$xd0,$beperm);
++
++	#&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	#jl	(".Ltail_4x");
++
++	vlm	($xt0,$xt3,"0($inp)");
++
++	vx	($xt0,$xt0,$xa0);
++	vx	($xt1,$xt1,$xb0);
++	vx	($xt2,$xt2,$xc0);
++	vx	($xt3,$xt3,$xd0);
++
++	vstm	($xt0,$xt3,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	#je	(".Ldone_4x");
++
++	vaf	($xa0,$xa1,@K[0]);
++	vaf	($xb0,$xb1,@K[1]);
++	vaf	($xc0,$xc1,@K[2]);
++	vaf	($xd0,$xd1,@K[3]);
++
++	vperm	($xa0,$xa0,$xa0,$beperm);
++	vperm	($xb0,$xb0,$xb0,$beperm);
++	vperm	($xc0,$xc0,$xc0,$beperm);
++	vperm	($xd0,$xd0,$xd0,$beperm);
++
++&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	jl	(".Ltail_4x");
++
++	vlm	($xt0,$xt3,"0($inp)");
++
++	vx	($xt0,$xt0,$xa0);
++	vx	($xt1,$xt1,$xb0);
++	vx	($xt2,$xt2,$xc0);
++	vx	($xt3,$xt3,$xd0);
++
++	vstm	($xt0,$xt3,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_4x");
++
++	vaf	($xa0,$xa2,@K[0]);
++	vaf	($xb0,$xb2,@K[1]);
++	vaf	($xc0,$xc2,@K[2]);
++	vaf	($xd0,$xd2,@K[3]);
++
++	vperm	($xa0,$xa0,$xa0,$beperm);
++	vperm	($xb0,$xb0,$xb0,$beperm);
++	vperm	($xc0,$xc0,$xc0,$beperm);
++	vperm	($xd0,$xd0,$xd0,$beperm);
++
++&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	jl	(".Ltail_4x");
++
++	vlm	($xt0,$xt3,"0($inp)");
++
++	vx	($xt0,$xt0,$xa0);
++	vx	($xt1,$xt1,$xb0);
++	vx	($xt2,$xt2,$xc0);
++	vx	($xt3,$xt3,$xd0);
++
++	vstm	($xt0,$xt3,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_4x");
++
++	vaf	($xa0,$xa3,@K[0]);
++	vaf	($xb0,$xb3,@K[1]);
++	vaf	($xc0,$xc3,@K[2]);
++	vaf	($xd0,$xd3,@K[3]);
++
++	vperm	($xa0,$xa0,$xa0,$beperm);
++	vperm	($xb0,$xb0,$xb0,$beperm);
++	vperm	($xc0,$xc0,$xc0,$beperm);
++	vperm	($xd0,$xd0,$xd0,$beperm);
++
++&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	jl	(".Ltail_4x");
++
++	vlm	($xt0,$xt3,"0($inp)");
++
++	vx	($xt0,$xt0,$xa0);
++	vx	($xt1,$xt1,$xb0);
++	vx	($xt2,$xt2,$xc0);
++	vx	($xt3,$xt3,$xd0);
++
++	vstm	($xt0,$xt3,"0($out)");
++
++	#la	$inp,0x40($inp));
++	#la	$out,0x40($out));
++	#lhi	%r0,10);
++	#&{$z?	\&aghi:\&ahi}	$len,-0x40);
++	#jne	.Loop_outer_4x);
++
++LABEL	(".Ldone_4x");
++if (!$z) {
++	ld	("%f4","$FRAME+16*$SIZE_T+2*8($sp)");
++	ld	("%f6","$FRAME+16*$SIZE_T+3*8($sp)");
++} else {
++	ld	("%f8","$stdframe+8*0($sp)");
++	ld	("%f9","$stdframe+8*1($sp)");
++	ld	("%f10","$stdframe+8*2($sp)");
++	ld	("%f11","$stdframe+8*3($sp)");
++	ld	("%f12","$stdframe+8*4($sp)");
++	ld	("%f13","$stdframe+8*5($sp)");
++	ld	("%f14","$stdframe+8*6($sp)");
++	ld	("%f15","$stdframe+8*7($sp)");
++}
++&{$z?	\&lmg:\&lm}	("%r6","%r7","$FRAME+6*$SIZE_T($sp)");
++	la	($sp,"$FRAME($sp)");
++	br	("%r14");
++
++ALIGN	(16);
++LABEL	(".Ltail_4x");
++if (!$z) {
++	vlr	($xt0,$xb0);
++	ld	("%f4","$FRAME+16*$SIZE_T+2*8($sp)");
++	ld	("%f6","$FRAME+16*$SIZE_T+3*8($sp)");
++
++	vst	($xa0,"$stdframe+0x00($sp)");
++	vst	($xt0,"$stdframe+0x10($sp)");
++	vst	($xc0,"$stdframe+0x20($sp)");
++	vst	($xd0,"$stdframe+0x30($sp)");
++} else {
++	vlr	($xt0,$xc0);
++	ld	("%f8","$stdframe+8*0($sp)");
++	ld	("%f9","$stdframe+8*1($sp)");
++	ld	("%f10","$stdframe+8*2($sp)");
++	ld	("%f11","$stdframe+8*3($sp)");
++	vlr	($xt1,$xd0);
++	ld	("%f12","$stdframe+8*4($sp)");
++	ld	("%f13","$stdframe+8*5($sp)");
++	ld	("%f14","$stdframe+8*6($sp)");
++	ld	("%f15","$stdframe+8*7($sp)");
++
++	vst	($xa0,"$stdframe+0x00($sp)");
++	vst	($xb0,"$stdframe+0x10($sp)");
++	vst	($xt0,"$stdframe+0x20($sp)");
++	vst	($xt1,"$stdframe+0x30($sp)");
+ }
++	lghi	("%r1",0);
++
++LABEL	(".Loop_tail_4x");
++	llgc	("%r5","0(%r1,$inp)");
++	llgc	("%r6","$stdframe(%r1,$sp)");
++	xr	("%r6","%r5");
++	stc	("%r6","0(%r1,$out)");
++	la	("%r1","1(%r1)");
++	brct	($len,".Loop_tail_4x");
++
++&{$z?	\&lmg:\&lm}	("%r6","%r7","$FRAME+6*$SIZE_T($sp)");
++	la	($sp,"$FRAME($sp)");
++	br	("%r14");
++SIZE	("ChaCha20_ctr32_4x",".-ChaCha20_ctr32_4x");
++}
++
++########################################################################
++# 6x"horizontal" layout is optimal fit for the platform in its current
++# shape, more specifically for given vector instructions' latency. Well,
++# computational part of 8x"vertical" would be faster, but it consumes
++# all registers and dealing with that will diminish the return...
++#
++{
++my ($a0,$b0,$c0,$d0, $a1,$b1,$c1,$d1,
++    $a2,$b2,$c2,$d2, $a3,$b3,$c3,$d3,
++    $a4,$b4,$c4,$d4, $a5,$b5,$c5,$d5)=map("%v$_",(0..23));
++my @K=map("%v$_",(27,24..26));
++my ($t0,$t1,$t2,$t3)=map("%v$_",27..30);
++my $beperm="%v31";
++my $FRAME=$stdframe + 4*16;
++
++GLOBL	("ChaCha20_ctr32_vx");
++ALIGN	(32);
++LABEL	("ChaCha20_ctr32_vx");
++LABEL	(".LChaCha20_ctr32_vx");
++&{$z?	\&clgfi:\&clfi}	($len,256);
++	jle	(".LChaCha20_ctr32_4x");
++&{$z?	\&stmg:\&stm}	("%r6","%r7","6*$SIZE_T($sp)");
++if (!$z) {
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++}
++&{$z?	\&lghi:\&lhi}	("%r1",-$FRAME);
++	lgr	("%r0",$sp);
++	la	($sp,"0(%r1,$sp)");
++&{$z?	\&stg:\&st}	("%r0","0($sp)");	# back-chain
++if ($z) {
++	std	("%f8","$FRAME-8*8($sp)");
++	std	("%f9","$FRAME-8*7($sp)");
++	std	("%f10","$FRAME-8*6($sp)");
++	std	("%f11","$FRAME-8*5($sp)");
++	std	("%f12","$FRAME-8*4($sp)");
++	std	("%f13","$FRAME-8*3($sp)");
++	std	("%f14","$FRAME-8*2($sp)");
++	std	("%f15","$FRAME-8*1($sp)");
++}
++	larl	("%r7",".Lsigma");
++	lhi	("%r0",10);
++
++	vlm	(@K[1],@K[2],"0($key)");	# load key
++	vl	(@K[3],"0($counter)");		# load counter
++
++	vlm	(@K[0],"$beperm","0(%r7)");	# load sigma, increments, ...
++
++LABEL	(".Loop_outer_vx");
++	vlr	($a0,@K[0]);
++	vlr	($b0,@K[1]);
++	vlr	($a1,@K[0]);
++	vlr	($b1,@K[1]);
++	vlr	($a2,@K[0]);
++	vlr	($b2,@K[1]);
++	vlr	($a3,@K[0]);
++	vlr	($b3,@K[1]);
++	vlr	($a4,@K[0]);
++	vlr	($b4,@K[1]);
++	vlr	($a5,@K[0]);
++	vlr	($b5,@K[1]);
++
++	vlr	($d0,@K[3]);
++	vaf	($d1,@K[3],$t1);		# K[3]+1
++	vaf	($d2,@K[3],$t2);		# K[3]+2
++	vaf	($d3,@K[3],$t3);		# K[3]+3
++	vaf	($d4,$d2,$t2);			# K[3]+4
++	vaf	($d5,$d2,$t3);			# K[3]+5
++
++	vlr	($c0,@K[2]);
++	vlr	($c1,@K[2]);
++	vlr	($c2,@K[2]);
++	vlr	($c3,@K[2]);
++	vlr	($c4,@K[2]);
++	vlr	($c5,@K[2]);
++
++	vlr	($t1,$d1);
++	vlr	($t2,$d2);
++	vlr	($t3,$d3);
++
++ALIGN	(4);
++LABEL	(".Loop_vx");
++
++	VX_ROUND($a0,$a1,$a2,$a3,$a4,$a5,
++		 $b0,$b1,$b2,$b3,$b4,$b5,
++		 $c0,$c1,$c2,$c3,$c4,$c5,
++		 $d0,$d1,$d2,$d3,$d4,$d5,
++		 0);
++
++	VX_ROUND($a0,$a1,$a2,$a3,$a4,$a5,
++		 $b0,$b1,$b2,$b3,$b4,$b5,
++		 $c0,$c1,$c2,$c3,$c4,$c5,
++		 $d0,$d1,$d2,$d3,$d4,$d5,
++		 1);
++
++	brct	("%r0",".Loop_vx");
++
++	vaf	($a0,$a0,@K[0]);
++	vaf	($b0,$b0,@K[1]);
++	vaf	($c0,$c0,@K[2]);
++	vaf	($d0,$d0,@K[3]);
++	vaf	($a1,$a1,@K[0]);
++	vaf	($d1,$d1,$t1);			# +K[3]+1
++
++	vperm	($a0,$a0,$a0,$beperm);
++	vperm	($b0,$b0,$b0,$beperm);
++	vperm	($c0,$c0,$c0,$beperm);
++	vperm	($d0,$d0,$d0,$beperm);
++
++&{$z?	\&clgfi:\&clfi}	($len,0x40);
++	jl	(".Ltail_vx");
++
++	vaf	($d2,$d2,$t2);			# +K[3]+2
++	vaf	($d3,$d3,$t3);			# +K[3]+3
++	vlm	($t0,$t3,"0($inp)");
++
++	vx	($a0,$a0,$t0);
++	vx	($b0,$b0,$t1);
++	vx	($c0,$c0,$t2);
++	vx	($d0,$d0,$t3);
++
++	vlm	(@K[0],$t3,"0(%r7)");		# re-load sigma and increments
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_vx");
++
++	vaf	($b1,$b1,@K[1]);
++	vaf	($c1,$c1,@K[2]);
++
++	vperm	($a0,$a1,$a1,$beperm);
++	vperm	($b0,$b1,$b1,$beperm);
++	vperm	($c0,$c1,$c1,$beperm);
++	vperm	($d0,$d1,$d1,$beperm);
++
++&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	jl	(".Ltail_vx");
++
++	vlm	($a1,$d1,"0($inp)");
++
++	vx	($a0,$a0,$a1);
++	vx	($b0,$b0,$b1);
++	vx	($c0,$c0,$c1);
++	vx	($d0,$d0,$d1);
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_vx");
++
++	vaf	($a2,$a2,@K[0]);
++	vaf	($b2,$b2,@K[1]);
++	vaf	($c2,$c2,@K[2]);
++
++	vperm	($a0,$a2,$a2,$beperm);
++	vperm	($b0,$b2,$b2,$beperm);
++	vperm	($c0,$c2,$c2,$beperm);
++	vperm	($d0,$d2,$d2,$beperm);
++
++&{$z?	\&clgfi:\&clfi}	($len,0x40);
++	jl	(".Ltail_vx");
++
++	vlm	($a1,$d1,"0($inp)");
++
++	vx	($a0,$a0,$a1);
++	vx	($b0,$b0,$b1);
++	vx	($c0,$c0,$c1);
++	vx	($d0,$d0,$d1);
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_vx");
++
++	vaf	($a3,$a3,@K[0]);
++	vaf	($b3,$b3,@K[1]);
++	vaf	($c3,$c3,@K[2]);
++	vaf	($d2,@K[3],$t3);		# K[3]+3
++
++	vperm	($a0,$a3,$a3,$beperm);
++	vperm	($b0,$b3,$b3,$beperm);
++	vperm	($c0,$c3,$c3,$beperm);
++	vperm	($d0,$d3,$d3,$beperm);
++
++&{$z?	\&clgfi:\&clfi}	($len,0x40);
++	jl	(".Ltail_vx");
++
++	vaf	($d3,$d2,$t1);			# K[3]+4
++	vlm	($a1,$d1,"0($inp)");
++
++	vx	($a0,$a0,$a1);
++	vx	($b0,$b0,$b1);
++	vx	($c0,$c0,$c1);
++	vx	($d0,$d0,$d1);
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_vx");
++
++	vaf	($a4,$a4,@K[0]);
++	vaf	($b4,$b4,@K[1]);
++	vaf	($c4,$c4,@K[2]);
++	vaf	($d4,$d4,$d3);			# +K[3]+4
++	vaf	($d3,$d3,$t1);			# K[3]+5
++	vaf	(@K[3],$d2,$t3);		# K[3]+=6
++
++	vperm	($a0,$a4,$a4,$beperm);
++	vperm	($b0,$b4,$b4,$beperm);
++	vperm	($c0,$c4,$c4,$beperm);
++	vperm	($d0,$d4,$d4,$beperm);
++
++&{$z?	\&clgfi:\&clfi}	($len,0x40);
++	jl	(".Ltail_vx");
++
++	vlm	($a1,$d1,"0($inp)");
++
++	vx	($a0,$a0,$a1);
++	vx	($b0,$b0,$b1);
++	vx	($c0,$c0,$c1);
++	vx	($d0,$d0,$d1);
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	je	(".Ldone_vx");
++
++	vaf	($a5,$a5,@K[0]);
++	vaf	($b5,$b5,@K[1]);
++	vaf	($c5,$c5,@K[2]);
++	vaf	($d5,$d5,$d3);			# +K[3]+5
++
++	vperm	($a0,$a5,$a5,$beperm);
++	vperm	($b0,$b5,$b5,$beperm);
++	vperm	($c0,$c5,$c5,$beperm);
++	vperm	($d0,$d5,$d5,$beperm);
++
++&{$z?	\&clgfi:\&clfi} ($len,0x40);
++	jl	(".Ltail_vx");
++
++	vlm	($a1,$d1,"0($inp)");
++
++	vx	($a0,$a0,$a1);
++	vx	($b0,$b0,$b1);
++	vx	($c0,$c0,$c1);
++	vx	($d0,$d0,$d1);
++
++	vstm	($a0,$d0,"0($out)");
++
++	la	($inp,"0x40($inp)");
++	la	($out,"0x40($out)");
++	lhi	("%r0",10);
++&{$z?	\&aghi:\&ahi}	($len,-0x40);
++	jne	(".Loop_outer_vx");
++
++LABEL	(".Ldone_vx");
++if (!$z) {
++	ld	("%f4","$FRAME+16*$SIZE_T+2*8($sp)");
++	ld	("%f6","$FRAME+16*$SIZE_T+3*8($sp)");
++} else {
++	ld	("%f8","$FRAME-8*8($sp)");
++	ld	("%f9","$FRAME-8*7($sp)");
++	ld	("%f10","$FRAME-8*6($sp)");
++	ld	("%f11","$FRAME-8*5($sp)");
++	ld	("%f12","$FRAME-8*4($sp)");
++	ld	("%f13","$FRAME-8*3($sp)");
++	ld	("%f14","$FRAME-8*2($sp)");
++	ld	("%f15","$FRAME-8*1($sp)");
++}
++&{$z?	\&lmg:\&lm}	("%r6","%r7","$FRAME+6*$SIZE_T($sp)");
++	la	($sp,"$FRAME($sp)");
++	br	("%r14");
++
++ALIGN	(16);
++LABEL	(".Ltail_vx");
++if (!$z) {
++	ld	("%f4","$FRAME+16*$SIZE_T+2*8($sp)");
++	ld	("%f6","$FRAME+16*$SIZE_T+3*8($sp)");
++} else {
++	ld	("%f8","$FRAME-8*8($sp)");
++	ld	("%f9","$FRAME-8*7($sp)");
++	ld	("%f10","$FRAME-8*6($sp)");
++	ld	("%f11","$FRAME-8*5($sp)");
++	ld	("%f12","$FRAME-8*4($sp)");
++	ld	("%f13","$FRAME-8*3($sp)");
++	ld	("%f14","$FRAME-8*2($sp)");
++	ld	("%f15","$FRAME-8*1($sp)");
++}
++	vstm	($a0,$d0,"$stdframe($sp)");
++	lghi	("%r1",0);
++
++LABEL	(".Loop_tail_vx");
++	llgc	("%r5","0(%r1,$inp)");
++	llgc	("%r6","$stdframe(%r1,$sp)");
++	xr	("%r6","%r5");
++	stc	("%r6","0(%r1,$out)");
++	la	("%r1","1(%r1)");
++	brct	($len,".Loop_tail_vx");
++
++&{$z?	\&lmg:\&lm}	("%r6","%r7","$FRAME+6*$SIZE_T($sp)");
++	la	($sp,"$FRAME($sp)");
++	br	("%r14");
++SIZE	("ChaCha20_ctr32_vx",".-ChaCha20_ctr32_vx");
+ }
+ ################
+ 
+-ALIGN	(64);
++ALIGN	(32);
+ LABEL	(".Lsigma");
+ LONG	(0x61707865,0x3320646e,0x79622d32,0x6b206574);	# endian-neutral sigma
+-LONG	(0x00000000,0x00000001,0x00000002,0x00000003);	# vaf counter increment
+-LONG	(0x03020100,0x07060504,0x13121110,0x17161514);	# vperm serialization
+-LONG	(0x0b0a0908,0x0f0e0d0c,0x1b1a1918,0x1f1e1d1c);	# vperm serialization
++LONG	(1,0,0,0);
++LONG	(2,0,0,0);
++LONG	(3,0,0,0);
++LONG	(0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c);	# byte swap
++
++LONG	(0,1,2,3);
++LONG	(0x61707865,0x61707865,0x61707865,0x61707865);	# smashed sigma
++LONG	(0x3320646e,0x3320646e,0x3320646e,0x3320646e);
++LONG	(0x79622d32,0x79622d32,0x79622d32,0x79622d32);
++LONG	(0x6b206574,0x6b206574,0x6b206574,0x6b206574);
++
+ ASCIZ	("\"ChaCha20 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
+ ALIGN	(4);
+ 
+-- 
+2.21.0
+
diff --git a/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch b/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
new file mode 100644
index 0000000..86ed650
--- /dev/null
+++ b/0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
@@ -0,0 +1,1631 @@
+From 2e6b615f795e8ca8ae830a00079c4ea064eaae42 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Sat, 23 Mar 2019 00:03:24 +0100
+Subject: [PATCH] s390x assembly pack: import poly from cryptogams repo
+
+>=20% faster than present code.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/8560)
+---
+ crypto/poly1305/asm/poly1305-s390x.pl | 1455 ++++++++++++++-----------
+ crypto/poly1305/build.info            |    1 +
+ 2 files changed, 799 insertions(+), 657 deletions(-)
+
+Index: openssl-1.1.1c/crypto/poly1305/asm/poly1305-s390x.pl
+===================================================================
+--- openssl-1.1.1c.orig/crypto/poly1305/asm/poly1305-s390x.pl	2019-06-06 12:18:53.384309579 +0200
++++ openssl-1.1.1c/crypto/poly1305/asm/poly1305-s390x.pl	2019-06-06 12:18:54.556316994 +0200
+@@ -32,10 +32,20 @@
+ # Copyright IBM Corp. 2019
+ # Author: Patrick Steuer <patrick.steuer@de.ibm.com>
+ 
++#
++# January 2019
++#
++# Add vector base 2^26 implementation. It's problematic to accurately
++# measure performance, because reference system is hardly idle. But
++# it's sub-cycle, i.e. less than 1 cycle per processed byte, and it's
++# >=20% faster than IBM's submission on long inputs, and much faster on
++# short ones, because calculation of key powers is postponed till we
++# know that input is long enough to justify the additional overhead.
++
+ use strict;
+ use FindBin qw($Bin);
+ use lib "$Bin/../..";
+-use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL);
++use perlasm::s390x qw(:DEFAULT :VX AUTOLOAD LABEL INCLUDE);
+ 
+ my $flavour = shift;
+ 
+@@ -51,666 +61,98 @@ if ($flavour =~ /3[12]/) {
+ my $output;
+ while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
+ 
++my $stdframe=16*$SIZE_T+4*8;
+ my $sp="%r15";
+ 
+-# novx code path ctx layout
+-# ---------------------------------
+-# var		value	base	off
+-# ---------------------------------
+-# u64 h[3]	hash	2^64	  0
+-# u32 pad[2]
+-# u64 r[2]	key	2^64	 32
+-
+-# vx code path ctx layout
+-# ---------------------------------
+-# var		value	base	off
+-# ---------------------------------
+-# u32 acc1[5]	r^2-acc	2^26	  0
+-# u32 pad
+-# u32 acc2[5]	r-acc	2^26	 24
+-# u32 pad
+-# u32 r1[5]	r	2^26	 48
+-# u32 r15[5]	5*r	2^26	 68
+-# u32 r2[5]	r^2	2^26	 88
+-# u32 r25[5]	5*r^2	2^26	108
+-# u32 r4[5]	r^4	2^26	128
+-# u32 r45[5]	5*r^4	2^26	148
++my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5));
+ 
+ PERLASM_BEGIN($output);
+ 
++INCLUDE	("s390x_arch.h");
+ TEXT	();
+ 
+ ################
+ # static void poly1305_init(void *ctx, const unsigned char key[16])
+ {
+-my ($ctx,$key)=map("%r$_",(2..3));
+-my ($r0,$r1,$r2)=map("%r$_",(9,11,13));
+-
+-sub MUL_RKEY {	# r*=key
+-my ($d0hi,$d0lo,$d1hi,$d1lo)=map("%r$_",(4..7));
+-my ($t0,$t1,$s1)=map("%r$_",(8,10,12));
+-
+-	lg	("%r0","32($ctx)");
+-	lg	("%r1","40($ctx)");
+-
+-	srlg	($s1,"%r1",2);
+-	algr	($s1,"%r1");
+-
+-	lgr	($d0lo,$r0);
+-	lgr	($d1lo,$r1);
+-
+-	mlgr	($d0hi,"%r0");
+-	lgr	($r1,$d1lo);
+-	mlgr	($d1hi,$s1);
+-
+-	mlgr	($t0,"%r1");
+-	mlgr	($t1,"%r0");
+-
+-	algr	($d0lo,$d1lo);
+-	lgr	($d1lo,$r2);
+-	alcgr	($d0hi,$d1hi);
+-	lghi	($d1hi,0);
+-
+-	algr	($r1,$r0);
+-	alcgr	($t1,$t0);
+-
+-	msgr	($d1lo,$s1);
+-	msgr	($r2,"%r0");
+-
+-	algr	($r1,$d1lo);
+-	alcgr	($t1,$d1hi);
+-
+-	algr	($r1,$d0hi);
+-	alcgr	($r2,$t1);
+-
+-	lghi	($r0,-4);
+-	ngr	($r0,$r2);
+-	srlg	($t0,$r2,2);
+-	algr	($r0,$t0);
+-	lghi	($t1,3);
+-	ngr	($r2,$t1);
+-
+-	algr	($r0,$d0lo);
+-	alcgr	($r1,$d1hi);
+-	alcgr	($r2,$d1hi);
+-}
+-
+-sub ST_R5R {	# store r,5*r -> base 2^26
+-my @d=map("%r$_",(4..8));
+-my @off=@_;
+-
+-	lgr	(@d[2],$r0);
+-	lr	("%r1",@d[2]);
+-	nilh	("%r1",1023);
+-	lgr	(@d[3],$r1);
+-	lr	(@d[0],"%r1");
+-	srlg	("%r1",@d[2],52);
+-	lgr	(@d[4],$r2);
+-	srlg	("%r0",@d[2],26);
+-	sll	(@d[4],24);
+-	lr	(@d[2],@d[3]);
+-	nilh	("%r0",1023);
+-	sll	(@d[2],12);
+-	lr	(@d[1],"%r0");
+-	&or	(@d[2],"%r1");
+-	srlg	("%r1",@d[3],40);
+-	nilh	(@d[2],1023);
+-	&or	(@d[4],"%r1");
+-	srlg	(@d[3],@d[3],14);
+-	nilh	(@d[4],1023);
+-	nilh	(@d[3],1023);
+-
+-	stm	(@d[0],@d[4],"@off[0]($ctx)");
+-	mhi	(@d[$_],5) for (0..4);
+-	stm	(@d[0],@d[4],"@off[1]($ctx)");
+-}
+-
+ GLOBL	("poly1305_init");
+ TYPE	("poly1305_init","\@function");
+ ALIGN	(16);
+ LABEL	("poly1305_init");
+ 	lghi	("%r0",0);
+ 	lghi	("%r1",-1);
+-	stg	("%r0","0($ctx)");	# zero hash value / acc1
++	stg	("%r0","0($ctx)");		# zero hash value
+ 	stg	("%r0","8($ctx)");
+ 	stg	("%r0","16($ctx)");
++	st	("%r0","24($ctx)");		# clear is_base2_26
++	lgr	("%r5",$ctx);			# reassign $ctx
++	lghi	("%r2",0);
+ 
+-&{$z?	\&clgr:\&clr}	($key,"%r0");
+-	je	(".Ldone");
++&{$z?	\&clgr:\&clr}	($inp,"%r0");
++	je	(".Lno_key");
+ 
+-	lrvg	("%r4","0($key)");	# load little-endian key
+-	lrvg	("%r5","8($key)");
++	lrvg	("%r2","0($inp)");		# load little-endian key
++	lrvg	("%r3","8($inp)");
+ 
+-	nihl	("%r1",0xffc0);		# 0xffffffc0ffffffff
+-	srlg	("%r0","%r1",4);	# 0x0ffffffc0fffffff
++	nihl	("%r1",0xffc0);			# 0xffffffc0ffffffff
++	srlg	("%r0","%r1",4);		# 0x0ffffffc0fffffff
+ 	srlg	("%r1","%r1",4);
+-	nill	("%r1",0xfffc);		# 0x0ffffffc0ffffffc
++	nill	("%r1",0xfffc);			# 0x0ffffffc0ffffffc
+ 
+-	ngr	("%r4","%r0");
+-	ngr	("%r5","%r1");
++	ngr	("%r2","%r0");
++	ngr	("%r3","%r1");
+ 
+-	stg	("%r4","32($ctx)");
+-	stg	("%r5","40($ctx)");
++	stmg	("%r2","%r3","32(%r5)");
+ 
+ 	larl	("%r1","OPENSSL_s390xcap_P");
+ 	lg	("%r0","16(%r1)");
+-	tmhh	("%r0",0x4000);		# check for vector facility
+-	jz	(".Ldone");
+-
+-	larl	("%r4","poly1305_blocks_vx");
+-	larl	("%r5","poly1305_emit_vx");
+-
+-&{$z?	\&stmg:\&stm}	("%r6","%r13","6*$SIZE_T($sp)");
+-&{$z?	\&stmg:\&stm}	("%r4","%r5","4*$z+228($ctx)");
+-
+-	lg	($r0,"32($ctx)");
+-	lg	($r1,"40($ctx)");
+-	lghi	($r2,0);
+-
+-	ST_R5R	(48,68);	# store r,5*r
+-
+-	MUL_RKEY();
+-	ST_R5R	(88,108);	# store r^2,5*r^2
+-
+-	MUL_RKEY();
+-	MUL_RKEY();
+-	ST_R5R	(128,148);	# store r^4,5*r^4
+-
+-	lghi	("%r0",0);
+-	stg	("%r0","24($ctx)");	# zero acc2
+-	stg	("%r0","32($ctx)");
+-	stg	("%r0","40($ctx)");
+-
+-&{$z?	\&lmg:\&lm}	("%r6","%r13","6*$SIZE_T($sp)");
++	srlg	("%r0","%r0",62);
++	nill	("%r0",1);			# extract vx bit
++	lcgr	("%r0","%r0");
++	larl	("%r1",".Lpoly1305_blocks");
++	larl	("%r2",".Lpoly1305_blocks_vx");
++	larl	("%r3",".Lpoly1305_emit");
++&{$z?	\&xgr:\&xr}	("%r2","%r1");		# select between scalar and vector
++&{$z?	\&ngr:\&nr}	("%r2","%r0");
++&{$z?	\&xgr:\&xr}	("%r2","%r1");
++&{$z?	\&stmg:\&stm}	("%r2","%r3","0(%r4)");
+ 	lghi	("%r2",1);
+-	br	("%r14");
+-
+-LABEL	(".Ldone");
+-	lghi	("%r2",0);
++LABEL	(".Lno_key");
+ 	br	("%r14");
+ SIZE	("poly1305_init",".-poly1305_init");
+ }
+ 
+-# VX CODE PATH
+-{
+-my $frame=8*16;
+-my @m01=map("%v$_",(0..4));
+-my @m23=map("%v$_",(5..9));
+-my @tmp=@m23;
+-my @acc=map("%v$_",(10..14));
+-my @r=map("%v$_",(15..19));
+-my @r5=map("%v$_",(20..24));
+-my $padvec="%v26";
+-my $mask4="%v27";
+-my @vperm=map("%v$_",(28..30));
+-my $mask="%v31";
+-
+-sub REDUCE {
+-	vesrlg	(@tmp[0],@acc[0],26);
+-	vesrlg	(@tmp[3],@acc[3],26);
+-	vn	(@acc[0],@acc[0],$mask);
+-	vn	(@acc[3],@acc[3],$mask);
+-	vag	(@acc[1],@acc[1],@tmp[0]);	# carry 0->1
+-	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
+-
+-	vesrlg	(@tmp[1],@acc[1],26);
+-	vesrlg	(@tmp[4],@acc[4],26);
+-	vn	(@acc[1],@acc[1],$mask);
+-	vn	(@acc[4],@acc[4],$mask);
+-	veslg	(@tmp[0],@tmp[4],2);
+-	vag	(@tmp[4],@tmp[4],@tmp[0]);	# h[4]*=5
+-	vag	(@acc[2],@acc[2],@tmp[1]);	# carry 1->2
+-	vag	(@acc[0],@acc[0],@tmp[4]);	# carry 4->0
+-
+-	vesrlg	(@tmp[2],@acc[2],26);
+-	vesrlg	(@tmp[0],@acc[0],26);
+-	vn	(@acc[2],@acc[2],$mask);
+-	vn	(@acc[0],@acc[0],$mask);
+-	vag	(@acc[3],@acc[3],@tmp[2]);	# carry 2->3
+-	vag	(@acc[1],@acc[1],@tmp[0]);	# carry 0->1
+-
+-	vesrlg	(@tmp[3],@acc[3],26);
+-	vn	(@acc[3],@acc[3],$mask);
+-	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
+-}
+-
+ ################
+-# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp,
+-#                                size_t len, u32 padbit)
++# static void poly1305_blocks(void *ctx, const unsigned char *inp,
++#                             size_t len, u32 padbit)
+ {
+-my ($ctx,$inp,$len) = map("%r$_",(2..4));
+-my $padbit="%r0";
+-
+-GLOBL	("poly1305_blocks_vx");
+-TYPE	("poly1305_blocks_vx","\@function");
+-ALIGN	(16);
+-LABEL	("poly1305_blocks_vx");
+-if ($z) {
+-	aghi	($sp,-$frame);
+-	vstm	("%v8","%v15","0($sp)");
+-} else {
+-	std	("%f4","16*$SIZE_T+2*8($sp)");
+-	std	("%f6","16*$SIZE_T+3*8($sp)");
+-	llgfr	($len,$len);
+-}
+-	llgfr	($padbit,"%r5");
+-	vlef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# load acc1
+-	larl	("%r5",".Lconst");
+-	vlef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);	# load acc2
+-	sllg	($padbit,$padbit,24);
+-	vlm	(@vperm[0],$mask,"0(%r5)");	# load vperm ops, mask
+-	vgbm	($mask4,0x0707);
+-	vlvgp	($padvec,$padbit,$padbit);
+-
+-	srlg	("%r1",$len,6);
+-	ltgr	("%r1","%r1");
+-	jz	(".Lvx_4x_done");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_4x");
+-	vlm	("%v20","%v23","0($inp)");	# load m0,m1,m2,m3
+-
+-	# m01,m23 -> base 2^26
+-
+-	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
+-	vperm	(@m23[0],"%v22","%v23",@vperm[0]);
+-	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
+-	vperm	(@m23[2],"%v22","%v23",@vperm[1]);
+-	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
+-	vperm	(@m23[4],"%v22","%v23",@vperm[2]);
+-
+-	vesrlg	(@m01[1],@m01[0],26);
+-	vesrlg	(@m23[1],@m23[0],26);
+-	vesrlg	(@m01[3],@m01[2],30);
+-	vesrlg	(@m23[3],@m23[2],30);
+-	vesrlg	(@m01[2],@m01[2],4);
+-	vesrlg	(@m23[2],@m23[2],4);
+-
+-	vn	(@m01[4],@m01[4],$mask4);
+-	vn	(@m23[4],@m23[4],$mask4);
+-for (0..3) {
+-	vn	(@m01[$_],@m01[$_],$mask);
+-	vn	(@m23[$_],@m23[$_],$mask);
+-}
+-	vaf	(@m01[4],@m01[4],$padvec);	# pad m01
+-	vaf	(@m23[4],@m23[4],$padvec);	# pad m23
+-
+-	# acc = acc * r^4 + m01 * r^2 + m23
+-
+-	vlrepf	(@r5[$_],"4*$_+108($ctx)") for (0..4);	# load 5*r^2
+-	vlrepf	(@r[$_],"4*$_+88($ctx)") for (0..4);	# load r^2
+-
+-	vmalof	(@tmp[0],@m01[4],@r5[1],@m23[0]);
+-	vmalof	(@tmp[1],@m01[4],@r5[2],@m23[1]);
+-	vmalof	(@tmp[2],@m01[4],@r5[3],@m23[2]);
+-	vmalof	(@tmp[3],@m01[4],@r5[4],@m23[3]);
+-	vmalof	(@tmp[4],@m01[4],@r[0],@m23[4]);
+-
+-	vmalof	(@tmp[0],@m01[3],@r5[2],@tmp[0]);
+-	vmalof	(@tmp[1],@m01[3],@r5[3],@tmp[1]);
+-	vmalof	(@tmp[2],@m01[3],@r5[4],@tmp[2]);
+-	vmalof	(@tmp[3],@m01[3],@r[0],@tmp[3]);
+-	vmalof	(@tmp[4],@m01[3],@r[1],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@m01[2],@r5[3],@tmp[0]);
+-	vmalof	(@tmp[1],@m01[2],@r5[4],@tmp[1]);
+-	vmalof	(@tmp[2],@m01[2],@r[0],@tmp[2]);
+-	vmalof	(@tmp[3],@m01[2],@r[1],@tmp[3]);
+-	vmalof	(@tmp[4],@m01[2],@r[2],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@m01[1],@r5[4],@tmp[0]);
+-	vmalof	(@tmp[1],@m01[1],@r[0],@tmp[1]);
+-	vmalof	(@tmp[2],@m01[1],@r[1],@tmp[2]);
+-	vmalof	(@tmp[3],@m01[1],@r[2],@tmp[3]);
+-	vmalof	(@tmp[4],@m01[1],@r[3],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@m01[0],@r[0],@tmp[0]);
+-	vmalof	(@tmp[1],@m01[0],@r[1],@tmp[1]);
+-	vmalof	(@tmp[2],@m01[0],@r[2],@tmp[2]);
+-	vmalof	(@tmp[3],@m01[0],@r[3],@tmp[3]);
+-	vmalof	(@tmp[4],@m01[0],@r[4],@tmp[4]);
+-
+-	vlrepf	(@r5[$_],"4*$_+148($ctx)") for (0..4);	# load 5*r^4
+-	vlrepf	(@r[$_],"4*$_+128($ctx)") for (0..4);	# load r^4
+-
+-	vmalof	(@tmp[0],@acc[4],@r5[1],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[4],@r5[2],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[4],@r5[3],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[4],@r5[4],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[4],@r[0],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
+-
+-	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
+-	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
+-	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
+-	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
+-	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
+-
+-	REDUCE	();
+-
+-	la	($inp,"64($inp)");
+-	brctg	("%r1",".Lvx_4x");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_4x_done");
+-	tml	($len,32);
+-	jz	(".Lvx_2x_done");
+-
+-	vlm	("%v20","%v21","0($inp)");	# load m0,m1
+-
+-	# m01 -> base 2^26
+-
+-	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
+-	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
+-	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
+-
+-	vesrlg	(@m01[1],@m01[0],26);
+-	vesrlg	(@m01[3],@m01[2],30);
+-	vesrlg	(@m01[2],@m01[2],4);
+-
+-	vn	(@m01[4],@m01[4],$mask4);
+-	vn	(@m01[$_],@m01[$_],$mask) for (0..3);
+-
+-	vaf	(@m01[4],@m01[4],$padvec);	# pad m01
+-
+-	# acc = acc * r^2+ m01
+-
+-	vlrepf	(@r5[$_],"4*$_+108($ctx)") for (0..4);	# load 5*r^2
+-	vlrepf	(@r[$_],"4*$_+88($ctx)") for (0..4);	# load r^2
+-
+-	vmalof	(@tmp[0],@acc[4],@r5[1],@m01[0]);
+-	vmalof	(@tmp[1],@acc[4],@r5[2],@m01[1]);
+-	vmalof	(@tmp[2],@acc[4],@r5[3],@m01[2]);
+-	vmalof	(@tmp[3],@acc[4],@r5[4],@m01[3]);
+-	vmalof	(@tmp[4],@acc[4],@r[0],@m01[4]);
+-
+-	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
+-
+-	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
+-	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
+-	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
+-	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
+-	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
+-
+-	REDUCE	();
+-
+-	la	($inp,"32($inp)");
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_2x_done");
+-	tml	($len,16);
+-	jz	(".Lvx_done");
+-
+-	vleig	($padvec,0,0);
+-
+-	vzero	("%v20");
+-	vl	("%v21","0($inp)");	# load m0
+-
+-	# m0 -> base 2^26
+-
+-	vperm	(@m01[0],"%v20","%v21",@vperm[0]);
+-	vperm	(@m01[2],"%v20","%v21",@vperm[1]);
+-	vperm	(@m01[4],"%v20","%v21",@vperm[2]);
+-
+-	vesrlg	(@m01[1],@m01[0],26);
+-	vesrlg	(@m01[3],@m01[2],30);
+-	vesrlg	(@m01[2],@m01[2],4);
+-
+-	vn	(@m01[4],@m01[4],$mask4);
+-	vn	(@m01[$_],@m01[$_],$mask) for (0..3);
+-
+-	vaf	(@m01[4],@m01[4],$padvec);	# pad m0
+-
+-	# acc = acc * r + m01
+-
+-	vlrepf	(@r5[$_],"4*$_+68($ctx)") for (0..4);	# load 5*r
+-	vlrepf	(@r[$_],"4*$_+48($ctx)") for (0..4);	# load r
+-
+-	vmalof	(@tmp[0],@acc[4],@r5[1],@m01[0]);
+-	vmalof	(@tmp[1],@acc[4],@r5[2],@m01[1]);
+-	vmalof	(@tmp[2],@acc[4],@r5[3],@m01[2]);
+-	vmalof	(@tmp[3],@acc[4],@r5[4],@m01[3]);
+-	vmalof	(@tmp[4],@acc[4],@r[0],@m01[4]);
+-
+-	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
+-
+-	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
+-	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
+-	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
+-	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
+-	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
+-
+-	REDUCE	();
+-
+-ALIGN	(16);
+-LABEL	(".Lvx_done");
+-	vstef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# store acc
+-	vstef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);
+-
+-if ($z) {
+-	vlm	("%v8","%v15","0($sp)");
+-	la	($sp,"$frame($sp)");
+-} else {
+-	ld	("%f4","16*$SIZE_T+2*8($sp)");
+-	ld	("%f6","16*$SIZE_T+3*8($sp)");
+-}
+-	br	("%r14");
+-SIZE	("poly1305_blocks_vx",".-poly1305_blocks_vx");
+-}
+-
+-################
+-# static void poly1305_emit_vx(void *ctx, unsigned char mac[16],
+-#                              const u32 nonce[4])
+-{
+-my ($ctx,$mac,$nonce) = map("%r$_",(2..4));
+-
+-GLOBL	("poly1305_emit_vx");
+-TYPE	("poly1305_emit_vx","\@function");
+-ALIGN	(16);
+-LABEL	("poly1305_emit_vx");
+-if ($z) {
+-	aghi	($sp,-$frame);
+-	vstm	("%v8","%v15","0($sp)");
+-} else {
+-	std	("%f4","16*$SIZE_T+2*8($sp)");
+-	std	("%f6","16*$SIZE_T+3*8($sp)");
+-}
+-	larl	("%r5",".Lconst");
+-
+-	vlef	(@acc[$_],"4*$_($ctx)",1) for (0..4);	# load acc1
+-	vlef	(@acc[$_],"24+4*$_($ctx)",3) for (0..4);	# load acc2
+-	vlef	(@r5[$_],"108+4*$_($ctx)",1) for (0..4);	# load 5*r^2
+-	vlef	(@r[$_],"88+4*$_($ctx)",1) for (0..4);	# load r^2
+-	vlef	(@r5[$_],"68+4*$_($ctx)",3) for (0..4);	# load 5*r
+-	vlef	(@r[$_],"48+4*$_($ctx)",3) for (0..4);	# load r
+-	vl	($mask,"48(%r5)");	# load mask
+-
+-	# acc = acc1 * r^2 + acc2 * r
+-
+-	vmlof	(@tmp[0],@acc[4],@r5[1]);
+-	vmlof	(@tmp[1],@acc[4],@r5[2]);
+-	vmlof	(@tmp[2],@acc[4],@r5[3]);
+-	vmlof	(@tmp[3],@acc[4],@r5[4]);
+-	vmlof	(@tmp[4],@acc[4],@r[0]);
+-
+-	vmalof	(@tmp[0],@acc[3],@r5[2],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[3],@r5[3],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[3],@r5[4],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[3],@r[0],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[3],@r[1],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[2],@r5[3],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[2],@r5[4],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[2],@r[0],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[2],@r[1],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[2],@r[2],@tmp[4]);
+-
+-	vmalof	(@tmp[0],@acc[1],@r5[4],@tmp[0]);
+-	vmalof	(@tmp[1],@acc[1],@r[0],@tmp[1]);
+-	vmalof	(@tmp[2],@acc[1],@r[1],@tmp[2]);
+-	vmalof	(@tmp[3],@acc[1],@r[2],@tmp[3]);
+-	vmalof	(@tmp[4],@acc[1],@r[3],@tmp[4]);
+-
+-	vmalof	(@acc[1],@acc[0],@r[1],@tmp[1]);
+-	vmalof	(@acc[2],@acc[0],@r[2],@tmp[2]);
+-	vmalof	(@acc[3],@acc[0],@r[3],@tmp[3]);
+-	vmalof	(@acc[4],@acc[0],@r[4],@tmp[4]);
+-	vmalof	(@acc[0],@acc[0],@r[0],@tmp[0]);
+-
+-	vzero	("%v27");
+-	vsumqg	(@acc[$_],@acc[$_],"%v27") for (0..4);
+-
+-	REDUCE	();
+-
+-	vesrlg	(@tmp[1],@acc[1],26);
+-	vn	(@acc[1],@acc[1],$mask);
+-	vag	(@acc[2],@acc[2],@tmp[1]);	# carry 1->2
+-
+-	vesrlg	(@tmp[2],@acc[2],26);
+-	vn	(@acc[2],@acc[2],$mask);
+-	vag	(@acc[3],@acc[3],@tmp[2]);	# carry 2->3
+-
+-	vesrlg	(@tmp[3],@acc[3],26);
+-	vn	(@acc[3],@acc[3],$mask);
+-	vag	(@acc[4],@acc[4],@tmp[3]);	# carry 3->4
+-
+-	# acc -> base 2^64
+-	vleib	("%v30",6*8,7);
+-	vleib	("%v29",13*8,7);
+-	vleib	("%v28",3*8,7);
+-
+-	veslg	(@acc[1],@acc[1],26);
+-	veslg	(@acc[3],@acc[3],26);
+-	vo	(@acc[0],@acc[0],@acc[1]);
+-	vo	(@acc[2],@acc[2],@acc[3]);
+-
+-	veslg	(@acc[2],@acc[2],4);
+-	vslb	(@acc[2],@acc[2],"%v30");	# <<52
+-	vo	(@acc[0],@acc[0],@acc[2]);
+-
+-	vslb	(@tmp[4],@acc[4],"%v29");	# <<104
+-	vo	(@acc[0],@acc[0],@tmp[4]);
+-
+-	vsrlb	(@acc[1],@acc[4],"%v28");	# >>24
+-
+-	# acc %= 2^130-5
+-	vone	("%v26");
+-	vleig	("%v27",5,1);
+-	vone	("%v29");
+-	vleig	("%v26",-4,1);
+-
+-	vaq	(@tmp[0],@acc[0],"%v27");
+-	vaccq	(@tmp[1],@acc[0],"%v27");
+-
+-	vaq	(@tmp[1],@tmp[1],"%v26");
+-	vaccq	(@tmp[1],@tmp[1],@acc[1]);
+-
+-	vaq	(@tmp[1],@tmp[1],"%v29");
+-
+-	vn	(@tmp[2],@tmp[1],@acc[0]);
+-	vnc	(@tmp[3],@tmp[0],@tmp[1]);
+-	vo	(@acc[0],@tmp[2],@tmp[3]);
+-
+-	# acc += nonce
+-	vl	(@vperm[0],"64(%r5)");
+-	vlef	(@tmp[0],"4*$_($nonce)",3-$_) for (0..3);
+-
+-	vaq	(@acc[0],@acc[0],@tmp[0]);
+-
+-	vperm	(@acc[0],@acc[0],@acc[0],@vperm[0]);
+-	vst	(@acc[0],"0($mac)");	# store mac
+-
+-if ($z) {
+-	vlm	("%v8","%v15","0($sp)");
+-	la	($sp,"$frame($sp)");
+-} else {
+-	ld	("%f4","16*$SIZE_T+2*8($sp)");
+-	ld	("%f6","16*$SIZE_T+3*8($sp)");
+-}
+-	br	("%r14");
+-SIZE	("poly1305_emit_vx",".-poly1305_emit_vx");
+-}
+-}
+-
+-# NOVX CODE PATH
+-{
+-################
+-# static void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len,
+-#                             u32 padbit)
+-{
+-my ($ctx,$inp,$len,$padbit) = map("%r$_",(2..5));
+-
+ my ($d0hi,$d0lo,$d1hi,$d1lo,$t0,$h0,$t1,$h1,$h2) = map("%r$_",(6..14));
+ my ($r0,$r1,$s1) = map("%r$_",(0..2));
++
+ GLOBL	("poly1305_blocks");
+ TYPE	("poly1305_blocks","\@function");
+ ALIGN	(16);
+ LABEL	("poly1305_blocks");
+-$z?	srlg	($len,$len,4)	:srl	($len,4);
+-	lghi	("%r0",0);
+-&{$z?	\&clgr:\&clr}	($len,"%r0");
+-	je	(".Lno_data");
++LABEL	(".Lpoly1305_blocks");
++&{$z?	\&ltgr:\&ltr}	("%r0",$len);
++	jz	(".Lno_data");
+ 
+ &{$z?	\&stmg:\&stm}	("%r6","%r14","6*$SIZE_T($sp)");
+ 
+-	llgfr	($padbit,$padbit);	# clear upper half, much needed with
+-					# non-64-bit ABI
+-	lg	($r0,"32($ctx)");	# load key
+-	lg	($r1,"40($ctx)");
+-
+-	lg	($h0,"0($ctx)");	# load hash value
++	lg	($h0,"0($ctx)");		# load hash value
+ 	lg	($h1,"8($ctx)");
+ 	lg	($h2,"16($ctx)");
+ 
++LABEL	(".Lpoly1305_blocks_entry");
++if ($z) {
++	srlg	($len,$len,4);
++} else {
++	srl	($len,4);
++}
++	llgfr   ($padbit,$padbit);		# clear upper half, much needed with
++						# non-64-bit ABI
++	lg	($r0,"32($ctx)");		# load key
++	lg	($r1,"40($ctx)");
++
+ &{$z?	\&stg:\&st}	($ctx,"2*$SIZE_T($sp)");	# off-load $ctx
+ 	srlg	($s1,$r1,2);
+ 	algr	($s1,$r1);			# s1 = r1 + r1>>2
+@@ -718,21 +160,21 @@ $z?	srlg	($len,$len,4)	:srl	($len,4);
+ 
+ ALIGN	(16);
+ LABEL	(".Loop");
+-	lrvg	($d0lo,"0($inp)");	# load little-endian input
++	lrvg	($d0lo,"0($inp)");		# load little-endian input
+ 	lrvg	($d1lo,"8($inp)");
+ 	la	($inp,"16($inp)");
+ 
+-	algr	($d0lo,$h0);		# accumulate input
++	algr	($d0lo,$h0);			# accumulate input
+ 	alcgr	($d1lo,$h1);
++	alcgr	($h2,$padbit);
+ 
+ 	lgr	($h0,$d0lo);
+-	mlgr	($d0hi,$r0);		# h0*r0	  -> $d0hi:$d0lo
++	mlgr	($d0hi,$r0);			# h0*r0	  -> $d0hi:$d0lo
+ 	lgr	($h1,$d1lo);
+-	mlgr	($d1hi,$s1);		# h1*5*r1 -> $d1hi:$d1lo
++	mlgr	($d1hi,$s1);			# h1*5*r1 -> $d1hi:$d1lo
+ 
+-	mlgr	($t0,$r1);		# h0*r1   -> $t0:$h0
+-	mlgr	($t1,$r0);		# h1*r0   -> $t1:$h1
+-	alcgr	($h2,$padbit);
++	mlgr	($t0,$r1);			# h0*r1   -> $t0:$h0
++	mlgr	($t1,$r0);			# h1*r0   -> $t1:$h1
+ 
+ 	algr	($d0lo,$d1lo);
+ 	lgr	($d1lo,$h2);
+@@ -742,16 +184,16 @@ LABEL	(".Loop");
+ 	algr	($h1,$h0);
+ 	alcgr	($t1,$t0);
+ 
+-	msgr	($d1lo,$s1);		# h2*s1
+-	msgr	($h2,$r0);		# h2*r0
++	msgr	($d1lo,$s1);			# h2*s1
++	msgr	($h2,$r0);			# h2*r0
+ 
+ 	algr	($h1,$d1lo);
+-	alcgr	($t1,$d1hi);		# $d1hi is zero
++	alcgr	($t1,$d1hi);			# $d1hi is zero
+ 
+ 	algr	($h1,$d0hi);
+ 	alcgr	($h2,$t1);
+ 
+-	lghi	($h0,-4);		# final reduction step
++	lghi	($h0,-4);			# final reduction step
+ 	ngr	($h0,$h2);
+ 	srlg	($t0,$h2,2);
+ 	algr	($h0,$t0);
+@@ -759,14 +201,14 @@ LABEL	(".Loop");
+ 	ngr	($h2,$t1);
+ 
+ 	algr	($h0,$d0lo);
+-	alcgr	($h1,$d1hi);		# $d1hi is still zero
+-	alcgr	($h2,$d1hi);		# $d1hi is still zero
++	alcgr	($h1,$d1hi);			# $d1hi is still zero
++	alcgr	($h2,$d1hi);			# $d1hi is still zero
+ 
+ &{$z?	\&brctg:\&brct}	($len,".Loop");
+ 
+ &{$z?	\&lg:\&l}	($ctx,"2*$SIZE_T($sp)");# restore $ctx
+ 
+-	stg	($h0,"0($ctx)");	# store hash value
++	stg	($h0,"0($ctx)");		# store hash value
+ 	stg	($h1,"8($ctx)");
+ 	stg	($h2,"16($ctx)");
+ 
+@@ -777,67 +219,766 @@ SIZE	("poly1305_blocks",".-poly1305_bloc
+ }
+ 
+ ################
++# static void poly1305_blocks_vx(void *ctx, const unsigned char *inp,
++#                                size_t len, u32 padbit)
++{
++my ($H0, $H1, $H2, $H3, $H4) = map("%v$_",(0..4));
++my ($I0, $I1, $I2, $I3, $I4) = map("%v$_",(5..9));
++my ($R0, $R1, $S1, $R2, $S2) = map("%v$_",(10..14));
++my      ($R3, $S3, $R4, $S4) = map("%v$_",(15..18));
++my ($ACC0, $ACC1, $ACC2, $ACC3, $ACC4) = map("%v$_",(19..23));
++my      ($T1, $T2, $T3, $T4) = map("%v$_",(24..27));
++my ($mask26,$bswaplo,$bswaphi,$bswapmi) = map("%v$_",(28..31));
++
++my ($d2,$d0,$h0,$d1,$h1,$h2)=map("%r$_",(9..14));
++
++TYPE	("poly1305_blocks_vx","\@function");
++ALIGN	(16);
++LABEL	("poly1305_blocks_vx");
++LABEL	(".Lpoly1305_blocks_vx");
++&{$z?	\&clgfi:\&clfi} ($len,128);
++	jhe	("__poly1305_blocks_vx");
++
++&{$z?	\&stmg:\&stm}	("%r6","%r14","6*$SIZE_T($sp)");
++
++	lg	($d0,"0($ctx)");
++	lg	($d1,"8($ctx)");
++	lg	($d2,"16($ctx)");
++
++	llgfr	("%r0",$d0);			# base 2^26 -> base 2^64
++	srlg	($h0,$d0,32);
++	llgfr	("%r1",$d1);
++	srlg	($h1,$d1,32);
++	srlg	($h2,$d2,32);
++
++	sllg	("%r0","%r0",26);
++	algr	($h0,"%r0");
++	sllg	("%r0",$h1,52);
++	srlg	($h1,$h1,12);
++	sllg	("%r1","%r1",14);
++	algr	($h0,"%r0");
++	alcgr	($h1,"%r1");
++	sllg	("%r0",$h2,40);
++	srlg	($h2,$h2,24);
++	lghi	("%r1",0);
++	algr	($h1,"%r0");
++	alcgr	($h2,"%r1");
++
++	llgf	("%r0","24($ctx)");		# is_base2_26
++	lcgr	("%r0","%r0");
++
++	xgr	($h0,$d0);			# choose between radixes
++	xgr	($h1,$d1);
++	xgr	($h2,$d2);
++	ngr	($h0,"%r0");
++	ngr	($h1,"%r0");
++	ngr	($h2,"%r0");
++	xgr	($h0,$d0);
++	xgr	($h1,$d1);
++	xgr	($h2,$d2);
++
++	lhi	("%r0",0);
++	st	("%r0","24($ctx)");		# clear is_base2_26
++
++	j	(".Lpoly1305_blocks_entry");
++SIZE	("poly1305_blocks_vx",".-poly1305_blocks_vx");
++
++TYPE	("__poly1305_mul","\@function");
++ALIGN	(16);
++LABEL	("__poly1305_mul");
++	vmlof		($ACC0,$H0,$R0);
++	vmlof		($ACC1,$H0,$R1);
++	vmlof		($ACC2,$H0,$R2);
++	vmlof		($ACC3,$H0,$R3);
++	vmlof		($ACC4,$H0,$R4);
++
++	vmalof		($ACC0,$H1,$S4,$ACC0);
++	vmalof		($ACC1,$H1,$R0,$ACC1);
++	vmalof		($ACC2,$H1,$R1,$ACC2);
++	vmalof		($ACC3,$H1,$R2,$ACC3);
++	vmalof		($ACC4,$H1,$R3,$ACC4);
++
++	vmalof		($ACC0,$H2,$S3,$ACC0);
++	vmalof		($ACC1,$H2,$S4,$ACC1);
++	vmalof		($ACC2,$H2,$R0,$ACC2);
++	vmalof		($ACC3,$H2,$R1,$ACC3);
++	vmalof		($ACC4,$H2,$R2,$ACC4);
++
++	vmalof		($ACC0,$H3,$S2,$ACC0);
++	vmalof		($ACC1,$H3,$S3,$ACC1);
++	vmalof		($ACC2,$H3,$S4,$ACC2);
++	vmalof		($ACC3,$H3,$R0,$ACC3);
++	vmalof		($ACC4,$H3,$R1,$ACC4);
++
++	vmalof		($ACC0,$H4,$S1,$ACC0);
++	vmalof		($ACC1,$H4,$S2,$ACC1);
++	vmalof		($ACC2,$H4,$S3,$ACC2);
++	vmalof		($ACC3,$H4,$S4,$ACC3);
++	vmalof		($ACC4,$H4,$R0,$ACC4);
++
++	################################################################
++	# lazy reduction
++
++	vesrlg		($H4,$ACC3,26);
++	vesrlg		($H1,$ACC0,26);
++	vn		($H3,$ACC3,$mask26);
++	vn		($H0,$ACC0,$mask26);
++	vag		($H4,$H4,$ACC4);	# h3 -> h4
++	vag		($H1,$H1,$ACC1);	# h0 -> h1
++
++	vesrlg		($ACC4,$H4,26);
++	vesrlg		($ACC1,$H1,26);
++	vn		($H4,$H4,$mask26);
++	vn		($H1,$H1,$mask26);
++	vag		($H0,$H0,$ACC4);
++	vag		($H2,$ACC2,$ACC1);	# h1 -> h2
++
++	veslg		($ACC4,$ACC4,2);	# <<2
++	vesrlg		($ACC2,$H2,26);
++	vn		($H2,$H2,$mask26);
++	vag		($H0,$H0,$ACC4);	# h4 -> h0
++	vag		($H3,$H3,$ACC2);	# h2 -> h3
++
++	vesrlg		($ACC0,$H0,26);
++	vesrlg		($ACC3,$H3,26);
++	vn		($H0,$H0,$mask26);
++	vn		($H3,$H3,$mask26);
++	vag		($H1,$H1,$ACC0);	# h0 -> h1
++	vag		($H4,$H4,$ACC3);	# h3 -> h4
++	br		("%r14");
++SIZE	("__poly1305_mul",".-__poly1305_mul");
++
++TYPE	("__poly1305_blocks_vx","\@function");
++ALIGN	(16);
++LABEL	("__poly1305_blocks_vx");
++&{$z?	\&lgr:\&lr}	("%r0",$sp);
++&{$z?	\&stmg:\&stm}	("%r10","%r15","10*$SIZE_T($sp)");
++if (!$z) {
++	std	("%f4","16*$SIZE_T+2*8($sp)");
++	std	("%f6","16*$SIZE_T+3*8($sp)");
++	ahi	($sp,-$stdframe);
++	st	("%r0","0($sp)");		# back-chain
++
++	llgfr	($len,$len);			# so that srlg works on $len
++} else {
++	aghi	($sp,"-($stdframe+8*8)");
++	stg	("%r0","0($sp)");		# back-chain
++
++	std	("%f8","$stdframe+0*8($sp)");
++	std	("%f9","$stdframe+1*8($sp)");
++	std	("%f10","$stdframe+2*8($sp)");
++	std	("%f11","$stdframe+3*8($sp)");
++	std	("%f12","$stdframe+4*8($sp)");
++	std	("%f13","$stdframe+5*8($sp)");
++	std	("%f14","$stdframe+6*8($sp)");
++	std	("%f15","$stdframe+7*8($sp)");
++}
++	larl	("%r1",".Lconst");
++	vgmg	($mask26,38,63);
++	vlm	($bswaplo,$bswapmi,"16(%r1)");
++
++	&lt	("%r0","24($ctx)");		# is_base2_26?
++	jnz	(".Lskip_init");
++
++	lg	($h0,"32($ctx)");		# load key base 2^64
++	lg	($h1,"40($ctx)");
++
++	risbg	($d0,$h0,38,0x80+63,38);	# base 2^64 -> 2^26
++	srlg	($d1,$h0,52);
++	risbg	($h0,$h0,38,0x80+63,0);
++	vlvgg	($R0,$h0,0);
++	risbg	($d1,$h1,38,51,12);
++	vlvgg	($R1,$d0,0);
++	risbg	($d0,$h1,38,63,50);
++	vlvgg	($R2,$d1,0);
++	srlg	($d1,$h1,40);
++	vlvgg	($R3,$d0,0);
++	vlvgg	($R4,$d1,0);
++
++	veslg	($S1,$R1,2);
++	veslg	($S2,$R2,2);
++	veslg	($S3,$R3,2);
++	veslg	($S4,$R4,2);
++	vlr	($H0,$R0);
++	vlr	($H1,$R1);
++	vlr	($H2,$R2);
++	vlr	($H3,$R3);
++	vlr	($H4,$R4);
++	vag	($S1,$S1,$R1);			# * 5
++	vag	($S2,$S2,$R2);
++	vag	($S3,$S3,$R3);
++	vag	($S4,$S4,$R4);
++
++	brasl	("%r14","__poly1305_mul");	# r^1:- * r^1:-
++
++	vpdi	($R0,$H0,$R0,0);		# r^2:r^1
++	vpdi	($R1,$H1,$R1,0);
++	vpdi	($R2,$H2,$R2,0);
++	vpdi	($R3,$H3,$R3,0);
++	vpdi	($R4,$H4,$R4,0);
++	vpdi	($H0,$H0,$H0,0);		# r^2:r^2
++	vpdi	($H1,$H1,$H1,0);
++	vpdi	($H2,$H2,$H2,0);
++	vpdi	($H3,$H3,$H3,0);
++	vpdi	($H4,$H4,$H4,0);
++	veslg	($S1,$R1,2);
++	veslg	($S2,$R2,2);
++	veslg	($S3,$R3,2);
++	veslg	($S4,$R4,2);
++	vag	($S1,$S1,$R1);			# * 5
++	vag	($S2,$S2,$R2);
++	vag	($S3,$S3,$R3);
++	vag	($S4,$S4,$R4);
++
++	brasl	("%r14,__poly1305_mul");	# r^2:r^2 * r^2:r^1
++
++	vl	($I0,"0(%r1)");			# borrow $I0
++	vperm	($R0,$R0,$H0,$I0);		# r^2:r^4:r^1:r^3
++	vperm	($R1,$R1,$H1,$I0);
++	vperm	($R2,$R2,$H2,$I0);
++	vperm	($R3,$R3,$H3,$I0);
++	vperm	($R4,$R4,$H4,$I0);
++	veslf	($S1,$R1,2);
++	veslf	($S2,$R2,2);
++	veslf	($S3,$R3,2);
++	veslf	($S4,$R4,2);
++	vaf	($S1,$S1,$R1);			# * 5
++	vaf	($S2,$S2,$R2);
++	vaf	($S3,$S3,$R3);
++	vaf	($S4,$S4,$R4);
++
++	lg	($h0,"0($ctx)");		# load hash base 2^64
++	lg	($h1,"8($ctx)");
++	lg	($h2,"16($ctx)");
++
++	vzero	($H0);
++	vzero	($H1);
++	vzero	($H2);
++	vzero	($H3);
++	vzero	($H4);
++
++	risbg	($d0,$h0,38,0x80+63,38);	# base 2^64 -> 2^26
++	srlg	($d1,$h0,52);
++	risbg	($h0,$h0,38,0x80+63,0);
++	vlvgg	($H0,$h0,0);
++	risbg	($d1,$h1,38,51,12);
++	vlvgg	($H1,$d0,0);
++	risbg	($d0,$h1,38,63,50);
++	vlvgg	($H2,$d1,0);
++	srlg	($d1,$h1,40);
++	vlvgg	($H3,$d0,0);
++	risbg	($d1,$h2,37,39,24);
++	vlvgg	($H4,$d1,0);
++
++	lhi	("%r0",1);
++	st	("%r0","24($ctx)");		# set is_base2_26
++
++	vstm	($R0,$S4,"48($ctx)");		# save key schedule base 2^26
++
++	vpdi	($R0,$R0,$R0,0);		# broadcast r^2:r^4
++	vpdi	($R1,$R1,$R1,0);
++	vpdi	($S1,$S1,$S1,0);
++	vpdi	($R2,$R2,$R2,0);
++	vpdi	($S2,$S2,$S2,0);
++	vpdi	($R3,$R3,$R3,0);
++	vpdi	($S3,$S3,$S3,0);
++	vpdi	($R4,$R4,$R4,0);
++	vpdi	($S4,$S4,$S4,0);
++
++	j	(".Loaded_hash");
++
++ALIGN	(16);
++LABEL	(".Lskip_init");
++	vllezf	($H0,"0($ctx)");		# load hash base 2^26
++	vllezf	($H1,"4($ctx)");
++	vllezf	($H2,"8($ctx)");
++	vllezf	($H3,"12($ctx)");
++	vllezf	($H4,"16($ctx)");
++
++	vlrepg	($R0,"0x30($ctx)");		# broadcast r^2:r^4
++	vlrepg	($R1,"0x40($ctx)");
++	vlrepg	($S1,"0x50($ctx)");
++	vlrepg	($R2,"0x60($ctx)");
++	vlrepg	($S2,"0x70($ctx)");
++	vlrepg	($R3,"0x80($ctx)");
++	vlrepg	($S3,"0x90($ctx)");
++	vlrepg	($R4,"0xa0($ctx)");
++	vlrepg	($S4,"0xb0($ctx)");
++
++LABEL	(".Loaded_hash");
++	vzero	($I1);
++	vzero	($I3);
++
++	vlm	($T1,$T4,"0x00($inp)");		# load first input block
++	la	($inp,"0x40($inp)");
++	vgmg	($mask26,6,31);
++	vgmf	($I4,5,5);			# padbit<<2
++
++	vperm	($I0,$T3,$T4,$bswaplo);
++	vperm	($I2,$T3,$T4,$bswapmi);
++	vperm	($T3,$T3,$T4,$bswaphi);
++
++	verimg	($I1,$I0,$mask26,6);		# >>26
++	veslg	($I0,$I0,32);
++	veslg	($I2,$I2,28);			# >>4
++	verimg	($I3,$T3,$mask26,18);		# >>14
++	verimg	($I4,$T3,$mask26,58);		# >>38
++	vn	($I0,$I0,$mask26);
++	vn	($I2,$I2,$mask26);
++	vesrlf	($I4,$I4,2);			# >>2
++
++	vgmg	($mask26,38,63);
++	vperm	($T3,$T1,$T2,$bswaplo);
++	vperm	($T4,$T1,$T2,$bswaphi);
++	vperm	($T2,$T1,$T2,$bswapmi);
++
++	verimg	($I0,$T3,$mask26,0);
++	verimg	($I1,$T3,$mask26,38);		# >>26
++	verimg	($I2,$T2,$mask26,60);		# >>4
++	verimg	($I3,$T4,$mask26,50);		# >>14
++	vesrlg	($T4,$T4,40);
++	vo	($I4,$I4,$T4);
++
++	srlg	("%r0",$len,6);
++&{$z?	\&aghi:\&ahi}	("%r0",-1);
++
++ALIGN	(16);
++LABEL	(".Loop_vx");
++	vmlef		($ACC0,$I0,$R0);
++	vmlef		($ACC1,$I0,$R1);
++	vmlef		($ACC2,$I0,$R2);
++	vmlef		($ACC3,$I0,$R3);
++	vmlef		($ACC4,$I0,$R4);
++
++	vmalef		($ACC0,$I1,$S4,$ACC0);
++	vmalef		($ACC1,$I1,$R0,$ACC1);
++	vmalef		($ACC2,$I1,$R1,$ACC2);
++	vmalef		($ACC3,$I1,$R2,$ACC3);
++	vmalef		($ACC4,$I1,$R3,$ACC4);
++
++	 vaf		($H2,$H2,$I2);
++	 vaf		($H0,$H0,$I0);
++	 vaf		($H3,$H3,$I3);
++	 vaf		($H1,$H1,$I1);
++	 vaf		($H4,$H4,$I4);
++
++	vmalef		($ACC0,$I2,$S3,$ACC0);
++	vmalef		($ACC1,$I2,$S4,$ACC1);
++	vmalef		($ACC2,$I2,$R0,$ACC2);
++	vmalef		($ACC3,$I2,$R1,$ACC3);
++	vmalef		($ACC4,$I2,$R2,$ACC4);
++
++	 vlm		($T1,$T4,"0x00($inp)");	# load next input block
++	 la		($inp,"0x40($inp)");
++	 vgmg		($mask26,6,31);
++
++	vmalef		($ACC0,$I3,$S2,$ACC0);
++	vmalef		($ACC1,$I3,$S3,$ACC1);
++	vmalef		($ACC2,$I3,$S4,$ACC2);
++	vmalef		($ACC3,$I3,$R0,$ACC3);
++	vmalef		($ACC4,$I3,$R1,$ACC4);
++
++	 vperm		($I0,$T3,$T4,$bswaplo);
++	 vperm		($I2,$T3,$T4,$bswapmi);
++	 vperm		($T3,$T3,$T4,$bswaphi);
++
++	vmalef		($ACC0,$I4,$S1,$ACC0);
++	vmalef		($ACC1,$I4,$S2,$ACC1);
++	vmalef		($ACC2,$I4,$S3,$ACC2);
++	vmalef		($ACC3,$I4,$S4,$ACC3);
++	vmalef		($ACC4,$I4,$R0,$ACC4);
++
++	 verimg		($I1,$I0,$mask26,6);	# >>26
++	 veslg		($I0,$I0,32);
++	 veslg		($I2,$I2,28);		# >>4
++	 verimg		($I3,$T3,$mask26,18);	# >>14
++
++	vmalof		($ACC0,$H0,$R0,$ACC0);
++	vmalof		($ACC1,$H0,$R1,$ACC1);
++	vmalof		($ACC2,$H0,$R2,$ACC2);
++	vmalof		($ACC3,$H0,$R3,$ACC3);
++	vmalof		($ACC4,$H0,$R4,$ACC4);
++
++	 vgmf		($I4,5,5);		# padbit<<2
++	 verimg		($I4,$T3,$mask26,58);	# >>38
++	 vn		($I0,$I0,$mask26);
++	 vn		($I2,$I2,$mask26);
++	 vesrlf		($I4,$I4,2);		# >>2
++
++	vmalof		($ACC0,$H1,$S4,$ACC0);
++	vmalof		($ACC1,$H1,$R0,$ACC1);
++	vmalof		($ACC2,$H1,$R1,$ACC2);
++	vmalof		($ACC3,$H1,$R2,$ACC3);
++	vmalof		($ACC4,$H1,$R3,$ACC4);
++
++	 vgmg		($mask26,38,63);
++	 vperm		($T3,$T1,$T2,$bswaplo);
++	 vperm		($T4,$T1,$T2,$bswaphi);
++	 vperm		($T2,$T1,$T2,$bswapmi);
++
++	vmalof		($ACC0,$H2,$S3,$ACC0);
++	vmalof		($ACC1,$H2,$S4,$ACC1);
++	vmalof		($ACC2,$H2,$R0,$ACC2);
++	vmalof		($ACC3,$H2,$R1,$ACC3);
++	vmalof		($ACC4,$H2,$R2,$ACC4);
++
++	 verimg		($I0,$T3,$mask26,0);
++	 verimg		($I1,$T3,$mask26,38);	# >>26
++	 verimg		($I2,$T2,$mask26,60);	# >>4
++
++	vmalof		($ACC0,$H3,$S2,$ACC0);
++	vmalof		($ACC1,$H3,$S3,$ACC1);
++	vmalof		($ACC2,$H3,$S4,$ACC2);
++	vmalof		($ACC3,$H3,$R0,$ACC3);
++	vmalof		($ACC4,$H3,$R1,$ACC4);
++
++	 verimg		($I3,$T4,$mask26,50);	# >>14
++	 vesrlg		($T4,$T4,40);
++	 vo		($I4,$I4,$T4);
++
++	vmalof		($ACC0,$H4,$S1,$ACC0);
++	vmalof		($ACC1,$H4,$S2,$ACC1);
++	vmalof		($ACC2,$H4,$S3,$ACC2);
++	vmalof		($ACC3,$H4,$S4,$ACC3);
++	vmalof		($ACC4,$H4,$R0,$ACC4);
++
++	################################################################
++	# lazy reduction as discussed in "NEON crypto" by D.J. Bernstein
++	# and P. Schwabe
++
++	vesrlg		($H4,$ACC3,26);
++	vesrlg		($H1,$ACC0,26);
++	vn		($H3,$ACC3,$mask26);
++	vn		($H0,$ACC0,$mask26);
++	vag		($H4,$H4,$ACC4);	# h3 -> h4
++	vag		($H1,$H1,$ACC1);	# h0 -> h1
++
++	vesrlg		($ACC4,$H4,26);
++	vesrlg		($ACC1,$H1,26);
++	vn		($H4,$H4,$mask26);
++	vn		($H1,$H1,$mask26);
++	vag		($H0,$H0,$ACC4);
++	vag		($H2,$ACC2,$ACC1);	# h1 -> h2
++
++	veslg		($ACC4,$ACC4,2);	# <<2
++	vesrlg		($ACC2,$H2,26);
++	vn		($H2,$H2,$mask26);
++	vag		($H0,$H0,$ACC4);	# h4 -> h0
++	vag		($H3,$H3,$ACC2);	# h2 -> h3
++
++	vesrlg		($ACC0,$H0,26);
++	vesrlg		($ACC3,$H3,26);
++	vn		($H0,$H0,$mask26);
++	vn		($H3,$H3,$mask26);
++	vag		($H1,$H1,$ACC0);	# h0 -> h1
++	vag		($H4,$H4,$ACC3);	# h3 -> h4
++
++&{$z?	\&brctg:\&brct}	("%r0",".Loop_vx");
++
++	vlm	($R0,$S4,"48($ctx)");		# load all powers
++
++	lghi	("%r0",0x30);
++&{$z?	\&lcgr:\&lcr}	($len,$len);
++&{$z?	\&ngr:\&nr}	($len,"%r0");
++&{$z?	\&slgr:\&slr}	($inp,$len);
++
++LABEL	(".Last");
++	vmlef	($ACC0,$I0,$R0);
++	vmlef	($ACC1,$I0,$R1);
++	vmlef	($ACC2,$I0,$R2);
++	vmlef	($ACC3,$I0,$R3);
++	vmlef	($ACC4,$I0,$R4);
++
++	vmalef	($ACC0,$I1,$S4,$ACC0);
++	vmalef	($ACC1,$I1,$R0,$ACC1);
++	vmalef	($ACC2,$I1,$R1,$ACC2);
++	vmalef	($ACC3,$I1,$R2,$ACC3);
++	vmalef	($ACC4,$I1,$R3,$ACC4);
++
++	 vaf	($H0,$H0,$I0);
++	 vaf	($H1,$H1,$I1);
++	 vaf	($H2,$H2,$I2);
++	 vaf	($H3,$H3,$I3);
++	 vaf	($H4,$H4,$I4);
++
++	vmalef	($ACC0,$I2,$S3,$ACC0);
++	vmalef	($ACC1,$I2,$S4,$ACC1);
++	vmalef	($ACC2,$I2,$R0,$ACC2);
++	vmalef	($ACC3,$I2,$R1,$ACC3);
++	vmalef	($ACC4,$I2,$R2,$ACC4);
++
++	vmalef	($ACC0,$I3,$S2,$ACC0);
++	vmalef	($ACC1,$I3,$S3,$ACC1);
++	vmalef	($ACC2,$I3,$S4,$ACC2);
++	vmalef	($ACC3,$I3,$R0,$ACC3);
++	vmalef	($ACC4,$I3,$R1,$ACC4);
++
++	vmalef	($ACC0,$I4,$S1,$ACC0);
++	vmalef	($ACC1,$I4,$S2,$ACC1);
++	vmalef	($ACC2,$I4,$S3,$ACC2);
++	vmalef	($ACC3,$I4,$S4,$ACC3);
++	vmalef	($ACC4,$I4,$R0,$ACC4);
++
++	vmalof	($ACC0,$H0,$R0,$ACC0);
++	vmalof	($ACC1,$H0,$R1,$ACC1);
++	vmalof	($ACC2,$H0,$R2,$ACC2);
++	vmalof	($ACC3,$H0,$R3,$ACC3);
++	vmalof	($ACC4,$H0,$R4,$ACC4);
++
++	vmalof	($ACC0,$H1,$S4,$ACC0);
++	vmalof	($ACC1,$H1,$R0,$ACC1);
++	vmalof	($ACC2,$H1,$R1,$ACC2);
++	vmalof	($ACC3,$H1,$R2,$ACC3);
++	vmalof	($ACC4,$H1,$R3,$ACC4);
++
++	vmalof	($ACC0,$H2,$S3,$ACC0);
++	vmalof	($ACC1,$H2,$S4,$ACC1);
++	vmalof	($ACC2,$H2,$R0,$ACC2);
++	vmalof	($ACC3,$H2,$R1,$ACC3);
++	vmalof	($ACC4,$H2,$R2,$ACC4);
++
++	vmalof	($ACC0,$H3,$S2,$ACC0);
++	vmalof	($ACC1,$H3,$S3,$ACC1);
++	vmalof	($ACC2,$H3,$S4,$ACC2);
++	vmalof	($ACC3,$H3,$R0,$ACC3);
++	vmalof	($ACC4,$H3,$R1,$ACC4);
++
++	vmalof	($ACC0,$H4,$S1,$ACC0);
++	vmalof	($ACC1,$H4,$S2,$ACC1);
++	vmalof	($ACC2,$H4,$S3,$ACC2);
++	vmalof	($ACC3,$H4,$S4,$ACC3);
++	vmalof	($ACC4,$H4,$R0,$ACC4);
++
++	################################################################
++	# horizontal addition
++
++	vzero	($H0);
++	vsumqg	($ACC0,$ACC0,$H0);
++	vsumqg	($ACC1,$ACC1,$H0);
++	vsumqg	($ACC2,$ACC2,$H0);
++	vsumqg	($ACC3,$ACC3,$H0);
++	vsumqg	($ACC4,$ACC4,$H0);
++
++	################################################################
++	# lazy reduction
++
++	vesrlg	($H4,$ACC3,26);
++	vesrlg	($H1,$ACC0,26);
++	vn	($H3,$ACC3,$mask26);
++	vn	($H0,$ACC0,$mask26);
++	vag	($H4,$H4,$ACC4);		# h3 -> h4
++	vag	($H1,$H1,$ACC1);		# h0 -> h1
++
++	vesrlg	($ACC4,$H4,26);
++	vesrlg	($ACC1,$H1,26);
++	vn	($H4,$H4,$mask26);
++	vn	($H1,$H1,$mask26);
++	vag	($H0,$H0,$ACC4);
++	vag	($H2,$ACC2,$ACC1);		# h1 -> h2
++
++	veslg	($ACC4,$ACC4,2);		# <<2
++	vesrlg	($ACC2,$H2,26);
++	vn	($H2,$H2,$mask26);
++	vag	($H0,$H0,$ACC4);		# h4 -> h0
++	vag	($H3,$H3,$ACC2);		# h2 -> h3
++
++	vesrlg	($ACC0,$H0,26);
++	vesrlg	($ACC3,$H3,26);
++	vn	($H0,$H0,$mask26);
++	vn	($H3,$H3,$mask26);
++	vag	($H1,$H1,$ACC0);		# h0 -> h1
++	vag	($H4,$H4,$ACC3);		# h3 -> h4
++
++&{$z?	\&clgfi:\&clfi} ($len,0);
++	je	(".Ldone");
++
++	vlm	($T1,$T4,"0x00($inp)");		# load last partial block
++	vgmg	($mask26,6,31);
++	vgmf	($I4,5,5);			# padbit<<2
++
++	vperm	($I0,$T3,$T4,$bswaplo);
++	vperm	($I2,$T3,$T4,$bswapmi);
++	vperm	($T3,$T3,$T4,$bswaphi);
++
++	vl	($ACC0,"0x30($len,%r1)");	# borrow $ACC0,1
++	vl	($ACC1,"0x60($len,%r1)");
++
++	verimg	($I1,$I0,$mask26,6);		# >>26
++	veslg	($I0,$I0,32);
++	veslg	($I2,$I2,28);			# >>4
++	verimg	($I3,$T3,$mask26,18);		# >>14
++	verimg	($I4,$T3,$mask26,58);		# >>38
++	vn	($I0,$I0,$mask26);
++	vn	($I2,$I2,$mask26);
++	vesrlf	($I4,$I4,2);			# >>2
++
++	vgmg	($mask26,38,63);
++	vperm	($T3,$T1,$T2,$bswaplo);
++	vperm	($T4,$T1,$T2,$bswaphi);
++	vperm	($T2,$T1,$T2,$bswapmi);
++
++	verimg	($I0,$T3,$mask26,0);
++	verimg	($I1,$T3,$mask26,38);		# >>26
++	verimg	($I2,$T2,$mask26,60);		# >>4
++	verimg	($I3,$T4,$mask26,50);		# >>14
++	vesrlg	($T4,$T4,40);
++	vo	($I4,$I4,$T4);
++
++	vperm	($H0,$H0,$H0,$ACC0);		# move hash to right lane
++	vn	($I0,$I0,$ACC1);		# mask redundant lane[s]
++	vperm	($H1,$H1,$H1,$ACC0);
++	vn	($I1,$I1,$ACC1);
++	vperm	($H2,$H2,$H2,$ACC0);
++	vn	($I2,$I2,$ACC1);
++	vperm	($H3,$H3,$H3,$ACC0);
++	vn	($I3,$I3,$ACC1);
++	vperm	($H4,$H4,$H4,$ACC0);
++	vn	($I4,$I4,$ACC1);
++
++	vaf	($I0,$I0,$H0);			# accumulate hash
++	vzero	($H0);				# wipe hash value
++	vaf	($I1,$I1,$H1);
++	vzero	($H1);
++	vaf	($I2,$I2,$H2);
++	vzero	($H2);
++	vaf	($I3,$I3,$H3);
++	vzero	($H3);
++	vaf	($I4,$I4,$H4);
++	vzero	($H4);
++
++&{$z?	\&lghi:\&lhi}	($len,0);
++	j	(".Last");
++	# I don't bother to tell apart cases when only one multiplication
++	# pass is sufficient, because I argue that mispredicted branch
++	# penalties are comparable to overhead of sometimes redundant
++	# multiplication pass...
++
++LABEL	(".Ldone");
++	vstef	($H0,"0($ctx)",3);		# store hash base 2^26
++	vstef	($H1,"4($ctx)",3);
++	vstef	($H2,"8($ctx)",3);
++	vstef	($H3,"12($ctx)",3);
++	vstef	($H4,"16($ctx)",3);
++
++if ($z) {
++	ld	("%f8","$stdframe+0*8($sp)");
++	ld	("%f9","$stdframe+1*8($sp)");
++	ld	("%f10","$stdframe+2*8($sp)");
++	ld	("%f11","$stdframe+3*8($sp)");
++	ld	("%f12","$stdframe+4*8($sp)");
++	ld	("%f13","$stdframe+5*8($sp)");
++	ld	("%f14","$stdframe+6*8($sp)");
++	ld	("%f15","$stdframe+7*8($sp)");
++&{$z?	\&lmg:\&lm}	("%r10","%r15","$stdframe+8*8+10*$SIZE_T($sp)");
++} else {
++	ld	("%f4","$stdframe+16*$SIZE_T+2*8($sp)");
++	ld	("%f6","$stdframe+16*$SIZE_T+3*8($sp)");
++&{$z?	\&lmg:\&lm}	("%r10","%r15","$stdframe+10*$SIZE_T($sp)");
++}
++	br	("%r14");
++SIZE	("__poly1305_blocks_vx",".-__poly1305_blocks_vx");
++}
++
++################
+ # static void poly1305_emit(void *ctx, unsigned char mac[16],
+ #                           const u32 nonce[4])
+ {
+-my ($ctx,$mac,$nonce) = map("%r$_",(2..4));
+-my ($h0,$h1,$h2,$d0,$d1)=map("%r$_",(5..9));
++my ($mac,$nonce)=($inp,$len);
++my ($h0,$h1,$h2,$d0,$d1,$d2)=map("%r$_",(5..10));
+ 
+ GLOBL	("poly1305_emit");
+ TYPE	("poly1305_emit","\@function");
+ ALIGN	(16);
+ LABEL	("poly1305_emit");
+-&{$z?	\&stmg:\&stm}	("%r6","%r9","6*$SIZE_T($sp)");
++LABEL	(".Lpoly1305_emit");
++&{$z?	\&stmg:\&stm}	("%r6","%r10","6*$SIZE_T($sp)");
+ 
+-	lg	($h0,"0($ctx)");
+-	lg	($h1,"8($ctx)");
+-	lg	($h2,"16($ctx)");
++	lg	($d0,"0($ctx)");
++	lg	($d1,"8($ctx)");
++	lg	($d2,"16($ctx)");
++
++	llgfr	("%r0",$d0);			# base 2^26 -> base 2^64
++	srlg	($h0,$d0,32);
++	llgfr	("%r1",$d1);
++	srlg	($h1,$d1,32);
++	srlg	($h2,$d2,32);
++
++	sllg	("%r0","%r0",26);
++	algr	($h0,"%r0");
++	sllg	("%r0",$h1,52);
++	srlg	($h1,$h1,12);
++	sllg	("%r1","%r1",14);
++	algr	($h0,"%r0");
++	alcgr	($h1,"%r1");
++	sllg	("%r0",$h2,40);
++	srlg	($h2,$h2,24);
++	lghi	("%r1",0);
++	algr	($h1,"%r0");
++	alcgr	($h2,"%r1");
++
++	llgf	("%r0","24($ctx)");		# is_base2_26
++	lcgr	("%r0","%r0");
++
++	xgr	($h0,$d0);			# choose between radixes
++	xgr	($h1,$d1);
++	xgr	($h2,$d2);
++	ngr	($h0,"%r0");
++	ngr	($h1,"%r0");
++	ngr	($h2,"%r0");
++	xgr	($h0,$d0);
++	xgr	($h1,$d1);
++	xgr	($h2,$d2);
+ 
+ 	lghi	("%r0",5);
+-	lghi	("%r1",0);
+ 	lgr	($d0,$h0);
+ 	lgr	($d1,$h1);
+ 
+-	algr	($h0,"%r0");		# compare to modulus
++	algr	($h0,"%r0");			# compare to modulus
+ 	alcgr	($h1,"%r1");
+ 	alcgr	($h2,"%r1");
+ 
+-	srlg	($h2,$h2,2);		# did it borrow/carry?
+-	slgr	("%r1",$h2);		# 0-$h2>>2
+-	lg	($h2,"0($nonce)");	# load nonce
+-	lghi	("%r0",-1);
++	srlg	($h2,$h2,2);			# did it borrow/carry?
++	slgr	("%r1",$h2);				# 0-$h2>>2
++	lg	($d2,"0($nonce)");		# load nonce
+ 	lg	($ctx,"8($nonce)");
+-	xgr	("%r0","%r1");		# ~%r1
+ 
++	xgr	($h0,$d0);
++	xgr	($h1,$d1);
+ 	ngr	($h0,"%r1");
+-	ngr	($d0,"%r0");
+ 	ngr	($h1,"%r1");
+-	ngr	($d1,"%r0");
+-	ogr	($h0,$d0);
+-	rllg	($d0,$h2,32);		# flip nonce words
+-	ogr	($h1,$d1);
++	xgr	($h0,$d0);
++	rllg	($d0,$d2,32);			# flip nonce words
++	xgr	($h1,$d1);
+ 	rllg	($d1,$ctx,32);
+ 
+-	algr	($h0,$d0);		# accumulate nonce
++	algr	($h0,$d0);			# accumulate nonce
+ 	alcgr	($h1,$d1);
+ 
+-	strvg	($h0,"0($mac)");	# write little-endian result
++	strvg	($h0,"0($mac)");		# write little-endian result
+ 	strvg	($h1,"8($mac)");
+ 
+-&{$z?	\&lmg:\&lm}	("%r6","%r9","6*$SIZE_T($sp)");
++&{$z?	\&lmg:\&lm}	("%r6","%r10","6*$SIZE_T($sp)");
+ 	br	("%r14");
+ SIZE	("poly1305_emit",".-poly1305_emit");
+ }
+-}
++
+ ################
+ 
+-ALIGN	(128);
++ALIGN	(16);
+ LABEL	(".Lconst");
+-LONG	(0x00060504,0x03020100,0x00161514,0x13121110);	# vperm op[m[1],m[0]]
+-LONG	(0x000c0b0a,0x09080706,0x001c1b1a,0x19181716);	# vperm op[m[3],m[2]]
+-LONG	(0x00000000,0x000f0e0d,0x00000000,0x001f1e1d);	# vperm op[  - ,m[4]]
+-LONG	(0x00000000,0x03ffffff,0x00000000,0x03ffffff);	# [0,2^26-1,0,2^26-1]
+-LONG	(0x0f0e0d0c,0x0b0a0908,0x07060504,0x03020100);	# vperm op endian
++LONG	(0x04050607,0x14151617,0x0c0d0e0f,0x1c1d1e1f);	# merge odd
++LONG	(0x07060504,0x03020100,0x17161514,0x13121110);	# byte swap masks
++LONG	(0x0f0e0d0c,0x0b0a0908,0x1f1e1d1c,0x1b1a1918);
++LONG	(0x00000000,0x09080706,0x00000000,0x19181716);
++
++LONG	(0x00000000,0x00000000,0x00000000,0x0c0d0e0f);	# magic tail masks
++LONG	(0x0c0d0e0f,0x00000000,0x00000000,0x00000000);
++LONG	(0x00000000,0x00000000,0x0c0d0e0f,0x00000000);
++
++LONG	(0xffffffff,0x00000000,0xffffffff,0xffffffff);
++LONG	(0xffffffff,0x00000000,0xffffffff,0x00000000);
++LONG	(0x00000000,0x00000000,0xffffffff,0x00000000);
++
+ STRING	("\"Poly1305 for s390x, CRYPTOGAMS by <appro\@openssl.org>\"");
+ 
+ PERLASM_END();
+Index: openssl-1.1.1c/crypto/poly1305/build.info
+===================================================================
+--- openssl-1.1.1c.orig/crypto/poly1305/build.info	2019-06-06 12:18:54.556316994 +0200
++++ openssl-1.1.1c/crypto/poly1305/build.info	2019-06-06 12:19:24.232504722 +0200
+@@ -17,6 +17,7 @@ GENERATE[poly1305-armv8.S]=asm/poly1305-
+ INCLUDE[poly1305-armv8.o]=..
+ GENERATE[poly1305-mips.S]=asm/poly1305-mips.pl $(PERLASM_SCHEME)
+ INCLUDE[poly1305-mips.o]=..
++INCLUDE[poly1305-s390x.o]=..
+ GENERATE[poly1305-s390x.S]=asm/poly1305-s390x.pl $(PERLASM_SCHEME)
+ 
+ BEGINRAW[Makefile(unix)]
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..3631b70
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,10 @@
+libopenssl1_1
+  obsoletes "libopenssl1_1_0-<targettype>"
+libopenssl-1_1-devel
+  provides "libopenssl-devel-<targettype> = <version>"
+  conflicts "otherproviders(libopenssl-devel-<targettype>)"
+  requires -"openssl-1_1-<targettype>"
+  requires "libopenssl1_1-<targettype> = <version>"
+libopenssl1_1-hmac
+  requires "libopenssl1_1-<targettype> = <version>-%release"
+  obsoletes "libopenssl1_1_0-hmac-<targettype>"
diff --git a/bsc1185319-FIPS-KAT-for-ECDSA.patch b/bsc1185319-FIPS-KAT-for-ECDSA.patch
new file mode 100644
index 0000000..9ae53a3
--- /dev/null
+++ b/bsc1185319-FIPS-KAT-for-ECDSA.patch
@@ -0,0 +1,407 @@
+diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c
+index 9895aa8..77a1c77 100644
+--- a/crypto/fips/fips_ecdsa_selftest.c
++++ b/crypto/fips/fips_ecdsa_selftest.c
+@@ -10,7 +10,7 @@
+  * are met:
+  *
+  * 1. Redistributions of source code must retain the above copyright
+- *    notice, this list of conditions and the following disclaimer. 
++ *    notice, this list of conditions and the following disclaimer.
+  *
+  * 2. Redistributions in binary form must reproduce the above copyright
+  *    notice, this list of conditions and the following disclaimer in
+@@ -65,102 +65,319 @@
+ #include <openssl/bn.h>
+ 
+ #ifdef OPENSSL_FIPS
++#include <openssl/rand.h>
++#include "internal/nelem.h"
++#include "fips_locl.h"
+ 
+-static const char P_256_name[] = "ECDSA P-256";
++/* functions to change the RAND_METHOD */
++static int fbytes(unsigned char *buf, int num);
+ 
+-static const unsigned char P_256_d[] = {
+-    0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
+-    0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
+-    0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
+-};
++static RAND_METHOD fake_rand;
++static const RAND_METHOD *old_rand;
++static int use_fake = 0;
++static const unsigned char *numbers[2];
++static int numbers_len[2];
+ 
+-static const unsigned char P_256_qx[] = {
+-    0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
+-    0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
+-    0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
+-};
++static int change_rand(void)
++{
++  /* save old rand method */
++  old_rand = RAND_get_rand_method();
++  if (!old_rand)
++    return 0;
++  
++  fake_rand = *old_rand;
++  /* use own random function */
++  fake_rand.bytes = fbytes;
++  /* set new RAND_METHOD */
++  if (!RAND_set_rand_method(&fake_rand))
++    return 0;
++  
++  return 1;
++}
+ 
+-static const unsigned char P_256_qy[] = {
+-    0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
+-    0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
+-    0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
+-};
++static int restore_rand(void)
++{
++  if (!RAND_set_rand_method(old_rand))
++    return 0;
++  
++  return 1;
++}
++
++static int fbytes(unsigned char *buf, int num)
++{
++  int ret = 0;
++  static int fbytes_counter = 0;
++  
++  if (use_fake == 0)
++    return old_rand->bytes(buf, num);
++  
++  use_fake = 0;
++  
++  if (fbytes_counter >= OSSL_NELEM(numbers))
++    goto err;
++  
++  if (numbers_len[fbytes_counter] > num)
++    goto err;
++  
++  /* first zero out the buffer */
++  memset(buf, 0, num);
++  
++  /* Now set the "random" values */
++  memcpy(buf + (num - numbers_len[fbytes_counter]), numbers[fbytes_counter], numbers_len[fbytes_counter]);
++  
++  fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers);
++  ret = 1;
++err:
++  return ret;
++}
++
++
++
++/*-
++ * NIST CAVP ECDSA KATs
++ * 2 X9.62 KATs; one for prime fields and one for binary fields.
++ *
++ * Taken from:
++ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-3ecdsatestvectors.zip
++ */
+ 
+ typedef struct {
+-    int curve;
+-    const char *name;
+-    const unsigned char *x;
+-    size_t xlen;
+-    const unsigned char *y;
+-    size_t ylen;
+-    const unsigned char *d;
+-    size_t dlen;
+-} EC_SELFTEST_DATA;
+-
+-# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
+-                                pr##_qx, sizeof(pr##_qx), \
+-                                pr##_qy, sizeof(pr##_qy), \
+-                                pr##_d, sizeof(pr##_d)}
+-
+-static EC_SELFTEST_DATA test_ec_data[] = {
+-    make_ecdsa_test(NID_X9_62_prime256v1, P_256),
+-};
++  const int nid;                       /* curve NID */
++  const int md_nid;                    /* hash function NID */
++  const unsigned char *msg;            /* message to sign */
++  size_t msglen;
++  const unsigned char *d;              /* ECDSA private key */
++  size_t dlen;
++  const unsigned char *Q;              /* ECDSA public key: (Qx,Qy) */
++  size_t Qlen;
++  const unsigned char *k;              /* ECDSA nonce */
++  size_t klen;
++  const unsigned char *r;            /* ECDSA signature (r,s) */
++  size_t rlen;
++  const unsigned char *s;
++  size_t slen;
++} ECDSA_KAT_SELFTEST_DATA;
+ 
+-int FIPS_selftest_ecdsa()
+-{
+-    EC_KEY *ec = NULL;
+-    BIGNUM *x = NULL, *y = NULL, *d = NULL;
+-    EVP_PKEY *pk = NULL;
+-    int rv = 0;
+-    size_t i;
+ 
+-    for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
+-        EC_SELFTEST_DATA *ecd = test_ec_data + i;
++static const unsigned char data1_msg[] = {
++  0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21,
++  0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9,
++  0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec,
++  0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf,
++  0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04,
++  0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd,
++  0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a,
++  0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5,
++  0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf,
++  0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a,
++  0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86,
++  0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c,
++  0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91,
++  0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f,
++  0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9,
++  0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8
++};
+ 
+-        x = BN_bin2bn(ecd->x, ecd->xlen, x);
+-        y = BN_bin2bn(ecd->y, ecd->ylen, y);
+-        d = BN_bin2bn(ecd->d, ecd->dlen, d);
++static const unsigned char data1_d[] = {
++  0x51, 0x9b, 0x42, 0x3d, 0x71, 0x5f, 0x8b, 0x58,
++  0x1f, 0x4f, 0xa8, 0xee, 0x59, 0xf4, 0x77, 0x1a,
++  0x5b, 0x44, 0xc8, 0x13, 0x0b, 0x4e, 0x3e, 0xac,
++  0xca, 0x54, 0xa5, 0x6d, 0xda, 0x72, 0xb4, 0x64
++};
+ 
+-        if (!x || !y || !d)
+-            goto err;
++static const unsigned char data1_Q[] = {
++  0x04, 0x0c, 0xec, 0x02, 0x8e, 0xe0, 0x8d, 0x09,
++  0xe0, 0x26, 0x72, 0xa6, 0x83, 0x10, 0x81, 0x43,
++  0x54, 0xf9, 0xea, 0xbf, 0xff, 0x0d, 0xe6, 0xda,
++  0xcc, 0x1c, 0xd3, 0xa7, 0x74, 0x49, 0x60, 0x76,
++  0xae, 0xef, 0xf4, 0x71, 0xfb, 0xa0, 0x40, 0x98,
++  0x97, 0xb6, 0xa4, 0x8e, 0x88, 0x01, 0xad, 0x12,
++  0xf9, 0x5d, 0x00, 0x09, 0xb7, 0x53, 0xcf, 0x8f,
++  0x51, 0xc1, 0x28, 0xbf, 0x6b, 0x0b, 0xd2, 0x7f,
++  0xbd
++};
+ 
+-        ec = EC_KEY_new_by_curve_name(ecd->curve);
+-        if (!ec)
+-            goto err;
++static const unsigned char data1_k[] = {
++  0x94, 0xa1, 0xbb, 0xb1, 0x4b, 0x90, 0x6a, 0x61,
++  0xa2, 0x80, 0xf2, 0x45, 0xf9, 0xe9, 0x3c, 0x7f,
++  0x3b, 0x4a, 0x62, 0x47, 0x82, 0x4f, 0x5d, 0x33,
++  0xb9, 0x67, 0x07, 0x87, 0x64, 0x2a, 0x68, 0xde
++};
+ 
+-        if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
+-            goto err;
++static const unsigned char data1_r[] = {
++  0xe3, 0x95, 0xf6, 0xdb, 0x12, 0x71, 0x90, 0xfa,
++  0x70, 0xa6, 0x80, 0xeb, 0xf6, 0x8a, 0x18, 0x35,
++  0x6f, 0xef, 0xf2, 0x36, 0x65, 0xb9, 0x31, 0xc3,
++  0xa2, 0x14, 0x80, 0xdf, 0x86, 0xc4, 0xec, 0xbc
++};
+ 
+-        if (!EC_KEY_set_private_key(ec, d))
+-            goto err;
++static const unsigned char data1_s[] = {
++  0xa5, 0x01, 0x04, 0x78, 0x93, 0xd9, 0x60, 0xcc,
++  0x20, 0xce, 0xbd, 0xbb, 0x6f, 0x79, 0xb9, 0x7e,
++  0x45, 0x23, 0x80, 0x73, 0x87, 0x83, 0x53, 0x63,
++  0xe3, 0x80, 0x2b, 0x68, 0xcf, 0x32, 0xa1, 0xa2
++};
+ 
+-        if ((pk = EVP_PKEY_new()) == NULL)
+-            goto err;
+ 
+-        EVP_PKEY_assign_EC_KEY(pk, ec);
++# define make_ecdsa_kat_test(nid, md_nid, pr) {	\
++nid, md_nid,				\
++pr##_msg, sizeof(pr##_msg),		\
++pr##_d,   sizeof(pr##_d),			\
++pr##_Q,   sizeof(pr##_Q),		    \
++pr##_k,   sizeof(pr##_k),			\
++pr##_r,   sizeof(pr##_r),			\
++pr##_s,   sizeof(pr##_s)			\
++}
+ 
+-        if (!fips_pkey_signature_test(pk, NULL, 0,
+-                                      NULL, 0, EVP_sha256(), 0, ecd->name))
+-            goto err;
+-    }
++static ECDSA_KAT_SELFTEST_DATA test_ecdsa_data[] = {
++  make_ecdsa_kat_test(NID_secp256k1, NID_sha256, data1)
++};
+ 
+-    rv = 1;
++int FIPS_selftest_ecdsa()
++{
++  int rv;
++  size_t i, siglen, p_len;
++  
++  for (i = 0; i < sizeof(test_ecdsa_data) / sizeof(ECDSA_KAT_SELFTEST_DATA); i++) {
++    EC_KEY *ec = NULL;
++    BIGNUM *r = NULL, *s = NULL;
++    BIGNUM *sig_r = NULL, *sig_s = NULL;
++    EVP_PKEY *pk = NULL;
++    unsigned char *sig = NULL;
++    unsigned char *tsig = NULL;
++    unsigned char *p_buf = NULL;
++    ECDSA_SIG *dsa_sig = NULL;
++    rv = 0;
++    
++    ECDSA_KAT_SELFTEST_DATA *ecd = test_ecdsa_data + i;
++    
++    /* Create the Message Digest Context */
++    EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
++    if (!mdctx) goto err;
++    
++    r = BN_bin2bn(ecd->r, ecd->rlen, r);
++    s = BN_bin2bn(ecd->s, ecd->slen, s);
++    
++    if (!r || !s)
++      goto err;
++
++    /* d[] will be used to generate a key. */
++    /* k[] will be used for signature generation. */
++    numbers[0] = ecd->d;
++    numbers_len[0] = ecd->dlen;
++    numbers[1] = ecd->k;
++    numbers_len[1] = ecd->klen;
++    /* swap the RNG source */
++    if (!change_rand())
++      goto err;
++    
++    ec = EC_KEY_new_by_curve_name(ecd->nid);
++    if (!ec)
++      goto err;
++    
++    /* Use d[] to generate key. */
++    use_fake = 1;
++    if (EC_KEY_generate_key(ec) != 1)
++      goto err;
++    
++    if ((pk = EVP_PKEY_new()) == NULL)
++      goto err;
++    
++    EVP_PKEY_assign_EC_KEY(pk, ec);
++    
++    p_len = EC_KEY_key2buf(ec, POINT_CONVERSION_UNCOMPRESSED, &p_buf, NULL);
++    if (!p_len)
++      goto err;
++    
++    /* Make sure generated public key matches */
++    if (p_len != ecd->Qlen)
++      goto err;
++    if (memcmp(p_buf, ecd->Q, p_len))
++      goto err;
++    
++    /* Initialise the DigestSign operation */
++    if(1 != EVP_DigestSignInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk))
++      goto err;
++    
++    /* Call update with the message */
++    if(1 != EVP_DigestSignUpdate(mdctx, ecd->msg, ecd->msglen))
++      goto err;
++    
++    /* Finalise the DigestSign operation */
++    /* First call EVP_DigestSignFinal with a NULL sig parameter to */
++    /* obtain the length of the signature. Length is returned in slen */
++    if(1 != EVP_DigestSignFinal(mdctx, NULL, &siglen))
++      goto err;
++    
++    /* Allocate memory for the signature based on size in slen */
++    if(!(sig = OPENSSL_malloc(siglen)))
++      goto err;
++    
++    /* Use k[] for signature. */
++    use_fake = 1;
++    
++    /* Obtain the signature */
++    if(1 != EVP_DigestSignFinal(mdctx, sig, &siglen))
++      goto err;
+ 
+- err:
++    /* extract r and s */
++    tsig = sig;
++    dsa_sig = d2i_ECDSA_SIG(NULL, &tsig, siglen);
++    if (dsa_sig == NULL)
++      goto err;
++    
++    sig_r = ECDSA_SIG_get0_r(dsa_sig);
++    sig_s = ECDSA_SIG_get0_s(dsa_sig);
++    if ((sig_r == NULL) || (sig_s == NULL))
++      goto err;
+ 
+-    if (x)
+-        BN_clear_free(x);
+-    if (y)
+-        BN_clear_free(y);
+-    if (d)
+-        BN_clear_free(d);
++    /* Compare r and s against known. */
++    if ((BN_cmp(sig_r, r) != 0) || (BN_cmp(sig_s, s) != 0))
++      goto err;
++    
++    /* Verify signature */
++    if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk))
++      goto err;
++    
++    if (EVP_DigestVerify(mdctx, sig, siglen, ecd->msg, ecd->msglen) != 1)
++      goto err;
++    
++    if (1 != restore_rand())
++      goto err;
++    
++    /* Success */
++    rv = 1;
++    
++    
++  err:
++    
++    if (mdctx)
++      EVP_MD_CTX_free(mdctx);
++    if (r)
++      BN_clear_free(r);
++    if (s)
++      BN_clear_free(s);
++    if (sig)
++      OPENSSL_free(sig);
++    if (dsa_sig)
++      ECDSA_SIG_free(dsa_sig);
++    if (p_buf)
++      OPENSSL_free(p_buf);
+     if (pk)
+-        EVP_PKEY_free(pk);
++      EVP_PKEY_free(pk);
+     else if (ec)
+-        EC_KEY_free(ec);
+-
+-    return rv;
++      EC_KEY_free(ec);
++    
++    if (rv != 1) {
++      FIPSerr(FIPS_F_FIPS_SELFTEST_ECDSA, FIPS_R_SELFTEST_FAILED);
++      break;
++    }
++    
++  }
+ 
++  return rv;
++  
+ }
+ 
++
+ #endif
diff --git a/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
new file mode 100644
index 0000000..37a9cb3
--- /dev/null
+++ b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
@@ -0,0 +1,13 @@
+diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c
+index 80de6f6..46003d1 100644
+--- a/crypto/fips/fips_post.c
++++ b/crypto/fips/fips_post.c
+@@ -72,7 +72,7 @@
+ int FIPS_selftest(void)
+ {
+     int rv = 1;
+-    if (!FIPS_selftest_drbg())
++    if (!FIPS_selftest_drbg_all())
+         rv = 0;
+     if (!FIPS_selftest_sha1())
+         rv = 0;
diff --git a/openssl-1.1.0-issuer-hash.patch b/openssl-1.1.0-issuer-hash.patch
new file mode 100644
index 0000000..3a04ead
--- /dev/null
+++ b/openssl-1.1.0-issuer-hash.patch
@@ -0,0 +1,12 @@
+diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
+index 1d8d2d7..f06eb13 100644
+--- a/crypto/x509/x509_cmp.c
++++ b/crypto/x509/x509_cmp.c
+@@ -38,6 +38,7 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
+ 
+     if (ctx == NULL)
+         goto err;
++    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+     f = X509_NAME_oneline(a->cert_info.issuer, NULL, 0);
+     if (f == NULL)
+         goto err;
diff --git a/openssl-1.1.0-no-html.patch b/openssl-1.1.0-no-html.patch
new file mode 100644
index 0000000..7480703
--- /dev/null
+++ b/openssl-1.1.0-no-html.patch
@@ -0,0 +1,13 @@
+diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
+index 66617d6..5d1212a 100644
+--- a/Configurations/unix-Makefile.tmpl
++++ b/Configurations/unix-Makefile.tmpl
+@@ -543,7 +543,7 @@ install_sw: install_dev install_engines install_runtime
+ 
+ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+ 
+-install_docs: install_man_docs install_html_docs
++install_docs: install_man_docs
+ 
+ uninstall_docs: uninstall_man_docs uninstall_html_docs
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"
diff --git a/openssl-1.1.1-evp-kdf.patch b/openssl-1.1.1-evp-kdf.patch
new file mode 100644
index 0000000..cea5f2d
--- /dev/null
+++ b/openssl-1.1.1-evp-kdf.patch
@@ -0,0 +1,5238 @@
+diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt
+--- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/err/openssl.txt	2021-03-03 14:10:13.729466935 +0100
+@@ -748,6 +748,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn
+ EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate
+ EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex
+ EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate
++EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl
++EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str
++EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id
+ EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex
+ EVP_F_EVP_MD_SIZE:162:EVP_MD_size
+ EVP_F_EVP_OPENINIT:102:EVP_OpenInit
+@@ -810,12 +813,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k
+ EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen
+ EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen
+ EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen
++EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl
+ EVP_F_PKEY_SET_TYPE:158:pkey_set_type
+ EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth
+ EVP_F_RC5_CTRL:125:rc5_ctrl
+ EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
+ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
++EVP_F_SCRYPT_ALG:228:scrypt_alg
+ EVP_F_UPDATE:173:update
++KDF_F_HKDF_EXTRACT:112:HKDF_Extract
++KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
++KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
++KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size
++KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl
++KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str
++KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive
++KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new
++KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str
++KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32
++KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64
++KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive
++KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new
++KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
++KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
++KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
++KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf
+ KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str
+ KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive
+ KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init
+@@ -827,6 +849,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc
+ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str
+ KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive
+ KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init
++KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf
+ KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg
+ OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object
+ OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid
+@@ -2284,6 +2307,7 @@ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_K
+ 	operation not supported for this keytype
+ EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized
+ EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow
++EVP_R_PARAMETER_TOO_LARGE:187:parameter too large
+ EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers
+ EVP_R_PBKDF2_ERROR:181:pbkdf2 error
+ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
+@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed
+ KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
+ KDF_R_VALUE_ERROR:108:value error
+ KDF_R_VALUE_MISSING:102:value missing
++KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size
+ OBJ_R_OID_EXISTS:102:oid exists
+ OBJ_R_UNKNOWN_NID:101:unknown nid
+ OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error
+diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info
+--- openssl-1.1.1j/crypto/evp/build.info.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/build.info	2021-03-03 14:08:02.490294839 +0100
+@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\
+         p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
+         bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
+         c_allc.c c_alld.c evp_lib.c bio_ok.c \
+-        evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
++        evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
++        pkey_kdf.c \
+         e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \
+         e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \
+         e_chacha20_poly1305.c cmeth_lib.c
+diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c
+--- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c	2021-03-03 14:08:02.490294839 +0100
+@@ -14,9 +14,9 @@
+ 
+ # include <openssl/evp.h>
+ # include <openssl/objects.h>
+-# include "evp_local.h"
+ # include "crypto/evp.h"
+ # include "crypto/chacha.h"
++# include "evp_local.h"
+ 
+ typedef struct {
+     union {
+diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c
+--- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/encode.c	2021-03-03 14:08:02.491294847 +0100
+@@ -11,8 +11,8 @@
+ #include <limits.h>
+ #include "internal/cryptlib.h"
+ #include <openssl/evp.h>
+-#include "evp_local.h"
+ #include "crypto/evp.h"
++#include "evp_local.h"
+ 
+ static unsigned char conv_ascii2bin(unsigned char a,
+                                     const unsigned char *table);
+diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c
+--- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf	2021-03-03 14:08:02.469294651 +0100
++++ openssl-1.1.1j/crypto/evp/evp_err.c	2021-03-03 14:12:08.272351600 +0100
+@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0),
+      "EVP_EncryptFinal_ex"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), "EVP_MD_CTX_copy_ex"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"},
+@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun
+      "PKCS5_v2_PBKDF2_keyivgen"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0),
+      "PKCS5_v2_scrypt_keyivgen"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0),
+      "r_32_12_16_init_key"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"},
+     {0, NULL}
+ };
+@@ -243,6 +248,8 @@ static const ERR_STRING_DATA EVP_str_rea
+     "operaton not initialized"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW),
+     "output would overflow"},
++    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE),
++    "parameter too large"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING),
+     "partially overlapping buffers"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"},
+diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h
+--- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf	2021-03-03 14:08:02.362293695 +0100
++++ openssl-1.1.1j/crypto/evp/evp_local.h	2021-03-03 14:08:02.491294847 +0100
+@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st {
+     unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
+ } /* EVP_CIPHER_CTX */ ;
+ 
++struct evp_kdf_ctx_st {
++    const EVP_KDF_METHOD *kmeth;
++    EVP_KDF_IMPL *impl;          /* Algorithm-specific data */
++} /* EVP_KDF_CTX */ ;
++
+ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
+                              int passlen, ASN1_TYPE *param,
+                              const EVP_CIPHER *c, const EVP_MD *md,
+diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c
+--- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/evp_pbe.c	2021-03-03 14:08:02.491294847 +0100
+@@ -12,6 +12,7 @@
+ #include <openssl/evp.h>
+ #include <openssl/pkcs12.h>
+ #include <openssl/x509.h>
++#include "crypto/evp.h"
+ #include "evp_local.h"
+ 
+ /* Password based encryption (PBE) functions */
+diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c
+--- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf	2021-03-03 14:08:02.491294847 +0100
++++ openssl-1.1.1j/crypto/evp/kdf_lib.c	2021-03-03 14:08:02.491294847 +0100
+@@ -0,0 +1,165 @@
++/*
++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include "internal/cryptlib.h"
++#include <openssl/engine.h>
++#include <openssl/evp.h>
++#include <openssl/x509v3.h>
++#include <openssl/kdf.h>
++#include "crypto/asn1.h"
++#include "crypto/evp.h"
++#include "internal/numbers.h"
++#include "evp_local.h"
++
++typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
++
++/* This array needs to be in order of NIDs */
++static const EVP_KDF_METHOD *standard_methods[] = {
++    &pbkdf2_kdf_meth,
++#ifndef OPENSSL_NO_SCRYPT
++    &scrypt_kdf_meth,
++#endif
++    &tls1_prf_kdf_meth,
++    &hkdf_kdf_meth
++};
++
++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
++                           kmeth);
++
++static int kmeth_cmp(const EVP_KDF_METHOD *const *a,
++                     const EVP_KDF_METHOD *const *b)
++{
++    return ((*a)->type - (*b)->type);
++}
++
++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
++                             kmeth);
++
++static const EVP_KDF_METHOD *kdf_meth_find(int type)
++{
++    EVP_KDF_METHOD tmp;
++    const EVP_KDF_METHOD *t = &tmp, **ret;
++
++    tmp.type = type;
++    ret = OBJ_bsearch_kmeth(&t, standard_methods,
++                            OSSL_NELEM(standard_methods));
++    if (ret == NULL || *ret == NULL)
++        return NULL;
++
++    return *ret;
++}
++
++EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id)
++{
++    EVP_KDF_CTX *ret;
++    const EVP_KDF_METHOD *kmeth;
++
++    kmeth = kdf_meth_find(id);
++    if (kmeth == NULL) {
++        EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM);
++        return NULL;
++    }
++
++    ret = OPENSSL_zalloc(sizeof(*ret));
++    if (ret == NULL) {
++        EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE);
++        return NULL;
++    }
++
++    if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) {
++        EVP_KDF_CTX_free(ret);
++        return NULL;
++    }
++
++    ret->kmeth = kmeth;
++    return ret;
++}
++
++void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx)
++{
++    if (ctx == NULL)
++        return;
++
++    ctx->kmeth->free(ctx->impl);
++    OPENSSL_free(ctx);
++}
++
++void EVP_KDF_reset(EVP_KDF_CTX *ctx)
++{
++    if (ctx == NULL)
++        return;
++
++    if (ctx->kmeth->reset != NULL)
++        ctx->kmeth->reset(ctx->impl);
++}
++
++int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...)
++{
++    int ret;
++    va_list args;
++
++    va_start(args, cmd);
++    ret = EVP_KDF_vctrl(ctx, cmd, args);
++    va_end(args);
++
++    if (ret == -2)
++        EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED);
++
++    return ret;
++}
++
++int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args)
++{
++    if (ctx == NULL)
++        return 0;
++
++    return ctx->kmeth->ctrl(ctx->impl, cmd, args);
++}
++
++int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value)
++{
++    int ret;
++
++    if (ctx == NULL)
++        return 0;
++
++    if (ctx->kmeth->ctrl_str == NULL) {
++        EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
++        return -2;
++    }
++
++    ret = ctx->kmeth->ctrl_str(ctx->impl, type, value);
++    if (ret == -2)
++        EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED);
++
++    return ret;
++}
++
++size_t EVP_KDF_size(EVP_KDF_CTX *ctx)
++{
++    if (ctx == NULL)
++        return 0;
++
++    if (ctx->kmeth->size == NULL)
++        return SIZE_MAX;
++
++    return ctx->kmeth->size(ctx->impl);
++}
++
++int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen)
++{
++    if (ctx == NULL)
++        return 0;
++
++    return ctx->kmeth->derive(ctx->impl, key, keylen);
++}
++
+diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c
+--- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/p5_crpt2.c	2021-03-03 14:08:02.491294847 +0100
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -10,105 +10,51 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "internal/cryptlib.h"
+-# include <openssl/x509.h>
+-# include <openssl/evp.h>
+-# include <openssl/hmac.h>
+-# include "evp_local.h"
++#include <openssl/x509.h>
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++#include <openssl/hmac.h>
++#include "crypto/evp.h"
++#include "evp_local.h"
+ 
+ /* set this to print out info about the keygen algorithm */
+ /* #define OPENSSL_DEBUG_PKCS5V2 */
+ 
+-# ifdef OPENSSL_DEBUG_PKCS5V2
++#ifdef OPENSSL_DEBUG_PKCS5V2
+ static void h__dump(const unsigned char *p, int len);
+-# endif
+-
+-/*
+- * This is an implementation of PKCS#5 v2.0 password based encryption key
+- * derivation function PBKDF2. SHA1 version verified against test vectors
+- * posted by Peter Gutmann to the PKCS-TNG mailing list.
+- */
++#endif
+ 
+ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
+                       const unsigned char *salt, int saltlen, int iter,
+                       const EVP_MD *digest, int keylen, unsigned char *out)
+ {
+     const char *empty = "";
+-    unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
+-    int cplen, j, k, tkeylen, mdlen;
+-    unsigned long i = 1;
+-    HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
+-
+-    mdlen = EVP_MD_size(digest);
+-    if (mdlen < 0)
+-        return 0;
++    int rv = 1;
++    EVP_KDF_CTX *kctx;
+ 
+-    hctx_tpl = HMAC_CTX_new();
+-    if (hctx_tpl == NULL)
+-        return 0;
+-    p = out;
+-    tkeylen = keylen;
++    /* Keep documented behaviour. */
+     if (pass == NULL) {
+         pass = empty;
+         passlen = 0;
+     } else if (passlen == -1) {
+         passlen = strlen(pass);
+     }
+-    if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) {
+-        HMAC_CTX_free(hctx_tpl);
+-        return 0;
+-    }
+-    hctx = HMAC_CTX_new();
+-    if (hctx == NULL) {
+-        HMAC_CTX_free(hctx_tpl);
++    if (salt == NULL && saltlen == 0)
++        salt = (unsigned char *)empty;
++
++    kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);
++    if (kctx == NULL)
+         return 0;
+-    }
+-    while (tkeylen) {
+-        if (tkeylen > mdlen)
+-            cplen = mdlen;
+-        else
+-            cplen = tkeylen;
+-        /*
+-         * We are unlikely to ever use more than 256 blocks (5120 bits!) but
+-         * just in case...
+-         */
+-        itmp[0] = (unsigned char)((i >> 24) & 0xff);
+-        itmp[1] = (unsigned char)((i >> 16) & 0xff);
+-        itmp[2] = (unsigned char)((i >> 8) & 0xff);
+-        itmp[3] = (unsigned char)(i & 0xff);
+-        if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
+-            HMAC_CTX_free(hctx);
+-            HMAC_CTX_free(hctx_tpl);
+-            return 0;
+-        }
+-        if (!HMAC_Update(hctx, salt, saltlen)
+-            || !HMAC_Update(hctx, itmp, 4)
+-            || !HMAC_Final(hctx, digtmp, NULL)) {
+-            HMAC_CTX_free(hctx);
+-            HMAC_CTX_free(hctx_tpl);
+-            return 0;
+-        }
+-        memcpy(p, digtmp, cplen);
+-        for (j = 1; j < iter; j++) {
+-            if (!HMAC_CTX_copy(hctx, hctx_tpl)) {
+-                HMAC_CTX_free(hctx);
+-                HMAC_CTX_free(hctx_tpl);
+-                return 0;
+-            }
+-            if (!HMAC_Update(hctx, digtmp, mdlen)
+-                || !HMAC_Final(hctx, digtmp, NULL)) {
+-                HMAC_CTX_free(hctx);
+-                HMAC_CTX_free(hctx_tpl);
+-                return 0;
+-            }
+-            for (k = 0; k < cplen; k++)
+-                p[k] ^= digtmp[k];
+-        }
+-        tkeylen -= cplen;
+-        i++;
+-        p += cplen;
+-    }
+-    HMAC_CTX_free(hctx);
+-    HMAC_CTX_free(hctx_tpl);
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
++                            salt, (size_t)saltlen) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, iter) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, digest) != 1
++            || EVP_KDF_derive(kctx, out, keylen) != 1)
++        rv = 0;
++
++    EVP_KDF_CTX_free(kctx);
++
+ # ifdef OPENSSL_DEBUG_PKCS5V2
+     fprintf(stderr, "Password:\n");
+     h__dump(pass, passlen);
+@@ -118,7 +64,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass,
+     fprintf(stderr, "Key:\n");
+     h__dump(out, keylen);
+ # endif
+-    return 1;
++    return rv;
+ }
+ 
+ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c
+--- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c	2021-03-03 14:08:02.491294847 +0100
+@@ -7,135 +7,12 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
+-#include <stddef.h>
+-#include <stdio.h>
+-#include <string.h>
+ #include <openssl/evp.h>
+ #include <openssl/err.h>
+-#include "internal/numbers.h"
++#include <openssl/kdf.h>
+ 
+ #ifndef OPENSSL_NO_SCRYPT
+ 
+-#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+-static void salsa208_word_specification(uint32_t inout[16])
+-{
+-    int i;
+-    uint32_t x[16];
+-    memcpy(x, inout, sizeof(x));
+-    for (i = 8; i > 0; i -= 2) {
+-        x[4] ^= R(x[0] + x[12], 7);
+-        x[8] ^= R(x[4] + x[0], 9);
+-        x[12] ^= R(x[8] + x[4], 13);
+-        x[0] ^= R(x[12] + x[8], 18);
+-        x[9] ^= R(x[5] + x[1], 7);
+-        x[13] ^= R(x[9] + x[5], 9);
+-        x[1] ^= R(x[13] + x[9], 13);
+-        x[5] ^= R(x[1] + x[13], 18);
+-        x[14] ^= R(x[10] + x[6], 7);
+-        x[2] ^= R(x[14] + x[10], 9);
+-        x[6] ^= R(x[2] + x[14], 13);
+-        x[10] ^= R(x[6] + x[2], 18);
+-        x[3] ^= R(x[15] + x[11], 7);
+-        x[7] ^= R(x[3] + x[15], 9);
+-        x[11] ^= R(x[7] + x[3], 13);
+-        x[15] ^= R(x[11] + x[7], 18);
+-        x[1] ^= R(x[0] + x[3], 7);
+-        x[2] ^= R(x[1] + x[0], 9);
+-        x[3] ^= R(x[2] + x[1], 13);
+-        x[0] ^= R(x[3] + x[2], 18);
+-        x[6] ^= R(x[5] + x[4], 7);
+-        x[7] ^= R(x[6] + x[5], 9);
+-        x[4] ^= R(x[7] + x[6], 13);
+-        x[5] ^= R(x[4] + x[7], 18);
+-        x[11] ^= R(x[10] + x[9], 7);
+-        x[8] ^= R(x[11] + x[10], 9);
+-        x[9] ^= R(x[8] + x[11], 13);
+-        x[10] ^= R(x[9] + x[8], 18);
+-        x[12] ^= R(x[15] + x[14], 7);
+-        x[13] ^= R(x[12] + x[15], 9);
+-        x[14] ^= R(x[13] + x[12], 13);
+-        x[15] ^= R(x[14] + x[13], 18);
+-    }
+-    for (i = 0; i < 16; ++i)
+-        inout[i] += x[i];
+-    OPENSSL_cleanse(x, sizeof(x));
+-}
+-
+-static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
+-{
+-    uint64_t i, j;
+-    uint32_t X[16], *pB;
+-
+-    memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
+-    pB = B;
+-    for (i = 0; i < r * 2; i++) {
+-        for (j = 0; j < 16; j++)
+-            X[j] ^= *pB++;
+-        salsa208_word_specification(X);
+-        memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
+-    }
+-    OPENSSL_cleanse(X, sizeof(X));
+-}
+-
+-static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
+-                        uint32_t *X, uint32_t *T, uint32_t *V)
+-{
+-    unsigned char *pB;
+-    uint32_t *pV;
+-    uint64_t i, k;
+-
+-    /* Convert from little endian input */
+-    for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
+-        *pV = *pB++;
+-        *pV |= *pB++ << 8;
+-        *pV |= *pB++ << 16;
+-        *pV |= (uint32_t)*pB++ << 24;
+-    }
+-
+-    for (i = 1; i < N; i++, pV += 32 * r)
+-        scryptBlockMix(pV, pV - 32 * r, r);
+-
+-    scryptBlockMix(X, V + (N - 1) * 32 * r, r);
+-
+-    for (i = 0; i < N; i++) {
+-        uint32_t j;
+-        j = X[16 * (2 * r - 1)] % N;
+-        pV = V + 32 * r * j;
+-        for (k = 0; k < 32 * r; k++)
+-            T[k] = X[k] ^ *pV++;
+-        scryptBlockMix(X, T, r);
+-    }
+-    /* Convert output to little endian */
+-    for (i = 0, pB = B; i < 32 * r; i++) {
+-        uint32_t xtmp = X[i];
+-        *pB++ = xtmp & 0xff;
+-        *pB++ = (xtmp >> 8) & 0xff;
+-        *pB++ = (xtmp >> 16) & 0xff;
+-        *pB++ = (xtmp >> 24) & 0xff;
+-    }
+-}
+-
+-#ifndef SIZE_MAX
+-# define SIZE_MAX    ((size_t)-1)
+-#endif
+-
+-/*
+- * Maximum power of two that will fit in uint64_t: this should work on
+- * most (all?) platforms.
+- */
+-
+-#define LOG2_UINT64_MAX         (sizeof(uint64_t) * 8 - 1)
+-
+-/*
+- * Maximum value of p * r:
+- * p <= ((2^32-1) * hLen) / MFLen =>
+- * p <= ((2^32-1) * 32) / (128 * r) =>
+- * p * r <= (2^30-1)
+- *
+- */
+-
+-#define SCRYPT_PR_MAX   ((1 << 30) - 1)
+-
+ /*
+  * Maximum permitted memory allow this to be overridden with Configuration
+  * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible.
+@@ -160,107 +37,43 @@ int EVP_PBE_scrypt(const char *pass, siz
+                    uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
+                    unsigned char *key, size_t keylen)
+ {
+-    int rv = 0;
+-    unsigned char *B;
+-    uint32_t *X, *V, *T;
+-    uint64_t i, Blen, Vlen;
+-
+-    /* Sanity check parameters */
+-    /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
+-    if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
+-        return 0;
+-    /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
+-    if (p > SCRYPT_PR_MAX / r) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+-        return 0;
+-    }
+-
+-    /*
+-     * Need to check N: if 2^(128 * r / 8) overflows limit this is
+-     * automatically satisfied since N <= UINT64_MAX.
+-     */
+-
+-    if (16 * r <= LOG2_UINT64_MAX) {
+-        if (N >= (((uint64_t)1) << (16 * r))) {
+-            EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+-            return 0;
+-        }
+-    }
++    const char *empty = "";
++    int rv = 1;
++    EVP_KDF_CTX *kctx;
+ 
+-    /* Memory checks: check total allocated buffer size fits in uint64_t */
+-
+-    /*
+-     * B size in section 5 step 1.S
+-     * Note: we know p * 128 * r < UINT64_MAX because we already checked
+-     * p * r < SCRYPT_PR_MAX
+-     */
+-    Blen = p * 128 * r;
+-    /*
+-     * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
+-     * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
+-     */
+-    if (Blen > INT_MAX) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
++    if (r > UINT32_MAX || p > UINT32_MAX) {
++        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE);
+         return 0;
+     }
+ 
+-    /*
+-     * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
+-     * This is combined size V, X and T (section 4)
+-     */
+-    i = UINT64_MAX / (32 * sizeof(uint32_t));
+-    if (N + 2 > i / r) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+-        return 0;
++    /* Maintain existing behaviour. */
++    if (pass == NULL) {
++        pass = empty;
++        passlen = 0;
+     }
+-    Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
+-
+-    /* check total allocated size fits in uint64_t */
+-    if (Blen > UINT64_MAX - Vlen) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
+-        return 0;
++    if (salt == NULL) {
++        salt = (const unsigned char *)empty;
++        saltlen = 0;
+     }
+-
+     if (maxmem == 0)
+         maxmem = SCRYPT_MAX_MEM;
+ 
+-    /* Check that the maximum memory doesn't exceed a size_t limits */
+-    if (maxmem > SIZE_MAX)
+-        maxmem = SIZE_MAX;
+-
+-    if (Blen + Vlen > maxmem) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED);
++    kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
++    if (kctx == NULL)
+         return 0;
+-    }
+ 
+-    /* If no key return to indicate parameters are OK */
+-    if (key == NULL)
+-        return 1;
+-
+-    B = OPENSSL_malloc((size_t)(Blen + Vlen));
+-    if (B == NULL) {
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE);
+-        return 0;
+-    }
+-    X = (uint32_t *)(B + Blen);
+-    T = X + 32 * r;
+-    V = T + 32 * r;
+-    if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
+-                          (int)Blen, B) == 0)
+-        goto err;
+-
+-    for (i = 0; i < p; i++)
+-        scryptROMix(B + 128 * r * i, r, N, X, T, V);
+-
+-    if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),
+-                          keylen, key) == 0)
+-        goto err;
+-    rv = 1;
+- err:
+-    if (rv == 0)
+-        EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR);
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
++                            salt, (size_t)saltlen) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1
++            || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1
++            || EVP_KDF_derive(kctx, key, keylen) != 1)
++        rv = 0;
+ 
+-    OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
++    EVP_KDF_CTX_free(kctx);
+     return rv;
+ }
++
+ #endif
+diff -up openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c
+--- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf	2021-03-03 14:08:02.491294847 +0100
++++ openssl-1.1.1j/crypto/evp/pkey_kdf.c	2021-03-03 14:08:02.491294847 +0100
+@@ -0,0 +1,255 @@
++/*
++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/err.h>
++#include <openssl/kdf.h>
++#include "crypto/evp.h"
++
++static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
++{
++    EVP_KDF_CTX *kctx;
++
++    kctx = EVP_KDF_CTX_new_id(ctx->pmeth->pkey_id);
++    if (kctx == NULL)
++        return 0;
++
++    ctx->data = kctx;
++    return 1;
++}
++
++static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx)
++{
++    EVP_KDF_CTX *kctx = ctx->data;
++
++    EVP_KDF_CTX_free(kctx);
++}
++
++static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
++{
++    EVP_KDF_CTX *kctx = ctx->data;
++    uint64_t u64_value;
++    int cmd;
++    int ret;
++
++    switch (type) {
++    case EVP_PKEY_CTRL_PASS:
++        cmd = EVP_KDF_CTRL_SET_PASS;
++        break;
++    case EVP_PKEY_CTRL_HKDF_SALT:
++    case EVP_PKEY_CTRL_SCRYPT_SALT:
++        cmd = EVP_KDF_CTRL_SET_SALT;
++        break;
++    case EVP_PKEY_CTRL_TLS_MD:
++    case EVP_PKEY_CTRL_HKDF_MD:
++        cmd = EVP_KDF_CTRL_SET_MD;
++        break;
++    case EVP_PKEY_CTRL_TLS_SECRET:
++        cmd = EVP_KDF_CTRL_SET_TLS_SECRET;
++        ret = EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_RESET_TLS_SEED);
++        if (ret < 1)
++            return ret;
++        break;
++    case EVP_PKEY_CTRL_TLS_SEED:
++        cmd = EVP_KDF_CTRL_ADD_TLS_SEED;
++        break;
++    case EVP_PKEY_CTRL_HKDF_KEY:
++        cmd = EVP_KDF_CTRL_SET_KEY;
++        break;
++    case EVP_PKEY_CTRL_HKDF_INFO:
++        cmd = EVP_KDF_CTRL_ADD_HKDF_INFO;
++        break;
++    case EVP_PKEY_CTRL_HKDF_MODE:
++        cmd = EVP_KDF_CTRL_SET_HKDF_MODE;
++        break;
++    case EVP_PKEY_CTRL_SCRYPT_N:
++        cmd = EVP_KDF_CTRL_SET_SCRYPT_N;
++        break;
++    case EVP_PKEY_CTRL_SCRYPT_R:
++        cmd = EVP_KDF_CTRL_SET_SCRYPT_R;
++        break;
++    case EVP_PKEY_CTRL_SCRYPT_P:
++        cmd = EVP_KDF_CTRL_SET_SCRYPT_P;
++        break;
++    case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
++        cmd = EVP_KDF_CTRL_SET_MAXMEM_BYTES;
++        break;
++    default:
++        return -2;
++    }
++
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_PASS:
++    case EVP_KDF_CTRL_SET_SALT:
++    case EVP_KDF_CTRL_SET_KEY:
++    case EVP_KDF_CTRL_SET_TLS_SECRET:
++    case EVP_KDF_CTRL_ADD_TLS_SEED:
++    case EVP_KDF_CTRL_ADD_HKDF_INFO:
++        return EVP_KDF_ctrl(kctx, cmd, (const unsigned char *)p2, (size_t)p1);
++
++    case EVP_KDF_CTRL_SET_MD:
++        return EVP_KDF_ctrl(kctx, cmd, (const EVP_MD *)p2);
++
++    case EVP_KDF_CTRL_SET_HKDF_MODE:
++        return EVP_KDF_ctrl(kctx, cmd, (int)p1);
++
++    case EVP_KDF_CTRL_SET_SCRYPT_R:
++    case EVP_KDF_CTRL_SET_SCRYPT_P:
++        u64_value = *(uint64_t *)p2;
++        if (u64_value > UINT32_MAX) {
++            EVPerr(EVP_F_PKEY_KDF_CTRL, EVP_R_PARAMETER_TOO_LARGE);
++            return 0;
++        }
++
++        return EVP_KDF_ctrl(kctx, cmd, (uint32_t)u64_value);
++
++    case EVP_KDF_CTRL_SET_SCRYPT_N:
++    case EVP_KDF_CTRL_SET_MAXMEM_BYTES:
++        return EVP_KDF_ctrl(kctx, cmd, *(uint64_t *)p2);
++
++    default:
++        return 0;
++    }
++}
++
++static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
++                             const char *value)
++{
++    EVP_KDF_CTX *kctx = ctx->data;
++
++    if (strcmp(type, "md") == 0)
++        return EVP_KDF_ctrl_str(kctx, "digest", value);
++    return EVP_KDF_ctrl_str(kctx, type, value);
++}
++
++static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx)
++{
++    EVP_KDF_CTX *kctx = ctx->data;
++
++    EVP_KDF_reset(kctx);
++    return 1;
++}
++
++/*
++ * For fixed-output algorithms the keylen parameter is an "out" parameter
++ * otherwise it is an "in" parameter.
++ */
++static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
++                           size_t *keylen)
++{
++    EVP_KDF_CTX *kctx = ctx->data;
++    size_t outlen = EVP_KDF_size(kctx);
++
++    if (outlen == 0 || outlen == SIZE_MAX) {
++        /* Variable-output algorithm */
++        if (key == NULL)
++            return 0;
++    } else {
++        /* Fixed-output algorithm */
++        *keylen = outlen;
++        if (key == NULL)
++            return 1;
++    }
++    return EVP_KDF_derive(kctx, key, *keylen);
++}
++
++#ifndef OPENSSL_NO_SCRYPT
++const EVP_PKEY_METHOD scrypt_pkey_meth = {
++    EVP_PKEY_SCRYPT,
++    0,
++    pkey_kdf_init,
++    0,
++    pkey_kdf_cleanup,
++
++    0, 0,
++    0, 0,
++
++    0,
++    0,
++
++    0,
++    0,
++
++    0, 0,
++
++    0, 0, 0, 0,
++
++    0, 0,
++
++    0, 0,
++
++    pkey_kdf_derive_init,
++    pkey_kdf_derive,
++    pkey_kdf_ctrl,
++    pkey_kdf_ctrl_str
++};
++#endif
++
++const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
++    EVP_PKEY_TLS1_PRF,
++    EVP_PKEY_FLAG_FIPS,
++    pkey_kdf_init,
++    0,
++    pkey_kdf_cleanup,
++
++    0, 0,
++    0, 0,
++
++    0,
++    0,
++
++    0,
++    0,
++
++    0, 0,
++
++    0, 0, 0, 0,
++
++    0, 0,
++
++    0, 0,
++
++    pkey_kdf_derive_init,
++    pkey_kdf_derive,
++    pkey_kdf_ctrl,
++    pkey_kdf_ctrl_str
++};
++
++const EVP_PKEY_METHOD hkdf_pkey_meth = {
++    EVP_PKEY_HKDF,
++    EVP_PKEY_FLAG_FIPS,
++    pkey_kdf_init,
++    0,
++    pkey_kdf_cleanup,
++
++    0, 0,
++    0, 0,
++
++    0,
++    0,
++
++    0,
++    0,
++
++    0, 0,
++
++    0, 0, 0, 0,
++
++    0, 0,
++
++    0, 0,
++
++    pkey_kdf_derive_init,
++    pkey_kdf_derive,
++    pkey_kdf_ctrl,
++    pkey_kdf_ctrl_str
++};
++
+diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info
+--- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/kdf/build.info	2021-03-03 14:08:02.491294847 +0100
+@@ -1,3 +1,3 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+-        tls1_prf.c kdf_err.c hkdf.c scrypt.c
++        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
+diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c
+--- openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/kdf/hkdf.c	2021-03-03 14:08:02.492294856 +0100
+@@ -8,32 +8,33 @@
+  */
+ 
+ #include <stdlib.h>
++#include <stdarg.h>
+ #include <string.h>
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
+ #include "internal/cryptlib.h"
+ #include "crypto/evp.h"
++#include "kdf_local.h"
+ 
+ #define HKDF_MAXBUF 1024
+ 
+-static unsigned char *HKDF(const EVP_MD *evp_md,
+-                           const unsigned char *salt, size_t salt_len,
+-                           const unsigned char *key, size_t key_len,
+-                           const unsigned char *info, size_t info_len,
+-                           unsigned char *okm, size_t okm_len);
+-
+-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
+-                                   const unsigned char *salt, size_t salt_len,
+-                                   const unsigned char *key, size_t key_len,
+-                                   unsigned char *prk, size_t *prk_len);
+-
+-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
+-                                  const unsigned char *prk, size_t prk_len,
+-                                  const unsigned char *info, size_t info_len,
+-                                  unsigned char *okm, size_t okm_len);
++static void kdf_hkdf_reset(EVP_KDF_IMPL *impl);
++static int HKDF(const EVP_MD *evp_md,
++                const unsigned char *salt, size_t salt_len,
++                const unsigned char *key, size_t key_len,
++                const unsigned char *info, size_t info_len,
++                unsigned char *okm, size_t okm_len);
++static int HKDF_Extract(const EVP_MD *evp_md,
++                        const unsigned char *salt, size_t salt_len,
++                        const unsigned char *key, size_t key_len,
++                        unsigned char *prk, size_t prk_len);
++static int HKDF_Expand(const EVP_MD *evp_md,
++                       const unsigned char *prk, size_t prk_len,
++                       const unsigned char *info, size_t info_len,
++                       unsigned char *okm, size_t okm_len);
+ 
+-typedef struct {
++struct evp_kdf_impl_st {
+     int mode;
+     const EVP_MD *md;
+     unsigned char *salt;
+@@ -42,230 +43,208 @@ typedef struct {
+     size_t key_len;
+     unsigned char info[HKDF_MAXBUF];
+     size_t info_len;
+-} HKDF_PKEY_CTX;
++};
+ 
+-static int pkey_hkdf_init(EVP_PKEY_CTX *ctx)
++static EVP_KDF_IMPL *kdf_hkdf_new(void)
+ {
+-    HKDF_PKEY_CTX *kctx;
+-
+-    if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {
+-        KDFerr(KDF_F_PKEY_HKDF_INIT, ERR_R_MALLOC_FAILURE);
+-        return 0;
+-    }
++    EVP_KDF_IMPL *impl;
+ 
+-    ctx->data = kctx;
++    if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
++        KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE);
++    return impl;
++}
+ 
+-    return 1;
++static void kdf_hkdf_free(EVP_KDF_IMPL *impl)
++{
++    kdf_hkdf_reset(impl);
++    OPENSSL_free(impl);
+ }
+ 
+-static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
++static void kdf_hkdf_reset(EVP_KDF_IMPL *impl)
+ {
+-    HKDF_PKEY_CTX *kctx = ctx->data;
+-    OPENSSL_clear_free(kctx->salt, kctx->salt_len);
+-    OPENSSL_clear_free(kctx->key, kctx->key_len);
+-    OPENSSL_cleanse(kctx->info, kctx->info_len);
+-    OPENSSL_free(kctx);
++    OPENSSL_free(impl->salt);
++    OPENSSL_clear_free(impl->key, impl->key_len);
++    OPENSSL_cleanse(impl->info, impl->info_len);
++    memset(impl, 0, sizeof(*impl));
+ }
+ 
+-static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
++static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
+ {
+-    HKDF_PKEY_CTX *kctx = ctx->data;
++    const unsigned char *p;
++    size_t len;
++    const EVP_MD *md;
+ 
+-    switch (type) {
+-    case EVP_PKEY_CTRL_HKDF_MD:
+-        if (p2 == NULL)
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_MD:
++        md = va_arg(args, const EVP_MD *);
++        if (md == NULL)
+             return 0;
+ 
+-        kctx->md = p2;
++        impl->md = md;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_HKDF_MODE:
+-        kctx->mode = p1;
++    case EVP_KDF_CTRL_SET_HKDF_MODE:
++        impl->mode = va_arg(args, int);
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_HKDF_SALT:
+-        if (p1 == 0 || p2 == NULL)
++    case EVP_KDF_CTRL_SET_SALT:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        if (len == 0 || p == NULL)
+             return 1;
+ 
+-        if (p1 < 0)
++        OPENSSL_free(impl->salt);
++        impl->salt = OPENSSL_memdup(p, len);
++        if (impl->salt == NULL)
+             return 0;
+ 
+-        if (kctx->salt != NULL)
+-            OPENSSL_clear_free(kctx->salt, kctx->salt_len);
+-
+-        kctx->salt = OPENSSL_memdup(p2, p1);
+-        if (kctx->salt == NULL)
+-            return 0;
+-
+-        kctx->salt_len = p1;
++        impl->salt_len = len;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_HKDF_KEY:
+-        if (p1 < 0)
++    case EVP_KDF_CTRL_SET_KEY:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        OPENSSL_clear_free(impl->key, impl->key_len);
++        impl->key = OPENSSL_memdup(p, len);
++        if (impl->key == NULL)
+             return 0;
+ 
+-        if (kctx->key != NULL)
+-            OPENSSL_clear_free(kctx->key, kctx->key_len);
+-
+-        kctx->key = OPENSSL_memdup(p2, p1);
+-        if (kctx->key == NULL)
+-            return 0;
++        impl->key_len  = len;
++        return 1;
+ 
+-        kctx->key_len  = p1;
++    case EVP_KDF_CTRL_RESET_HKDF_INFO:
++        OPENSSL_cleanse(impl->info, impl->info_len);
++        impl->info_len = 0;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_HKDF_INFO:
+-        if (p1 == 0 || p2 == NULL)
++    case EVP_KDF_CTRL_ADD_HKDF_INFO:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        if (len == 0 || p == NULL)
+             return 1;
+ 
+-        if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len))
++        if (len > (HKDF_MAXBUF - impl->info_len))
+             return 0;
+ 
+-        memcpy(kctx->info + kctx->info_len, p2, p1);
+-        kctx->info_len += p1;
++        memcpy(impl->info + impl->info_len, p, len);
++        impl->info_len += len;
+         return 1;
+ 
+     default:
+         return -2;
+-
+     }
+ }
+ 
+-static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
+-                              const char *value)
++static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
++                             const char *value)
+ {
+     if (strcmp(type, "mode") == 0) {
+         int mode;
+ 
+         if (strcmp(value, "EXTRACT_AND_EXPAND") == 0)
+-            mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND;
++            mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND;
+         else if (strcmp(value, "EXTRACT_ONLY") == 0)
+-            mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY;
++            mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY;
+         else if (strcmp(value, "EXPAND_ONLY") == 0)
+-            mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
++            mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY;
+         else
+             return 0;
+ 
+-        return EVP_PKEY_CTX_hkdf_mode(ctx, mode);
++        return call_ctrl(kdf_hkdf_ctrl, impl, EVP_KDF_CTRL_SET_HKDF_MODE, mode);
+     }
+ 
+-    if (strcmp(type, "md") == 0)
+-        return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE,
+-                               EVP_PKEY_CTRL_HKDF_MD, value);
++    if (strcmp(type, "digest") == 0)
++        return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
+ 
+     if (strcmp(type, "salt") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
++        return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
+ 
+     if (strcmp(type, "hexsalt") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value);
++        return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value);
+ 
+     if (strcmp(type, "key") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
++        return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);
+ 
+     if (strcmp(type, "hexkey") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value);
++        return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value);
+ 
+     if (strcmp(type, "info") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
++        return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,
++                            value);
+ 
+     if (strcmp(type, "hexinfo") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value);
++        return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO,
++                            value);
+ 
+-    KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
+     return -2;
+ }
+ 
+-static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx)
++static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl)
+ {
+-    HKDF_PKEY_CTX *kctx = ctx->data;
++    if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY)
++        return SIZE_MAX;
+ 
+-    OPENSSL_clear_free(kctx->key, kctx->key_len);
+-    OPENSSL_clear_free(kctx->salt, kctx->salt_len);
+-    OPENSSL_cleanse(kctx->info, kctx->info_len);
+-    memset(kctx, 0, sizeof(*kctx));
+-
+-    return 1;
++    if (impl->md == NULL) {
++        KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST);
++        return 0;
++    }
++    return EVP_MD_size(impl->md);
+ }
+ 
+-static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+-                            size_t *keylen)
++static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
++                           size_t keylen)
+ {
+-    HKDF_PKEY_CTX *kctx = ctx->data;
+-
+-    if (kctx->md == NULL) {
+-        KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
++    if (impl->md == NULL) {
++        KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
+         return 0;
+     }
+-    if (kctx->key == NULL) {
+-        KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY);
++    if (impl->key == NULL) {
++        KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY);
+         return 0;
+     }
+ 
+-    switch (kctx->mode) {
+-    case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND:
+-        return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
+-                    kctx->key_len, kctx->info, kctx->info_len, key,
+-                    *keylen) != NULL;
+-
+-    case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY:
+-        if (key == NULL) {
+-            *keylen = EVP_MD_size(kctx->md);
+-            return 1;
+-        }
+-        return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key,
+-                            kctx->key_len, key, keylen) != NULL;
+-
+-    case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY:
+-        return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info,
+-                           kctx->info_len, key, *keylen) != NULL;
++    switch (impl->mode) {
++    case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND:
++        return HKDF(impl->md, impl->salt, impl->salt_len, impl->key,
++                    impl->key_len, impl->info, impl->info_len, key,
++                    keylen);
++
++    case EVP_KDF_HKDF_MODE_EXTRACT_ONLY:
++        return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key,
++                            impl->key_len, key, keylen);
++
++    case EVP_KDF_HKDF_MODE_EXPAND_ONLY:
++        return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info,
++                           impl->info_len, key, keylen);
+ 
+     default:
+         return 0;
+     }
+ }
+ 
+-const EVP_PKEY_METHOD hkdf_pkey_meth = {
+-    EVP_PKEY_HKDF,
+-    0,
+-    pkey_hkdf_init,
+-    0,
+-    pkey_hkdf_cleanup,
+-
+-    0, 0,
+-    0, 0,
+-
+-    0,
+-    0,
+-
+-    0,
+-    0,
+-
+-    0, 0,
+-
+-    0, 0, 0, 0,
+-
+-    0, 0,
+-
+-    0, 0,
+-
+-    pkey_hkdf_derive_init,
+-    pkey_hkdf_derive,
+-    pkey_hkdf_ctrl,
+-    pkey_hkdf_ctrl_str
++const EVP_KDF_METHOD hkdf_kdf_meth = {
++    EVP_KDF_HKDF,
++    kdf_hkdf_new,
++    kdf_hkdf_free,
++    kdf_hkdf_reset,
++    kdf_hkdf_ctrl,
++    kdf_hkdf_ctrl_str,
++    kdf_hkdf_size,
++    kdf_hkdf_derive
+ };
+ 
+-static unsigned char *HKDF(const EVP_MD *evp_md,
+-                           const unsigned char *salt, size_t salt_len,
+-                           const unsigned char *key, size_t key_len,
+-                           const unsigned char *info, size_t info_len,
+-                           unsigned char *okm, size_t okm_len)
++static int HKDF(const EVP_MD *evp_md,
++                const unsigned char *salt, size_t salt_len,
++                const unsigned char *key, size_t key_len,
++                const unsigned char *info, size_t info_len,
++                unsigned char *okm, size_t okm_len)
+ {
+     unsigned char prk[EVP_MAX_MD_SIZE];
+-    unsigned char *ret;
+-    size_t prk_len;
++    int ret;
++    size_t prk_len = EVP_MD_size(evp_md);
+ 
+-    if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len))
+-        return NULL;
++    if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, prk_len))
++        return 0;
+ 
+     ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len);
+     OPENSSL_cleanse(prk, sizeof(prk));
+@@ -273,43 +252,38 @@ static unsigned char *HKDF(const EVP_MD
+     return ret;
+ }
+ 
+-static unsigned char *HKDF_Extract(const EVP_MD *evp_md,
+-                                   const unsigned char *salt, size_t salt_len,
+-                                   const unsigned char *key, size_t key_len,
+-                                   unsigned char *prk, size_t *prk_len)
++static int HKDF_Extract(const EVP_MD *evp_md,
++                        const unsigned char *salt, size_t salt_len,
++                        const unsigned char *key, size_t key_len,
++                        unsigned char *prk, size_t prk_len)
+ {
+-    unsigned int tmp_len;
+-
+-    if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len))
+-        return NULL;
+-
+-    *prk_len = tmp_len;
+-    return prk;
++    if (prk_len != (size_t)EVP_MD_size(evp_md)) {
++        KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);
++        return 0;
++    }
++    return HMAC(evp_md, salt, salt_len, key, key_len, prk, NULL) != NULL;
+ }
+ 
+-static unsigned char *HKDF_Expand(const EVP_MD *evp_md,
+-                                  const unsigned char *prk, size_t prk_len,
+-                                  const unsigned char *info, size_t info_len,
+-                                  unsigned char *okm, size_t okm_len)
++static int HKDF_Expand(const EVP_MD *evp_md,
++                       const unsigned char *prk, size_t prk_len,
++                       const unsigned char *info, size_t info_len,
++                       unsigned char *okm, size_t okm_len)
+ {
+     HMAC_CTX *hmac;
+-    unsigned char *ret = NULL;
+-
++    int ret = 0;
+     unsigned int i;
+-
+     unsigned char prev[EVP_MAX_MD_SIZE];
+-
+     size_t done_len = 0, dig_len = EVP_MD_size(evp_md);
+-
+     size_t n = okm_len / dig_len;
++
+     if (okm_len % dig_len)
+         n++;
+ 
+     if (n > 255 || okm == NULL)
+-        return NULL;
++        return 0;
+ 
+     if ((hmac = HMAC_CTX_new()) == NULL)
+-        return NULL;
++        return 0;
+ 
+     if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL))
+         goto err;
+@@ -343,7 +317,7 @@ static unsigned char *HKDF_Expand(const
+ 
+         done_len += copy_len;
+     }
+-    ret = okm;
++    ret = 1;
+ 
+  err:
+     OPENSSL_cleanse(prev, sizeof(prev));
+diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c
+--- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/kdf/kdf_err.c	2021-03-03 14:08:02.492294856 +0100
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -14,6 +14,29 @@
+ #ifndef OPENSSL_NO_ERR
+ 
+ static const ERR_STRING_DATA KDF_str_functs[] = {
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_MD2CTRL, 0), "kdf_md2ctrl"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_CTRL_STR, 0),
++     "kdf_pbkdf2_ctrl_str"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_DERIVE, 0), "kdf_pbkdf2_derive"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_NEW, 0), "kdf_pbkdf2_new"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_STR, 0),
++     "kdf_scrypt_ctrl_str"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT32, 0),
++     "kdf_scrypt_ctrl_uint32"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT64, 0),
++     "kdf_scrypt_ctrl_uint64"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0),
++     "kdf_tls1_prf_ctrl_str"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0),
++     "kdf_tls1_prf_derive"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"},
+@@ -30,6 +53,7 @@ static const ERR_STRING_DATA KDF_str_fun
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_DERIVE, 0),
+      "pkey_tls1_prf_derive"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"},
+     {0, NULL}
+ };
+@@ -50,6 +74,8 @@ static const ERR_STRING_DATA KDF_str_rea
+     "unknown parameter type"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"},
++    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE),
++    "wrong output buffer size"},
+     {0, NULL}
+ };
+ 
+diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h
+--- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf	2021-03-03 14:08:02.492294856 +0100
++++ openssl-1.1.1j/crypto/kdf/kdf_local.h	2021-03-03 14:08:02.492294856 +0100
+@@ -0,0 +1,22 @@
++/*
++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++              EVP_KDF_IMPL *impl, int cmd, ...);
++int kdf_str2ctrl(EVP_KDF_IMPL *impl,
++                 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                 int cmd, const char *str);
++int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
++                 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                 int cmd, const char *hex);
++int kdf_md2ctrl(EVP_KDF_IMPL *impl,
++                int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                int cmd, const char *md_name);
++
+diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c
+--- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf	2021-03-03 14:08:02.492294856 +0100
++++ openssl-1.1.1j/crypto/kdf/kdf_util.c	2021-03-03 14:08:02.492294856 +0100
+@@ -0,0 +1,73 @@
++/*
++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <stdarg.h>
++#include <openssl/kdf.h>
++#include <openssl/evp.h>
++#include "internal/cryptlib.h"
++#include "crypto/evp.h"
++#include "internal/numbers.h"
++#include "kdf_local.h"
++
++int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++              EVP_KDF_IMPL *impl, int cmd, ...)
++{
++    int ret;
++    va_list args;
++
++    va_start(args, cmd);
++    ret = ctrl(impl, cmd, args);
++    va_end(args);
++
++    return ret;
++}
++
++/* Utility functions to send a string or hex string to a ctrl */
++
++int kdf_str2ctrl(EVP_KDF_IMPL *impl,
++                 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                 int cmd, const char *str)
++{
++    return call_ctrl(ctrl, impl, cmd, (const unsigned char *)str, strlen(str));
++}
++
++int kdf_hex2ctrl(EVP_KDF_IMPL *impl,
++                 int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                 int cmd, const char *hex)
++{
++    unsigned char *bin;
++    long binlen;
++    int ret = -1;
++
++    bin = OPENSSL_hexstr2buf(hex, &binlen);
++    if (bin == NULL)
++        return 0;
++
++    if (binlen <= INT_MAX)
++        ret = call_ctrl(ctrl, impl, cmd, bin, (size_t)binlen);
++    OPENSSL_free(bin);
++    return ret;
++}
++
++/* Pass a message digest to a ctrl */
++int kdf_md2ctrl(EVP_KDF_IMPL *impl,
++                int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args),
++                int cmd, const char *md_name)
++{
++    const EVP_MD *md;
++
++    if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) {
++        KDFerr(KDF_F_KDF_MD2CTRL, KDF_R_INVALID_DIGEST);
++        return 0;
++    }
++    return call_ctrl(ctrl, impl, cmd, md);
++}
++
+diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c
+--- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf	2021-03-03 14:08:02.492294856 +0100
++++ openssl-1.1.1j/crypto/kdf/pbkdf2.c	2021-03-03 14:08:02.492294856 +0100
+@@ -0,0 +1,264 @@
++/*
++ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdlib.h>
++#include <stdarg.h>
++#include <string.h>
++#include <openssl/hmac.h>
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++#include "internal/cryptlib.h"
++#include "crypto/evp.h"
++#include "kdf_local.h"
++
++static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl);
++static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl);
++static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
++                            const unsigned char *salt, int saltlen, int iter,
++                            const EVP_MD *digest, unsigned char *key,
++                            size_t keylen);
++
++struct evp_kdf_impl_st {
++    unsigned char *pass;
++    size_t pass_len;
++    unsigned char *salt;
++    size_t salt_len;
++    int iter;
++    const EVP_MD *md;
++};
++
++static EVP_KDF_IMPL *kdf_pbkdf2_new(void)
++{
++    EVP_KDF_IMPL *impl;
++
++    impl = OPENSSL_zalloc(sizeof(*impl));
++    if (impl == NULL) {
++        KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE);
++        return NULL;
++    }
++    kdf_pbkdf2_init(impl);
++    return impl;
++}
++
++static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl)
++{
++    kdf_pbkdf2_reset(impl);
++    OPENSSL_free(impl);
++}
++
++static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl)
++{
++    OPENSSL_free(impl->salt);
++    OPENSSL_clear_free(impl->pass, impl->pass_len);
++    memset(impl, 0, sizeof(*impl));
++    kdf_pbkdf2_init(impl);
++}
++
++static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)
++{
++    impl->iter = PKCS5_DEFAULT_ITER;
++    impl->md = EVP_sha1();
++}
++
++static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
++                             const unsigned char *new_buffer,
++                             size_t new_buflen)
++{
++    if (new_buffer == NULL)
++        return 1;
++
++    OPENSSL_clear_free(*buffer, *buflen);
++
++    if (new_buflen > 0) {
++        *buffer = OPENSSL_memdup(new_buffer, new_buflen);
++    } else {
++        *buffer = OPENSSL_malloc(1);
++    }
++    if (*buffer == NULL) {
++        KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
++        return 0;
++    }
++
++    *buflen = new_buflen;
++    return 1;
++}
++
++static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
++{
++    int iter;
++    const unsigned char *p;
++    size_t len;
++    const EVP_MD *md;
++
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_PASS:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len);
++
++    case EVP_KDF_CTRL_SET_SALT:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len);
++
++    case EVP_KDF_CTRL_SET_ITER:
++        iter = va_arg(args, int);
++        if (iter < 1)
++            return 0;
++
++        impl->iter = iter;
++        return 1;
++
++    case EVP_KDF_CTRL_SET_MD:
++        md = va_arg(args, const EVP_MD *);
++        if (md == NULL)
++            return 0;
++
++        impl->md = md;
++        return 1;
++
++    default:
++        return -2;
++    }
++}
++
++static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
++                               const char *value)
++{
++    if (value == NULL) {
++        KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING);
++        return 0;
++    }
++
++    if (strcmp(type, "pass") == 0)
++        return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
++                            value);
++
++    if (strcmp(type, "hexpass") == 0)
++        return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS,
++                            value);
++
++    if (strcmp(type, "salt") == 0)
++        return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
++                            value);
++
++    if (strcmp(type, "hexsalt") == 0)
++        return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT,
++                            value);
++
++    if (strcmp(type, "iter") == 0)
++        return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER,
++                         atoi(value));
++
++    if (strcmp(type, "digest") == 0)
++        return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value);
++
++    return -2;
++}
++
++static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,
++                             size_t keylen)
++{
++    if (impl->pass == NULL) {
++        KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS);
++        return 0;
++    }
++
++    if (impl->salt == NULL) {
++        KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT);
++        return 0;
++    }
++
++    return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
++                            impl->salt, impl->salt_len, impl->iter,
++                            impl->md, key, keylen);
++}
++
++const EVP_KDF_METHOD pbkdf2_kdf_meth = {
++    EVP_KDF_PBKDF2,
++    kdf_pbkdf2_new,
++    kdf_pbkdf2_free,
++    kdf_pbkdf2_reset,
++    kdf_pbkdf2_ctrl,
++    kdf_pbkdf2_ctrl_str,
++    NULL,
++    kdf_pbkdf2_derive
++};
++
++/*
++ * This is an implementation of PKCS#5 v2.0 password based encryption key
++ * derivation function PBKDF2. SHA1 version verified against test vectors
++ * posted by Peter Gutmann to the PKCS-TNG mailing list.
++ */
++
++static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen,
++                            const unsigned char *salt, int saltlen, int iter,
++                            const EVP_MD *digest, unsigned char *key,
++                            size_t keylen)
++{
++    int ret = 0;
++    unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
++    int cplen, j, k, tkeylen, mdlen;
++    unsigned long i = 1;
++    HMAC_CTX *hctx_tpl = NULL, *hctx = NULL;
++
++    mdlen = EVP_MD_size(digest);
++    if (mdlen < 0)
++        return 0;
++
++    hctx_tpl = HMAC_CTX_new();
++    if (hctx_tpl == NULL)
++        return 0;
++    p = key;
++    tkeylen = keylen;
++    if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL))
++        goto err;
++    hctx = HMAC_CTX_new();
++    if (hctx == NULL)
++        goto err;
++    while (tkeylen) {
++        if (tkeylen > mdlen)
++            cplen = mdlen;
++        else
++            cplen = tkeylen;
++        /*
++         * We are unlikely to ever use more than 256 blocks (5120 bits!) but
++         * just in case...
++         */
++        itmp[0] = (unsigned char)((i >> 24) & 0xff);
++        itmp[1] = (unsigned char)((i >> 16) & 0xff);
++        itmp[2] = (unsigned char)((i >> 8) & 0xff);
++        itmp[3] = (unsigned char)(i & 0xff);
++        if (!HMAC_CTX_copy(hctx, hctx_tpl))
++            goto err;
++        if (!HMAC_Update(hctx, salt, saltlen)
++                || !HMAC_Update(hctx, itmp, 4)
++                || !HMAC_Final(hctx, digtmp, NULL))
++            goto err;
++        memcpy(p, digtmp, cplen);
++        for (j = 1; j < iter; j++) {
++            if (!HMAC_CTX_copy(hctx, hctx_tpl))
++                goto err;
++            if (!HMAC_Update(hctx, digtmp, mdlen)
++                    || !HMAC_Final(hctx, digtmp, NULL))
++                goto err;
++            for (k = 0; k < cplen; k++)
++                p[k] ^= digtmp[k];
++        }
++        tkeylen -= cplen;
++        i++;
++        p += cplen;
++    }
++    ret = 1;
++
++err:
++    HMAC_CTX_free(hctx);
++    HMAC_CTX_free(hctx_tpl);
++    return ret;
++}
+diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c
+--- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/kdf/scrypt.c	2021-03-03 14:08:02.492294856 +0100
+@@ -8,25 +8,35 @@
+  */
+ 
+ #include <stdlib.h>
++#include <stdarg.h>
+ #include <string.h>
+ #include <openssl/hmac.h>
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
+-#include "internal/cryptlib.h"
++#include <openssl/err.h>
+ #include "crypto/evp.h"
++#include "internal/numbers.h"
++#include "kdf_local.h"
+ 
+ #ifndef OPENSSL_NO_SCRYPT
+ 
++static void kdf_scrypt_reset(EVP_KDF_IMPL *impl);
++static void kdf_scrypt_init(EVP_KDF_IMPL *impl);
+ static int atou64(const char *nptr, uint64_t *result);
++static int scrypt_alg(const char *pass, size_t passlen,
++                      const unsigned char *salt, size_t saltlen,
++                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
++                      unsigned char *key, size_t keylen);
+ 
+-typedef struct {
++struct evp_kdf_impl_st {
+     unsigned char *pass;
+     size_t pass_len;
+     unsigned char *salt;
+     size_t salt_len;
+-    uint64_t N, r, p;
++    uint64_t N;
++    uint32_t r, p;
+     uint64_t maxmem_bytes;
+-} SCRYPT_PKEY_CTX;
++};
+ 
+ /* Custom uint64_t parser since we do not have strtoull */
+ static int atou64(const char *nptr, uint64_t *result)
+@@ -53,51 +63,53 @@ static int atou64(const char *nptr, uint
+     return 1;
+ }
+ 
+-static int pkey_scrypt_init(EVP_PKEY_CTX *ctx)
++static EVP_KDF_IMPL *kdf_scrypt_new(void)
+ {
+-    SCRYPT_PKEY_CTX *kctx;
++    EVP_KDF_IMPL *impl;
+ 
+-    kctx = OPENSSL_zalloc(sizeof(*kctx));
+-    if (kctx == NULL) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE);
+-        return 0;
++    impl = OPENSSL_zalloc(sizeof(*impl));
++    if (impl == NULL) {
++        KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE);
++        return NULL;
+     }
++    kdf_scrypt_init(impl);
++    return impl;
++}
+ 
+-    /* Default values are the most conservative recommendation given in the
+-     * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
+-     * for this parameter choice (approx. 128 * r * (N + p) bytes).
+-     */
+-    kctx->N = 1 << 20;
+-    kctx->r = 8;
+-    kctx->p = 1;
+-    kctx->maxmem_bytes = 1025 * 1024 * 1024;
+-
+-    ctx->data = kctx;
+-
+-    return 1;
++static void kdf_scrypt_free(EVP_KDF_IMPL *impl)
++{
++    kdf_scrypt_reset(impl);
++    OPENSSL_free(impl);
+ }
+ 
+-static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx)
++static void kdf_scrypt_reset(EVP_KDF_IMPL *impl)
+ {
+-    SCRYPT_PKEY_CTX *kctx = ctx->data;
++    OPENSSL_free(impl->salt);
++    OPENSSL_clear_free(impl->pass, impl->pass_len);
++    memset(impl, 0, sizeof(*impl));
++    kdf_scrypt_init(impl);
++}
+ 
+-    OPENSSL_clear_free(kctx->salt, kctx->salt_len);
+-    OPENSSL_clear_free(kctx->pass, kctx->pass_len);
+-    OPENSSL_free(kctx);
++static void kdf_scrypt_init(EVP_KDF_IMPL *impl)
++{
++    /* Default values are the most conservative recommendation given in the
++     * original paper of C. Percival. Derivation uses roughly 1 GiB of memory
++     * for this parameter choice (approx. 128 * r * N * p bytes).
++     */
++    impl->N = 1 << 20;
++    impl->r = 8;
++    impl->p = 1;
++    impl->maxmem_bytes = 1025 * 1024 * 1024;
+ }
+ 
+-static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
+-                                  const unsigned char *new_buffer,
+-                                  const int new_buflen)
++static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen,
++                             const unsigned char *new_buffer,
++                             size_t new_buflen)
+ {
+     if (new_buffer == NULL)
+         return 1;
+ 
+-    if (new_buflen < 0)
+-        return 0;
+-
+-    if (*buffer != NULL)
+-        OPENSSL_clear_free(*buffer, *buflen);
++    OPENSSL_clear_free(*buffer, *buflen);
+ 
+     if (new_buflen > 0) {
+         *buffer = OPENSSL_memdup(new_buffer, new_buflen);
+@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign
+         *buffer = OPENSSL_malloc(1);
+     }
+     if (*buffer == NULL) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
++        KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE);
+         return 0;
+     }
+ 
+@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu
+     return (value != 0) && ((value & (value - 1)) == 0);
+ }
+ 
+-static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
++static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
+ {
+-    SCRYPT_PKEY_CTX *kctx = ctx->data;
+     uint64_t u64_value;
++    uint32_t value;
++    const unsigned char *p;
++    size_t len;
++
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_PASS:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len);
++
++    case EVP_KDF_CTRL_SET_SALT:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len);
+ 
+-    switch (type) {
+-    case EVP_PKEY_CTRL_PASS:
+-        return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1);
+-
+-    case EVP_PKEY_CTRL_SCRYPT_SALT:
+-        return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1);
+-
+-    case EVP_PKEY_CTRL_SCRYPT_N:
+-        u64_value = *((uint64_t *)p2);
++    case EVP_KDF_CTRL_SET_SCRYPT_N:
++        u64_value = va_arg(args, uint64_t);
+         if ((u64_value <= 1) || !is_power_of_two(u64_value))
+             return 0;
+-        kctx->N = u64_value;
++
++        impl->N = u64_value;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_SCRYPT_R:
+-        u64_value = *((uint64_t *)p2);
+-        if (u64_value < 1)
++    case EVP_KDF_CTRL_SET_SCRYPT_R:
++        value = va_arg(args, uint32_t);
++        if (value < 1)
+             return 0;
+-        kctx->r = u64_value;
++
++        impl->r = value;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_SCRYPT_P:
+-        u64_value = *((uint64_t *)p2);
+-        if (u64_value < 1)
++    case EVP_KDF_CTRL_SET_SCRYPT_P:
++        value = va_arg(args, uint32_t);
++        if (value < 1)
+             return 0;
+-        kctx->p = u64_value;
++
++        impl->p = value;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES:
+-        u64_value = *((uint64_t *)p2);
++    case EVP_KDF_CTRL_SET_MAXMEM_BYTES:
++        u64_value = va_arg(args, uint64_t);
+         if (u64_value < 1)
+             return 0;
+-        kctx->maxmem_bytes = u64_value;
++
++        impl->maxmem_bytes = u64_value;
+         return 1;
+ 
+     default:
+         return -2;
++    }
++}
+ 
++static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd,
++                                  const char *value)
++{
++    int int_value = atoi(value);
++
++    if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) {
++        KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR);
++        return 0;
+     }
++    return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value);
+ }
+ 
+-static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type,
+-                                   const char *value)
++static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd,
++                                  const char *value)
+ {
+-    uint64_t int_value;
++    uint64_t u64_value;
+ 
+-    if (!atou64(value, &int_value)) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);
++    if (!atou64(value, &u64_value)) {
++        KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR);
+         return 0;
+     }
+-    return pkey_scrypt_ctrl(ctx, type, 0, &int_value);
++    return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value);
+ }
+ 
+-static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
+-                                const char *value)
++static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
++                               const char *value)
+ {
+     if (value == NULL) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);
++        KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING);
+         return 0;
+     }
+ 
+     if (strcmp(type, "pass") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
++        return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,
++                            value);
+ 
+     if (strcmp(type, "hexpass") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value);
++        return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS,
++                            value);
+ 
+     if (strcmp(type, "salt") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
++        return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,
++                            value);
+ 
+     if (strcmp(type, "hexsalt") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value);
++        return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT,
++                            value);
+ 
+     if (strcmp(type, "N") == 0)
+-        return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value);
++        return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value);
+ 
+     if (strcmp(type, "r") == 0)
+-        return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value);
++        return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value);
+ 
+     if (strcmp(type, "p") == 0)
+-        return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value);
++        return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value);
+ 
+     if (strcmp(type, "maxmem_bytes") == 0)
+-        return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES,
+-                                       value);
++        return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
++                                      value);
+ 
+-    KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
+     return -2;
+ }
+ 
+-static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+-                              size_t *keylen)
++static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key,
++                             size_t keylen)
+ {
+-    SCRYPT_PKEY_CTX *kctx = ctx->data;
+-
+-    if (kctx->pass == NULL) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
++    if (impl->pass == NULL) {
++        KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS);
+         return 0;
+     }
+ 
+-    if (kctx->salt == NULL) {
+-        KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
++    if (impl->salt == NULL) {
++        KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT);
+         return 0;
+     }
+ 
+-    return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt,
+-                          kctx->salt_len, kctx->N, kctx->r, kctx->p,
+-                          kctx->maxmem_bytes, key, *keylen);
++    return scrypt_alg((char *)impl->pass, impl->pass_len, impl->salt,
++                      impl->salt_len, impl->N, impl->r, impl->p,
++                      impl->maxmem_bytes, key, keylen);
+ }
+ 
+-const EVP_PKEY_METHOD scrypt_pkey_meth = {
+-    EVP_PKEY_SCRYPT,
+-    0,
+-    pkey_scrypt_init,
+-    0,
+-    pkey_scrypt_cleanup,
++const EVP_KDF_METHOD scrypt_kdf_meth = {
++    EVP_KDF_SCRYPT,
++    kdf_scrypt_new,
++    kdf_scrypt_free,
++    kdf_scrypt_reset,
++    kdf_scrypt_ctrl,
++    kdf_scrypt_ctrl_str,
++    NULL,
++    kdf_scrypt_derive
++};
+ 
+-    0, 0,
+-    0, 0,
++#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
++static void salsa208_word_specification(uint32_t inout[16])
++{
++    int i;
++    uint32_t x[16];
+ 
+-    0,
+-    0,
++    memcpy(x, inout, sizeof(x));
++    for (i = 8; i > 0; i -= 2) {
++        x[4] ^= R(x[0] + x[12], 7);
++        x[8] ^= R(x[4] + x[0], 9);
++        x[12] ^= R(x[8] + x[4], 13);
++        x[0] ^= R(x[12] + x[8], 18);
++        x[9] ^= R(x[5] + x[1], 7);
++        x[13] ^= R(x[9] + x[5], 9);
++        x[1] ^= R(x[13] + x[9], 13);
++        x[5] ^= R(x[1] + x[13], 18);
++        x[14] ^= R(x[10] + x[6], 7);
++        x[2] ^= R(x[14] + x[10], 9);
++        x[6] ^= R(x[2] + x[14], 13);
++        x[10] ^= R(x[6] + x[2], 18);
++        x[3] ^= R(x[15] + x[11], 7);
++        x[7] ^= R(x[3] + x[15], 9);
++        x[11] ^= R(x[7] + x[3], 13);
++        x[15] ^= R(x[11] + x[7], 18);
++        x[1] ^= R(x[0] + x[3], 7);
++        x[2] ^= R(x[1] + x[0], 9);
++        x[3] ^= R(x[2] + x[1], 13);
++        x[0] ^= R(x[3] + x[2], 18);
++        x[6] ^= R(x[5] + x[4], 7);
++        x[7] ^= R(x[6] + x[5], 9);
++        x[4] ^= R(x[7] + x[6], 13);
++        x[5] ^= R(x[4] + x[7], 18);
++        x[11] ^= R(x[10] + x[9], 7);
++        x[8] ^= R(x[11] + x[10], 9);
++        x[9] ^= R(x[8] + x[11], 13);
++        x[10] ^= R(x[9] + x[8], 18);
++        x[12] ^= R(x[15] + x[14], 7);
++        x[13] ^= R(x[12] + x[15], 9);
++        x[14] ^= R(x[13] + x[12], 13);
++        x[15] ^= R(x[14] + x[13], 18);
++    }
++    for (i = 0; i < 16; ++i)
++        inout[i] += x[i];
++    OPENSSL_cleanse(x, sizeof(x));
++}
+ 
+-    0,
+-    0,
++static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r)
++{
++    uint64_t i, j;
++    uint32_t X[16], *pB;
+ 
+-    0, 0,
++    memcpy(X, B + (r * 2 - 1) * 16, sizeof(X));
++    pB = B;
++    for (i = 0; i < r * 2; i++) {
++        for (j = 0; j < 16; j++)
++            X[j] ^= *pB++;
++        salsa208_word_specification(X);
++        memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X));
++    }
++    OPENSSL_cleanse(X, sizeof(X));
++}
+ 
+-    0, 0, 0, 0,
++static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N,
++                        uint32_t *X, uint32_t *T, uint32_t *V)
++{
++    unsigned char *pB;
++    uint32_t *pV;
++    uint64_t i, k;
++
++    /* Convert from little endian input */
++    for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) {
++        *pV = *pB++;
++        *pV |= *pB++ << 8;
++        *pV |= *pB++ << 16;
++        *pV |= (uint32_t)*pB++ << 24;
++    }
+ 
+-    0, 0,
++    for (i = 1; i < N; i++, pV += 32 * r)
++        scryptBlockMix(pV, pV - 32 * r, r);
+ 
+-    0, 0,
++    scryptBlockMix(X, V + (N - 1) * 32 * r, r);
+ 
+-    0,
+-    pkey_scrypt_derive,
+-    pkey_scrypt_ctrl,
+-    pkey_scrypt_ctrl_str
+-};
++    for (i = 0; i < N; i++) {
++        uint32_t j;
++        j = X[16 * (2 * r - 1)] % N;
++        pV = V + 32 * r * j;
++        for (k = 0; k < 32 * r; k++)
++            T[k] = X[k] ^ *pV++;
++        scryptBlockMix(X, T, r);
++    }
++    /* Convert output to little endian */
++    for (i = 0, pB = B; i < 32 * r; i++) {
++        uint32_t xtmp = X[i];
++        *pB++ = xtmp & 0xff;
++        *pB++ = (xtmp >> 8) & 0xff;
++        *pB++ = (xtmp >> 16) & 0xff;
++        *pB++ = (xtmp >> 24) & 0xff;
++    }
++}
++
++#ifndef SIZE_MAX
++# define SIZE_MAX    ((size_t)-1)
++#endif
++
++/*
++ * Maximum power of two that will fit in uint64_t: this should work on
++ * most (all?) platforms.
++ */
++
++#define LOG2_UINT64_MAX         (sizeof(uint64_t) * 8 - 1)
++
++/*
++ * Maximum value of p * r:
++ * p <= ((2^32-1) * hLen) / MFLen =>
++ * p <= ((2^32-1) * 32) / (128 * r) =>
++ * p * r <= (2^30-1)
++ */
++
++#define SCRYPT_PR_MAX   ((1 << 30) - 1)
++
++static int scrypt_alg(const char *pass, size_t passlen,
++                      const unsigned char *salt, size_t saltlen,
++                      uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem,
++                      unsigned char *key, size_t keylen)
++{
++    int rv = 0;
++    unsigned char *B;
++    uint32_t *X, *V, *T;
++    uint64_t i, Blen, Vlen;
++
++    /* Sanity check parameters */
++    /* initial check, r,p must be non zero, N >= 2 and a power of 2 */
++    if (r == 0 || p == 0 || N < 2 || (N & (N - 1)))
++        return 0;
++    /* Check p * r < SCRYPT_PR_MAX avoiding overflow */
++    if (p > SCRYPT_PR_MAX / r) {
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++        return 0;
++    }
++
++    /*
++     * Need to check N: if 2^(128 * r / 8) overflows limit this is
++     * automatically satisfied since N <= UINT64_MAX.
++     */
++
++    if (16 * r <= LOG2_UINT64_MAX) {
++        if (N >= (((uint64_t)1) << (16 * r))) {
++            EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++            return 0;
++        }
++    }
++
++    /* Memory checks: check total allocated buffer size fits in uint64_t */
++
++    /*
++     * B size in section 5 step 1.S
++     * Note: we know p * 128 * r < UINT64_MAX because we already checked
++     * p * r < SCRYPT_PR_MAX
++     */
++    Blen = p * 128 * r;
++    /*
++     * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would
++     * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.]
++     */
++    if (Blen > INT_MAX) {
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++        return 0;
++    }
++
++    /*
++     * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t
++     * This is combined size V, X and T (section 4)
++     */
++    i = UINT64_MAX / (32 * sizeof(uint32_t));
++    if (N + 2 > i / r) {
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++        return 0;
++    }
++    Vlen = 32 * r * (N + 2) * sizeof(uint32_t);
++
++    /* check total allocated size fits in uint64_t */
++    if (Blen > UINT64_MAX - Vlen) {
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++        return 0;
++    }
++
++    /* Check that the maximum memory doesn't exceed a size_t limits */
++    if (maxmem > SIZE_MAX)
++        maxmem = SIZE_MAX;
++
++    if (Blen + Vlen > maxmem) {
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED);
++        return 0;
++    }
++
++    /* If no key return to indicate parameters are OK */
++    if (key == NULL)
++        return 1;
++
++    B = OPENSSL_malloc((size_t)(Blen + Vlen));
++    if (B == NULL) {
++        EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE);
++        return 0;
++    }
++    X = (uint32_t *)(B + Blen);
++    T = X + 32 * r;
++    V = T + 32 * r;
++    if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(),
++                          (int)Blen, B) == 0)
++        goto err;
++
++    for (i = 0; i < p; i++)
++        scryptROMix(B + 128 * r * i, r, N, X, T, V);
++
++    if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(),
++                          keylen, key) == 0)
++        goto err;
++    rv = 1;
++ err:
++    if (rv == 0)
++        EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR);
++
++    OPENSSL_clear_free(B, (size_t)(Blen + Vlen));
++    return rv;
++}
+ 
+ #endif
+diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c
+--- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/kdf/tls1_prf.c	2021-03-03 14:08:02.492294856 +0100
+@@ -8,11 +8,15 @@
+  */
+ 
+ #include <stdio.h>
++#include <stdarg.h>
++#include <string.h>
+ #include "internal/cryptlib.h"
+ #include <openssl/kdf.h>
+ #include <openssl/evp.h>
+ #include "crypto/evp.h"
++#include "kdf_local.h"
+ 
++static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl);
+ static int tls1_prf_alg(const EVP_MD *md,
+                         const unsigned char *sec, size_t slen,
+                         const unsigned char *seed, size_t seed_len,
+@@ -20,9 +24,9 @@ static int tls1_prf_alg(const EVP_MD *md
+ 
+ #define TLS1_PRF_MAXBUF 1024
+ 
+-/* TLS KDF pkey context structure */
++/* TLS KDF kdf context structure */
+ 
+-typedef struct {
++struct evp_kdf_impl_st {
+     /* Digest to use for PRF */
+     const EVP_MD *md;
+     /* Secret value to use for PRF */
+@@ -31,145 +35,137 @@ typedef struct {
+     /* Buffer of concatenated seed data */
+     unsigned char seed[TLS1_PRF_MAXBUF];
+     size_t seedlen;
+-} TLS1_PRF_PKEY_CTX;
++};
+ 
+-static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx)
++static EVP_KDF_IMPL *kdf_tls1_prf_new(void)
+ {
+-    TLS1_PRF_PKEY_CTX *kctx;
++    EVP_KDF_IMPL *impl;
+ 
+-    if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) {
+-        KDFerr(KDF_F_PKEY_TLS1_PRF_INIT, ERR_R_MALLOC_FAILURE);
+-        return 0;
+-    }
+-    ctx->data = kctx;
++    if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
++        KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE);
++    return impl;
++}
+ 
+-    return 1;
++static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl)
++{
++    kdf_tls1_prf_reset(impl);
++    OPENSSL_free(impl);
+ }
+ 
+-static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
++static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl)
+ {
+-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
+-    OPENSSL_clear_free(kctx->sec, kctx->seclen);
+-    OPENSSL_cleanse(kctx->seed, kctx->seedlen);
+-    OPENSSL_free(kctx);
++    OPENSSL_clear_free(impl->sec, impl->seclen);
++    OPENSSL_cleanse(impl->seed, impl->seedlen);
++    memset(impl, 0, sizeof(*impl));
+ }
+ 
+-static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
++static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
+ {
+-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
+-    switch (type) {
+-    case EVP_PKEY_CTRL_TLS_MD:
+-        kctx->md = p2;
+-        return 1;
++    const unsigned char *p;
++    size_t len;
++    const EVP_MD *md;
+ 
+-    case EVP_PKEY_CTRL_TLS_SECRET:
+-        if (p1 < 0)
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_MD:
++        md = va_arg(args, const EVP_MD *);
++        if (md == NULL)
+             return 0;
+-        if (kctx->sec != NULL)
+-            OPENSSL_clear_free(kctx->sec, kctx->seclen);
+-        OPENSSL_cleanse(kctx->seed, kctx->seedlen);
+-        kctx->seedlen = 0;
+-        kctx->sec = OPENSSL_memdup(p2, p1);
+-        if (kctx->sec == NULL)
++
++        impl->md = md;
++        return 1;
++
++    case EVP_KDF_CTRL_SET_TLS_SECRET:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        OPENSSL_clear_free(impl->sec, impl->seclen);
++        impl->sec = OPENSSL_memdup(p, len);
++        if (impl->sec == NULL)
+             return 0;
+-        kctx->seclen  = p1;
++
++        impl->seclen  = len;
++        return 1;
++
++    case EVP_KDF_CTRL_RESET_TLS_SEED:
++        OPENSSL_cleanse(impl->seed, impl->seedlen);
++        impl->seedlen = 0;
+         return 1;
+ 
+-    case EVP_PKEY_CTRL_TLS_SEED:
+-        if (p1 == 0 || p2 == NULL)
++    case EVP_KDF_CTRL_ADD_TLS_SEED:
++        p = va_arg(args, const unsigned char *);
++        len = va_arg(args, size_t);
++        if (len == 0 || p == NULL)
+             return 1;
+-        if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen))
++
++        if (len > (TLS1_PRF_MAXBUF - impl->seedlen))
+             return 0;
+-        memcpy(kctx->seed + kctx->seedlen, p2, p1);
+-        kctx->seedlen += p1;
++
++        memcpy(impl->seed + impl->seedlen, p, len);
++        impl->seedlen += len;
+         return 1;
+ 
+     default:
+         return -2;
+-
+     }
+ }
+ 
+-static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,
+-                                  const char *type, const char *value)
++static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl,
++                                 const char *type, const char *value)
+ {
+     if (value == NULL) {
+-        KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
++        KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING);
+         return 0;
+     }
+-    if (strcmp(type, "md") == 0) {
+-        TLS1_PRF_PKEY_CTX *kctx = ctx->data;
++    if (strcmp(type, "digest") == 0)
++        return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value);
+ 
+-        const EVP_MD *md = EVP_get_digestbyname(value);
+-        if (md == NULL) {
+-            KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST);
+-            return 0;
+-        }
+-        kctx->md = md;
+-        return 1;
+-    }
+     if (strcmp(type, "secret") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
++        return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl,
++                            EVP_KDF_CTRL_SET_TLS_SECRET, value);
++
+     if (strcmp(type, "hexsecret") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value);
++        return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl,
++                            EVP_KDF_CTRL_SET_TLS_SECRET, value);
++
+     if (strcmp(type, "seed") == 0)
+-        return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
++        return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
++                            value);
++
+     if (strcmp(type, "hexseed") == 0)
+-        return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value);
++        return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED,
++                            value);
+ 
+-    KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
+     return -2;
+ }
+ 
+-static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+-                                size_t *keylen)
++static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
++                               size_t keylen)
+ {
+-    TLS1_PRF_PKEY_CTX *kctx = ctx->data;
+-    if (kctx->md == NULL) {
+-        KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
++    if (impl->md == NULL) {
++        KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
+         return 0;
+     }
+-    if (kctx->sec == NULL) {
+-        KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);
++    if (impl->sec == NULL) {
++        KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET);
+         return 0;
+     }
+-    if (kctx->seedlen == 0) {
+-        KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
++    if (impl->seedlen == 0) {
++        KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
+         return 0;
+     }
+-    return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen,
+-                        kctx->seed, kctx->seedlen,
+-                        key, *keylen);
++    return tls1_prf_alg(impl->md, impl->sec, impl->seclen,
++                        impl->seed, impl->seedlen,
++                        key, keylen);
+ }
+ 
+-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
+-    EVP_PKEY_TLS1_PRF,
+-    0,
+-    pkey_tls1_prf_init,
+-    0,
+-    pkey_tls1_prf_cleanup,
+-
+-    0, 0,
+-    0, 0,
+-
+-    0,
+-    0,
+-
+-    0,
+-    0,
+-
+-    0, 0,
+-
+-    0, 0, 0, 0,
+-
+-    0, 0,
+-
+-    0, 0,
+-
+-    0,
+-    pkey_tls1_prf_derive,
+-    pkey_tls1_prf_ctrl,
+-    pkey_tls1_prf_ctrl_str
++const EVP_KDF_METHOD tls1_prf_kdf_meth = {
++    EVP_KDF_TLS1_PRF,
++    kdf_tls1_prf_new,
++    kdf_tls1_prf_free,
++    kdf_tls1_prf_reset,
++    kdf_tls1_prf_ctrl,
++    kdf_tls1_prf_ctrl_str,
++    NULL,
++    kdf_tls1_prf_derive
+ };
+ 
+ static int tls1_prf_P_hash(const EVP_MD *md,
+@@ -249,12 +245,11 @@ static int tls1_prf_alg(const EVP_MD *md
+                         const unsigned char *seed, size_t seed_len,
+                         unsigned char *out, size_t olen)
+ {
+-
+     if (EVP_MD_type(md) == NID_md5_sha1) {
+         size_t i;
+         unsigned char *tmp;
+         if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1),
+-                         seed, seed_len, out, olen))
++                             seed, seed_len, out, olen))
+             return 0;
+ 
+         if ((tmp = OPENSSL_malloc(olen)) == NULL) {
+@@ -262,7 +257,7 @@ static int tls1_prf_alg(const EVP_MD *md
+             return 0;
+         }
+         if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1),
+-                         seed, seed_len, tmp, olen)) {
++                             seed, seed_len, tmp, olen)) {
+             OPENSSL_clear_free(tmp, olen);
+             return 0;
+         }
+diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod
+--- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf	2021-03-03 14:08:02.492294856 +0100
++++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod	2021-03-03 14:08:02.492294856 +0100
+@@ -0,0 +1,217 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_CTX, EVP_KDF_CTX_new_id, EVP_KDF_CTX_free, EVP_KDF_reset,
++EVP_KDF_ctrl, EVP_KDF_vctrl, EVP_KDF_ctrl_str, EVP_KDF_size,
++EVP_KDF_derive - EVP KDF routines
++
++=head1 SYNOPSIS
++
++ #include <openssl/kdf.h>
++
++ typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
++
++ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
++ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
++ void EVP_KDF_reset(EVP_KDF_CTX *ctx);
++ int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);
++ int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
++ int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);
++ size_t EVP_KDF_size(EVP_KDF_CTX *ctx);
++ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
++
++=head1 DESCRIPTION
++
++The EVP KDF routines are a high level interface to Key Derivation Function
++algorithms and should be used instead of algorithm-specific functions.
++
++After creating a C<EVP_KDF_CTX> for the required algorithm using
++EVP_KDF_CTX_new_id(), inputs to the algorithm are supplied using calls to
++EVP_KDF_ctrl(), EVP_KDF_vctrl() or EVP_KDF_ctrl_str() before calling
++EVP_KDF_derive() to derive the key.
++
++=head2 Types
++
++B<EVP_KDF_CTX> is a context type that holds the algorithm inputs.
++
++=head2 Context manipulation functions
++
++EVP_KDF_CTX_new_id() creates a KDF context for the algorithm identified by the
++specified NID.
++
++EVP_KDF_CTX_free() frees up the context C<ctx>.  If C<ctx> is C<NULL>, nothing
++is done.
++
++=head2 Computing functions
++
++EVP_KDF_reset() resets the context to the default state as if the context
++had just been created.
++
++EVP_KDF_ctrl() is used to provide inputs to the KDF algorithm prior to
++EVP_KDF_derive() being called.  The inputs that may be provided will vary
++depending on the KDF algorithm or its implementation.  This functions takes
++variable arguments, the exact expected arguments depend on C<cmd>.
++See L</CONTROLS> below for a description of standard controls.
++
++EVP_KDF_vctrl() is the variant of EVP_KDF_ctrl() that takes a C<va_list>
++argument instead of variadic arguments.
++
++EVP_KDF_ctrl_str() allows an application to send an algorithm specific control
++operation to a context C<ctx> in string form.  This is intended to be used for
++options specified on the command line or in text files.
++
++EVP_KDF_size() returns the output size if the algorithm produces a fixed amount
++of output and C<SIZE_MAX> otherwise.  If an error occurs then 0 is returned.
++For some algorithms an error may result if input parameters necessary to
++calculate a fixed output size have not yet been supplied.
++
++EVP_KDF_derive() derives C<keylen> bytes of key material and places it in the
++C<key> buffer.  If the algorithm produces a fixed amount of output then an
++error will occur unless the C<keylen> parameter is equal to that output size,
++as returned by EVP_KDF_size().
++
++=head1 CONTROLS
++
++The standard controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_PASS>
++
++This control expects two arguments: C<unsigned char *pass>, C<size_t passlen>
++
++Some KDF implementations require a password.  For those KDF implementations
++that support it, this control sets the password.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "pass"
++
++The value string is used as is.
++
++=item "hexpass"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_SALT>
++
++This control expects two arguments: C<unsigned char *salt>, C<size_t saltlen>
++
++Some KDF implementations can take a salt.  For those KDF implementations that
++support it, this control sets the salt.
++
++The default value, if any, is implementation dependent.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "salt"
++
++The value string is used as is.
++
++=item "hexsalt"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_ITER>
++
++This control expects one argument: C<int iter>
++
++Some KDF implementations require an iteration count. For those KDF implementations that support it, this control sets the iteration count.
++
++The default value, if any, is implementation dependent.
++
++EVP_KDF_ctrl_str() type string: "iter"
++
++The value string is expected to be a decimal number.
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++This control expects one argument: C<EVP_MD *md>
++
++For MAC implementations that use a message digest as an underlying computation
++algorithm, this control set what the digest algorithm should be.
++
++EVP_KDF_ctrl_str() type string: "md"
++
++The value string is expected to be the name of a digest.
++
++=item B<EVP_KDF_CTRL_SET_KEY>
++
++This control expects two arguments: C<unsigned char *key>, C<size_t keylen>
++
++Some KDF implementations require a key.  For those KDF implementations that
++support it, this control sets the key.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "key"
++
++The value string is used as is.
++
++=item "hexkey"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_MAXMEM_BYTES>
++
++This control expects one argument: C<uint64_t maxmem_bytes>
++
++Memory-hard password-based KDF algorithms, such as scrypt, use an amount of
++memory that depends on the load factors provided as input.  For those KDF
++implementations that support it, this control sets an upper limit on the amount
++of memory that may be consumed while performing a key derivation.  If this
++memory usage limit is exceeded because the load factors are chosen too high,
++the key derivation will fail.
++
++The default value is implementation dependent.
++
++EVP_KDF_ctrl_str() type string: "maxmem_bytes"
++
++The value string is expected to be a decimal number.
++
++=back
++
++=head1 RETURN VALUES
++
++EVP_KDF_CTX_new_id() returns either the newly allocated C<EVP_KDF_CTX>
++structure or C<NULL> if an error occurred.
++
++EVP_KDF_CTX_free() and EVP_KDF_reset() do not return a value.
++
++EVP_KDF_size() returns the output size.  C<SIZE_MAX> is returned to indicate
++that the algorithm produces a variable amount of output; 0 to indicate failure.
++
++The remaining functions return 1 for success and 0 or a negative value for
++failure.  In particular, a return value of -2 indicates the operation is not
++supported by the KDF algorithm.
++
++=head1 SEE ALSO
++
++L<EVP_KDF_SCRYPT(7)>
++
++=head1 COPYRIGHT
++
++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod
+--- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf	2021-03-03 14:08:02.493294865 +0100
++++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod	2021-03-03 14:08:02.493294865 +0100
+@@ -0,0 +1,180 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_HKDF - The HKDF EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++Support for computing the B<HKDF> KDF through the B<EVP_KDF> API.
++
++The EVP_KDF_HKDF algorithm implements the HKDF key derivation function.
++HKDF follows the "extract-then-expand" paradigm, where the KDF logically
++consists of two modules. The first stage takes the input keying material
++and "extracts" from it a fixed-length pseudorandom key K. The second stage
++"expands" the key K into several additional pseudorandom keys (the output
++of the KDF).
++
++=head2 Numeric identity
++
++B<EVP_KDF_HKDF> is the numeric identity for this implementation; it
++can be used with the EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_SALT>
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++=item B<EVP_KDF_CTRL_SET_KEY>
++
++These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++=item B<EVP_KDF_CTRL_RESET_HKDF_INFO>
++
++This control does not expect any arguments.
++
++Resets the context info buffer to zero length.
++
++=item B<EVP_KDF_CTRL_ADD_HKDF_INFO>
++
++This control expects two arguments: C<unsigned char *info>, C<size_t infolen>
++
++Sets the info value to the first B<infolen> bytes of the buffer B<info>.  If a
++value is already set, the contents of the buffer are appended to the existing
++value.
++
++The total length of the context info buffer cannot exceed 1024 bytes;
++this should be more than enough for any normal use of HKDF.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "info"
++
++The value string is used as is.
++
++=item "hexinfo"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_HKDF_MODE>
++
++This control expects one argument: C<int mode>
++
++Sets the mode for the HKDF operation. There are three modes that are currently
++defined:
++
++=over 4
++
++=item EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
++
++This is the default mode.  Calling L<EVP_KDF_derive(3)> on an EVP_KDF_CTX set
++up for HKDF will perform an extract followed by an expand operation in one go.
++The derived key returned will be the result after the expand operation. The
++intermediate fixed-length pseudorandom key K is not returned.
++
++In this mode the digest, key, salt and info values must be set before a key is
++derived otherwise an error will occur.
++
++=item EVP_KDF_HKDF_MODE_EXTRACT_ONLY
++
++In this mode calling L<EVP_KDF_derive(3)> will just perform the extract
++operation. The value returned will be the intermediate fixed-length pseudorandom
++key K.  The C<keylen> parameter must match the size of K, which can be looked
++up by calling EVP_KDF_size() after setting the mode and digest.
++
++The digest, key and salt values must be set before a key is derived otherwise
++an error will occur.
++
++=item EVP_KDF_HKDF_MODE_EXPAND_ONLY
++
++In this mode calling L<EVP_KDF_derive(3)> will just perform the expand
++operation. The input key should be set to the intermediate fixed-length
++pseudorandom key K returned from a previous extract operation.
++
++The digest, key and info values must be set before a key is derived otherwise
++an error will occur.
++
++=back
++
++EVP_KDF_ctrl_str() type string: "mode"
++
++The value string is expected to be one of: "EXTRACT_AND_EXPAND", "EXTRACT_ONLY"
++or "EXPAND_ONLY".
++
++=back
++
++=head1 NOTES
++
++A context for HKDF can be obtained by calling:
++
++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
++
++The output length of an HKDF expand operation is specified via the C<keylen>
++parameter to the L<EVP_KDF_derive(3)> function.  When using
++EVP_KDF_HKDF_MODE_EXTRACT_ONLY the C<keylen> parameter must equal the size of
++the intermediate fixed-length pseudorandom key otherwise an error will occur.
++For that mode, the fixed output size can be looked up by calling EVP_KDF_size()
++after setting the mode and digest on the C<EVP_KDF_CTX>.
++
++=head1 EXAMPLE
++
++This example derives 10 bytes using SHA-256 with the secret key "secret",
++salt value "salt" and info value "label":
++
++ EVP_KDF_CTX *kctx;
++ unsigned char out[10];
++
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
++
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++     error("EVP_KDF_CTRL_SET_MD");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++     error("EVP_KDF_CTRL_SET_SALT");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
++     error("EVP_KDF_CTRL_SET_KEY");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label", (size_t)5) <= 0) {
++     error("EVP_KDF_CTRL_ADD_HKDF_INFO");
++ }
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++     error("EVP_KDF_derive");
++ }
++
++ EVP_KDF_CTX_free(kctx);
++
++=head1 CONFORMING TO
++
++RFC 5869
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_size(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 COPYRIGHT
++
++Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
+--- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf	2021-03-03 14:08:02.493294865 +0100
++++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod	2021-03-03 14:08:02.493294865 +0100
+@@ -0,0 +1,78 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_PBKDF2 - The PBKDF2 EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++Support for computing the B<PBKDF2> password-based KDF through the B<EVP_KDF>
++API.
++
++The EVP_KDF_PBKDF2 algorithm implements the PBKDF2 password-based key
++derivation function, as described in RFC 2898; it derives a key from a password
++using a salt and iteration count.
++
++=head2 Numeric identity
++
++B<EVP_KDF_PBKDF2> is the numeric identity for this implementation; it
++can be used with the EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_PASS>
++
++=item B<EVP_KDF_CTRL_SET_SALT>
++
++=item B<EVP_KDF_CTRL_SET_ITER>
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++B<iter> is the iteration count and its value should be greater than or equal to
++1. RFC 2898 suggests an iteration count of at least 1000.  The default value is
++2048.  Any B<iter> less than 1 is treated as a single iteration.
++
++=back
++
++=head1 NOTES
++
++A typical application of this algorithm is to derive keying material for an
++encryption algorithm from a password in the B<pass>, a salt in B<salt>,
++and an iteration count.
++
++Increasing the B<iter> parameter slows down the algorithm which makes it
++harder for an attacker to perform a brute force attack using a large number
++of candidate passwords.
++
++No assumption is made regarding the given password; it is simply treated as a
++byte sequence.
++
++=head1 CONFORMING TO
++
++RFC 2898
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 COPYRIGHT
++
++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
+--- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf	2021-03-03 14:08:02.493294865 +0100
++++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod	2021-03-03 14:08:02.493294865 +0100
+@@ -0,0 +1,149 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++Support for computing the B<scrypt> password-based KDF through the B<EVP_KDF>
++API.
++
++The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key
++derivation function, as described in RFC 7914.  It is memory-hard in the sense
++that it deliberately requires a significant amount of RAM for efficient
++computation. The intention of this is to render brute forcing of passwords on
++systems that lack large amounts of main memory (such as GPUs or ASICs)
++computationally infeasible.
++
++scrypt provides three work factors that can be customized: N, r and p. N, which
++has to be a positive power of two, is the general work factor and scales CPU
++time in an approximately linear fashion. r is the block size of the internally
++used hash function and p is the parallelization factor. Both r and p need to be
++greater than zero. The amount of RAM that scrypt requires for its computation
++is roughly (128 * N * r * p) bytes.
++
++In the original paper of Colin Percival ("Stronger Key Derivation via
++Sequential Memory-Hard Functions", 2009), the suggested values that give a
++computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
++2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
++this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5
++GHz), this computation takes about 3 seconds. When N, r or p are not specified,
++they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that
++may be used by scrypt defaults to 1025 MiB.
++
++=head2 Numeric identity
++
++B<EVP_KDF_SCRYPT> is the numeric identity for this implementation; it
++can be used with the EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_PASS>
++
++=item B<EVP_KDF_CTRL_SET_SALT>
++
++These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++=item B<EVP_KDF_CTRL_SET_SCRYPT_N>
++
++=item B<EVP_KDF_CTRL_SET_SCRYPT_R>
++
++=item B<EVP_KDF_CTRL_SET_SCRYPT_P>
++
++B<EVP_KDF_CTRL_SET_SCRYPT_N> expects one argument: C<uint64_t N>
++
++B<EVP_KDF_CTRL_SET_SCRYPT_R> expects one argument: C<uint32_t r>
++
++B<EVP_KDF_CTRL_SET_SCRYPT_P> expects one argument: C<uint32_t p>
++
++These controls configure the scrypt work factors N, r and p.
++
++EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively.
++
++The corresponding value strings are expected to be decimal numbers.
++
++=back
++
++=head1 NOTES
++
++A context for scrypt can be obtained by calling:
++
++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
++
++The output length of an scrypt key derivation is specified via the
++B<keylen> parameter to the L<EVP_KDF_derive(3)> function.
++
++=head1 EXAMPLE
++
++This example derives a 64-byte long test vector using scrypt with the password
++"password", salt "NaCl" and N = 1024, r = 8, p = 16.
++
++ EVP_KDF_CTX *kctx;
++ unsigned char out[64];
++
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
++
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++     error("EVP_KDF_CTRL_SET_PASS");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
++     error("EVP_KDF_CTRL_SET_SALT");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
++     error("EVP_KDF_CTRL_SET_SCRYPT_N");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
++     error("EVP_KDF_CTRL_SET_SCRYPT_R");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
++     error("EVP_KDF_CTRL_SET_SCRYPT_P");
++ }
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++     error("EVP_KDF_derive");
++ }
++
++ {
++     const unsigned char expected[sizeof(out)] = {
++         0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
++         0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
++         0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
++         0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
++         0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
++         0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
++         0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
++         0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
++     };
++
++     assert(!memcmp(out, expected, sizeof(out)));
++ }
++
++ EVP_KDF_CTX_free(kctx);
++
++=head1 CONFORMING TO
++
++RFC 7914
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 COPYRIGHT
++
++Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the OpenSSL license (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
+--- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf	2021-03-03 14:08:02.493294865 +0100
++++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod	2021-03-03 14:08:02.493294865 +0100
+@@ -0,0 +1,142 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_TLS1_PRF - The TLS1 PRF EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++Support for computing the B<TLS1> PRF through the B<EVP_KDF> API.
++
++The EVP_KDF_TLS1_PRF algorithm implements the PRF used by TLS versions up to
++and including TLS 1.2.
++
++=head2 Numeric identity
++
++B<EVP_KDF_TLS1_PRF> is the numeric identity for this implementation; it
++can be used with the EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++This control works as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++The C<EVP_KDF_CTRL_SET_MD> control is used to set the message digest associated
++with the TLS PRF.  EVP_md5_sha1() is treated as a special case which uses the
++PRF algorithm using both B<MD5> and B<SHA1> as used in TLS 1.0 and 1.1.
++
++=item B<EVP_KDF_CTRL_SET_TLS_SECRET>
++
++This control expects two arguments: C<unsigned char *sec>, C<size_t seclen>
++
++Sets the secret value of the TLS PRF to B<seclen> bytes of the buffer B<sec>.
++Any existing secret value is replaced.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "secret"
++
++The value string is used as is.
++
++=item "hexsecret"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_RESET_TLS_SEED>
++
++This control does not expect any arguments.
++
++Resets the context seed buffer to zero length.
++
++=item B<EVP_KDF_CTRL_ADD_TLS_SEED>
++
++This control expects two arguments: C<unsigned char *seed>, C<size_t seedlen>
++
++Sets the seed to B<seedlen> bytes of B<seed>.  If a seed is already set it is
++appended to the existing value.
++
++The total length of the context seed buffer cannot exceed 1024 bytes;
++this should be more than enough for any normal use of the TLS PRF.
++
++EVP_KDF_ctrl_str() takes two type strings for this control:
++
++=over 4
++
++=item "seed"
++
++The value string is used as is.
++
++=item "hexseed"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=back
++
++=head1 NOTES
++
++A context for the TLS PRF can be obtained by calling:
++
++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF, NULL);
++
++The digest, secret value and seed must be set before a key is derived otherwise
++an error will occur.
++
++The output length of the PRF is specified by the C<keylen> parameter to the
++EVP_KDF_derive() function.
++
++=head1 EXAMPLE
++
++This example derives 10 bytes using SHA-256 with the secret key "secret"
++and seed value "seed":
++
++ EVP_KDF_CTX *kctx;
++ unsigned char out[10];
++
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF);
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++     error("EVP_KDF_CTRL_SET_MD");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
++                  "secret", (size_t)6) <= 0) {
++     error("EVP_KDF_CTRL_SET_TLS_SECRET");
++ }
++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
++     error("EVP_KDF_CTRL_ADD_TLS_SEED");
++ }
++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++     error("EVP_KDF_derive");
++ }
++ EVP_KDF_CTX_free(kctx);
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 COPYRIGHT
++
++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the Apache License 2.0 (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h
+--- openssl-1.1.1j/include/crypto/evp.h.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/crypto/evp.h	2021-03-03 14:08:02.493294865 +0100
+@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
+ extern const EVP_PKEY_METHOD poly1305_pkey_meth;
+ extern const EVP_PKEY_METHOD siphash_pkey_meth;
+ 
++/* struct evp_kdf_impl_st is defined by the implementation */
++typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
++typedef struct {
++    int type;
++    EVP_KDF_IMPL *(*new) (void);
++    void (*free) (EVP_KDF_IMPL *impl);
++    void (*reset) (EVP_KDF_IMPL *impl);
++    int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
++    int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
++    size_t (*size) (EVP_KDF_IMPL *impl);
++    int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
++} EVP_KDF_METHOD;
++
++extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
++extern const EVP_KDF_METHOD scrypt_kdf_meth;
++extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
++extern const EVP_KDF_METHOD hkdf_kdf_meth;
++
+ struct evp_md_st {
+     int type;
+     int pkey_type;
+diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h
+--- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf	2021-03-03 14:08:02.477294722 +0100
++++ openssl-1.1.1j/include/openssl/evperr.h	2021-03-03 14:13:37.587003722 +0100
+@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void);
+ # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE                   219
+ # define EVP_F_EVP_ENCRYPTFINAL_EX                        127
+ # define EVP_F_EVP_ENCRYPTUPDATE                          167
++# define EVP_F_EVP_KDF_CTRL                               224
++# define EVP_F_EVP_KDF_CTRL_STR                           225
++# define EVP_F_EVP_KDF_CTX_NEW_ID                         226
+ # define EVP_F_EVP_MD_CTX_COPY_EX                         110
+ # define EVP_F_EVP_MD_SIZE                                162
+ # define EVP_F_EVP_OPENINIT                               102
+@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void);
+ # define EVP_F_PKCS5_V2_PBE_KEYIVGEN                      118
+ # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN                   164
+ # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN                   180
++# define EVP_F_PKEY_KDF_CTRL                              227
+ # define EVP_F_PKEY_SET_TYPE                              158
+ # define EVP_F_RC2_MAGIC_TO_METH                          109
+ # define EVP_F_RC5_CTRL                                   125
+ # define EVP_F_R_32_12_16_INIT_KEY                        242
+ # define EVP_F_S390X_AES_GCM_CTRL                         201
++# define EVP_F_SCRYPT_ALG                                 228
+ # define EVP_F_UPDATE                                     173
+ 
+ /*
+@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
+ # define EVP_R_OPERATON_NOT_INITIALIZED                   151
++# define EVP_R_PARAMETER_TOO_LARGE                        187
+ # define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
+ # define EVP_R_PARTIALLY_OVERLAPPING                      162
+ # define EVP_R_PBKDF2_ERROR                               181
+diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h
+--- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/kdferr.h	2021-03-03 14:08:02.493294865 +0100
+@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
+ /*
+  * KDF function codes.
+  */
++# define KDF_F_HKDF_EXTRACT                               112
++# define KDF_F_KDF_HKDF_DERIVE                            113
++# define KDF_F_KDF_HKDF_NEW                               114
++# define KDF_F_KDF_HKDF_SIZE                              115
++# define KDF_F_KDF_MD2CTRL                                116
++# define KDF_F_KDF_PBKDF2_CTRL_STR                        117
++# define KDF_F_KDF_PBKDF2_DERIVE                          118
++# define KDF_F_KDF_PBKDF2_NEW                             119
++# define KDF_F_KDF_SCRYPT_CTRL_STR                        120
++# define KDF_F_KDF_SCRYPT_CTRL_UINT32                     121
++# define KDF_F_KDF_SCRYPT_CTRL_UINT64                     122
++# define KDF_F_KDF_SCRYPT_DERIVE                          123
++# define KDF_F_KDF_SCRYPT_NEW                             124
++# define KDF_F_KDF_TLS1_PRF_CTRL_STR                      125
++# define KDF_F_KDF_TLS1_PRF_DERIVE                        126
++# define KDF_F_KDF_TLS1_PRF_NEW                           127
++# define KDF_F_PBKDF2_SET_MEMBUF                          128
+ # define KDF_F_PKEY_HKDF_CTRL_STR                         103
+ # define KDF_F_PKEY_HKDF_DERIVE                           102
+ # define KDF_F_PKEY_HKDF_INIT                             108
+@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
+ # define KDF_F_PKEY_TLS1_PRF_CTRL_STR                     100
+ # define KDF_F_PKEY_TLS1_PRF_DERIVE                       101
+ # define KDF_F_PKEY_TLS1_PRF_INIT                         110
++# define KDF_F_SCRYPT_SET_MEMBUF                          129
+ # define KDF_F_TLS1_PRF_ALG                               111
+ 
+ /*
+@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
+ # define KDF_R_UNKNOWN_PARAMETER_TYPE                     103
+ # define KDF_R_VALUE_ERROR                                108
+ # define KDF_R_VALUE_MISSING                              102
++# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE                   112
+ 
+ #endif
+diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h
+--- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/kdf.h	2021-03-03 14:08:02.493294865 +0100
+@@ -10,10 +10,50 @@
+ #ifndef HEADER_KDF_H
+ # define HEADER_KDF_H
+ 
++# include <openssl/ossl_typ.h>
+ # include <openssl/kdferr.h>
+-#ifdef __cplusplus
++# ifdef __cplusplus
+ extern "C" {
+-#endif
++# endif
++
++# define EVP_KDF_PBKDF2     NID_id_pbkdf2
++# define EVP_KDF_SCRYPT     NID_id_scrypt
++# define EVP_KDF_TLS1_PRF   NID_tls1_prf
++# define EVP_KDF_HKDF       NID_hkdf
++
++EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
++void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
++
++void EVP_KDF_reset(EVP_KDF_CTX *ctx);
++int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);
++int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
++int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);
++size_t EVP_KDF_size(EVP_KDF_CTX *ctx);
++int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
++
++
++# define EVP_KDF_CTRL_SET_PASS          0x01 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_SALT          0x02 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_ITER          0x03 /* int */
++# define EVP_KDF_CTRL_SET_MD            0x04 /* EVP_MD * */
++# define EVP_KDF_CTRL_SET_KEY           0x05 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_MAXMEM_BYTES  0x06 /* uint64_t */
++# define EVP_KDF_CTRL_SET_TLS_SECRET    0x07 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_RESET_TLS_SEED    0x08
++# define EVP_KDF_CTRL_ADD_TLS_SEED      0x09 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_RESET_HKDF_INFO   0x0a
++# define EVP_KDF_CTRL_ADD_HKDF_INFO     0x0b /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_HKDF_MODE     0x0c /* int */
++# define EVP_KDF_CTRL_SET_SCRYPT_N      0x0d /* uint64_t */
++# define EVP_KDF_CTRL_SET_SCRYPT_R      0x0e /* uint32_t */
++# define EVP_KDF_CTRL_SET_SCRYPT_P      0x0f /* uint32_t */
++
++# define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND  0
++# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
++# define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
++
++
++/**** The legacy PKEY-based KDF API follows. ****/
+ 
+ # define EVP_PKEY_CTRL_TLS_MD                   (EVP_PKEY_ALG_CTRL)
+ # define EVP_PKEY_CTRL_TLS_SECRET               (EVP_PKEY_ALG_CTRL + 1)
+@@ -30,9 +70,12 @@ extern "C" {
+ # define EVP_PKEY_CTRL_SCRYPT_P                 (EVP_PKEY_ALG_CTRL + 12)
+ # define EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES      (EVP_PKEY_ALG_CTRL + 13)
+ 
+-# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0
+-# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY       1
+-# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY        2
++# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND \
++            EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
++# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY       \
++            EVP_KDF_HKDF_MODE_EXTRACT_ONLY
++# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY        \
++            EVP_KDF_HKDF_MODE_EXPAND_ONLY
+ 
+ # define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \
+             EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \
+@@ -91,7 +134,7 @@ extern "C" {
+                             EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, maxmem_bytes)
+ 
+ 
+-# ifdef  __cplusplus
++# ifdef __cplusplus
+ }
+ # endif
+ #endif
+diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h
+--- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/ossl_typ.h	2021-03-03 14:08:02.493294865 +0100
+@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
+ typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
+ typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
+ 
++typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
++
+ typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
+ 
+ typedef struct hmac_ctx_st HMAC_CTX;
+diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info
+--- openssl-1.1.1j/test/build.info.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/build.info	2021-03-03 14:08:02.493294865 +0100
+@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
+           ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
+           bio_callback_test bio_memleak_test \
+           bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
+-          pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \
++          pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \
++          cipherbytes_test \
+           asn1_encode_test asn1_decode_test asn1_string_table_test \
+           x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
+           recordlentest drbgtest sslbuffertest \
+@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
+   INCLUDE[pkey_meth_kdf_test]=../include
+   DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
+ 
++  SOURCE[evp_kdf_test]=evp_kdf_test.c
++  INCLUDE[evp_kdf_test]=../include
++  DEPEND[evp_kdf_test]=../libcrypto libtestutil.a
++
+   SOURCE[x509_time_test]=x509_time_test.c
+   INCLUDE[x509_time_test]=../include
+   DEPEND[x509_time_test]=../libcrypto libtestutil.a
+diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c
+--- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf	2021-03-03 14:08:02.494294874 +0100
++++ openssl-1.1.1j/test/evp_kdf_test.c	2021-03-03 14:08:02.494294874 +0100
+@@ -0,0 +1,237 @@
++/*
++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/* Tests of the EVP_KDF_CTX APIs */
++
++#include <stdio.h>
++#include <string.h>
++
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++#include "testutil.h"
++
++static int test_kdf_tls1_prf(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[16];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
++        TEST_error("EVP_KDF_TLS1_PRF");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_MD");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
++                     "secret", (size_t)6) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_TLS_SECRET");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
++        TEST_error("EVP_KDF_CTRL_ADD_TLS_SEED");
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        TEST_error("EVP_KDF_derive");
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
++            0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
++        };
++        if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++static int test_kdf_hkdf(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[10];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
++        TEST_error("EVP_KDF_HKDF");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_MD");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SALT");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_KEY");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
++                     "label", (size_t)5) <= 0) {
++        TEST_error("EVP_KDF_CTRL_ADD_HKDF_INFO");
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        TEST_error("EVP_KDF_derive");
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
++        };
++        if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++static int test_kdf_pbkdf2(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[32];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
++        TEST_error("EVP_KDF_PBKDF2");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_PASS");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SALT");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_ITER");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_MD");
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        TEST_error("EVP_KDF_derive");
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
++            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
++            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
++            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
++        };
++        if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++#ifndef OPENSSL_NO_SCRYPT
++static int test_kdf_scrypt(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[64];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT)) == NULL) {
++        TEST_error("EVP_KDF_SCRYPT");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_PASS");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SALT");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SCRYPT_N");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SCRYPT_R");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_SCRYPT_P");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, (uint64_t)16) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) > 0) {
++        TEST_error("EVP_KDF_derive should have failed");
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
++                     (uint64_t)(10 * 1024 * 1024)) <= 0) {
++        TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        TEST_error("EVP_KDF_derive");
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
++            0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
++            0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
++            0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
++            0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
++            0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
++            0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
++            0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
++        };
++        if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++#endif
++
++int setup_tests(void)
++{
++    ADD_TEST(test_kdf_tls1_prf);
++    ADD_TEST(test_kdf_hkdf);
++    ADD_TEST(test_kdf_pbkdf2);
++#ifndef OPENSSL_NO_SCRYPT
++    ADD_TEST(test_kdf_scrypt);
++#endif
++    return 1;
++}
+diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c
+--- openssl-1.1.1j/test/evp_test.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/evp_test.c	2021-03-03 14:08:02.494294874 +0100
+@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
+     encode_test_run,
+ };
+ 
++
+ /**
+ ***  KDF TESTS
+ **/
+ 
+ typedef struct kdf_data_st {
+     /* Context for this operation */
+-    EVP_PKEY_CTX *ctx;
++    EVP_KDF_CTX *ctx;
+     /* Expected output */
+     unsigned char *output;
+     size_t output_len;
+@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
+ 
+     if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
+         return 0;
+-    kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
++    kdata->ctx = EVP_KDF_CTX_new_id(kdf_nid);
+     if (kdata->ctx == NULL) {
+         OPENSSL_free(kdata);
+         return 0;
+     }
+-    if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
+-        EVP_PKEY_CTX_free(kdata->ctx);
+-        OPENSSL_free(kdata);
+-        return 0;
+-    }
+     t->data = kdata;
+     return 1;
+ }
+@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
+ {
+     KDF_DATA *kdata = t->data;
+     OPENSSL_free(kdata->output);
+-    EVP_PKEY_CTX_free(kdata->ctx);
++    EVP_KDF_CTX_free(kdata->ctx);
++}
++
++static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,
++                         const char *value)
++{
++    int rv;
++    char *p, *tmpval;
++
++    if (!TEST_ptr(tmpval = OPENSSL_strdup(value)))
++        return 0;
++    p = strchr(tmpval, ':');
++    if (p != NULL)
++        *p++ = '\0';
++    rv = EVP_KDF_ctrl_str(kctx, tmpval, p);
++    if (rv == -2) {
++        t->err = "KDF_CTRL_INVALID";
++        rv = 1;
++    } else if (p != NULL && rv <= 0) {
++        /* If p has an OID and lookup fails assume disabled algorithm */
++        int nid = OBJ_sn2nid(p);
++
++        if (nid == NID_undef)
++             nid = OBJ_ln2nid(p);
++        if (nid != NID_undef
++                && EVP_get_digestbynid(nid) == NULL
++                && EVP_get_cipherbynid(nid) == NULL) {
++            t->skip = 1;
++            rv = 1;
++        } else {
++            t->err = "KDF_CTRL_ERROR";
++            rv = 1;
++        }
++    }
++    OPENSSL_free(tmpval);
++    return rv > 0;
+ }
+ 
+ static int kdf_test_parse(EVP_TEST *t,
+@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
+     if (strcmp(keyword, "Output") == 0)
+         return parse_bin(value, &kdata->output, &kdata->output_len);
+     if (strncmp(keyword, "Ctrl", 4) == 0)
+-        return pkey_test_ctrl(t, kdata->ctx, value);
++        return kdf_test_ctrl(t, kdata->ctx, value);
+     return 0;
+ }
+ 
+@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
+         t->err = "INTERNAL_ERROR";
+         goto err;
+     }
+-    if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
++    if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) {
+         t->err = "KDF_DERIVE_ERROR";
+         goto err;
+     }
+@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
+ 
+ 
+ /**
++***  PKEY KDF TESTS
++**/
++
++typedef struct pkey_kdf_data_st {
++    /* Context for this operation */
++    EVP_PKEY_CTX *ctx;
++    /* Expected output */
++    unsigned char *output;
++    size_t output_len;
++} PKEY_KDF_DATA;
++
++/*
++ * Perform public key operation setup: lookup key, allocated ctx and call
++ * the appropriate initialisation function
++ */
++static int pkey_kdf_test_init(EVP_TEST *t, const char *name)
++{
++    PKEY_KDF_DATA *kdata;
++    int kdf_nid = OBJ_sn2nid(name);
++
++#ifdef OPENSSL_NO_SCRYPT
++    if (strcmp(name, "scrypt") == 0) {
++        t->skip = 1;
++        return 1;
++    }
++#endif
++
++    if (kdf_nid == NID_undef)
++        kdf_nid = OBJ_ln2nid(name);
++
++    if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
++        return 0;
++    kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
++    if (kdata->ctx == NULL) {
++        OPENSSL_free(kdata);
++        return 0;
++    }
++    if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
++        EVP_PKEY_CTX_free(kdata->ctx);
++        OPENSSL_free(kdata);
++        return 0;
++    }
++    t->data = kdata;
++    return 1;
++}
++
++static void pkey_kdf_test_cleanup(EVP_TEST *t)
++{
++    PKEY_KDF_DATA *kdata = t->data;
++    OPENSSL_free(kdata->output);
++    EVP_PKEY_CTX_free(kdata->ctx);
++}
++
++static int pkey_kdf_test_parse(EVP_TEST *t,
++                               const char *keyword, const char *value)
++{
++    PKEY_KDF_DATA *kdata = t->data;
++
++    if (strcmp(keyword, "Output") == 0)
++        return parse_bin(value, &kdata->output, &kdata->output_len);
++    if (strncmp(keyword, "Ctrl", 4) == 0)
++        return pkey_test_ctrl(t, kdata->ctx, value);
++    return 0;
++}
++
++static int pkey_kdf_test_run(EVP_TEST *t)
++{
++    PKEY_KDF_DATA *expected = t->data;
++    unsigned char *got = NULL;
++    size_t got_len = expected->output_len;
++
++    if (!TEST_ptr(got = OPENSSL_malloc(got_len))) {
++        t->err = "INTERNAL_ERROR";
++        goto err;
++    }
++    if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
++        t->err = "KDF_DERIVE_ERROR";
++        goto err;
++    }
++    if (!TEST_mem_eq(expected->output, expected->output_len, got, got_len)) {
++        t->err = "KDF_MISMATCH";
++        goto err;
++    }
++    t->err = NULL;
++
++ err:
++    OPENSSL_free(got);
++    return 1;
++}
++
++static const EVP_TEST_METHOD pkey_kdf_test_method = {
++    "PKEYKDF",
++    pkey_kdf_test_init,
++    pkey_kdf_test_cleanup,
++    pkey_kdf_test_parse,
++    pkey_kdf_test_run
++};
++
++
++/**
+ ***  KEYPAIR TESTS
+ **/
+ 
+@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
+     &digestverify_test_method,
+     &encode_test_method,
+     &kdf_test_method,
++    &pkey_kdf_test_method,
+     &keypair_test_method,
+     &keygen_test_method,
+     &mac_test_method,
+diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c
+--- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/pkey_meth_kdf_test.c	2021-03-03 14:08:02.494294874 +0100
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -18,30 +18,34 @@
+ 
+ static int test_kdf_tls1_prf(void)
+ {
++    int ret = 0;
+     EVP_PKEY_CTX *pctx;
+     unsigned char out[16];
+     size_t outlen = sizeof(out);
+-    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
+ 
++    if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL)) == NULL) {
++        TEST_error("EVP_PKEY_TLS1_PRF");
++        goto err;
++    }
+     if (EVP_PKEY_derive_init(pctx) <= 0) {
+         TEST_error("EVP_PKEY_derive_init");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_tls1_prf_md");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) {
+         TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+-        return 0;
++        goto err;
+     }
+ 
+     {
+@@ -50,43 +54,49 @@ static int test_kdf_tls1_prf(void)
+             0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
+         };
+         if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
+-            return 0;
++            goto err;
+         }
+     }
++    ret = 1;
++err:
+     EVP_PKEY_CTX_free(pctx);
+-    return 1;
++    return ret;
+ }
+ 
+ static int test_kdf_hkdf(void)
+ {
++    int ret = 0;
+     EVP_PKEY_CTX *pctx;
+     unsigned char out[10];
+     size_t outlen = sizeof(out);
+-    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
+ 
++    if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {
++        TEST_error("EVP_PKEY_HKDF");
++        goto err;
++    }
+     if (EVP_PKEY_derive_init(pctx) <= 0) {
+         TEST_error("EVP_PKEY_derive_init");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_hkdf_md");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_hkdf_salt");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_hkdf_key");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_hkdf_info");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+-        return 0;
++        goto err;
+     }
+ 
+     {
+@@ -94,60 +104,66 @@ static int test_kdf_hkdf(void)
+             0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
+         };
+         if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
+-            return 0;
++            goto err;
+         }
+     }
++    ret = 1;
++err:
+     EVP_PKEY_CTX_free(pctx);
+-    return 1;
++    return ret;
+ }
+ 
+ #ifndef OPENSSL_NO_SCRYPT
+ static int test_kdf_scrypt(void)
+ {
++    int ret = 0;
+     EVP_PKEY_CTX *pctx;
+     unsigned char out[64];
+     size_t outlen = sizeof(out);
+-    pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);
+ 
++    if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL)) == NULL) {
++        TEST_error("EVP_PKEY_SCRYPT");
++        goto err;
++    }
+     if (EVP_PKEY_derive_init(pctx) <= 0) {
+         TEST_error("EVP_PKEY_derive_init");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_pbe_pass");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set1_scrypt_salt");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_scrypt_N");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_scrypt_r");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_scrypt_p");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 16) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) > 0) {
+         TEST_error("EVP_PKEY_derive should have failed");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 10 * 1024 * 1024) <= 0) {
+         TEST_error("EVP_PKEY_CTX_set_maxmem_bytes");
+-        return 0;
++        goto err;
+     }
+     if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+         TEST_error("EVP_PKEY_derive");
+-        return 0;
++        goto err;
+     }
+ 
+     {
+@@ -162,11 +178,13 @@ static int test_kdf_scrypt(void)
+             0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
+         };
+         if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
+-            return 0;
++            goto err;
+         }
+     }
++    ret = 1;
++err:
+     EVP_PKEY_CTX_free(pctx);
+-    return 1;
++    return ret;
+ }
+ #endif
+ 
+diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt
+--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt	2021-03-03 14:08:02.494294874 +0100
+@@ -1,5 +1,5 @@
+ #
+-# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the OpenSSL license (the "License").  You may not use
+ # this file except in compliance with the License.  You can obtain a copy
+@@ -15,7 +15,7 @@
+ Title = TLS1 PRF tests (from NIST test vectors)
+ 
+ KDF=TLS1-PRF
+-Ctrl.md = md:MD5-SHA1
++Ctrl.digest = digest:MD5-SHA1
+ Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0
+ Ctrl.label = seed:master secret
+ Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693
+@@ -23,7 +23,7 @@ Ctrl.server_random = hexseed:135e4d557fd
+ Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
+ 
+ KDF=TLS1-PRF
+-Ctrl.md = md:MD5-SHA1
++Ctrl.digest = digest:MD5-SHA1
+ Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
+ Ctrl.label = seed:key expansion
+ Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be
+@@ -31,7 +31,7 @@ Ctrl.client_random = hexseed:d58a7b1cd4f
+ Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d
+ 
+ KDF=TLS1-PRF
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
+ Ctrl.label = seed:master secret
+ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
+@@ -39,7 +39,7 @@ Ctrl.server_random = hexseed:f6c9575ed7d
+ Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ 
+ KDF=TLS1-PRF
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ Ctrl.label = seed:key expansion
+ Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
+@@ -48,7 +48,7 @@ Output = d06139889fffac1e3a71865f504aa5d
+ 
+ # As above but use long name for KDF
+ KDF=tls1-prf
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
+ Ctrl.label = seed:key expansion
+ Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
+@@ -64,7 +64,7 @@ Result = KDF_DERIVE_ERROR
+ 
+ # Missing secret.
+ KDF=TLS1-PRF
+-Ctrl.md = md:MD5-SHA1
++Ctrl.digest = digest:MD5-SHA1
+ Ctrl.Seed = hexseed:02
+ Output = 03
+ Result = KDF_DERIVE_ERROR
+@@ -72,7 +72,7 @@ Result = KDF_DERIVE_ERROR
+ Title = HKDF tests (from RFC5869 test vectors)
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+@@ -80,20 +80,20 @@ Output = 3cb25f25faacd57a90434f64d0362f2
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+ Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
+ Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
+ Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+@@ -101,20 +101,20 @@ Output = b11e398dc80327a1c8e7f78c596a493
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
+ Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
+ Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
+ Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+ Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = salt:
+ Ctrl.info = info:
+@@ -122,7 +122,7 @@ Output = 8da4e775a563c18f715f802a063c5a3
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = salt:
+ Ctrl.info = info:
+@@ -130,13 +130,13 @@ Output = 19ef24a32c717b167f33a91d6f648bd
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA256
++Ctrl.digest = digest:SHA256
+ Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
+ Ctrl.info = info:
+ Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+@@ -144,20 +144,20 @@ Output = 085a01ea1b10f36933068b56efa5ad8
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = hexsalt:000102030405060708090a0b0c
+ Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
+ Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
+ Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
+ Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
+ Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+@@ -165,20 +165,20 @@ Output = 0bd770a74d1160f7c9f12cd5912a06e
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
+ Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
+ Output = 8adae09a2a307059478d309b26c4115a224cfaf6
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6
+ Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
+ Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = salt:
+ Ctrl.info = info:
+@@ -186,20 +186,20 @@ Output = 0ac1af7002b3d761d1e55298da9d050
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
+ Ctrl.salt = salt:
+ Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
+ Ctrl.info = info:
+ Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
+ Ctrl.salt = salt:
+ Ctrl.info = info:
+@@ -207,14 +207,14 @@ Output = 2c91117204d745f3500d636a62f64f0
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
+ Ctrl.salt = salt:
+ Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXPAND_ONLY
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd
+ Ctrl.info = info:
+ Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
+@@ -227,27 +227,27 @@ Output = 00
+ Result = KDF_DERIVE_ERROR
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.salt = salt:
+ Ctrl.info = info:
+ Output = 00
+ Result = KDF_DERIVE_ERROR
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
+ Ctrl.info = info:
+ Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
+ 
+ KDF = HKDF
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
+ Ctrl.salt = salt:
+ Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
+ 
+ KDF = HKDF
+ Ctrl.mode = mode:EXTRACT_AND_EXPAND
+-Ctrl.md = md:SHA1
++Ctrl.digest = digest:SHA1
+ Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
+ Ctrl.salt = salt:
+ Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
+@@ -303,3 +303,133 @@ Ctrl.r = r:8
+ Ctrl.p = p:1
+ Result = INTERNAL_ERROR
+ 
++Title = PBKDF2 tests
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha1
++Output = 0c60c80f961f0e71f3a9b524af6012062fe037a6
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha256
++Output = 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha512
++Output = 867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:2
++Ctrl.digest = digest:sha1
++Output = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:2
++Ctrl.digest = digest:sha256
++Output = ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:2
++Ctrl.digest = digest:sha512
++Output = e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha1
++Output = 4b007901b765489abead49d926f721d065a429c1
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha256
++Output = c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a
++
++KDF = PBKDF2
++Ctrl.pass = pass:password
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha512
++Output = d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5
++
++KDF = PBKDF2
++Ctrl.pass = pass:passwordPASSWORDpassword
++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha1
++Output = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038
++
++KDF = PBKDF2
++Ctrl.pass = pass:passwordPASSWORDpassword
++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha256
++Output = 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9
++
++KDF = PBKDF2
++Ctrl.pass = pass:passwordPASSWORDpassword
++Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha512
++Output = 8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b8
++
++KDF = PBKDF2
++Ctrl.hexpass = hexpass:7061737300776f7264
++Ctrl.hexsalt = hexsalt:7361006c74
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha1
++Output = 56fa6aa75548099dcc37d7f03425e0c3
++
++KDF = PBKDF2
++Ctrl.hexpass = hexpass:7061737300776f7264
++Ctrl.hexsalt = hexsalt:7361006c74
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha256
++Output = 89b69d0516f829893c696226650a8687
++
++KDF = PBKDF2
++Ctrl.hexpass = hexpass:7061737300776f7264
++Ctrl.hexsalt = hexsalt:7361006c74
++Ctrl.iter = iter:4096
++Ctrl.digest = digest:sha512
++Output = 9d9e9c4cd21fe4be24d5b8244c759665
++
++Title = PBKDF2 tests for empty inputs
++
++KDF = PBKDF2
++Ctrl.pass = pass:
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha1
++Output = a33dddc30478185515311f8752895d36ea4363a2
++
++KDF = PBKDF2
++Ctrl.pass = pass:
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha256
++Output = f135c27993baf98773c5cdb40a5706ce6a345cde
++
++KDF = PBKDF2
++Ctrl.pass = pass:
++Ctrl.salt = salt:salt
++Ctrl.iter = iter:1
++Ctrl.digest = digest:sha512
++Output = 00ef42cdbfc98d29db20976608e455567fdddf14
++
+diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt
+--- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf	2021-03-03 14:08:02.494294874 +0100
++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt	2021-03-03 14:08:02.494294874 +0100
+@@ -0,0 +1,305 @@
++#
++# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++# Tests start with one of these keywords
++#       Cipher Decrypt Derive Digest Encoding KDF PKEYKDF MAC PBE
++#       PrivPubKeyPair Sign Verify VerifyRecover
++# and continue until a blank line.  Lines starting with a pound sign,
++# like this prolog, are ignored.
++
++Title = TLS1 PRF tests (from NIST test vectors)
++
++PKEYKDF=TLS1-PRF
++Ctrl.md = md:MD5-SHA1
++Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693
++Ctrl.server_random = hexseed:135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb2
++Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
++
++PKEYKDF=TLS1-PRF
++Ctrl.md = md:MD5-SHA1
++Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62
++Ctrl.label = seed:key expansion
++Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be
++Ctrl.client_random = hexseed:d58a7b1cd4fedaa232159df652ce188f9d997e061b9bf48e83b62990440931f6
++Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d
++
++PKEYKDF=TLS1-PRF
++Ctrl.md = md:SHA256
++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc
++Ctrl.label = seed:master secret
++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c
++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce
++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++
++PKEYKDF=TLS1-PRF
++Ctrl.md = md:SHA256
++Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Ctrl.label = seed:key expansion
++Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
++Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616
++Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928
++
++# As above but use long name for KDF
++PKEYKDF=tls1-prf
++Ctrl.md = md:SHA256
++Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf
++Ctrl.label = seed:key expansion
++Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868
++Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616
++Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928
++
++# Missing digest.
++PKEYKDF=TLS1-PRF
++Ctrl.Secret = hexsecret:01
++Ctrl.Seed = hexseed:02
++Output = 03
++Result = KDF_DERIVE_ERROR
++
++# Missing secret.
++PKEYKDF=TLS1-PRF
++Ctrl.md = md:MD5-SHA1
++Ctrl.Seed = hexseed:02
++Output = 03
++Result = KDF_DERIVE_ERROR
++
++Title = HKDF tests (from RFC5869 test vectors)
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = hexsalt:000102030405060708090a0b0c
++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
++Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = hexsalt:000102030405060708090a0b0c
++Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5
++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
++Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
++Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244
++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA256
++Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04
++Ctrl.info = info:
++Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = hexsalt:000102030405060708090a0b0c
++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
++Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = hexsalt:000102030405060708090a0b0c
++Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243
++Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9
++Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
++Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf
++Output = 8adae09a2a307059478d309b26c4115a224cfaf6
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6
++Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
++Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
++Ctrl.salt = salt:
++Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01
++Ctrl.info = info:
++Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.salt = salt:
++Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXPAND_ONLY
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd
++Ctrl.info = info:
++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
++
++PKEYKDF = HKDF
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 00
++Result = KDF_DERIVE_ERROR
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.salt = salt:
++Ctrl.info = info:
++Output = 00
++Result = KDF_DERIVE_ERROR
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.info = info:
++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
++
++PKEYKDF = HKDF
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.salt = salt:
++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
++
++PKEYKDF = HKDF
++Ctrl.mode = mode:EXTRACT_AND_EXPAND
++Ctrl.md = md:SHA1
++Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
++Ctrl.salt = salt:
++Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48
++
++Title = id-scrypt tests (from draft-josefsson-id-scrypt-kdf-03 and others)
++
++PKEYKDF = scrypt
++Ctrl.pass = pass:
++Ctrl.salt = salt:
++Ctrl.N = N:16
++Ctrl.r = r:1
++Ctrl.p = p:1
++Output = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906
++
++PKEYKDF = scrypt
++Ctrl.pass = pass:password
++Ctrl.salt = salt:NaCl
++Ctrl.N = N:1024
++Ctrl.r = r:8
++Ctrl.p = p:16
++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
++
++PKEYKDF = scrypt
++Ctrl.hexpass = hexpass:70617373776f7264
++Ctrl.salt = salt:NaCl
++Ctrl.N = N:1024
++Ctrl.r = r:8
++Ctrl.p = p:16
++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
++
++PKEYKDF = scrypt
++Ctrl.pass = pass:password
++Ctrl.hexsalt = hexsalt:4e61436c
++Ctrl.N = N:1024
++Ctrl.r = r:8
++Ctrl.p = p:16
++Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640
++
++PKEYKDF = scrypt
++Ctrl.pass = pass:pleaseletmein
++Ctrl.salt = salt:SodiumChloride
++Ctrl.N = N:16384
++Ctrl.r = r:8
++Ctrl.p = p:1
++Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887
++
++# Out of memory
++PKEYKDF = scrypt
++Ctrl.pass = pass:pleaseletmein
++Ctrl.salt = salt:SodiumChloride
++Ctrl.N = N:1048576
++Ctrl.r = r:8
++Ctrl.p = p:1
++Result = INTERNAL_ERROR
++
+diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t
+--- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf	2021-03-03 14:08:02.494294874 +0100
++++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t	2021-03-03 14:08:02.494294874 +0100
+@@ -0,0 +1,13 @@
++#! /usr/bin/env perl
++# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright (c) 2018, Oracle and/or its affiliates.  All rights reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++
++use OpenSSL::Test::Simple;
++
++simple_test("test_evp_kdf", "evp_kdf_test");
+diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t
+--- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/recipes/30-test_evp.t	2021-03-03 14:08:02.495294883 +0100
+@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/
+ setup("test_evp");
+ 
+ my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt",
+-    "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
++    "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt",
+     "evpcase.txt", "evpccmcavs.txt" );
+ 
+ plan tests => scalar(@files);
+diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num
+--- openssl-1.1.1j/util/libcrypto.num.evp-kdf	2021-03-03 14:08:02.481294758 +0100
++++ openssl-1.1.1j/util/libcrypto.num	2021-03-03 14:08:02.495294883 +0100
+@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength
+ FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
+ FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
+ FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
++EVP_KDF_CTX_new_id                      6590	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_CTX_free                        6591	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_reset                           6592	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_ctrl                            6593	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_vctrl                           6594	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_ctrl_str                        6595	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_size                            6596	1_1_1d	EXIST::FUNCTION:
++EVP_KDF_derive                          6597	1_1_1d	EXIST::FUNCTION:
+diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num
+--- openssl-1.1.1j/util/private.num.evp-kdf	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/util/private.num	2021-03-03 14:08:02.495294883 +0100
+@@ -21,6 +21,7 @@ CRYPTO_EX_dup
+ CRYPTO_EX_free                          datatype
+ CRYPTO_EX_new                           datatype
+ DTLS_timer_cb                           datatype
++EVP_KDF_CTX                             datatype
+ EVP_PKEY_gen_cb                         datatype
+ EVP_PKEY_METHOD                         datatype
+ EVP_PKEY_ASN1_METHOD                    datatype
diff --git a/openssl-1.1.1-fips-crng-test.patch b/openssl-1.1.1-fips-crng-test.patch
new file mode 100644
index 0000000..267a3ea
--- /dev/null
+++ b/openssl-1.1.1-fips-crng-test.patch
@@ -0,0 +1,408 @@
+diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info
+--- openssl-1.1.1g/crypto/rand/build.info.crng-test	2020-04-23 13:30:45.863389837 +0200
++++ openssl-1.1.1g/crypto/rand/build.info	2020-04-23 13:31:55.847069892 +0200
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+-        randfile.c rand_lib.c rand_err.c rand_egd.c \
++        randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+         rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c
+--- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test	2020-04-23 13:30:45.818390686 +0200
++++ openssl-1.1.1g/crypto/rand/drbg_lib.c	2020-04-23 13:30:45.864389819 +0200
+@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg;
+ 
+ 
+ /* NIST SP 800-90A DRBG recommends the use of a personalization string. */
+-static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG";
++static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING;
+ 
+ static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT;
+ 
+@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu
+     drbg->parent = parent;
+ 
+     if (parent == NULL) {
++#ifdef OPENSSL_FIPS
++        drbg->get_entropy = rand_crngt_get_entropy;
++        drbg->cleanup_entropy = rand_crngt_cleanup_entropy;
++#else
+         drbg->get_entropy = rand_drbg_get_entropy;
+         drbg->cleanup_entropy = rand_drbg_cleanup_entropy;
++#endif
+ #ifndef RAND_DRBG_GET_RANDOM_NONCE
+         drbg->get_nonce = rand_drbg_get_nonce;
+         drbg->cleanup_nonce = rand_drbg_cleanup_nonce;
+diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c
+--- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test	2020-04-23 13:30:45.864389819 +0200
++++ openssl-1.1.1g/crypto/rand/rand_crng_test.c	2020-04-23 13:30:45.864389819 +0200
+@@ -0,0 +1,118 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2019, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*
++ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests.
++ */
++
++#include <string.h>
++#include <openssl/evp.h>
++#include "crypto/rand.h"
++#include "internal/thread_once.h"
++#include "rand_local.h"
++
++static RAND_POOL *crngt_pool;
++static unsigned char crngt_prev[EVP_MAX_MD_SIZE];
++
++int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *)
++    = &rand_crngt_get_entropy_cb;
++
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++                              unsigned int *md_size)
++{
++    int r;
++    size_t n;
++    unsigned char *p;
++
++    n = rand_pool_acquire_entropy(crngt_pool);
++    if (n >= CRNGT_BUFSIZ) {
++        p = rand_pool_detach(crngt_pool);
++        r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++        if (r != 0)
++            memcpy(buf, p, CRNGT_BUFSIZ);
++        rand_pool_reattach(crngt_pool, p);
++        return r;
++    }
++    return 0;
++}
++
++void rand_crngt_cleanup(void)
++{
++    rand_pool_free(crngt_pool);
++    crngt_pool = NULL;
++}
++
++int rand_crngt_init(void)
++{
++    unsigned char buf[CRNGT_BUFSIZ];
++
++    if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL)
++        return 0;
++    if (crngt_get_entropy(buf, crngt_prev, NULL)) {
++        OPENSSL_cleanse(buf, sizeof(buf));
++        return 1;
++    }
++    rand_crngt_cleanup();
++    return 0;
++}
++
++static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init)
++{
++    return OPENSSL_init_crypto(0, NULL)
++        && rand_crngt_init()
++        && OPENSSL_atexit(&rand_crngt_cleanup);
++}
++
++int rand_crngt_single_init(void)
++{
++    return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init);
++}
++
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++                              unsigned char **pout,
++                              int entropy, size_t min_len, size_t max_len,
++                              int prediction_resistance)
++{
++    unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE];
++    unsigned int sz;
++    RAND_POOL *pool;
++    size_t q, r = 0, s, t = 0;
++    int attempts = 3;
++
++    if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init))
++        return 0;
++
++    if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL)
++        return 0;
++
++    while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) {
++        s = q > sizeof(buf) ? sizeof(buf) : q;
++        if (!crngt_get_entropy(buf, md, &sz)
++            || memcmp(crngt_prev, md, sz) == 0
++            || !rand_pool_add(pool, buf, s, s * 8))
++            goto err;
++        memcpy(crngt_prev, md, sz);
++        t += s;
++        attempts++;
++    }
++    r = t;
++    *pout = rand_pool_detach(pool);
++err:
++    OPENSSL_cleanse(buf, sizeof(buf));
++    rand_pool_free(pool);
++    return r;
++}
++
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++                                unsigned char *out, size_t outlen)
++{
++    OPENSSL_secure_clear_free(out, outlen);
++}
+diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h
+--- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test	2020-04-23 13:30:45.470397250 +0200
++++ openssl-1.1.1g/crypto/rand/rand_local.h	2020-04-23 13:30:45.864389819 +0200
+@@ -33,7 +33,15 @@
+ # define MASTER_RESEED_TIME_INTERVAL             (60*60)   /* 1 hour */
+ # define SLAVE_RESEED_TIME_INTERVAL              (7*60)    /* 7 minutes */
+ 
+-
++/*
++ * The number of bytes that constitutes an atomic lump of entropy with respect
++ * to the FIPS 140-2 section 4.9.2 Conditional Tests.  The size is somewhat
++ * arbitrary, the smaller the value, the less entropy is consumed on first
++ * read but the higher the probability of the test failing by accident.
++ *
++ * The value is in bytes.
++ */
++#define CRNGT_BUFSIZ    16
+ 
+ /*
+  * Maximum input size for the DRBG (entropy, nonce, personalization string)
+@@ -44,6 +52,8 @@
+  */
+ # define DRBG_MAX_LENGTH                         INT32_MAX
+ 
++/* The default nonce */
++# define DRBG_DEFAULT_PERS_STRING                "OpenSSL NIST SP 800-90A DRBG"
+ 
+ /*
+  * Maximum allocation size for RANDOM_POOL buffers
+@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG *
+ /* initializes the AES-CTR DRBG implementation */
+ int drbg_ctr_init(RAND_DRBG *drbg);
+ 
++/*
++ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests.
++ * These need to be exposed for the unit tests.
++ */
++int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md,
++                              unsigned int *md_size);
++extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md,
++                                unsigned int *md_size);
++int rand_crngt_init(void);
++void rand_crngt_cleanup(void);
++
++/*
++ * Expose the run once initialisation function for the unit tests because.
++ * they need to restart from scratch to validate the first block is skipped
++ * properly.
++ */
++int rand_crngt_single_init(void);
++
+ #endif
+diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h
+--- openssl-1.1.1g/include/crypto/rand.h.crng-test	2020-04-23 13:30:45.824390573 +0200
++++ openssl-1.1.1g/include/crypto/rand.h	2020-04-23 13:30:45.864389819 +0200
+@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN
+ 
+ void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out);
+ 
++/* CRNG test entropy filter callbacks. */
++size_t rand_crngt_get_entropy(RAND_DRBG *drbg,
++                              unsigned char **pout,
++                              int entropy, size_t min_len, size_t max_len,
++                              int prediction_resistance);
++void rand_crngt_cleanup_entropy(RAND_DRBG *drbg,
++                                unsigned char *out, size_t outlen);
++
+ /*
+  * RAND_POOL functions
+  */
+diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c
+--- openssl-1.1.1g/test/drbgtest.c.crng-test	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/drbgtest.c	2020-04-23 13:30:45.865389800 +0200
+@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg,
+     return t->noncelen;
+ }
+ 
++ /*
++ * Disable CRNG testing if it is enabled.
++ * If the DRBG is ready or in an error state, this means an instantiate cycle
++ * for which the default personalisation string is used.
++ */
++static int disable_crngt(RAND_DRBG *drbg)
++{
++    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
++    const int instantiate = drbg->state != DRBG_UNINITIALISED;
++
++    if (drbg->get_entropy != rand_crngt_get_entropy)
++        return 1;
++
++     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
++        || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
++                                              &rand_drbg_cleanup_entropy,
++                                              &rand_drbg_get_nonce,
++                                              &rand_drbg_cleanup_nonce))
++        || (instantiate
++            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
++                                      sizeof(pers) - 1)))
++        return 0;
++    return 1;
++}
++
+ static int uninstantiate(RAND_DRBG *drbg)
+ {
+     int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
+@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA
+     if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL)))
+         return 0;
+     if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
+-                                           kat_nonce, NULL))) {
++                                           kat_nonce, NULL))
++        || !TEST_true(disable_crngt(drbg))) {
+         failures++;
+         goto err;
+     }
+@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT
+     unsigned int reseed_counter_tmp;
+     int ret = 0;
+ 
+-    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)))
++    if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))
++	|| !TEST_true(disable_crngt(drbg)))
+         goto err;
+ 
+     /*
+@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void)
+         || !TEST_ptr_eq(private->parent, master))
+         return 0;
+ 
++    /* Disable CRNG testing for the master DRBG */
++    if (!TEST_true(disable_crngt(master)))
++        return 0;
++
+     /* uninstantiate the three global DRBGs */
+     RAND_DRBG_uninstantiate(private);
+     RAND_DRBG_uninstantiate(public);
+@@ -964,7 +995,8 @@ static int test_rand_seed(void)
+     size_t rand_buflen;
+     size_t required_seed_buflen = 0;
+ 
+-    if (!TEST_ptr(master = RAND_DRBG_get0_master()))
++    if (!TEST_ptr(master = RAND_DRBG_get0_master())
++        || !TEST_true(disable_crngt(master)))
+         return 0;
+ 
+ #ifdef OPENSSL_RAND_SEED_NONE
+@@ -1013,6 +1045,95 @@ static int test_rand_add(void)
+     return 1;
+ }
+ 
++/*
++ * A list of the FIPS DRGB types.
++ */
++static const struct s_drgb_types {
++    int nid;
++    int flags;
++} drgb_types[] = {
++    { NID_aes_128_ctr,  0                   },
++    { NID_aes_192_ctr,  0                   },
++    { NID_aes_256_ctr,  0                   },
++};
++
++/* Six cases for each covers seed sizes up to 32 bytes */
++static const size_t crngt_num_cases = 6;
++
++static size_t crngt_case, crngt_idx;
++
++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
++                            unsigned int *md_size)
++{
++    size_t i, z;
++
++    if (!TEST_int_lt(crngt_idx, crngt_num_cases))
++        return 0;
++    /* Generate a block of unique data unless this is the duplication point */
++    z = crngt_idx++;
++    if (z > 0 && crngt_case == z)
++        z--;
++    for (i = 0; i < CRNGT_BUFSIZ; i++)
++        buf[i] = (unsigned char)(i + 'A' + z);
++    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++}
++
++static int test_crngt(int n)
++{
++    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
++    RAND_DRBG *drbg = NULL;
++    unsigned char buff[100];
++    size_t ent;
++    int res = 0;
++    int expect;
++
++    if (!TEST_true(rand_crngt_single_init()))
++        return 0;
++    rand_crngt_cleanup();
++
++    if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
++        return 0;
++    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
++    crngt_case = n % crngt_num_cases;
++    crngt_idx = 0;
++    crngt_get_entropy = &crngt_entropy_cb;
++    if (!TEST_true(rand_crngt_init()))
++        goto err;
++#ifndef OPENSSL_FIPS
++    if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
++                                           &rand_crngt_cleanup_entropy,
++                                           &rand_drbg_get_nonce,
++                                           &rand_drbg_cleanup_nonce)))
++        goto err;
++#endif
++    expect = crngt_case == 0 || crngt_case > ent;
++    if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect))
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++        goto err;
++
++    expect = crngt_case == 0 || crngt_case > 2 * ent;
++    if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect))
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0)))
++        goto err;
++
++fin:
++    res = 1;
++err:
++    if (!res)
++        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
++                  crngt_case, crngt_idx);
++    uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    crngt_get_entropy = &rand_crngt_get_entropy_cb;
++    return res;
++}
++
+ int setup_tests(void)
+ {
+     app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
+@@ -1025,5 +1146,6 @@ int setup_tests(void)
+ #if defined(OPENSSL_THREADS)
+     ADD_TEST(test_multi_thread);
+ #endif
++    ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types));
+     return 1;
+ }
diff --git a/openssl-1.1.1-fips-fix-memory-leaks.patch b/openssl-1.1.1-fips-fix-memory-leaks.patch
new file mode 100644
index 0000000..afea9f1
--- /dev/null
+++ b/openssl-1.1.1-fips-fix-memory-leaks.patch
@@ -0,0 +1,80 @@
+---
+ crypto/fips/fips.c           |    8 ++++++++
+ crypto/fips/fips_drbg_rand.c |    6 ++++++
+ crypto/init.c                |    4 ++++
+ include/crypto/fips.h        |    1 +
+ include/openssl/fips_rand.h  |    1 +
+ 5 files changed, 20 insertions(+)
+
+--- a/crypto/fips/fips.c
++++ b/crypto/fips/fips.c
+@@ -93,6 +93,14 @@ DEFINE_RUN_ONCE_STATIC(do_fips_lock_init
+     return fips_lock != NULL && fips_owning_lock != NULL;
+ }
+ 
++void FIPS_owning_thread_lock_cleanup(void)
++{
++    CRYPTO_THREAD_lock_free(fips_lock);
++    fips_lock = NULL;
++    CRYPTO_THREAD_lock_free(fips_owning_lock);
++    fips_owning_lock = NULL;
++}
++
+ # define fips_w_lock()   CRYPTO_THREAD_write_lock(fips_lock)
+ # define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
+ # define fips_r_lock()   CRYPTO_THREAD_read_lock(fips_lock)
+--- a/crypto/fips/fips_drbg_rand.c
++++ b/crypto/fips/fips_drbg_rand.c
+@@ -84,6 +84,12 @@ DRBG_CTX *FIPS_get_default_drbg(void)
+     return &ossl_dctx;
+ }
+ 
++void FIPS_drbg_lock_cleanup(void)
++{
++    CRYPTO_THREAD_lock_free(fips_rand_lock);
++    fips_rand_lock = NULL;
++}
++
+ static int fips_drbg_bytes(unsigned char *out, int count)
+ {
+     DRBG_CTX *dctx = &ossl_dctx;
+--- a/crypto/init.c
++++ b/crypto/init.c
+@@ -28,6 +28,8 @@
+ #include "internal/dso.h"
+ #include "crypto/store.h"
+ #include "openssl/fips.h"
++#include "openssl/fips_rand.h"
++#include "crypto/fips.h"
+ 
+ static int stopped = 0;
+ 
+@@ -600,6 +602,8 @@ void OPENSSL_cleanup(void)
+     conf_modules_free_int();
+ #ifdef OPENSSL_FIPS
+     FIPS_entropy_cleanup();
++    FIPS_drbg_lock_cleanup();
++    FIPS_owning_thread_lock_cleanup();
+ #endif
+ #ifndef OPENSSL_NO_ENGINE
+     engine_cleanup_int();
+--- a/include/crypto/fips.h
++++ b/include/crypto/fips.h
+@@ -56,6 +56,7 @@
+ 
+ #ifdef OPENSSL_FIPS
+ 
++void FIPS_owning_thread_lock_cleanup(void);
+ int FIPS_module_mode_set(int onoff);
+ int FIPS_module_mode(void);
+ int FIPS_module_installed(void);
+--- a/include/openssl/fips_rand.h
++++ b/include/openssl/fips_rand.h
+@@ -125,6 +125,7 @@ extern "C" {
+ 
+     DRBG_CTX *FIPS_get_default_drbg(void);
+     const RAND_METHOD *FIPS_drbg_method(void);
++    void FIPS_drbg_lock_cleanup(void);
+ 
+     int FIPS_rand_set_method(const RAND_METHOD *meth);
+     const RAND_METHOD *FIPS_rand_get_method(void);
diff --git a/openssl-1.1.1-fips-post-rand.patch b/openssl-1.1.1-fips-post-rand.patch
new file mode 100644
index 0000000..027dc55
--- /dev/null
+++ b/openssl-1.1.1-fips-post-rand.patch
@@ -0,0 +1,189 @@
+diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c
+--- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand	2020-12-09 10:26:41.634106328 +0100
++++ openssl-1.1.1i/crypto/fips/fips.c	2020-12-09 10:26:41.652106475 +0100
+@@ -68,6 +68,7 @@
+ 
+ # include <openssl/fips.h>
+ # include "internal/thread_once.h"
++# include "crypto/rand.h"
+ 
+ # ifndef PATH_MAX
+ #  define PATH_MAX 1024
+@@ -76,6 +77,7 @@
+ static int fips_selftest_fail = 0;
+ static int fips_mode = 0;
+ static int fips_started = 0;
++static int fips_post = 0;
+ 
+ static int fips_is_owning_thread(void);
+ static int fips_set_owning_thread(void);
+@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void)
+     fips_selftest_fail = 1;
+ }
+ 
++int fips_in_post(void)
++{
++    return fips_post;
++}
++
+ /* we implement what libfipscheck does ourselves */
+ 
+ static int
+@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff)
+         }
+ # endif
+ 
++        fips_post = 1;
++
+         if (!FIPS_selftest()) {
+             fips_selftest_fail = 1;
+             ret = 0;
+@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff)
+             goto end;
+         }
+ 
++        fips_post = 0;
++
+         fips_set_mode(onoff);
++        /* force RNG reseed with entropy from getrandom() on next call */
++        rand_force_reseed();
++
+         ret = 1;
+         goto end;
+     }
+diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c
+--- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/crypto/rand/drbg_lib.c	2020-12-09 10:26:41.652106475 +0100
+@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg
+     return min_entropy > min_entropylen ? min_entropy : min_entropylen;
+ }
+ 
++void rand_force_reseed(void)
++{
++    RAND_DRBG *drbg;
++
++    drbg = RAND_DRBG_get0_master();
++    drbg->fork_id = 0;
++
++    drbg = RAND_DRBG_get0_private();
++    drbg->fork_id = 0;
++
++    drbg = RAND_DRBG_get0_public();
++    drbg->fork_id = 0;
++}
++
+ /* Implements the default OpenSSL RAND_add() method */
+ static int drbg_add(const void *buf, int num, double randomness)
+ {
+diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c
+--- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/crypto/rand/rand_unix.c	2020-12-09 10:36:59.531221903 +0100
+@@ -17,10 +17,12 @@
+ #include <openssl/crypto.h>
+ #include "rand_local.h"
+ #include "crypto/rand.h"
++#include "crypto/fips.h"
+ #include <stdio.h>
+ #include "internal/dso.h"
+ #ifdef __linux
+ # include <sys/syscall.h>
++# include <sys/random.h>
+ # ifdef DEVRANDOM_WAIT
+ #  include <sys/shm.h>
+ #  include <sys/utsname.h>
+@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf,
+  * syscall_random(): Try to get random data using a system call
+  * returns the number of bytes returned in buf, or < 0 on error.
+  */
+-static ssize_t syscall_random(void *buf, size_t buflen)
++static ssize_t syscall_random(void *buf, size_t buflen, int nonblock)
+ {
+     /*
+      * Note: 'buflen' equals the size of the buffer which is used by the
+@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf,
+      * Note: Sometimes getentropy() can be provided but not implemented
+      * internally. So we need to check errno for ENOSYS
+      */
++#  if 0
+ #  if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
+     extern int getentropy(void *buffer, size_t length) __attribute__((weak));
+ 
+@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf,
+     if (p_getentropy.p != NULL)
+         return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+ #  endif
+-
++#  endif
+     /* Linux supports this since version 3.17 */
+-#  if defined(__linux) && defined(__NR_getrandom)
+-    return syscall(__NR_getrandom, buf, buflen, 0);
++#  if defined(__linux) && defined(SYS_getrandom)
++    return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0);
+ #  elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND)
+     return sysctl_random(buf, buflen);
+ #  else
+@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+     size_t entropy_available;
+ 
+ #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
++    int in_post;
++
++    for (in_post = fips_in_post(); in_post >= 0; --in_post) {
+     {
+         size_t bytes_needed;
+         unsigned char *buffer;
+@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO
+         bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
+         while (bytes_needed != 0 && attempts-- > 0) {
+             buffer = rand_pool_add_begin(pool, bytes_needed);
+-            bytes = syscall_random(buffer, bytes_needed);
++            bytes = syscall_random(buffer, bytes_needed, in_post);
+             if (bytes > 0) {
+                 rand_pool_add_end(pool, bytes, 8 * bytes);
+                 bytes_needed -= bytes;
+@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO
+             int attempts = 3;
+             const int fd = get_random_device(i);
+ 
+-            if (fd == -1)
++            if (fd == -1) {
++                OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]);
+                 continue;
++            }
+ 
+             while (bytes_needed != 0 && attempts-- > 0) {
+                 buffer = rand_pool_add_begin(pool, bytes_needed);
+@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO
+             return entropy_available;
+     }
+ #   endif
+-
++#   ifdef OPENSSL_RAND_SEED_GETRANDOM
++    }
++#   endif
+     return rand_pool_entropy_available(pool);
+ #  endif
+ }
+diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h
+--- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand	2020-12-09 10:26:41.639106369 +0100
++++ openssl-1.1.1i/include/crypto/fips.h	2020-12-09 10:26:41.657106516 +0100
+@@ -77,6 +77,8 @@ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
+ 
++int fips_in_post(void);
++
+ int fips_pkey_signature_test(EVP_PKEY *pkey,
+                                  const unsigned char *tbs, int tbslen,
+                                  const unsigned char *kat,
+diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h
+--- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand	2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/include/crypto/rand.h	2020-12-09 10:26:41.657106516 +0100
+@@ -24,6 +24,7 @@
+ typedef struct rand_pool_st RAND_POOL;
+ 
+ void rand_cleanup_int(void);
++void rand_force_reseed(void);
+ void rand_drbg_cleanup_int(void);
+ void drbg_delete_thread_state(void);
+ 
diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch
new file mode 100644
index 0000000..baa2c1f
--- /dev/null
+++ b/openssl-1.1.1-fips.patch
@@ -0,0 +1,11635 @@
+diff -up openssl-1.1.1j/apps/pkcs12.c.fips openssl-1.1.1j/apps/pkcs12.c
+--- openssl-1.1.1j/apps/pkcs12.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/apps/pkcs12.c	2021-03-03 12:57:42.194734484 +0100
+@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv)
+     int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
+     int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
+ #ifndef OPENSSL_NO_RC2
+-    int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
++    int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC;
+ #else
+     int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ #endif
+diff -up openssl-1.1.1j/apps/speed.c.fips openssl-1.1.1j/apps/speed.c
+--- openssl-1.1.1j/apps/speed.c.fips	2021-03-03 12:57:42.185734409 +0100
++++ openssl-1.1.1j/apps/speed.c	2021-03-03 12:57:42.195734492 +0100
+@@ -1593,7 +1593,8 @@ int speed_main(int argc, char **argv)
+             continue;
+         if (strcmp(*argv, "rsa") == 0) {
+             for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++)
+-                rsa_doit[loop] = 1;
++		if (!FIPS_mode() || loop != R_RSA_512)
++                    rsa_doit[loop] = 1;
+             continue;
+         }
+         if (found(*argv, rsa_choices, &i)) {
+@@ -1603,7 +1604,9 @@ int speed_main(int argc, char **argv)
+ #endif
+ #ifndef OPENSSL_NO_DSA
+         if (strcmp(*argv, "dsa") == 0) {
+-            dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] =
++            if (!FIPS_mode())
++                dsa_doit[R_DSA_512] = 1;
++            dsa_doit[R_DSA_1024] =
+                 dsa_doit[R_DSA_2048] = 1;
+             continue;
+         }
+@@ -1634,19 +1637,21 @@ int speed_main(int argc, char **argv)
+         }
+         if (strcmp(*argv, "ecdh") == 0) {
+             for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
+-                ecdh_doit[loop] = 1;
++                if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
++                    ecdh_doit[loop] = 1;
+             continue;
+         }
+         if (found(*argv, ecdh_choices, &i)) {
+-            ecdh_doit[i] = 2;
++            if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448))
++                ecdh_doit[i] = 2;
+             continue;
+         }
+-        if (strcmp(*argv, "eddsa") == 0) {
++        if (!FIPS_mode() && strcmp(*argv, "eddsa") == 0) {
+             for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+                 eddsa_doit[loop] = 1;
+             continue;
+         }
+-        if (found(*argv, eddsa_choices, &i)) {
++        if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) {
+             eddsa_doit[i] = 2;
+             continue;
+         }
+@@ -1735,23 +1740,31 @@ int speed_main(int argc, char **argv)
+     /* No parameters; turn on everything. */
+     if ((argc == 0) && !doit[D_EVP]) {
+         for (i = 0; i < ALGOR_NUM; i++)
+-            if (i != D_EVP)
++            if (i != D_EVP &&
++                (!FIPS_mode() || (i != D_WHIRLPOOL &&
++                                  i != D_MD2 && i != D_MD4 &&
++                                  i != D_MD5 && i != D_MDC2 &&
++                                  i != D_RMD160)))
+                 doit[i] = 1;
+ #ifndef OPENSSL_NO_RSA
+         for (i = 0; i < RSA_NUM; i++)
+-            rsa_doit[i] = 1;
++            if (!FIPS_mode() || i != R_RSA_512)
++                rsa_doit[i] = 1;
+ #endif
+ #ifndef OPENSSL_NO_DSA
+         for (i = 0; i < DSA_NUM; i++)
+-            dsa_doit[i] = 1;
++            if (!FIPS_mode() || i != R_DSA_512)
++                dsa_doit[i] = 1;
+ #endif
+ #ifndef OPENSSL_NO_EC
+         for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++)
+             ecdsa_doit[loop] = 1;
+         for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++)
+-            ecdh_doit[loop] = 1;
+-        for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
+-            eddsa_doit[loop] = 1;
++            if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448))
++                ecdh_doit[loop] = 1;
++        if (!FIPS_mode())
++            for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++)
++                eddsa_doit[loop] = 1;
+ #endif
+     }
+     for (i = 0; i < ALGOR_NUM; i++)
+@@ -1799,30 +1812,46 @@ int speed_main(int argc, char **argv)
+     AES_set_encrypt_key(key24, 192, &aes_ks2);
+     AES_set_encrypt_key(key32, 256, &aes_ks3);
+ #ifndef OPENSSL_NO_CAMELLIA
+-    Camellia_set_key(key16, 128, &camellia_ks1);
+-    Camellia_set_key(ckey24, 192, &camellia_ks2);
+-    Camellia_set_key(ckey32, 256, &camellia_ks3);
++    if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) {
++        Camellia_set_key(key16, 128, &camellia_ks1);
++        Camellia_set_key(ckey24, 192, &camellia_ks2);
++        Camellia_set_key(ckey32, 256, &camellia_ks3);
++    }
+ #endif
+ #ifndef OPENSSL_NO_IDEA
+-    IDEA_set_encrypt_key(key16, &idea_ks);
++    if (doit[D_CBC_IDEA]) {
++        IDEA_set_encrypt_key(key16, &idea_ks);
++    }
+ #endif
+ #ifndef OPENSSL_NO_SEED
+-    SEED_set_key(key16, &seed_ks);
++    if (doit[D_CBC_SEED]) {
++        SEED_set_key(key16, &seed_ks);
++    }
+ #endif
+ #ifndef OPENSSL_NO_RC4
+-    RC4_set_key(&rc4_ks, 16, key16);
++   if (doit[D_RC4]) {
++        RC4_set_key(&rc4_ks, 16, key16);
++    }
+ #endif
+ #ifndef OPENSSL_NO_RC2
+-    RC2_set_key(&rc2_ks, 16, key16, 128);
++    if (doit[D_CBC_RC2]) {
++        RC2_set_key(&rc2_ks, 16, key16, 128);
++    }
+ #endif
+ #ifndef OPENSSL_NO_RC5
+-    RC5_32_set_key(&rc5_ks, 16, key16, 12);
++    if (doit[D_CBC_RC5]) {
++        RC5_32_set_key(&rc5_ks, 16, key16, 12);
++    }
+ #endif
+ #ifndef OPENSSL_NO_BF
+-    BF_set_key(&bf_ks, 16, key16);
++    if (doit[D_CBC_BF]) {
++        BF_set_key(&bf_ks, 16, key16);
++    }
+ #endif
+ #ifndef OPENSSL_NO_CAST
+-    CAST_set_key(&cast_ks, 16, key16);
++    if (doit[D_CBC_CAST]) {
++        CAST_set_key(&cast_ks, 16, key16);
++    }
+ #endif
+ #ifndef SIGALRM
+ # ifndef OPENSSL_NO_DES
+@@ -2120,6 +2149,7 @@ int speed_main(int argc, char **argv)
+ 
+         for (i = 0; i < loopargs_len; i++) {
+             loopargs[i].hctx = HMAC_CTX_new();
++            HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+             if (loopargs[i].hctx == NULL) {
+                 BIO_printf(bio_err, "HMAC malloc failure, exiting...");
+                 exit(1);
+diff -up openssl-1.1.1j/Configure.fips openssl-1.1.1j/Configure
+--- openssl-1.1.1j/Configure.fips	2021-03-03 12:57:42.192734467 +0100
++++ openssl-1.1.1j/Configure	2021-03-03 12:57:42.195734492 +0100
+@@ -329,7 +329,7 @@ $config{sdirs} = [
+     "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3",
+     "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes",
+     "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine",
+-    "buffer", "bio", "stack", "lhash", "rand", "err",
++    "buffer", "bio", "stack", "lhash", "rand", "err", "fips",
+     "evp", "asn1", "pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui",
+     "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store"
+     ];
+diff -up openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1j/crypto/cmac/cm_pmeth.c
+--- openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c	2021-03-03 12:57:42.195734492 +0100
+@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
+ 
+ const EVP_PKEY_METHOD cmac_pkey_meth = {
+     EVP_PKEY_CMAC,
+-    EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++    EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,
+     pkey_cmac_init,
+     pkey_cmac_copy,
+     pkey_cmac_cleanup,
+diff -up openssl-1.1.1j/crypto/dh/dh_err.c.fips openssl-1.1.1j/crypto/dh/dh_err.c
+--- openssl-1.1.1j/crypto/dh/dh_err.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dh/dh_err.c	2021-03-03 12:57:42.195734492 +0100
+@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
+      "dh_cms_set_shared_info"},
++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},
++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},
++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
+@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
+     "not suitable generator"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips openssl-1.1.1j/crypto/dh/dh_gen.c
+--- openssl-1.1.1j/crypto/dh/dh_gen.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dh/dh_gen.c	2021-03-03 12:57:42.195734492 +0100
+@@ -16,6 +16,9 @@
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
+ #include "dh_local.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
+                                 BN_GENCB *cb);
+@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret,
+ int DH_generate_parameters_ex(DH *ret, int prime_len, int generator,
+                               BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
++        && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++        DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
++        return 0;
++    }
++#endif
+     if (ret->meth->generate_params)
+         return ret->meth->generate_params(ret, prime_len, generator, cb);
+     return dh_builtin_genparams(ret, prime_len, generator, cb);
+@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret,
+     int g, ok = -1;
+     BN_CTX *ctx = NULL;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
++        return 0;
++    }
++
++    if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
++        DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
++        goto err;
++    }
++#endif
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips openssl-1.1.1j/crypto/dh/dh_key.c
+--- openssl-1.1.1j/crypto/dh/dh_key.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dh/dh_key.c	2021-03-03 13:02:45.963247596 +0100
+@@ -11,6 +11,9 @@
+ #include "internal/cryptlib.h"
+ #include "dh_local.h"
+ #include "crypto/bn.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ static int generate_key(DH *dh);
+ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
+@@ -34,6 +37,13 @@ int DH_compute_key(unsigned char *key, c
+     int ret = 0, i;
+     volatile size_t npad = 0, mask = 1;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD)
++        && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++        DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD);
++        return 0;
++    }
++#endif
+     /* compute the key; ret is constant unless compute_key is external */
+     if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0)
+         return ret;
+@@ -109,6 +119,14 @@ static int generate_key(DH *dh)
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()
++        && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++        DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++        return 0;
++    }
++#endif
++
+     if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) {
+         DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE);
+         return 0;
+@@ -206,6 +224,13 @@ static int compute_key(unsigned char *ke
+         DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE);
+         goto err;
+     }
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()
++        && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
++        DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++        goto err;
++    }
++#endif
+ 
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+@@ -255,6 +280,9 @@ static int dh_bn_mod_exp(const DH *dh, B
+ 
+ static int dh_init(DH *dh)
+ {
++#ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++#endif
+     dh->flags |= DH_FLAG_CACHE_MONT_P;
+     return 1;
+ }
+diff -up openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips openssl-1.1.1j/crypto/dh/dh_pmeth.c
+--- openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dh/dh_pmeth.c	2021-03-03 12:57:42.196734500 +0100
+@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
+ 
+ const EVP_PKEY_METHOD dh_pkey_meth = {
+     EVP_PKEY_DH,
+-    0,
++    EVP_PKEY_FLAG_FIPS,
+     pkey_dh_init,
+     pkey_dh_copy,
+     pkey_dh_cleanup,
+@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
+ 
+ const EVP_PKEY_METHOD dhx_pkey_meth = {
+     EVP_PKEY_DHX,
+-    0,
++    EVP_PKEY_FLAG_FIPS,
+     pkey_dh_init,
+     pkey_dh_copy,
+     pkey_dh_cleanup,
+diff -up openssl-1.1.1j/crypto/dsa/dsa_err.c.fips openssl-1.1.1j/crypto/dsa/dsa_err.c
+--- openssl-1.1.1j/crypto/dsa/dsa_err.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dsa/dsa_err.c	2021-03-03 12:57:42.196734500 +0100
+@@ -16,12 +16,15 @@
+ static const ERR_STRING_DATA DSA_str_functs[] = {
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"},
++    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0),
+      "dsa_builtin_paramgen"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0),
+      "dsa_builtin_paramgen2"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
++    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},
++    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
+@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE),
+     "invalid digest type"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"},
++    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"},
++    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
+     "missing private key"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
++    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
+diff -up openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips openssl-1.1.1j/crypto/dsa/dsa_gen.c
+--- openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dsa/dsa_gen.c	2021-03-03 12:57:42.196734500 +0100
+@@ -22,12 +22,22 @@
+ #include <openssl/rand.h>
+ #include <openssl/sha.h>
+ #include "dsa_local.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ int DSA_generate_parameters_ex(DSA *ret, int bits,
+                                const unsigned char *seed_in, int seed_len,
+                                int *counter_ret, unsigned long *h_ret,
+                                BN_GENCB *cb)
+ {
++# ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD)
++        && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
++        DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD);
++        return 0;
++    }
++# endif
+     if (ret->meth->dsa_paramgen)
+         return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len,
+                                        counter_ret, h_ret, cb);
+@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret,
+         const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+         size_t qbits = EVP_MD_size(evpmd) * 8;
+ 
++# ifdef OPENSSL_FIPS
++        return dsa_builtin_paramgen2(ret, bits, qbits, evpmd,
++                          seed_in, seed_len, -1, NULL, counter_ret,
++                          h_ret, cb);
++# else
+         return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
+                                     seed_in, seed_len, NULL, counter_ret,
+                                     h_ret, cb);
++# endif
+     }
+ }
+ 
+@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+                           int *counter_ret, unsigned long *h_ret,
+                           BN_GENCB *cb)
+ {
+-    int ok = -1;
++    int ok = 0;
+     unsigned char *seed = NULL, *seed_tmp = NULL;
+     unsigned char md[EVP_MAX_MD_SIZE];
+     int mdsize;
+@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size
+         goto err;
+     }
+ 
++# ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED);
++        goto err;
++    }
++
++    if (FIPS_mode() &&
++        (L != 2048 || N != 224) && (L != 2048 || N != 256) &&
++        (L != 3072 || N != 256)) {
++        DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID);
++        goto err;
++    }
++# endif
++
+     if (evpmd == NULL) {
+         if (N == 160)
+             evpmd = EVP_sha1();
+@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size
+                 goto err;
+             /* Provided seed didn't produce a prime: error */
+             if (seed_in) {
+-                ok = 0;
+-                DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME);
+-                goto err;
++                /* Different seed_out will indicate that seed_in
++                 * did not generate primes.
++                 */
++                seed_in = NULL;
+             }
+ 
+             /* do a callback call */
+@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size
+             if (counter >= (int)(4 * L))
+                 break;
+         }
++#if 0
++        /* Cannot happen */
+         if (seed_in) {
+             ok = 0;
+             DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS);
+             goto err;
+         }
++#endif
+     }
+  end:
+     if (!BN_GENCB_call(cb, 2, 1))
+@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size
+         BN_free(ret->g);
+         ret->g = BN_dup(g);
+         if (ret->p == NULL || ret->q == NULL || ret->g == NULL) {
+-            ok = -1;
++            ok = 0;
+             goto err;
+         }
+         if (counter_ret != NULL)
+@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size
+     EVP_MD_CTX_free(mctx);
+     return ok;
+ }
++
++#ifdef OPENSSL_FIPS
++
++int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
++                               const EVP_MD *evpmd, const unsigned char *seed_in,
++                               size_t seed_len, int idx, unsigned char *seed_out,
++                               int *counter_ret, unsigned long *h_ret,
++                               BN_GENCB *cb)
++{
++    return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len,
++        idx, seed_out, counter_ret, h_ret, cb);
++}
++
++int FIPS_dsa_paramgen_check_g(DSA *dsa)
++{
++    BN_CTX *ctx;
++    BIGNUM *tmp;
++    BN_MONT_CTX *mont = NULL;
++    int rv = -1;
++
++    ctx = BN_CTX_new();
++    if (ctx == NULL)
++        return -1;
++    if (BN_cmp(dsa->g, BN_value_one()) <= 0)
++        return 0;
++    if (BN_cmp(dsa->g, dsa->p) >= 0)
++        return 0;
++    BN_CTX_start(ctx);
++    tmp = BN_CTX_get(ctx);
++    if (tmp == NULL)
++        goto err;
++    if ((mont=BN_MONT_CTX_new()) == NULL)
++        goto err;
++    if (!BN_MONT_CTX_set(mont,dsa->p,ctx))
++        goto err;
++    /* Work out g^q mod p */
++    if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont))
++        goto err;
++    if (!BN_cmp(tmp, BN_value_one()))
++        rv = 1;
++    else
++        rv = 0;
++ err:
++    BN_CTX_end(ctx);
++    BN_MONT_CTX_free(mont);
++    BN_CTX_free(ctx);
++    return rv;
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/dsa/dsa_key.c.fips openssl-1.1.1j/crypto/dsa/dsa_key.c
+--- openssl-1.1.1j/crypto/dsa/dsa_key.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dsa/dsa_key.c	2021-03-03 12:57:42.196734500 +0100
+@@ -13,10 +13,49 @@
+ #include <openssl/bn.h>
+ #include "dsa_local.h"
+ 
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++
++static int fips_check_dsa(DSA *dsa)
++{
++    EVP_PKEY *pk;
++    unsigned char tbs[] = "DSA Pairwise Check Data";
++    int ret = 0;
++
++    if ((pk = EVP_PKEY_new()) == NULL)
++        goto err;
++
++    EVP_PKEY_set1_DSA(pk, dsa);
++
++    if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++        ret = 1;
++
++ err:
++    if (ret == 0) {
++        FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED);
++        fips_set_selftest_fail();
++    }
++
++    if (pk)
++        EVP_PKEY_free(pk);
++
++    return ret;
++}
++
++#endif
++
+ static int dsa_builtin_keygen(DSA *dsa);
+ 
+ int DSA_generate_key(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD)
++        && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) {
++        DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD);
++        return 0;
++    }
++#endif
+     if (dsa->meth->dsa_keygen)
+         return dsa->meth->dsa_keygen(dsa);
+     return dsa_builtin_keygen(dsa);
+@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) {
++        DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL);
++        goto err;
++    }
++#endif
++
+     if ((ctx = BN_CTX_new()) == NULL)
+         goto err;
+ 
+@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa)
+ 
+     dsa->priv_key = priv_key;
+     dsa->pub_key = pub_key;
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !fips_check_dsa(dsa)) {
++        dsa->pub_key = NULL;
++        dsa->priv_key = NULL;
++        goto err;
++    }
++#endif
+     ok = 1;
+ 
+  err:
+diff -up openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1j/crypto/dsa/dsa_ossl.c
+--- openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dsa/dsa_ossl.c	2021-03-03 12:57:42.196734500 +0100
+@@ -14,6 +14,9 @@
+ #include <openssl/sha.h>
+ #include "dsa_local.h"
+ #include <openssl/asn1.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
+ static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign
+         goto err;
+     }
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED);
++        return NULL;
++    }
++
++    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++        DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL);
++        return NULL;
++    }
++#endif
++
+     ret = DSA_SIG_new();
+     if (ret == NULL)
+         goto err;
+@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned
+         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
+         return -1;
+     }
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED);
++        return -1;
++    }
++
++    if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)
++        && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) {
++        DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL);
++        return -1;
++    }
++#endif
+ 
+     if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+         DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE);
+@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned
+ 
+ static int dsa_init(DSA *dsa)
+ {
++#ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++#endif
+     dsa->flags |= DSA_FLAG_CACHE_MONT_P;
+     return 1;
+ }
+diff -up openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1j/crypto/dsa/dsa_pmeth.c
+--- openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c	2021-03-03 12:57:42.196734500 +0100
+@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT
+         BN_GENCB_free(pcb);
+         return 0;
+     }
+-    ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
+-                               NULL, 0, NULL, NULL, NULL, pcb);
++    ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd,
++                               NULL, 0, -1, NULL, NULL, NULL, pcb);
+     BN_GENCB_free(pcb);
+     if (ret)
+         EVP_PKEY_assign_DSA(pkey, dsa);
+@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
+ 
+ const EVP_PKEY_METHOD dsa_pkey_meth = {
+     EVP_PKEY_DSA,
+-    EVP_PKEY_FLAG_AUTOARGLEN,
++    EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_dsa_init,
+     pkey_dsa_copy,
+     pkey_dsa_cleanup,
+diff -up openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdh_ossl.c
+--- openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c	2021-03-03 12:57:42.196734500 +0100
+@@ -19,9 +19,20 @@
+ #include <openssl/ec.h>
+ #include "ec_local.h"
+ 
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
+                           const EC_POINT *pub_key, const EC_KEY *ecdh)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++        return -1;
++    }
++#endif
++
+     if (ecdh->group->meth->ecdh_compute_key == NULL) {
+         ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH);
+         return 0;
+diff -up openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdsa_ossl.c
+--- openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c	2021-03-03 12:57:42.196734500 +0100
+@@ -14,6 +14,10 @@
+ #include "crypto/bn.h"
+ #include "ec_local.h"
+ 
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+                           BIGNUM **rp)
+ {
+@@ -163,6 +167,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns
+     ECDSA_SIG *ret;
+     const BIGNUM *priv_key;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++        return NULL;
++    }
++#endif
++
+     group = EC_KEY_get0_group(eckey);
+     priv_key = EC_KEY_get0_private_key(eckey);
+ 
+@@ -325,6 +336,13 @@ int ossl_ecdsa_verify_sig(const unsigned
+     const EC_GROUP *group;
+     const EC_POINT *pub_key;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++        return -1;
++    }
++#endif
++
+     /* check input values */
+     if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+         (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips openssl-1.1.1j/crypto/ec/ec_key.c
+--- openssl-1.1.1j/crypto/ec/ec_key.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/ec/ec_key.c	2021-03-03 12:57:42.196734500 +0100
+@@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY
+     return eckey->engine;
+ }
+ 
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++
++static int fips_check_ec(EC_KEY *key)
++{
++    EVP_PKEY *pk;
++    unsigned char tbs[] = "ECDSA Pairwise Check Data";
++    int ret = 0;
++
++    if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */
++        return 1;
++
++    if ((pk = EVP_PKEY_new()) == NULL)
++        goto err;
++
++    EVP_PKEY_set1_EC_KEY(pk, key);
++
++    if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL))
++        ret = 1;
++
++ err:
++    if (ret == 0) {
++        FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED);
++        fips_set_selftest_fail();
++    }
++    if (pk)
++        EVP_PKEY_free(pk);
++    return ret;
++}
++
++#endif
++
+ int EC_KEY_generate_key(EC_KEY *eckey)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED);
++        return 0;
++    }
++#endif
+     if (eckey == NULL || eckey->group == NULL) {
+         ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER);
+         return 0;
+     }
+-    if (eckey->meth->keygen != NULL)
+-        return eckey->meth->keygen(eckey);
++    if (eckey->meth->keygen != NULL) {
++        int rv = eckey->meth->keygen(eckey);
++
++#ifdef OPENSSL_FIPS
++        if (rv > 0 && FIPS_mode()) {
++            rv = fips_check_ec(eckey);
++        }
++#endif
++        return rv;
++    }
+     ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED);
+     return 0;
+ }
+diff -up openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips openssl-1.1.1j/crypto/ec/ec_pmeth.c
+--- openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/ec/ec_pmeth.c	2021-03-03 12:57:42.197734509 +0100
+@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
+ 
+ const EVP_PKEY_METHOD ec_pkey_meth = {
+     EVP_PKEY_EC,
+-    0,
++    EVP_PKEY_FLAG_FIPS,
+     pkey_ec_init,
+     pkey_ec_copy,
+     pkey_ec_cleanup,
+diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/digest.c
+--- openssl-1.1.1j/crypto/evp/digest.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/digest.c	2021-03-03 12:57:42.197734509 +0100
+@@ -14,6 +14,9 @@
+ #include <openssl/engine.h>
+ #include "crypto/evp.h"
+ #include "evp_local.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ /* This call frees resources associated with the context */
+ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+     EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++        return 0;
++    }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+     /*
+      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -119,6 +128,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+     }
+ #endif
+     if (ctx->digest != type) {
++#ifdef OPENSSL_FIPS
++        if (FIPS_mode()) {
++            if (!(type->flags & EVP_MD_FLAG_FIPS)
++                && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) {
++                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++                return 0;
++            }
++        }
++#endif
+         if (ctx->digest && ctx->digest->ctx_size) {
+             OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size);
+             ctx->md_data = NULL;
+@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
+ 
+ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
+ {
++#ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++#endif
++
+     if (count == 0)
+         return 1;
+ 
+@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx,
+ {
+     int ret;
+ 
++#ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++#endif
+     OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
+     ret = ctx->digest->final(ctx, md);
+     if (size != NULL)
+diff -up openssl-1.1.1j/crypto/evp/e_aes.c.fips openssl-1.1.1j/crypto/evp/e_aes.c
+--- openssl-1.1.1j/crypto/evp/e_aes.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/e_aes.c	2021-03-03 12:57:42.197734509 +0100
+@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER
+          * This addresses Rogaway's vulnerability.
+          * See comment in aes_xts_init_key() below.
+          */
+-        if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++        if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+             EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+             return 0;
+         }
+@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE
+          * This addresses Rogaway's vulnerability.
+          * See comment in aes_xts_init_key() below.
+          */
+-        if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++        if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+             EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+             return 0;
+         }
+@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX
+     return 1;
+ }
+ 
+-BLOCK_CIPHER_generic_pack(NID_aes, 128, 0)
+-    BLOCK_CIPHER_generic_pack(NID_aes, 192, 0)
+-    BLOCK_CIPHER_generic_pack(NID_aes, 256, 0)
++BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS)
++    BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS)
++    BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS)
+ 
+ static int aes_gcm_cleanup(EVP_CIPHER_CTX *c)
+ {
+@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *
+     case EVP_CTRL_AEAD_SET_IVLEN:
+         if (arg <= 0)
+             return 0;
++# ifdef OPENSSL_FIPS
++        if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)
++            && arg < 12)
++            return 0;
++# endif
+         /* Allocate memory for IV if needed */
+         if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) {
+             if (gctx->iv != c->iv)
+@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+                 | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH)
+ 
+ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM,
+-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++                    CUSTOM_FLAGS)
+     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM,
+-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++                    CUSTOM_FLAGS)
+     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM,
+-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER |
++                    CUSTOM_FLAGS)
+ 
+ static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ {
+@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C
+              *       BEFORE using the keys in the XTS-AES algorithm to process
+              *       data with them."
+              */
+-            if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
++            if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) {
+                 EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS);
+                 return 0;
+             }
+@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+         return 0;
+     if (!out || !in || len < AES_BLOCK_SIZE)
+         return 0;
++# ifdef OPENSSL_FIPS
++    /* Requirement of SP800-38E */
++    if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) &&
++        (len > (1UL << 20) * 16)) {
++        EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE);
++        return 0;
++    }
++# endif
+     if (xctx->stream)
+         (*xctx->stream) (in, out, len,
+                          xctx->xts.key1, xctx->xts.key2,
+@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX
+                          | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \
+                          | EVP_CIPH_CUSTOM_COPY)
+ 
+-BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS)
+-    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS)
++BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS,
++                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
++    BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS,
++                    EVP_CIPH_FLAG_FIPS | XTS_FLAGS)
+ 
+ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ {
+@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX
+ #define aes_ccm_cleanup NULL
+ 
+ BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM,
+-                    EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                    EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+     BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM,
+-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                        EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+     BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM,
+-                        EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
++                        EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ 
+ typedef struct {
+     union {
+@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT
+     return rv ? (int)rv : -1;
+ }
+ 
+-#define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE \
++#define WRAP_FLAGS      (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \
+                 | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \
+                 | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1)
+ 
+diff -up openssl-1.1.1j/crypto/evp/e_des3.c.fips openssl-1.1.1j/crypto/evp/e_des3.c
+--- openssl-1.1.1j/crypto/evp/e_des3.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/e_des3.c	2021-03-03 12:57:42.197734509 +0100
+@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY,
+ # define des_ede3_cbc_cipher des_ede_cbc_cipher
+ # define des_ede3_ecb_cipher des_ede_ecb_cipher
+     BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
+-                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+-                  des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++                  EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++                  EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL,
++                  des3_ctrl)
+ 
+     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1,
+-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
++                     NULL, des3_ctrl)
+ 
+     BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8,
+-                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1,
+-                     des_ede3_init_key, NULL, NULL, NULL, des3_ctrl)
++                     EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS |
++                     EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL,
++                     NULL, des3_ctrl)
+ 
+ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+                             const unsigned char *iv, int enc)
+diff -up openssl-1.1.1j/crypto/evp/e_null.c.fips openssl-1.1.1j/crypto/evp/e_null.c
+--- openssl-1.1.1j/crypto/evp/e_null.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/e_null.c	2021-03-03 12:57:42.197734509 +0100
+@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c
+                        const unsigned char *in, size_t inl);
+ static const EVP_CIPHER n_cipher = {
+     NID_undef,
+-    1, 0, 0, 0,
++    1, 0, 0,
++    EVP_CIPH_FLAG_FIPS,
+     null_init_key,
+     null_cipher,
+     NULL,
+diff -up openssl-1.1.1j/crypto/evp/evp_enc.c.fips openssl-1.1.1j/crypto/evp/evp_enc.c
+--- openssl-1.1.1j/crypto/evp/evp_enc.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/evp_enc.c	2021-03-03 12:57:42.197734509 +0100
+@@ -18,9 +18,18 @@
+ #include <openssl/engine.h>
+ #include "crypto/evp.h"
+ #include "evp_local.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
+ 
+ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED);
++        return 0;
++    }
++#endif
+     if (c == NULL)
+         return 1;
+     if (c->cipher != NULL) {
+@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX
+ 
+ EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED);
++        return NULL;
++    }
++#endif
+     return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX));
+ }
+ 
+@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+             enc = 1;
+         ctx->encrypt = enc;
+     }
++#ifdef OPENSSL_FIPS
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
++        return 0;
++    }
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+     /*
+      * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so
+@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+         }
+         ctx->key_len = cipher->key_len;
+         /* Preserve wrap enable flag, zero everything else */
+-        ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW;
++        ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW;
+         if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) {
+             if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
+                 ctx->cipher = NULL;
+@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct
+             return 0;
+         }
+     }
++#ifdef OPENSSL_FIPS
++    /* After 'key' is set no further parameters changes are permissible.
++     * So only check for non FIPS enabling at this point.
++     */
++    if (key && FIPS_mode()) {
++        if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS)
++            & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) {
++            EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS);
++            return 0;
++        }
++    }
++#endif
+ 
+     if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
+         if (!ctx->cipher->init(ctx, key, iv, enc))
+diff -up openssl-1.1.1j/crypto/evp/evp_err.c.fips openssl-1.1.1j/crypto/evp/evp_err.c
+--- openssl-1.1.1j/crypto/evp/evp_err.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/evp_err.c	2021-03-03 12:57:42.198734517 +0100
+@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0),
+      "aes_t4_xts_init_key"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"},
++    {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"},
+     {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"},
+@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea
+     "different key types"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
+     "different parameters"},
++    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
+     "error loading section"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
+@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR),
+     "private key encode error"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"},
++    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_DIGEST), "unknown digest"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"},
+@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea
+     "wrap mode not allowed"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
+     "wrong final block length"},
++    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
++    "xts data unit is too large"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
+     "xts duplicated keys"},
+     {0, NULL}
+diff -up openssl-1.1.1j/crypto/evp/evp_lib.c.fips openssl-1.1.1j/crypto/evp/evp_lib.c
+--- openssl-1.1.1j/crypto/evp/evp_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/evp_lib.c	2021-03-03 12:57:42.198734517 +0100
+@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C
+ int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                const unsigned char *in, unsigned int inl)
+ {
++#ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++#endif
+     return ctx->cipher->do_cipher(ctx, out, in, inl);
+ }
+ 
+diff -up openssl-1.1.1j/crypto/evp/m_sha1.c.fips openssl-1.1.1j/crypto/evp/m_sha1.c
+--- openssl-1.1.1j/crypto/evp/m_sha1.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/m_sha1.c	2021-03-03 12:57:42.198734517 +0100
+@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = {
+     NID_sha1,
+     NID_sha1WithRSAEncryption,
+     SHA_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init,
+     update,
+     final,
+@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = {
+     NID_sha224,
+     NID_sha224WithRSAEncryption,
+     SHA224_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init224,
+     update224,
+     final224,
+@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = {
+     NID_sha256,
+     NID_sha256WithRSAEncryption,
+     SHA256_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init256,
+     update256,
+     final256,
+@@ -224,7 +224,7 @@ static const EVP_MD sha512_224_md = {
+     NID_sha512_224,
+     NID_sha512_224WithRSAEncryption,
+     SHA224_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init512_224,
+     update512,
+     final512,
+@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = {
+     NID_sha512_256,
+     NID_sha512_256WithRSAEncryption,
+     SHA256_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init512_256,
+     update512,
+     final512,
+@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = {
+     NID_sha384,
+     NID_sha384WithRSAEncryption,
+     SHA384_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init384,
+     update384,
+     final384,
+@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = {
+     NID_sha512,
+     NID_sha512WithRSAEncryption,
+     SHA512_DIGEST_LENGTH,
+-    EVP_MD_FLAG_DIGALGID_ABSENT,
++    EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS,
+     init512,
+     update512,
+     final512,
+diff -up openssl-1.1.1j/crypto/evp/m_sha3.c.fips openssl-1.1.1j/crypto/evp/m_sha3.c
+--- openssl-1.1.1j/crypto/evp/m_sha3.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/m_sha3.c	2021-03-03 12:57:42.198734517 +0100
+@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+         NID_sha3_##bitlen,                           \
+         NID_RSA_SHA3_##bitlen,                       \
+         bitlen / 8,                                  \
+-        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
++        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+         s390x_sha3_init,                             \
+         s390x_sha3_update,                           \
+         s390x_sha3_final,                            \
+@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+         NID_sha3_##bitlen,                           \
+         NID_RSA_SHA3_##bitlen,                       \
+         bitlen / 8,                                  \
+-        EVP_MD_FLAG_DIGALGID_ABSENT,                 \
++        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+         sha3_init,                                   \
+         sha3_update,                                 \
+         sha3_final,                                  \
+@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+         NID_shake##bitlen,                           \
+         0,                                           \
+         bitlen / 8,                                  \
+-        EVP_MD_FLAG_XOF,                             \
++        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,          \
+         s390x_shake_init,                            \
+         s390x_sha3_update,                           \
+         s390x_shake_final,                           \
+@@ -343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+         NID_shake##bitlen,                           \
+         0,                                           \
+         bitlen / 8,                                  \
+-        EVP_MD_FLAG_XOF,                             \
++        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,          \
+         shake_init,                                  \
+         sha3_update,                                 \
+         sha3_final,                                  \
+@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void)
+         NID_sha3_##bitlen,                      \
+         NID_RSA_SHA3_##bitlen,                  \
+         bitlen / 8,                             \
+-        EVP_MD_FLAG_DIGALGID_ABSENT,            \
++        EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \
+         sha3_init,                              \
+         sha3_update,                            \
+         sha3_final,                             \
+@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void)
+         NID_shake##bitlen,                      \
+         0,                                      \
+         bitlen / 8,                             \
+-        EVP_MD_FLAG_XOF,                        \
++        EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS,     \
+         shake_init,                             \
+         sha3_update,                            \
+         sha3_final,                             \
+diff -up openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips openssl-1.1.1j/crypto/evp/pmeth_lib.c
+--- openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/evp/pmeth_lib.c	2021-03-03 12:57:42.198734517 +0100
+@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE
+         pmeth = ENGINE_get_pkey_meth(e, id);
+     else
+ #endif
++    {
+         pmeth = EVP_PKEY_meth_find(id);
++#ifdef OPENSSL_FIPS
++        if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) {
++            EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS);
++            return NULL;
++        }
++#endif
++    }
+ 
+     if (pmeth == NULL) {
+ #ifndef OPENSSL_NO_ENGINE
+diff -up openssl-1.1.1j/crypto/fips/build.info.fips openssl-1.1.1j/crypto/fips/build.info
+--- openssl-1.1.1j/crypto/fips/build.info.fips	2021-03-03 12:57:42.198734517 +0100
++++ openssl-1.1.1j/crypto/fips/build.info	2021-03-03 12:57:42.198734517 +0100
+@@ -0,0 +1,15 @@
++LIBS=../../libcrypto
++SOURCE[../../libcrypto]=\
++        fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
++        fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
++        fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++        fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
++        fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
++        fips_dh_selftest.c fips_ers.c
++
++PROGRAMS_NO_INST=\
++          fips_standalone_hmac
++
++SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
++INCLUDE[fips_standalone_hmac]=../../include
++DEPEND[fips_standalone_hmac]=../../libcrypto
+diff -up openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_aes_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips	2021-03-03 12:57:42.198734517 +0100
++++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c	2021-03-03 12:57:42.198734517 +0100
+@@ -0,0 +1,372 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++#endif
++
++#ifdef OPENSSL_FIPS
++static const struct {
++    const unsigned char key[16];
++    const unsigned char plaintext[16];
++    const unsigned char ciphertext[16];
++} tests[] = {
++    {
++        {
++        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++                0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, {
++        0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
++                0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, {
++0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30,
++                0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},};
++
++int FIPS_selftest_aes()
++{
++    int n;
++    int ret = 0;
++    EVP_CIPHER_CTX *ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL)
++        goto err;
++
++    for (n = 0; n < 1; ++n) {
++        unsigned char key[16];
++
++        memcpy(key, tests[n].key, sizeof(key));
++        if (fips_cipher_test(ctx, EVP_aes_128_ecb(),
++                             key, NULL,
++                             tests[n].plaintext,
++                             tests[n].ciphertext, 16) <= 0)
++            goto err;
++    }
++    ret = 1;
++ err:
++    EVP_CIPHER_CTX_free(ctx);
++    if (ret == 0)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED);
++    return ret;
++}
++
++/* AES-CCM test data from NIST public test vectors */
++
++static const unsigned char ccm_key[] = {
++    0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6,
++    0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8
++};
++
++static const unsigned char ccm_nonce[] = {
++    0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7
++};
++
++static const unsigned char ccm_adata[] = {
++    0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7,
++    0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5,
++    0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4
++};
++
++static const unsigned char ccm_pt[] = {
++    0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f,
++    0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10
++};
++
++static const unsigned char ccm_ct[] = {
++    0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2,
++    0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd
++};
++
++static const unsigned char ccm_tag[] = {
++    0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44,
++    0x14, 0xdb, 0x50, 0x6d
++};
++
++int FIPS_selftest_aes_ccm(void)
++{
++    int ret = 0;
++    unsigned char out[128], tag[16];
++    EVP_CIPHER_CTX *ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL)
++        goto err;
++
++    memset(out, 0, sizeof(out));
++    if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
++                             sizeof(ccm_nonce), NULL))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG,
++                             sizeof(ccm_tag), NULL))
++        goto err;
++    if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++        goto err;
++    if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct))
++        goto err;
++
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag))
++        goto err;
++    if (memcmp(tag, ccm_tag, sizeof(ccm_tag))
++        || memcmp(out, ccm_ct, sizeof(ccm_ct)))
++        goto err;
++
++    memset(out, 0, sizeof(out));
++
++    if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN,
++                             sizeof(ccm_nonce), NULL))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag))
++        goto err;
++    if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0)
++        goto err;
++    if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt))
++        goto err;
++
++    if (memcmp(out, ccm_pt, sizeof(ccm_pt)))
++        goto err;
++
++    ret = 1;
++
++ err:
++    EVP_CIPHER_CTX_free(ctx);
++
++    if (ret == 0) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    } else
++        return ret;
++
++}
++
++/* AES-GCM test data from NIST public test vectors */
++
++static const unsigned char gcm_key[] = {
++    0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66,
++    0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69,
++    0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f
++};
++
++static const unsigned char gcm_iv[] = {
++    0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84
++};
++
++static const unsigned char gcm_pt[] = {
++    0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea,
++    0xcc, 0x2b, 0xf2, 0xa5
++};
++
++static const unsigned char gcm_aad[] = {
++    0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43,
++    0x7f, 0xec, 0x78, 0xde
++};
++
++static const unsigned char gcm_ct[] = {
++    0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e,
++    0xb9, 0xf2, 0x17, 0x36
++};
++
++static const unsigned char gcm_tag[] = {
++    0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62,
++    0x98, 0xf7, 0x7e, 0x0c
++};
++
++int FIPS_selftest_aes_gcm(void)
++{
++    int ret = 0;
++    unsigned char out[128], tag[16];
++    EVP_CIPHER_CTX *ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL)
++        goto err;
++
++    memset(out, 0, sizeof(out));
++    memset(tag, 0, sizeof(tag));
++    if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
++                             sizeof(gcm_iv), NULL))
++        goto err;
++    if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++        goto err;
++    if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
++        goto err;
++
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
++        goto err;
++
++    if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16))
++        goto err;
++
++    memset(out, 0, sizeof(out));
++
++    if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
++                             sizeof(gcm_iv), NULL))
++        goto err;
++    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag))
++        goto err;
++    if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0)
++        goto err;
++    if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt))
++        goto err;
++    if (EVP_Cipher(ctx, NULL, NULL, 0) < 0)
++        goto err;
++
++    if (memcmp(out, gcm_pt, 16))
++        goto err;
++
++    ret = 1;
++
++ err:
++    EVP_CIPHER_CTX_free(ctx);
++
++    if (ret == 0) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    } else
++        return ret;
++
++}
++
++static const unsigned char XTS_128_key[] = {
++    0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38,
++    0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
++    0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f
++};
++
++static const unsigned char XTS_128_i[] = {
++    0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01,
++    0x3e, 0x76, 0x8a, 0xd5
++};
++
++static const unsigned char XTS_128_pt[] = {
++    0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39,
++    0x07, 0x90, 0x31, 0x1c
++};
++
++static const unsigned char XTS_128_ct[] = {
++    0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5,
++    0xbe, 0x47, 0x1c, 0x63
++};
++
++static const unsigned char XTS_256_key[] = {
++    0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f,
++    0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
++    0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd,
++    0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
++    0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39,
++    0x2c, 0xf4, 0x1b, 0x08
++};
++
++static const unsigned char XTS_256_i[] = {
++    0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84,
++    0xa9, 0xf8, 0x75, 0x64
++};
++
++static const unsigned char XTS_256_pt[] = {
++    0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8,
++    0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
++    0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e
++};
++
++static const unsigned char XTS_256_ct[] = {
++    0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34,
++    0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
++    0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb
++};
++
++int FIPS_selftest_aes_xts()
++{
++    int ret = 1;
++    EVP_CIPHER_CTX *ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL)
++        goto err;
++
++    if (fips_cipher_test(ctx, EVP_aes_128_xts(),
++                         XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct,
++                         sizeof(XTS_128_pt)) <= 0)
++        ret = 0;
++
++    if (fips_cipher_test(ctx, EVP_aes_256_xts(),
++                         XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct,
++                         sizeof(XTS_256_pt)) <= 0)
++        ret = 0;
++
++    EVP_CIPHER_CTX_free(ctx);
++
++ err:
++    if (ret == 0)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED);
++    return ret;
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips.c.fips openssl-1.1.1j/crypto/fips/fips.c
+--- openssl-1.1.1j/crypto/fips/fips.c.fips	2021-03-03 12:57:42.198734517 +0100
++++ openssl-1.1.1j/crypto/fips/fips.c	2021-03-03 12:57:42.198734517 +0100
+@@ -0,0 +1,526 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define _GNU_SOURCE
++
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <string.h>
++#include <limits.h>
++#include <dlfcn.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <unistd.h>
++#include <errno.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++# include <openssl/fips.h>
++# include "internal/thread_once.h"
++
++# ifndef PATH_MAX
++#  define PATH_MAX 1024
++# endif
++
++static int fips_selftest_fail = 0;
++static int fips_mode = 0;
++static int fips_started = 0;
++
++static int fips_is_owning_thread(void);
++static int fips_set_owning_thread(void);
++static int fips_clear_owning_thread(void);
++
++static CRYPTO_RWLOCK *fips_lock = NULL;
++static CRYPTO_RWLOCK *fips_owning_lock = NULL;
++static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT;
++
++DEFINE_RUN_ONCE_STATIC(do_fips_lock_init)
++{
++    fips_lock = CRYPTO_THREAD_lock_new();
++    fips_owning_lock = CRYPTO_THREAD_lock_new();
++    return fips_lock != NULL && fips_owning_lock != NULL;
++}
++
++# define fips_w_lock()   CRYPTO_THREAD_write_lock(fips_lock)
++# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock)
++# define fips_r_lock()   CRYPTO_THREAD_read_lock(fips_lock)
++# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock)
++
++static void fips_set_mode(int onoff)
++{
++    int owning_thread = fips_is_owning_thread();
++
++    if (fips_started) {
++        if (!owning_thread)
++            fips_w_lock();
++        fips_mode = onoff;
++        if (!owning_thread)
++            fips_w_unlock();
++    }
++}
++
++int FIPS_module_mode(void)
++{
++    int ret = 0;
++    int owning_thread = fips_is_owning_thread();
++
++    if (fips_started) {
++        if (!owning_thread)
++            fips_r_lock();
++        ret = fips_mode;
++        if (!owning_thread)
++            fips_r_unlock();
++    }
++    return ret;
++}
++
++/* just a compat symbol - return NULL */
++int FIPS_selftest_failed(void)
++{
++    int ret = 0;
++    if (fips_started) {
++        int owning_thread = fips_is_owning_thread();
++
++        if (!owning_thread)
++            fips_r_lock();
++        ret = fips_selftest_fail;
++        if (!owning_thread)
++            fips_r_unlock();
++    }
++    return ret;
++}
++
++/* Selftest failure fatal exit routine. This will be called
++ * during *any* cryptographic operation. It has the minimum
++ * overhead possible to avoid too big a performance hit.
++ */
++
++void FIPS_selftest_check(void)
++{
++    if (fips_selftest_fail) {
++        OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE");
++    }
++}
++
++void fips_set_selftest_fail(void)
++{
++    fips_selftest_fail = 1;
++}
++
++/* we implement what libfipscheck does ourselves */
++
++static int
++get_library_path(const char *libname, const char *symbolname, char *path,
++                 size_t pathlen)
++{
++    Dl_info info;
++    void *dl, *sym;
++    int rv = -1;
++
++    dl = dlopen(libname, RTLD_LAZY);
++    if (dl == NULL) {
++        return -1;
++    }
++
++    sym = dlsym(dl, symbolname);
++
++    if (sym != NULL && dladdr(sym, &info)) {
++        strncpy(path, info.dli_fname, pathlen - 1);
++        path[pathlen - 1] = '\0';
++        rv = 0;
++    }
++
++    dlclose(dl);
++
++    return rv;
++}
++
++static const char conv[] = "0123456789abcdef";
++
++static char *bin2hex(void *buf, size_t len)
++{
++    char *hex, *p;
++    unsigned char *src = buf;
++
++    hex = malloc(len * 2 + 1);
++    if (hex == NULL)
++        return NULL;
++
++    p = hex;
++
++    while (len > 0) {
++        unsigned c;
++
++        c = *src;
++        src++;
++
++        *p = conv[c >> 4];
++        ++p;
++        *p = conv[c & 0x0f];
++        ++p;
++        --len;
++    }
++    *p = '\0';
++    return hex;
++}
++
++# define HMAC_PREFIX "."
++# ifndef HMAC_SUFFIX
++#  define HMAC_SUFFIX ".hmac"
++# endif
++# define READ_BUFFER_LENGTH 16384
++
++static char *make_hmac_path(const char *origpath)
++{
++    char *path, *p;
++    const char *fn;
++
++    path =
++        malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
++    if (path == NULL) {
++        return NULL;
++    }
++
++    fn = strrchr(origpath, '/');
++    if (fn == NULL) {
++        fn = origpath;
++    } else {
++        ++fn;
++    }
++
++    strncpy(path, origpath, fn - origpath);
++    p = path + (fn - origpath);
++    p = stpcpy(p, HMAC_PREFIX);
++    p = stpcpy(p, fn);
++    p = stpcpy(p, HMAC_SUFFIX);
++
++    return path;
++}
++
++static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
++
++static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
++{
++    FILE *f = NULL;
++    int rv = -1;
++    unsigned char rbuf[READ_BUFFER_LENGTH];
++    size_t len;
++    unsigned int hlen;
++    HMAC_CTX *c;
++
++    c = HMAC_CTX_new();
++    if (c == NULL)
++        return rv;
++
++    f = fopen(path, "r");
++
++    if (f == NULL) {
++        goto end;
++    }
++
++    if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
++        goto end;
++    }
++
++    while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
++        if (HMAC_Update(c, rbuf, len) <= 0) {
++            goto end;
++        }
++    }
++
++    len = sizeof(rbuf);
++    /* reuse rbuf for hmac */
++    if (HMAC_Final(c, rbuf, &hlen) <= 0) {
++        goto end;
++    }
++
++    *buf = malloc(hlen);
++    if (*buf == NULL) {
++        goto end;
++    }
++
++    *hmaclen = hlen;
++
++    memcpy(*buf, rbuf, hlen);
++
++    rv = 0;
++ end:
++    HMAC_CTX_free(c);
++
++    if (f)
++        fclose(f);
++
++    return rv;
++}
++
++static int FIPSCHECK_verify(const char *path)
++{
++    int rv = 0;
++    FILE *hf;
++    char *hmacpath, *p;
++    char *hmac = NULL;
++    size_t n;
++
++    hmacpath = make_hmac_path(path);
++    if (hmacpath == NULL)
++        return 0;
++
++    hf = fopen(hmacpath, "r");
++    if (hf == NULL) {
++        free(hmacpath);
++        return 0;
++    }
++
++    if (getline(&hmac, &n, hf) > 0) {
++        void *buf;
++        size_t hmaclen;
++        char *hex;
++
++        if ((p = strchr(hmac, '\n')) != NULL)
++            *p = '\0';
++
++        if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
++            rv = -4;
++            goto end;
++        }
++
++        if ((hex = bin2hex(buf, hmaclen)) == NULL) {
++            free(buf);
++            rv = -5;
++            goto end;
++        }
++
++        if (strcmp(hex, hmac) != 0) {
++            rv = -1;
++        }
++        free(buf);
++        free(hex);
++    } else {
++        rv = -1;
++    }
++
++ end:
++    free(hmac);
++    free(hmacpath);
++    fclose(hf);
++
++    if (rv < 0)
++        return 0;
++
++    /* check successful */
++    return 1;
++}
++
++static int verify_checksums(void)
++{
++    int rv;
++    char path[PATH_MAX + 1];
++    char *p;
++
++    /* we need to avoid dlopening libssl, assume both libcrypto and libssl
++       are in the same directory */
++
++    rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
++                          "FIPS_mode_set", path, sizeof(path));
++    if (rv < 0)
++        return 0;
++
++    rv = FIPSCHECK_verify(path);
++    if (!rv)
++        return 0;
++
++    /* replace libcrypto with libssl */
++    while ((p = strstr(path, "libcrypto.so")) != NULL) {
++        p = stpcpy(p, "libssl");
++        memmove(p, p + 3, strlen(p + 2));
++    }
++
++    rv = FIPSCHECK_verify(path);
++    if (!rv)
++        return 0;
++    return 1;
++}
++
++# ifndef FIPS_MODULE_PATH
++#  define FIPS_MODULE_PATH "/etc/system-fips"
++# endif
++
++int FIPS_module_installed(void)
++{
++    int rv;
++    rv = access(FIPS_MODULE_PATH, F_OK);
++    if (rv < 0 && errno != ENOENT)
++        rv = 0;
++
++    /* Installed == true */
++    return !rv || FIPS_module_mode();
++}
++
++int FIPS_module_mode_set(int onoff)
++{
++    int ret = 0;
++
++    if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
++        return 0;
++
++    fips_w_lock();
++    fips_started = 1;
++    fips_set_owning_thread();
++
++    if (onoff) {
++
++        fips_selftest_fail = 0;
++
++        /* Don't go into FIPS mode twice, just so we can do automagic
++           seeding */
++        if (FIPS_module_mode()) {
++            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                    FIPS_R_FIPS_MODE_ALREADY_SET);
++            fips_selftest_fail = 1;
++            ret = 0;
++            goto end;
++        }
++# ifdef OPENSSL_IA32_SSE2
++        {
++            extern unsigned int OPENSSL_ia32cap_P[2];
++            if ((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
++                (1 << 25 | 1 << 26)) {
++                FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                        FIPS_R_UNSUPPORTED_PLATFORM);
++                fips_selftest_fail = 1;
++                ret = 0;
++                goto end;
++            }
++        }
++# endif
++
++        if (!FIPS_selftest()) {
++            fips_selftest_fail = 1;
++            ret = 0;
++            goto end;
++        }
++
++        if (!verify_checksums()) {
++            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++            fips_selftest_fail = 1;
++            ret = 0;
++            goto end;
++        }
++
++        fips_set_mode(onoff);
++        ret = 1;
++        goto end;
++    }
++    fips_set_mode(0);
++    fips_selftest_fail = 0;
++    ret = 1;
++ end:
++    fips_clear_owning_thread();
++    fips_w_unlock();
++    return ret;
++}
++
++static CRYPTO_THREAD_ID fips_threadid;
++static int fips_thread_set = 0;
++
++static int fips_is_owning_thread(void)
++{
++    int ret = 0;
++
++    if (fips_started) {
++        CRYPTO_THREAD_read_lock(fips_owning_lock);
++        if (fips_thread_set) {
++            CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
++            if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
++                ret = 1;
++        }
++        CRYPTO_THREAD_unlock(fips_owning_lock);
++    }
++    return ret;
++}
++
++int fips_set_owning_thread(void)
++{
++    int ret = 0;
++
++    if (fips_started) {
++        CRYPTO_THREAD_write_lock(fips_owning_lock);
++        if (!fips_thread_set) {
++            fips_threadid = CRYPTO_THREAD_get_current_id();
++            ret = 1;
++            fips_thread_set = 1;
++        }
++        CRYPTO_THREAD_unlock(fips_owning_lock);
++    }
++    return ret;
++}
++
++int fips_clear_owning_thread(void)
++{
++    int ret = 0;
++
++    if (fips_started) {
++        CRYPTO_THREAD_write_lock(fips_owning_lock);
++        if (fips_thread_set) {
++            CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
++            if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
++                fips_thread_set = 0;
++        }
++        CRYPTO_THREAD_unlock(fips_owning_lock);
++    }
++    return ret;
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,156 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/cmac.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++    int nid;
++    const unsigned char key[EVP_MAX_KEY_LENGTH];
++    size_t keysize;
++    const unsigned char msg[64];
++    size_t msgsize;
++    const unsigned char mac[32];
++    size_t macsize;
++} CMAC_KAT;
++
++/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */
++static const CMAC_KAT vector[] = {
++    {NID_aes_128_cbc,           /* Count = 32 from CMACGenAES128.txt */
++     {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3,
++      0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128,
++     {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c,
++      0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e,
++      0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98,
++      0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256,
++     {0xfb, 0xfe, 0xa4, 0x1b,}, 32},
++    {NID_aes_192_cbc,           /* Count = 23 from CMACGenAES192.txt */
++     {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9,
++      0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86,
++      0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192,
++     {0x0}, 0,
++     {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef,
++      0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128,
++     },
++    {NID_aes_256_cbc,           /* Count = 33 from CMACGenAES256.txt */
++     {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe,
++      0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14,
++      0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 0x0b, 0xbf,
++      0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256,
++     {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb,
++      0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08,
++      0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88,
++      0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84,
++      0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96,
++      0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384,
++     {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40,
++     },
++    {NID_des_ede3_cbc,          /* Count = 41 from CMACGenTDES3.req */
++     {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37,
++      0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5,
++      0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192,
++     {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e,
++      0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2,
++      0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0,
++      0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256,
++     {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64,
++     },
++};
++
++int FIPS_selftest_cmac()
++{
++    size_t n, outlen;
++    unsigned char out[32];
++    const EVP_CIPHER *cipher;
++    CMAC_CTX *ctx = CMAC_CTX_new();
++    const CMAC_KAT *t;
++    int rv = 1;
++
++    for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++        cipher = EVP_get_cipherbynid(t->nid);
++        if (!cipher) {
++            rv = -1;
++            goto err;
++        }
++        if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) {
++            rv = -1;
++            goto err;
++        }
++        if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) {
++            rv = -1;
++            goto err;
++        }
++
++        if (!CMAC_Final(ctx, out, &outlen)) {
++            rv = -1;
++            goto err;
++        }
++
++        if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) {
++            rv = 0;
++        }
++    }
++
++ err:
++    CMAC_CTX_free(ctx);
++
++    if (rv == -1) {
++        rv = 0;
++    }
++    if (!rv)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED);
++
++    return rv;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_des_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,133 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++#endif
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++
++static const struct {
++    const unsigned char key[16];
++    const unsigned char plaintext[8];
++    const unsigned char ciphertext[8];
++} tests2[] = {
++    {
++        {
++        0x7c, 0x4f, 0x6e, 0xf7, 0xa2, 0x04, 0x16, 0xec,
++                0x0b, 0x6b, 0x7c, 0x9e, 0x5e, 0x19, 0xa7, 0xc4}, {
++        0x06, 0xa7, 0xd8, 0x79, 0xaa, 0xce, 0x69, 0xef}, {
++        0x4c, 0x11, 0x17, 0x55, 0xbf, 0xc4, 0x4e, 0xfd}
++    }, {
++        {
++        0x5d, 0x9e, 0x01, 0xd3, 0x25, 0xc7, 0x3e, 0x34,
++                0x01, 0x16, 0x7c, 0x85, 0x23, 0xdf, 0xe0, 0x68}, {
++        0x9c, 0x50, 0x09, 0x0f, 0x5e, 0x7d, 0x69, 0x7e}, {
++    0xd2, 0x0b, 0x18, 0xdf, 0xd9, 0x0d, 0x9e, 0xff},}
++};
++
++static const struct {
++    const unsigned char key[24];
++    const unsigned char plaintext[8];
++    const unsigned char ciphertext[8];
++} tests3[] = {
++    {
++        {
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++                0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
++                0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
++        0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
++    0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
++        {
++        0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
++                0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
++                0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
++        0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
++0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
++
++int FIPS_selftest_des()
++{
++    int n, ret = 0;
++    EVP_CIPHER_CTX *ctx;
++
++    ctx = EVP_CIPHER_CTX_new();
++    if (ctx == NULL)
++        goto err;
++
++    /* Encrypt/decrypt with 2-key 3DES and compare to known answers */
++    for (n = 0; n < 2; ++n) {
++        unsigned char plaintext[8];
++
++        memcpy(plaintext, tests2[n].plaintext, sizeof(plaintext));
++        if (!fips_cipher_test(ctx, EVP_des_ede_ecb(),
++                              tests2[n].key, NULL,
++                              plaintext, tests2[n].ciphertext, 8))
++            goto err;
++    }
++
++    /* Encrypt/decrypt with 3DES and compare to known answers */
++    for (n = 0; n < 2; ++n) {
++        if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
++                              tests3[n].key, NULL,
++                              tests3[n].plaintext, tests3[n].ciphertext, 8))
++            goto err;
++    }
++    ret = 1;
++ err:
++    EVP_CIPHER_CTX_free(ctx);
++    if (ret == 0)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
++
++    return ret;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dh_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,180 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ * Copyright (c) 2013 Red Hat, Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dh_test_2048_p[] = {
++    0xAE, 0xEC, 0xEE, 0x22, 0xFA, 0x3A, 0xA5, 0x22, 0xC0, 0xDE, 0x0F, 0x09,
++    0x7E, 0x17, 0xC0, 0x05, 0xF9, 0xF1, 0xE7, 0xC6, 0x87, 0x14, 0x6D, 0x11,
++    0xE7, 0xAE, 0xED, 0x2F, 0x72, 0x59, 0xC5, 0xA9, 0x9B, 0xB8, 0x02, 0xA5,
++    0xF3, 0x69, 0x70, 0xD6, 0xDD, 0x90, 0xF9, 0x19, 0x79, 0xBE, 0x60, 0x8F,
++    0x25, 0x92, 0x30, 0x1C, 0x51, 0x51, 0x38, 0x26, 0x82, 0x25, 0xE6, 0xFC,
++    0xED, 0x65, 0x96, 0x8F, 0x57, 0xE5, 0x53, 0x8B, 0x38, 0x63, 0xC7, 0xCE,
++    0xBC, 0x1B, 0x4D, 0x18, 0x2A, 0x5B, 0x04, 0x3F, 0x6A, 0x3C, 0x94, 0x39,
++    0xAE, 0x36, 0xD6, 0x5E, 0x0F, 0xA2, 0xCC, 0xD0, 0xD4, 0xD5, 0xC6, 0x1E,
++    0xF6, 0xA0, 0xF5, 0x89, 0x4E, 0xB4, 0x0B, 0xA4, 0xB3, 0x2B, 0x3D, 0xE2,
++    0x4E, 0xE1, 0x49, 0x25, 0x99, 0x5F, 0x32, 0x16, 0x33, 0x32, 0x1B, 0x7A,
++    0xA5, 0x5C, 0x6B, 0x34, 0x0D, 0x39, 0x99, 0xDC, 0xF0, 0x76, 0xE5, 0x5A,
++    0xD4, 0x71, 0x00, 0xED, 0x5A, 0x73, 0xFB, 0xC8, 0x01, 0xAD, 0x99, 0xCF,
++    0x99, 0x52, 0x7C, 0x9C, 0x64, 0xC6, 0x76, 0x40, 0x57, 0xAF, 0x59, 0xD7,
++    0x38, 0x0B, 0x40, 0xDE, 0x33, 0x0D, 0xB8, 0x76, 0xEC, 0xA9, 0xD8, 0x73,
++    0xF8, 0xEF, 0x26, 0x66, 0x06, 0x27, 0xDD, 0x7C, 0xA4, 0x10, 0x9C, 0xA6,
++    0xAA, 0xF9, 0x53, 0x62, 0x73, 0x1D, 0xBA, 0x1C, 0xF1, 0x67, 0xF4, 0x35,
++    0xED, 0x6F, 0x37, 0x92, 0xE8, 0x4F, 0x6C, 0xBA, 0x52, 0x6E, 0xA1, 0xED,
++    0xDA, 0x9F, 0x85, 0x11, 0x82, 0x52, 0x62, 0x08, 0x44, 0xF1, 0x30, 0x03,
++    0xC3, 0x38, 0x2C, 0x79, 0xBD, 0xD4, 0x43, 0x45, 0xEE, 0x8E, 0x50, 0xFC,
++    0x29, 0x46, 0x9A, 0xFE, 0x54, 0x1A, 0x19, 0x8F, 0x4B, 0x84, 0x08, 0xDE,
++    0x20, 0x62, 0x73, 0xCC, 0xDD, 0x7E, 0xF0, 0xEF, 0xA2, 0xFD, 0x86, 0x58,
++    0x4B, 0xD8, 0x37, 0xEB
++};
++
++static const unsigned char dh_test_2048_g[] = {
++    0x02
++};
++
++static const unsigned char dh_test_2048_pub_key[] = {
++    0xA0, 0x39, 0x11, 0x77, 0x9A, 0xC1, 0x30, 0x1F, 0xBE, 0x48, 0xA7, 0xAA,
++    0xA0, 0x84, 0x54, 0x64, 0xAD, 0x1B, 0x70, 0xFA, 0x13, 0x55, 0x63, 0xD2,
++    0x1F, 0x62, 0x32, 0x93, 0x8E, 0xC9, 0x3E, 0x09, 0xA7, 0x64, 0xE4, 0x12,
++    0x6E, 0x1B, 0xF2, 0x92, 0x3B, 0xB9, 0xCB, 0x56, 0xEA, 0x07, 0x88, 0xB5,
++    0xA6, 0xBC, 0x16, 0x1F, 0x27, 0xFE, 0xD8, 0xAA, 0x40, 0xB2, 0xB0, 0x2D,
++    0x37, 0x76, 0xA6, 0xA4, 0x82, 0x2C, 0x0E, 0x22, 0x64, 0x9D, 0xCB, 0xD1,
++    0x00, 0xB7, 0x89, 0x14, 0x72, 0x4E, 0xBE, 0x48, 0x41, 0xF8, 0xB2, 0x51,
++    0x11, 0x09, 0x4B, 0x22, 0x01, 0x23, 0x39, 0x96, 0xE0, 0x15, 0xD7, 0x9F,
++    0x60, 0xD1, 0xB7, 0xAE, 0xFE, 0x5F, 0xDB, 0xE7, 0x03, 0x17, 0x97, 0xA6,
++    0x16, 0x74, 0xBD, 0x53, 0x81, 0x19, 0xC5, 0x47, 0x5E, 0xCE, 0x8D, 0xED,
++    0x45, 0x5D, 0x3C, 0x00, 0xA0, 0x0A, 0x68, 0x6A, 0xE0, 0x8E, 0x06, 0x46,
++    0x6F, 0xD7, 0xF9, 0xDF, 0x31, 0x7E, 0x77, 0x44, 0x0D, 0x98, 0xE0, 0xCA,
++    0x98, 0x09, 0x52, 0x04, 0x90, 0xEA, 0x6D, 0xF4, 0x30, 0x69, 0x8F, 0xB1,
++    0x9B, 0xC1, 0x43, 0xDB, 0xD5, 0x8D, 0xC8, 0x8E, 0xB6, 0x0B, 0x05, 0xBE,
++    0x0E, 0xC5, 0x99, 0xC8, 0x6E, 0x4E, 0xF3, 0xCB, 0xC3, 0x5E, 0x9B, 0x53,
++    0xF7, 0x06, 0x1C, 0x4F, 0xC7, 0xB8, 0x6E, 0x30, 0x18, 0xCA, 0x9B, 0xB9,
++    0xBC, 0x5F, 0x17, 0x72, 0x29, 0x5A, 0xE5, 0xD9, 0x96, 0xB7, 0x0B, 0xF3,
++    0x2D, 0x8C, 0xF1, 0xE1, 0x0E, 0x0D, 0x74, 0xD5, 0x9D, 0xF0, 0x06, 0xA9,
++    0xB4, 0x95, 0x63, 0x76, 0x46, 0x55, 0x48, 0x82, 0x39, 0x90, 0xEF, 0x56,
++    0x75, 0x34, 0xB8, 0x34, 0xC3, 0x18, 0x6E, 0x1E, 0xAD, 0xE3, 0x48, 0x7E,
++    0x93, 0x2C, 0x23, 0xE7, 0xF8, 0x90, 0x73, 0xB1, 0x77, 0x80, 0x67, 0xA9,
++    0x36, 0x9E, 0xDA, 0xD2
++};
++
++static const unsigned char dh_test_2048_priv_key[] = {
++    0x0C, 0x4B, 0x30, 0x89, 0xD1, 0xB8, 0x62, 0xCB, 0x3C, 0x43, 0x64, 0x91,
++    0xF0, 0x91, 0x54, 0x70, 0xC5, 0x27, 0x96, 0xE3, 0xAC, 0xBE, 0xE8, 0x00,
++    0xEC, 0x55, 0xF6, 0xCC
++};
++
++int FIPS_selftest_dh()
++{
++    DH *dh = NULL;
++    int ret = 0;
++    void *pub_key_bin = NULL;
++    int len;
++    BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
++    const BIGNUM *pub_key;
++
++    fips_load_key_component(p, dh_test_2048);
++    fips_load_key_component(g, dh_test_2048);
++    /* note that the private key is much shorter than normally used
++     * but still g ** priv_key > p
++     */
++    fips_load_key_component(priv_key, dh_test_2048);
++    if ((tmp_pub_key = BN_new()) == NULL)
++        goto err;
++
++    dh = DH_new();
++
++    if (dh == NULL)
++        goto err;
++
++    DH_set0_pqg(dh, p, NULL, g);
++    DH_set0_key(dh, tmp_pub_key, priv_key);
++
++    if (DH_generate_key(dh) <= 0)
++        goto err;
++
++    DH_get0_key(dh, &pub_key, NULL);
++
++    if (pub_key == NULL)
++        goto err;
++
++    len = BN_num_bytes(pub_key);
++    if ((pub_key_bin = OPENSSL_malloc(len)) == NULL)
++        goto err;
++    BN_bn2bin(pub_key, pub_key_bin);
++
++    if (len != sizeof(dh_test_2048_pub_key) ||
++        memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
++        goto err;
++
++    ret = 1;
++
++ err:
++    if (dh)
++        DH_free(dh);
++    else {
++        BN_free(p);
++        BN_free(g);
++        BN_free(priv_key);
++        BN_free(tmp_pub_key);
++    }
++
++    OPENSSL_free(pub_key_bin);
++    return ret;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,406 @@
++/* fips/rand/fips_drbg_ctr.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static void inc_128(DRBG_CTR_CTX * cctx)
++{
++    int i;
++    unsigned char c;
++    unsigned char *p = cctx->V + 15;
++    for (i = 0; i < 16; i++) {
++        c = *p;
++        c++;
++        *p = c;
++        if (c)
++            return;
++        p--;
++    }
++}
++
++static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
++                    size_t inlen)
++{
++    size_t i, n;
++    /* Any zero padding will have no effect on the result as we
++     * are XORing. So just process however much input we have.
++     */
++
++    if (!in || !inlen)
++        return;
++
++    if (inlen < cctx->keylen)
++        n = inlen;
++    else
++        n = cctx->keylen;
++
++    for (i = 0; i < n; i++)
++        cctx->K[i] ^= in[i];
++    if (inlen <= cctx->keylen)
++        return;
++
++    n = inlen - cctx->keylen;
++    /* Should never happen */
++    if (n > 16)
++        n = 16;
++    for (i = 0; i < 16; i++)
++        cctx->V[i] ^= in[i + cctx->keylen];
++}
++
++/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
++
++static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
++                          const unsigned char *in)
++{
++    int i;
++    for (i = 0; i < 16; i++)
++        out[i] ^= in[i];
++    AES_encrypt(out, out, &cctx->df_ks);
++#if 0
++    fprintf(stderr, "BCC in+out\n");
++    BIO_dump_fp(stderr, in, 16);
++    BIO_dump_fp(stderr, out, 16);
++#endif
++}
++
++/* Handle several BCC operations for as much data as we need for K and X */
++static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
++{
++    ctr_BCC_block(cctx, cctx->KX, in);
++    ctr_BCC_block(cctx, cctx->KX + 16, in);
++    if (cctx->keylen != 16)
++        ctr_BCC_block(cctx, cctx->KX + 32, in);
++}
++
++/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
++ * see 10.4.2 stage 7.
++ */
++static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
++{
++    memset(cctx->KX, 0, 48);
++    memset(cctx->bltmp, 0, 16);
++    ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
++    cctx->bltmp[3] = 1;
++    ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
++    if (cctx->keylen != 16) {
++        cctx->bltmp[3] = 2;
++        ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
++    }
++}
++
++/* Process several blocks into BCC algorithm, some possibly partial */
++static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
++                           const unsigned char *in, size_t inlen)
++{
++    if (!in || !inlen)
++        return;
++    /* If we have partial block handle it first */
++    if (cctx->bltmp_pos) {
++        size_t left = 16 - cctx->bltmp_pos;
++        /* If we now have a complete block process it */
++        if (inlen >= left) {
++            memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
++            ctr_BCC_blocks(cctx, cctx->bltmp);
++            cctx->bltmp_pos = 0;
++            inlen -= left;
++            in += left;
++        }
++    }
++    /* Process zero or more complete blocks */
++    while (inlen >= 16) {
++        ctr_BCC_blocks(cctx, in);
++        in += 16;
++        inlen -= 16;
++    }
++    /* Copy any remaining partial block to the temporary buffer */
++    if (inlen > 0) {
++        memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
++        cctx->bltmp_pos += inlen;
++    }
++}
++
++static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
++{
++    if (cctx->bltmp_pos) {
++        memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
++        ctr_BCC_blocks(cctx, cctx->bltmp);
++    }
++}
++
++static void ctr_df(DRBG_CTR_CTX * cctx,
++                   const unsigned char *in1, size_t in1len,
++                   const unsigned char *in2, size_t in2len,
++                   const unsigned char *in3, size_t in3len)
++{
++    size_t inlen;
++    unsigned char *p = cctx->bltmp;
++    static unsigned char c80 = 0x80;
++
++    ctr_BCC_init(cctx);
++    if (!in1)
++        in1len = 0;
++    if (!in2)
++        in2len = 0;
++    if (!in3)
++        in3len = 0;
++    inlen = in1len + in2len + in3len;
++    /* Initialise L||N in temporary block */
++    *p++ = (inlen >> 24) & 0xff;
++    *p++ = (inlen >> 16) & 0xff;
++    *p++ = (inlen >> 8) & 0xff;
++    *p++ = inlen & 0xff;
++    /* NB keylen is at most 32 bytes */
++    *p++ = 0;
++    *p++ = 0;
++    *p++ = 0;
++    *p = (unsigned char)((cctx->keylen + 16) & 0xff);
++    cctx->bltmp_pos = 8;
++    ctr_BCC_update(cctx, in1, in1len);
++    ctr_BCC_update(cctx, in2, in2len);
++    ctr_BCC_update(cctx, in3, in3len);
++    ctr_BCC_update(cctx, &c80, 1);
++    ctr_BCC_final(cctx);
++    /* Set up key K */
++    AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
++    /* X follows key K */
++    AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
++    AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
++    if (cctx->keylen != 16)
++        AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
++#if 0
++    fprintf(stderr, "Output of ctr_df:\n");
++    BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
++#endif
++}
++
++/* NB the no-df  Update in SP800-90 specifies a constant input length
++ * of seedlen, however other uses of this algorithm pad the input with
++ * zeroes if necessary and have up to two parameters XORed together,
++ * handle both cases in this function instead.
++ */
++
++static void ctr_Update(DRBG_CTX *dctx,
++                       const unsigned char *in1, size_t in1len,
++                       const unsigned char *in2, size_t in2len,
++                       const unsigned char *nonce, size_t noncelen)
++{
++    DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++    /* ks is already setup for correct key */
++    inc_128(cctx);
++    AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++    /* If keylen longer than 128 bits need extra encrypt */
++    if (cctx->keylen != 16) {
++        inc_128(cctx);
++        AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks);
++    }
++    inc_128(cctx);
++    AES_encrypt(cctx->V, cctx->V, &cctx->ks);
++    /* If 192 bit key part of V is on end of K */
++    if (cctx->keylen == 24) {
++        memcpy(cctx->V + 8, cctx->V, 8);
++        memcpy(cctx->V, cctx->K + 24, 8);
++    }
++
++    if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++        /* If no input reuse existing derived value */
++        if (in1 || nonce || in2)
++            ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len);
++        /* If this a reuse input in1len != 0 */
++        if (in1len)
++            ctr_XOR(cctx, cctx->KX, dctx->seedlen);
++    } else {
++        ctr_XOR(cctx, in1, in1len);
++        ctr_XOR(cctx, in2, in2len);
++    }
++
++    AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++#if 0
++    fprintf(stderr, "K+V after update is:\n");
++    BIO_dump_fp(stderr, cctx->K, cctx->keylen);
++    BIO_dump_fp(stderr, cctx->V, 16);
++#endif
++}
++
++static int drbg_ctr_instantiate(DRBG_CTX *dctx,
++                                const unsigned char *ent, size_t entlen,
++                                const unsigned char *nonce, size_t noncelen,
++                                const unsigned char *pers, size_t perslen)
++{
++    DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++    memset(cctx->K, 0, sizeof(cctx->K));
++    memset(cctx->V, 0, sizeof(cctx->V));
++    AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks);
++    ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen);
++    return 1;
++}
++
++static int drbg_ctr_reseed(DRBG_CTX *dctx,
++                           const unsigned char *ent, size_t entlen,
++                           const unsigned char *adin, size_t adinlen)
++{
++    ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0);
++    return 1;
++}
++
++static int drbg_ctr_generate(DRBG_CTX *dctx,
++                             unsigned char *out, size_t outlen,
++                             const unsigned char *adin, size_t adinlen)
++{
++    DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++    if (adin && adinlen) {
++        ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++        /* This means we reuse derived value */
++        if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++            adin = NULL;
++            adinlen = 1;
++        }
++    } else
++        adinlen = 0;
++
++    for (;;) {
++        inc_128(cctx);
++        if (outlen < 16) {
++            /* Use K as temp space as it will be updated */
++            AES_encrypt(cctx->V, cctx->K, &cctx->ks);
++            memcpy(out, cctx->K, outlen);
++            break;
++        }
++        AES_encrypt(cctx->V, out, &cctx->ks);
++        out += 16;
++        outlen -= 16;
++        if (outlen == 0)
++            break;
++    }
++
++    ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0);
++
++    return 1;
++
++}
++
++static int drbg_ctr_uninstantiate(DRBG_CTX *dctx)
++{
++    memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX));
++    return 1;
++}
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx)
++{
++    DRBG_CTR_CTX *cctx = &dctx->d.ctr;
++
++    size_t keylen;
++
++    switch (dctx->type) {
++    case NID_aes_128_ctr:
++        keylen = 16;
++        break;
++
++    case NID_aes_192_ctr:
++        keylen = 24;
++        break;
++
++    case NID_aes_256_ctr:
++        keylen = 32;
++        break;
++
++    default:
++        return -2;
++    }
++
++    dctx->instantiate = drbg_ctr_instantiate;
++    dctx->reseed = drbg_ctr_reseed;
++    dctx->generate = drbg_ctr_generate;
++    dctx->uninstantiate = drbg_ctr_uninstantiate;
++
++    cctx->keylen = keylen;
++    dctx->strength = keylen * 8;
++    dctx->blocklength = 16;
++    dctx->seedlen = keylen + 16;
++
++    if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) {
++        /* df initialisation */
++        static unsigned char df_key[32] = {
++            0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++            0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++            0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++            0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
++        };
++        /* Set key schedule for df_key */
++        AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks);
++
++        dctx->min_entropy = cctx->keylen;
++        dctx->max_entropy = DRBG_MAX_LENGTH;
++        dctx->min_nonce = dctx->min_entropy / 2;
++        dctx->max_nonce = DRBG_MAX_LENGTH;
++        dctx->max_pers = DRBG_MAX_LENGTH;
++        dctx->max_adin = DRBG_MAX_LENGTH;
++    } else {
++        dctx->min_entropy = dctx->seedlen;
++        dctx->max_entropy = dctx->seedlen;
++        /* Nonce not used */
++        dctx->min_nonce = 0;
++        dctx->max_nonce = 0;
++        dctx->max_pers = dctx->seedlen;
++        dctx->max_adin = dctx->seedlen;
++    }
++
++    dctx->max_request = 1 << 16;
++    dctx->reseed_interval = 1 << 24;
++
++    return 1;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hash.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,354 @@
++/* fips/rand/fips_drbg_hash.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* This is Hash_df from SP 800-90 10.4.1 */
++
++static int hash_df(DRBG_CTX *dctx, unsigned char *out,
++                   const unsigned char *in1, size_t in1len,
++                   const unsigned char *in2, size_t in2len,
++                   const unsigned char *in3, size_t in3len,
++                   const unsigned char *in4, size_t in4len)
++{
++    EVP_MD_CTX *mctx = dctx->d.hash.mctx;
++    unsigned char *vtmp = dctx->d.hash.vtmp;
++    unsigned char tmp[6];
++    /* Standard only ever needs seedlen bytes which is always less than
++     * maximum permitted so no need to check length.
++     */
++    size_t outlen = dctx->seedlen;
++    tmp[0] = 1;
++    tmp[1] = ((outlen * 8) >> 24) & 0xff;
++    tmp[2] = ((outlen * 8) >> 16) & 0xff;
++    tmp[3] = ((outlen * 8) >> 8) & 0xff;
++    tmp[4] = (outlen * 8) & 0xff;
++    if (!in1) {
++        tmp[5] = (unsigned char)in1len;
++        in1 = tmp + 5;
++        in1len = 1;
++    }
++    for (;;) {
++        if (!FIPS_digestinit(mctx, dctx->d.hash.md))
++            return 0;
++        if (!FIPS_digestupdate(mctx, tmp, 5))
++            return 0;
++        if (in1 && !FIPS_digestupdate(mctx, in1, in1len))
++            return 0;
++        if (in2 && !FIPS_digestupdate(mctx, in2, in2len))
++            return 0;
++        if (in3 && !FIPS_digestupdate(mctx, in3, in3len))
++            return 0;
++        if (in4 && !FIPS_digestupdate(mctx, in4, in4len))
++            return 0;
++        if (outlen < dctx->blocklength) {
++            if (!FIPS_digestfinal(mctx, vtmp, NULL))
++                return 0;
++            memcpy(out, vtmp, outlen);
++            OPENSSL_cleanse(vtmp, dctx->blocklength);
++            return 1;
++        } else if (!FIPS_digestfinal(mctx, out, NULL))
++            return 0;
++
++        outlen -= dctx->blocklength;
++        if (outlen == 0)
++            return 1;
++        tmp[0]++;
++        out += dctx->blocklength;
++    }
++}
++
++/* Add an unsigned buffer to the buf value, storing the result in buf. For
++ * this algorithm the length of input never exceeds the seed length.
++ */
++
++static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf,
++                        unsigned char *in, size_t inlen)
++{
++    size_t i = inlen;
++    const unsigned char *q;
++    unsigned char c, *p;
++    p = buf + dctx->seedlen;
++    q = in + inlen;
++
++    OPENSSL_assert(i <= dctx->seedlen);
++
++    /* Special case: zero length, just increment buffer */
++    if (i)
++        c = 0;
++    else
++        c = 1;
++
++    while (i) {
++        int r;
++        p--;
++        q--;
++        r = *p + *q + c;
++        /* Carry */
++        if (r > 0xff)
++            c = 1;
++        else
++            c = 0;
++        *p = r & 0xff;
++        i--;
++    }
++
++    i = dctx->seedlen - inlen;
++
++    /* If not adding whole buffer handle final carries */
++    if (c && i) {
++        do {
++            p--;
++            c = *p;
++            c++;
++            *p = c;
++            if (c)
++                return;
++        } while (i--);
++    }
++}
++
++/* Finalise and add hash to V */
++
++static int ctx_add_md(DRBG_CTX *dctx)
++{
++    if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL))
++        return 0;
++    ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength);
++    return 1;
++}
++
++static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen)
++{
++    DRBG_HASH_CTX *hctx = &dctx->d.hash;
++    if (outlen == 0)
++        return 1;
++    memcpy(hctx->vtmp, hctx->V, dctx->seedlen);
++    for (;;) {
++        FIPS_digestinit(hctx->mctx, hctx->md);
++        FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen);
++        if (outlen < dctx->blocklength) {
++            FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL);
++            memcpy(out, hctx->vtmp, outlen);
++            return 1;
++        } else {
++            FIPS_digestfinal(hctx->mctx, out, NULL);
++            outlen -= dctx->blocklength;
++            if (outlen == 0)
++                return 1;
++            out += dctx->blocklength;
++        }
++        ctx_add_buf(dctx, hctx->vtmp, NULL, 0);
++    }
++}
++
++static int drbg_hash_instantiate(DRBG_CTX *dctx,
++                                 const unsigned char *ent, size_t ent_len,
++                                 const unsigned char *nonce, size_t nonce_len,
++                                 const unsigned char *pstr, size_t pstr_len)
++{
++    DRBG_HASH_CTX *hctx = &dctx->d.hash;
++    if (!hash_df(dctx, hctx->V,
++                 ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0))
++        return 0;
++    if (!hash_df(dctx, hctx->C,
++                 NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++        return 0;
++
++#ifdef HASH_DRBG_TRACE
++    fprintf(stderr, "V+C after instantiate:\n");
++    hexprint(stderr, hctx->V, dctx->seedlen);
++    hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++    return 1;
++}
++
++static int drbg_hash_reseed(DRBG_CTX *dctx,
++                            const unsigned char *ent, size_t ent_len,
++                            const unsigned char *adin, size_t adin_len)
++{
++    DRBG_HASH_CTX *hctx = &dctx->d.hash;
++    /* V about to be updated so use C as output instead */
++    if (!hash_df(dctx, hctx->C,
++                 NULL, 1, hctx->V, dctx->seedlen,
++                 ent, ent_len, adin, adin_len))
++        return 0;
++    memcpy(hctx->V, hctx->C, dctx->seedlen);
++    if (!hash_df(dctx, hctx->C, NULL, 0,
++                 hctx->V, dctx->seedlen, NULL, 0, NULL, 0))
++        return 0;
++#ifdef HASH_DRBG_TRACE
++    fprintf(stderr, "V+C after reseed:\n");
++    hexprint(stderr, hctx->V, dctx->seedlen);
++    hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++    return 1;
++}
++
++static int drbg_hash_generate(DRBG_CTX *dctx,
++                              unsigned char *out, size_t outlen,
++                              const unsigned char *adin, size_t adin_len)
++{
++    DRBG_HASH_CTX *hctx = &dctx->d.hash;
++    EVP_MD_CTX *mctx = hctx->mctx;
++    unsigned char tmp[4];
++    if (adin && adin_len) {
++        tmp[0] = 2;
++        if (!FIPS_digestinit(mctx, hctx->md))
++            return 0;
++        if (!EVP_DigestUpdate(mctx, tmp, 1))
++            return 0;
++        if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++            return 0;
++        if (!EVP_DigestUpdate(mctx, adin, adin_len))
++            return 0;
++        if (!ctx_add_md(dctx))
++            return 0;
++    }
++    if (!hash_gen(dctx, out, outlen))
++        return 0;
++
++    tmp[0] = 3;
++    if (!FIPS_digestinit(mctx, hctx->md))
++        return 0;
++    if (!EVP_DigestUpdate(mctx, tmp, 1))
++        return 0;
++    if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen))
++        return 0;
++
++    if (!ctx_add_md(dctx))
++        return 0;
++
++    ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen);
++
++    tmp[0] = (dctx->reseed_counter >> 24) & 0xff;
++    tmp[1] = (dctx->reseed_counter >> 16) & 0xff;
++    tmp[2] = (dctx->reseed_counter >> 8) & 0xff;
++    tmp[3] = dctx->reseed_counter & 0xff;
++    ctx_add_buf(dctx, hctx->V, tmp, 4);
++#ifdef HASH_DRBG_TRACE
++    fprintf(stderr, "V+C after generate:\n");
++    hexprint(stderr, hctx->V, dctx->seedlen);
++    hexprint(stderr, hctx->C, dctx->seedlen);
++#endif
++    return 1;
++}
++
++static int drbg_hash_uninstantiate(DRBG_CTX *dctx)
++{
++    EVP_MD_CTX_free(dctx->d.hash.mctx);
++    OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX));
++    return 1;
++}
++
++int fips_drbg_hash_init(DRBG_CTX *dctx)
++{
++    const EVP_MD *md;
++    DRBG_HASH_CTX *hctx = &dctx->d.hash;
++    md = EVP_get_digestbynid(dctx->type);
++    if (!md)
++        return -2;
++    switch (dctx->type) {
++    case NID_sha1:
++        dctx->strength = 128;
++        break;
++
++    case NID_sha224:
++        dctx->strength = 192;
++        break;
++
++    default:
++        dctx->strength = 256;
++        break;
++    }
++
++    dctx->instantiate = drbg_hash_instantiate;
++    dctx->reseed = drbg_hash_reseed;
++    dctx->generate = drbg_hash_generate;
++    dctx->uninstantiate = drbg_hash_uninstantiate;
++
++    dctx->d.hash.md = md;
++    hctx->mctx = EVP_MD_CTX_new();
++    if (hctx->mctx == NULL)
++        return -1;
++
++    /* These are taken from SP 800-90 10.1 table 2 */
++
++    dctx->blocklength = EVP_MD_size(md);
++    if (dctx->blocklength > 32)
++        dctx->seedlen = 111;
++    else
++        dctx->seedlen = 55;
++
++    dctx->min_entropy = dctx->strength / 8;
++    dctx->max_entropy = DRBG_MAX_LENGTH;
++
++    dctx->min_nonce = dctx->min_entropy / 2;
++    dctx->max_nonce = DRBG_MAX_LENGTH;
++
++    dctx->max_pers = DRBG_MAX_LENGTH;
++    dctx->max_adin = DRBG_MAX_LENGTH;
++
++    dctx->max_request = 1 << 16;
++    dctx->reseed_interval = 1 << 24;
++
++    return 1;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,262 @@
++/* fips/rand/fips_drbg_hmac.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/evp.h>
++#include <openssl/hmac.h>
++#include <openssl/aes.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++static int drbg_hmac_update(DRBG_CTX *dctx,
++                            const unsigned char *in1, size_t in1len,
++                            const unsigned char *in2, size_t in2len,
++                            const unsigned char *in3, size_t in3len)
++{
++    static unsigned char c0 = 0, c1 = 1;
++    DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++    HMAC_CTX *hctx = hmac->hctx;
++
++    if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++        return 0;
++    if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++        return 0;
++    if (!HMAC_Update(hctx, &c0, 1))
++        return 0;
++    if (in1len && !HMAC_Update(hctx, in1, in1len))
++        return 0;
++    if (in2len && !HMAC_Update(hctx, in2, in2len))
++        return 0;
++    if (in3len && !HMAC_Update(hctx, in3, in3len))
++        return 0;
++
++    if (!HMAC_Final(hctx, hmac->K, NULL))
++        return 0;
++
++    if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++        return 0;
++    if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++        return 0;
++
++    if (!HMAC_Final(hctx, hmac->V, NULL))
++        return 0;
++
++    if (!in1len && !in2len && !in3len)
++        return 1;
++
++    if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++        return 0;
++    if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++        return 0;
++    if (!HMAC_Update(hctx, &c1, 1))
++        return 0;
++    if (in1len && !HMAC_Update(hctx, in1, in1len))
++        return 0;
++    if (in2len && !HMAC_Update(hctx, in2, in2len))
++        return 0;
++    if (in3len && !HMAC_Update(hctx, in3, in3len))
++        return 0;
++
++    if (!HMAC_Final(hctx, hmac->K, NULL))
++        return 0;
++
++    if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++        return 0;
++    if (!HMAC_Update(hctx, hmac->V, dctx->blocklength))
++        return 0;
++
++    if (!HMAC_Final(hctx, hmac->V, NULL))
++        return 0;
++
++    return 1;
++
++}
++
++static int drbg_hmac_instantiate(DRBG_CTX *dctx,
++                                 const unsigned char *ent, size_t ent_len,
++                                 const unsigned char *nonce, size_t nonce_len,
++                                 const unsigned char *pstr, size_t pstr_len)
++{
++    DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++    memset(hmac->K, 0, dctx->blocklength);
++    memset(hmac->V, 1, dctx->blocklength);
++    if (!drbg_hmac_update(dctx,
++                          ent, ent_len, nonce, nonce_len, pstr, pstr_len))
++        return 0;
++
++#ifdef HMAC_DRBG_TRACE
++    fprintf(stderr, "K+V after instantiate:\n");
++    hexprint(stderr, hmac->K, hmac->blocklength);
++    hexprint(stderr, hmac->V, hmac->blocklength);
++#endif
++    return 1;
++}
++
++static int drbg_hmac_reseed(DRBG_CTX *dctx,
++                            const unsigned char *ent, size_t ent_len,
++                            const unsigned char *adin, size_t adin_len)
++{
++    if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0))
++        return 0;
++
++#ifdef HMAC_DRBG_TRACE
++    {
++        DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++        fprintf(stderr, "K+V after reseed:\n");
++        hexprint(stderr, hmac->K, hmac->blocklength);
++        hexprint(stderr, hmac->V, hmac->blocklength);
++    }
++#endif
++    return 1;
++}
++
++static int drbg_hmac_generate(DRBG_CTX *dctx,
++                              unsigned char *out, size_t outlen,
++                              const unsigned char *adin, size_t adin_len)
++{
++    DRBG_HMAC_CTX *hmac = &dctx->d.hmac;
++    HMAC_CTX *hctx = hmac->hctx;
++    const unsigned char *Vtmp = hmac->V;
++    if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++        return 0;
++    for (;;) {
++        if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL))
++            return 0;
++        if (!HMAC_Update(hctx, Vtmp, dctx->blocklength))
++            return 0;
++        if (outlen > dctx->blocklength) {
++            if (!HMAC_Final(hctx, out, NULL))
++                return 0;
++            Vtmp = out;
++        } else {
++            if (!HMAC_Final(hctx, hmac->V, NULL))
++                return 0;
++            memcpy(out, hmac->V, outlen);
++            break;
++        }
++        out += dctx->blocklength;
++        outlen -= dctx->blocklength;
++    }
++    if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0))
++        return 0;
++
++    return 1;
++}
++
++static int drbg_hmac_uninstantiate(DRBG_CTX *dctx)
++{
++    HMAC_CTX_free(dctx->d.hmac.hctx);
++    OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX));
++    return 1;
++}
++
++int fips_drbg_hmac_init(DRBG_CTX *dctx)
++{
++    const EVP_MD *md = NULL;
++    DRBG_HMAC_CTX *hctx = &dctx->d.hmac;
++    dctx->strength = 256;
++    switch (dctx->type) {
++    case NID_hmacWithSHA1:
++        md = EVP_sha1();
++        dctx->strength = 128;
++        break;
++
++    case NID_hmacWithSHA224:
++        md = EVP_sha224();
++        dctx->strength = 192;
++        break;
++
++    case NID_hmacWithSHA256:
++        md = EVP_sha256();
++        break;
++
++    case NID_hmacWithSHA384:
++        md = EVP_sha384();
++        break;
++
++    case NID_hmacWithSHA512:
++        md = EVP_sha512();
++        break;
++
++    default:
++        dctx->strength = 0;
++        return -2;
++    }
++    dctx->instantiate = drbg_hmac_instantiate;
++    dctx->reseed = drbg_hmac_reseed;
++    dctx->generate = drbg_hmac_generate;
++    dctx->uninstantiate = drbg_hmac_uninstantiate;
++    hctx->hctx = HMAC_CTX_new();
++    if (hctx->hctx == NULL)
++        return -1;
++    hctx->md = md;
++    dctx->blocklength = M_EVP_MD_size(md);
++    dctx->seedlen = M_EVP_MD_size(md);
++
++    dctx->min_entropy = dctx->strength / 8;
++    dctx->max_entropy = DRBG_MAX_LENGTH;
++
++    dctx->min_nonce = dctx->min_entropy / 2;
++    dctx->max_nonce = DRBG_MAX_LENGTH;
++
++    dctx->max_pers = DRBG_MAX_LENGTH;
++    dctx->max_adin = DRBG_MAX_LENGTH;
++
++    dctx->max_request = 1 << 16;
++    dctx->reseed_interval = 1 << 24;
++
++    return 1;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_lib.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,528 @@
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/fips_rand.h>
++#include "fips_locl.h"
++#include "fips_rand_lcl.h"
++
++/* Support framework for SP800-90 DRBGs */
++
++int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags)
++{
++    int rv;
++    memset(dctx, 0, sizeof(DRBG_CTX));
++    dctx->status = DRBG_STATUS_UNINITIALISED;
++    dctx->xflags = flags;
++    dctx->type = type;
++
++    dctx->iflags = 0;
++    dctx->entropy_blocklen = 0;
++    dctx->health_check_cnt = 0;
++    dctx->health_check_interval = DRBG_HEALTH_INTERVAL;
++
++    rv = fips_drbg_hash_init(dctx);
++
++    if (rv == -2)
++        rv = fips_drbg_ctr_init(dctx);
++    if (rv == -2)
++        rv = fips_drbg_hmac_init(dctx);
++
++    if (rv <= 0) {
++        if (rv == -2)
++            FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE);
++        else
++            FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG);
++    }
++
++    /* If not in test mode run selftests on DRBG of the same type */
++
++    if (!(dctx->xflags & DRBG_FLAG_TEST)) {
++        if (!FIPS_drbg_health_check(dctx)) {
++            FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE);
++            return 0;
++        }
++    }
++
++    return rv;
++}
++
++DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags)
++{
++    DRBG_CTX *dctx;
++    dctx = OPENSSL_malloc(sizeof(DRBG_CTX));
++    if (!dctx) {
++        FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE);
++        return NULL;
++    }
++
++    if (type == 0) {
++        memset(dctx, 0, sizeof(DRBG_CTX));
++        dctx->type = 0;
++        dctx->status = DRBG_STATUS_UNINITIALISED;
++        return dctx;
++    }
++
++    if (FIPS_drbg_init(dctx, type, flags) <= 0) {
++        OPENSSL_free(dctx);
++        return NULL;
++    }
++
++    return dctx;
++}
++
++void FIPS_drbg_free(DRBG_CTX *dctx)
++{
++    if (dctx->uninstantiate)
++        dctx->uninstantiate(dctx);
++    /* Don't free up default DRBG */
++    if (dctx == FIPS_get_default_drbg()) {
++        memset(dctx, 0, sizeof(DRBG_CTX));
++        dctx->type = 0;
++        dctx->status = DRBG_STATUS_UNINITIALISED;
++    } else {
++        OPENSSL_cleanse(&dctx->d, sizeof(dctx->d));
++        OPENSSL_free(dctx);
++    }
++}
++
++static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout,
++                               int entropy, size_t min_len, size_t max_len)
++{
++    unsigned char *tout, *p;
++    size_t bl = dctx->entropy_blocklen, rv;
++    if (!dctx->get_entropy)
++        return 0;
++    if (dctx->xflags & DRBG_FLAG_TEST || !bl)
++        return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
++    rv = dctx->get_entropy(dctx, &tout, entropy + bl,
++                           min_len + bl, max_len + bl);
++    if (tout == NULL)
++        return 0;
++    *pout = tout + bl;
++    if (rv < (min_len + bl) || (rv % bl))
++        return 0;
++    /* Compare consecutive blocks for continuous PRNG test */
++    for (p = tout; p < tout + rv - bl; p += bl) {
++        if (!memcmp(p, p + bl, bl)) {
++            FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK);
++            return 0;
++        }
++    }
++    rv -= bl;
++    if (rv > max_len)
++        return max_len;
++    return rv;
++}
++
++static void fips_cleanup_entropy(DRBG_CTX *dctx,
++                                 unsigned char *out, size_t olen)
++{
++    size_t bl;
++    if (dctx->xflags & DRBG_FLAG_TEST)
++        bl = 0;
++    else
++        bl = dctx->entropy_blocklen;
++    /* Call cleanup with original arguments */
++    dctx->cleanup_entropy(dctx, out - bl, olen + bl);
++}
++
++int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++                          const unsigned char *pers, size_t perslen)
++{
++    size_t entlen = 0, noncelen = 0;
++    unsigned char *nonce = NULL, *entropy = NULL;
++
++#if 0
++    /* Put here so error script picks them up */
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE,
++            FIPS_R_PERSONALISATION_STRING_TOO_LONG);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR);
++    FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED);
++#endif
++
++    int r = 0;
++
++    if (perslen > dctx->max_pers) {
++        r = FIPS_R_PERSONALISATION_STRING_TOO_LONG;
++        goto end;
++    }
++
++    if (!dctx->instantiate) {
++        r = FIPS_R_DRBG_NOT_INITIALISED;
++        goto end;
++    }
++
++    if (dctx->status != DRBG_STATUS_UNINITIALISED) {
++        if (dctx->status == DRBG_STATUS_ERROR)
++            r = FIPS_R_IN_ERROR_STATE;
++        else
++            r = FIPS_R_ALREADY_INSTANTIATED;
++        goto end;
++    }
++
++    dctx->status = DRBG_STATUS_ERROR;
++
++    entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++                              dctx->min_entropy, dctx->max_entropy);
++
++    if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++        r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++        goto end;
++    }
++
++    if (dctx->max_nonce > 0 && dctx->get_nonce) {
++        noncelen = dctx->get_nonce(dctx, &nonce,
++                                   dctx->strength / 2,
++                                   dctx->min_nonce, dctx->max_nonce);
++
++        if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) {
++            r = FIPS_R_ERROR_RETRIEVING_NONCE;
++            goto end;
++        }
++
++    }
++
++    if (!dctx->instantiate(dctx,
++                           entropy, entlen, nonce, noncelen, pers, perslen)) {
++        r = FIPS_R_ERROR_INSTANTIATING_DRBG;
++        goto end;
++    }
++
++    dctx->status = DRBG_STATUS_READY;
++    if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++        dctx->reseed_counter = 1;
++
++ end:
++
++    if (entropy && dctx->cleanup_entropy)
++        fips_cleanup_entropy(dctx, entropy, entlen);
++
++    if (nonce && dctx->cleanup_nonce)
++        dctx->cleanup_nonce(dctx, nonce, noncelen);
++
++    if (dctx->status == DRBG_STATUS_READY)
++        return 1;
++
++    if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++        FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r);
++
++    return 0;
++
++}
++
++static int drbg_reseed(DRBG_CTX *dctx,
++                       const unsigned char *adin, size_t adinlen, int hcheck)
++{
++    unsigned char *entropy = NULL;
++    size_t entlen = 0;
++    int r = 0;
++
++#if 0
++    FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED);
++    FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++#endif
++    if (dctx->status != DRBG_STATUS_READY
++        && dctx->status != DRBG_STATUS_RESEED) {
++        if (dctx->status == DRBG_STATUS_ERROR)
++            r = FIPS_R_IN_ERROR_STATE;
++        else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++            r = FIPS_R_NOT_INSTANTIATED;
++        goto end;
++    }
++
++    if (!adin)
++        adinlen = 0;
++    else if (adinlen > dctx->max_adin) {
++        r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++        goto end;
++    }
++
++    dctx->status = DRBG_STATUS_ERROR;
++    /* Peform health check on all reseed operations if not a prediction
++     * resistance request and not in test mode.
++     */
++    if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) {
++        if (!FIPS_drbg_health_check(dctx)) {
++            r = FIPS_R_SELFTEST_FAILURE;
++            goto end;
++        }
++    }
++
++    entlen = fips_get_entropy(dctx, &entropy, dctx->strength,
++                              dctx->min_entropy, dctx->max_entropy);
++
++    if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) {
++        r = FIPS_R_ERROR_RETRIEVING_ENTROPY;
++        goto end;
++    }
++
++    if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen))
++        goto end;
++
++    dctx->status = DRBG_STATUS_READY;
++    if (!(dctx->iflags & DRBG_CUSTOM_RESEED))
++        dctx->reseed_counter = 1;
++ end:
++
++    if (entropy && dctx->cleanup_entropy)
++        fips_cleanup_entropy(dctx, entropy, entlen);
++
++    if (dctx->status == DRBG_STATUS_READY)
++        return 1;
++
++    if (r && !(dctx->iflags & DRBG_FLAG_NOERR))
++        FIPSerr(FIPS_F_DRBG_RESEED, r);
++
++    return 0;
++}
++
++int FIPS_drbg_reseed(DRBG_CTX *dctx,
++                     const unsigned char *adin, size_t adinlen)
++{
++    return drbg_reseed(dctx, adin, adinlen, 1);
++}
++
++static int fips_drbg_check(DRBG_CTX *dctx)
++{
++    if (dctx->xflags & DRBG_FLAG_TEST)
++        return 1;
++    dctx->health_check_cnt++;
++    if (dctx->health_check_cnt >= dctx->health_check_interval) {
++        if (!FIPS_drbg_health_check(dctx)) {
++            FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE);
++            return 0;
++        }
++    }
++    return 1;
++}
++
++int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++                       int prediction_resistance,
++                       const unsigned char *adin, size_t adinlen)
++{
++    int r = 0;
++
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    if (!fips_drbg_check(dctx))
++        return 0;
++
++    if (dctx->status != DRBG_STATUS_READY
++        && dctx->status != DRBG_STATUS_RESEED) {
++        if (dctx->status == DRBG_STATUS_ERROR)
++            r = FIPS_R_IN_ERROR_STATE;
++        else if (dctx->status == DRBG_STATUS_UNINITIALISED)
++            r = FIPS_R_NOT_INSTANTIATED;
++        goto end;
++    }
++
++    if (outlen > dctx->max_request) {
++        r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
++        return 0;
++    }
++
++    if (adinlen > dctx->max_adin) {
++        r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
++        goto end;
++    }
++
++    if (dctx->iflags & DRBG_CUSTOM_RESEED)
++        dctx->generate(dctx, NULL, outlen, NULL, 0);
++    else if (dctx->reseed_counter >= dctx->reseed_interval)
++        dctx->status = DRBG_STATUS_RESEED;
++
++    if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
++        /* If prediction resistance request don't do health check */
++        int hcheck = prediction_resistance ? 0 : 1;
++
++        if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
++            r = FIPS_R_RESEED_ERROR;
++            goto end;
++        }
++        adin = NULL;
++        adinlen = 0;
++    }
++
++    if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
++        r = FIPS_R_GENERATE_ERROR;
++        dctx->status = DRBG_STATUS_ERROR;
++        goto end;
++    }
++    if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
++        if (dctx->reseed_counter >= dctx->reseed_interval)
++            dctx->status = DRBG_STATUS_RESEED;
++        else
++            dctx->reseed_counter++;
++    }
++
++ end:
++    if (r) {
++        if (!(dctx->iflags & DRBG_FLAG_NOERR))
++            FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
++        return 0;
++    }
++
++    return 1;
++}
++
++int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
++{
++    int rv;
++    if (!dctx->uninstantiate)
++        rv = 1;
++    else
++        rv = dctx->uninstantiate(dctx);
++    /* Although we'd like to cleanse here we can't because we have to
++     * test the uninstantiate really zeroes the data.
++     */
++    memset(&dctx->d, 0, sizeof(dctx->d));
++    dctx->status = DRBG_STATUS_UNINITIALISED;
++    /* If method has problems uninstantiating, return error */
++    return rv;
++}
++
++int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++                            size_t (*get_entropy) (DRBG_CTX *ctx,
++                                                   unsigned char **pout,
++                                                   int entropy,
++                                                   size_t min_len,
++                                                   size_t max_len),
++                            void (*cleanup_entropy) (DRBG_CTX *ctx,
++                                                     unsigned char *out,
++                                                     size_t olen),
++                            size_t entropy_blocklen,
++                            size_t (*get_nonce) (DRBG_CTX *ctx,
++                                                 unsigned char **pout,
++                                                 int entropy, size_t min_len,
++                                                 size_t max_len),
++                            void (*cleanup_nonce) (DRBG_CTX *ctx,
++                                                   unsigned char *out,
++                                                   size_t olen))
++{
++    if (dctx->status != DRBG_STATUS_UNINITIALISED)
++        return 0;
++    dctx->entropy_blocklen = entropy_blocklen;
++    dctx->get_entropy = get_entropy;
++    dctx->cleanup_entropy = cleanup_entropy;
++    dctx->get_nonce = get_nonce;
++    dctx->cleanup_nonce = cleanup_nonce;
++    return 1;
++}
++
++int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++                                 size_t (*get_adin) (DRBG_CTX *ctx,
++                                                     unsigned char **pout),
++                                 void (*cleanup_adin) (DRBG_CTX *ctx,
++                                                       unsigned char *out,
++                                                       size_t olen),
++                                 int (*rand_seed_cb) (DRBG_CTX *ctx,
++                                                      const void *buf,
++                                                      int num),
++                                 int (*rand_add_cb) (DRBG_CTX *ctx,
++                                                     const void *buf, int num,
++                                                     double entropy))
++{
++    if (dctx->status != DRBG_STATUS_UNINITIALISED)
++        return 0;
++    dctx->get_adin = get_adin;
++    dctx->cleanup_adin = cleanup_adin;
++    dctx->rand_seed_cb = rand_seed_cb;
++    dctx->rand_add_cb = rand_add_cb;
++    return 1;
++}
++
++void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
++{
++    return dctx->app_data;
++}
++
++void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
++{
++    dctx->app_data = app_data;
++}
++
++size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
++{
++    return dctx->blocklength;
++}
++
++int FIPS_drbg_get_strength(DRBG_CTX *dctx)
++{
++    return dctx->strength;
++}
++
++void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
++{
++    dctx->health_check_interval = interval;
++}
++
++void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
++{
++    dctx->reseed_interval = interval;
++}
++
++void FIPS_drbg_stick(int onoff)
++{
++    /* Just backwards compatibility API call with no effect. */
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_rand.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips	2021-03-03 12:57:42.199734525 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c	2021-03-03 12:57:42.199734525 +0100
+@@ -0,0 +1,185 @@
++/* fips/rand/fips_drbg_rand.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include "internal/thread_once.h"
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++
++/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */
++
++/* Since we only have one global PRNG used at any time in OpenSSL use a global
++ * variable to store context.
++ */
++
++static DRBG_CTX ossl_dctx;
++
++static CRYPTO_RWLOCK *fips_rand_lock = NULL;
++static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
++
++DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
++{
++    fips_rand_lock = CRYPTO_THREAD_lock_new();
++    return fips_rand_lock != NULL;
++}
++
++DRBG_CTX *FIPS_get_default_drbg(void)
++{
++    if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
++        return NULL;
++    return &ossl_dctx;
++}
++
++static int fips_drbg_bytes(unsigned char *out, int count)
++{
++    DRBG_CTX *dctx = &ossl_dctx;
++    int rv = 0;
++    unsigned char *adin = NULL;
++    size_t adinlen = 0;
++    CRYPTO_THREAD_write_lock(fips_rand_lock);
++    do {
++        size_t rcnt;
++        if (count > (int)dctx->max_request)
++            rcnt = dctx->max_request;
++        else
++            rcnt = count;
++        if (dctx->get_adin) {
++            adinlen = dctx->get_adin(dctx, &adin);
++            if (adinlen && !adin) {
++                FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
++                        FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
++                goto err;
++            }
++        }
++        rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
++        if (adin) {
++            if (dctx->cleanup_adin)
++                dctx->cleanup_adin(dctx, adin, adinlen);
++            adin = NULL;
++        }
++        if (!rv)
++            goto err;
++        out += rcnt;
++        count -= rcnt;
++    }
++    while (count);
++    rv = 1;
++ err:
++    CRYPTO_THREAD_unlock(fips_rand_lock);
++    return rv;
++}
++
++static int fips_drbg_pseudo(unsigned char *out, int count)
++{
++    if (fips_drbg_bytes(out, count) <= 0)
++        return -1;
++    return 1;
++}
++
++static int fips_drbg_status(void)
++{
++    DRBG_CTX *dctx = &ossl_dctx;
++    int rv;
++    CRYPTO_THREAD_read_lock(fips_rand_lock);
++    rv = dctx->status == DRBG_STATUS_READY ? 1 : 0;
++    CRYPTO_THREAD_unlock(fips_rand_lock);
++    return rv;
++}
++
++static void fips_drbg_cleanup(void)
++{
++    DRBG_CTX *dctx = &ossl_dctx;
++    CRYPTO_THREAD_write_lock(fips_rand_lock);
++    FIPS_drbg_uninstantiate(dctx);
++    CRYPTO_THREAD_unlock(fips_rand_lock);
++}
++
++static int fips_drbg_seed(const void *seed, int seedlen)
++{
++    DRBG_CTX *dctx = &ossl_dctx;
++    int ret = 1;
++    CRYPTO_THREAD_write_lock(fips_rand_lock);
++    if (dctx->rand_seed_cb)
++        ret = dctx->rand_seed_cb(dctx, seed, seedlen);
++    CRYPTO_THREAD_unlock(fips_rand_lock);
++    return ret;
++}
++
++static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
++{
++    DRBG_CTX *dctx = &ossl_dctx;
++    int ret = 1;
++    CRYPTO_THREAD_write_lock(fips_rand_lock);
++    if (dctx->rand_add_cb)
++        ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
++    CRYPTO_THREAD_unlock(fips_rand_lock);
++    return ret;
++}
++
++static const RAND_METHOD rand_drbg_meth = {
++    fips_drbg_seed,
++    fips_drbg_bytes,
++    fips_drbg_cleanup,
++    fips_drbg_add,
++    fips_drbg_pseudo,
++    fips_drbg_status
++};
++
++const RAND_METHOD *FIPS_drbg_method(void)
++{
++    return &rand_drbg_meth;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips	2021-03-03 12:57:42.200734534 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c	2021-03-03 12:57:42.200734534 +0100
+@@ -0,0 +1,828 @@
++/* fips/rand/fips_drbg_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include <openssl/fips_rand.h>
++#include "fips_rand_lcl.h"
++#include "fips_locl.h"
++
++#include "fips_drbg_selftest.h"
++
++typedef struct {
++    int post;
++    int nid;
++    unsigned int flags;
++
++    /* KAT data for no PR */
++    const unsigned char *ent;
++    size_t entlen;
++    const unsigned char *nonce;
++    size_t noncelen;
++    const unsigned char *pers;
++    size_t perslen;
++    const unsigned char *adin;
++    size_t adinlen;
++    const unsigned char *entreseed;
++    size_t entreseedlen;
++    const unsigned char *adinreseed;
++    size_t adinreseedlen;
++    const unsigned char *adin2;
++    size_t adin2len;
++    const unsigned char *kat;
++    size_t katlen;
++    const unsigned char *kat2;
++    size_t kat2len;
++
++    /* KAT data for PR */
++    const unsigned char *ent_pr;
++    size_t entlen_pr;
++    const unsigned char *nonce_pr;
++    size_t noncelen_pr;
++    const unsigned char *pers_pr;
++    size_t perslen_pr;
++    const unsigned char *adin_pr;
++    size_t adinlen_pr;
++    const unsigned char *entpr_pr;
++    size_t entprlen_pr;
++    const unsigned char *ading_pr;
++    size_t adinglen_pr;
++    const unsigned char *entg_pr;
++    size_t entglen_pr;
++    const unsigned char *kat_pr;
++    size_t katlen_pr;
++    const unsigned char *kat2_pr;
++    size_t kat2len_pr;
++
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \
++        pr##_entropyinput, sizeof(pr##_entropyinput), \
++        pr##_nonce, sizeof(pr##_nonce), \
++        pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++        pr##_additionalinput, sizeof(pr##_additionalinput), \
++        pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++        pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++        pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++        pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++        pr##_returnedbits, sizeof(pr##_returnedbits), \
++        pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++        pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++        pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++        pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++        pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++        pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++        pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++        pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++        pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \
++        }
++
++#define make_drbg_test_data_df(nid, pr, p) \
++        make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p)
++
++#define make_drbg_test_data_ec(curve, md, pr, p) \
++        make_drbg_test_data((curve << 16) | md , 0, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++    make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0),
++    make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0),
++    make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1),
++    make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0),
++    make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0),
++    make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1),
++    make_drbg_test_data(NID_sha1, 0, sha1, 0),
++    make_drbg_test_data(NID_sha224, 0, sha224, 0),
++    make_drbg_test_data(NID_sha256, 0, sha256, 1),
++    make_drbg_test_data(NID_sha384, 0, sha384, 0),
++    make_drbg_test_data(NID_sha512, 0, sha512, 0),
++    make_drbg_test_data(NID_hmacWithSHA1, 0, hmac_sha1, 0),
++    make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0),
++    make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1),
++    make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0),
++    make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0),
++    {0, 0, 0}
++};
++
++typedef struct {
++    const unsigned char *ent;
++    size_t entlen;
++    int entcnt;
++    const unsigned char *nonce;
++    size_t noncelen;
++    int noncecnt;
++} TEST_ENT;
++
++static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout,
++                           int entropy, size_t min_len, size_t max_len)
++{
++    TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++    *pout = (unsigned char *)t->ent;
++    t->entcnt++;
++    return t->entlen;
++}
++
++static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout,
++                         int entropy, size_t min_len, size_t max_len)
++{
++    TEST_ENT *t = FIPS_drbg_get_app_data(dctx);
++    *pout = (unsigned char *)t->nonce;
++    t->noncecnt++;
++    return t->noncelen;
++}
++
++static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++                                int quick)
++{
++    TEST_ENT t;
++    int rv = 0;
++    size_t adinlen;
++    unsigned char randout[1024];
++
++    /* Initial test without PR */
++
++    /* Instantiate DRBG with test entropy, nonce and personalisation
++     * string.
++     */
++
++    if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++        return 0;
++    if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++        return 0;
++
++    FIPS_drbg_set_app_data(dctx, &t);
++
++    t.ent = td->ent;
++    t.entlen = td->entlen;
++    t.nonce = td->nonce;
++    t.noncelen = td->noncelen;
++    t.entcnt = 0;
++    t.noncecnt = 0;
++
++    if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++        goto err;
++
++    /* Note for CTR without DF some additional input values
++     * ignore bytes after the keylength: so reduce adinlen
++     * to half to ensure invalid data is fed in.
++     */
++    if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++        adinlen = td->adinlen / 2;
++    else
++        adinlen = td->adinlen;
++
++    /* Generate with no PR and verify output matches expected data */
++    if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen))
++        goto err;
++
++    if (memcmp(randout, td->kat, td->katlen)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE);
++        goto err2;
++    }
++    /* If abbreviated POST end of test */
++    if (quick) {
++        rv = 1;
++        goto err;
++    }
++    /* Reseed DRBG with test entropy and additional input */
++    t.ent = td->entreseed;
++    t.entlen = td->entreseedlen;
++
++    if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen))
++        goto err;
++
++    /* Generate with no PR and verify output matches expected data */
++    if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0,
++                            td->adin2, td->adin2len))
++        goto err;
++
++    if (memcmp(randout, td->kat2, td->kat2len)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE);
++        goto err2;
++    }
++
++    FIPS_drbg_uninstantiate(dctx);
++
++    /* Now test with PR */
++
++    /* Instantiate DRBG with test entropy, nonce and personalisation
++     * string.
++     */
++    if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++        return 0;
++    if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++        return 0;
++
++    FIPS_drbg_set_app_data(dctx, &t);
++
++    t.ent = td->ent_pr;
++    t.entlen = td->entlen_pr;
++    t.nonce = td->nonce_pr;
++    t.noncelen = td->noncelen_pr;
++    t.entcnt = 0;
++    t.noncecnt = 0;
++
++    if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr))
++        goto err;
++
++    /* Now generate with PR: we need to supply entropy as this will
++     * perform a reseed operation. Check output matches expected value.
++     */
++
++    t.ent = td->entpr_pr;
++    t.entlen = td->entprlen_pr;
++
++    /* Note for CTR without DF some additional input values
++     * ignore bytes after the keylength: so reduce adinlen
++     * to half to ensure invalid data is fed in.
++     */
++    if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags))
++        adinlen = td->adinlen_pr / 2;
++    else
++        adinlen = td->adinlen_pr;
++    if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1,
++                            td->adin_pr, adinlen))
++        goto err;
++
++    if (memcmp(randout, td->kat_pr, td->katlen_pr)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE);
++        goto err2;
++    }
++
++    /* Now generate again with PR: supply new entropy again.
++     * Check output matches expected value.
++     */
++
++    t.ent = td->entg_pr;
++    t.entlen = td->entglen_pr;
++
++    if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1,
++                            td->ading_pr, td->adinglen_pr))
++        goto err;
++
++    if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE);
++        goto err2;
++    }
++    /* All OK, test complete */
++    rv = 1;
++
++ err:
++    if (rv == 0)
++        FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED);
++ err2:
++    FIPS_drbg_uninstantiate(dctx);
++
++    return rv;
++
++}
++
++/* Initialise a DRBG based on selftest data */
++
++static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t)
++{
++
++    if (!FIPS_drbg_init(dctx, td->nid, td->flags))
++        return 0;
++
++    if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0))
++        return 0;
++
++    FIPS_drbg_set_app_data(dctx, t);
++
++    t->ent = td->ent;
++    t->entlen = td->entlen;
++    t->nonce = td->nonce;
++    t->noncelen = td->noncelen;
++    t->entcnt = 0;
++    t->noncecnt = 0;
++    return 1;
++}
++
++/* Initialise and instantiate DRBG based on selftest data */
++static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td,
++                               TEST_ENT * t)
++{
++    if (!do_drbg_init(dctx, td, t))
++        return 0;
++    if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen))
++        return 0;
++
++    return 1;
++}
++
++/* This function performs extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ * This function along with fips_drbg_single_kat peforms the health checking
++ * operation.
++ */
++
++static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td)
++{
++    unsigned char randout[1024];
++    TEST_ENT t;
++    size_t i;
++    unsigned int reseed_counter_tmp;
++    unsigned char *p = (unsigned char *)dctx;
++
++    /* Initialise DRBG */
++
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    /* Don't report induced errors */
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    /* Personalisation string tests */
++
++    /* Test detection of too large personlisation string */
++
++    if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_PERSONALISATION_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    /* Entropy source tests */
++
++    /* Test entropy source failure detecion: i.e. returns no data */
++
++    t.entlen = 0;
++
++    if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    /* Try to generate output from uninstantiated DRBG */
++    if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++                           td->adin, td->adinlen)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_GENERATE_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    /* Test insufficient entropy */
++
++    t.entlen = dctx->min_entropy - 1;
++
++    if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Test too much entropy */
++
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    t.entlen = dctx->max_entropy + 1;
++
++    if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Nonce tests */
++
++    /* Test too small nonce */
++
++    if (dctx->min_nonce) {
++
++        if (!do_drbg_init(dctx, td, &t))
++            goto err;
++
++        dctx->iflags |= DRBG_FLAG_NOERR;
++
++        t.noncelen = dctx->min_nonce - 1;
++
++        if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++            FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                    FIPS_R_NONCE_ERROR_UNDETECTED);
++            goto err;
++        }
++
++        dctx->iflags &= ~DRBG_FLAG_NOERR;
++        if (!FIPS_drbg_uninstantiate(dctx)) {
++            FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++            goto err;
++        }
++
++    }
++
++    /* Test too large nonce */
++
++    if (dctx->max_nonce) {
++
++        if (!do_drbg_init(dctx, td, &t))
++            goto err;
++
++        dctx->iflags |= DRBG_FLAG_NOERR;
++
++        t.noncelen = dctx->max_nonce + 1;
++
++        if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) {
++            FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                    FIPS_R_NONCE_ERROR_UNDETECTED);
++            goto err;
++        }
++
++        dctx->iflags &= ~DRBG_FLAG_NOERR;
++        if (!FIPS_drbg_uninstantiate(dctx)) {
++            FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++            goto err;
++        }
++
++    }
++
++    /* Instantiate with valid data. */
++    if (!do_drbg_instantiate(dctx, td, &t))
++        goto err;
++
++    /* Check generation is now OK */
++    if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++                            td->adin, td->adinlen))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    /* Request too much data for one request */
++    if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0,
++                           td->adin, td->adinlen)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    /* Try too large additional input */
++    if (FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++                           td->adin, dctx->max_adin + 1)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    /* Check prediction resistance request fails if entropy source
++     * failure.
++     */
++
++    t.entlen = 0;
++
++    if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++                           td->adin, td->adinlen)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Instantiate again with valid data */
++
++    if (!do_drbg_instantiate(dctx, td, &t))
++        goto err;
++    /* Test reseed counter works */
++    /* Save initial reseed counter */
++    reseed_counter_tmp = dctx->reseed_counter;
++    /* Set reseed counter to beyond interval */
++    dctx->reseed_counter = dctx->reseed_interval;
++
++    /* Generate output and check entropy has been requested for reseed */
++    t.entcnt = 0;
++    if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++                            td->adin, td->adinlen))
++        goto err;
++    if (t.entcnt != 1) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++        goto err;
++    }
++    /* Check reseed counter has been reset */
++    if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Check prediction resistance request fails if entropy source
++     * failure.
++     */
++
++    t.entlen = 0;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++    if (FIPS_drbg_generate(dctx, randout, td->katlen, 1,
++                           td->adin, td->adinlen)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    if (!do_drbg_instantiate(dctx, td, &t))
++        goto err;
++    /* Test reseed counter works */
++    /* Save initial reseed counter */
++    reseed_counter_tmp = dctx->reseed_counter;
++    /* Set reseed counter to beyond interval */
++    dctx->reseed_counter = dctx->reseed_interval;
++
++    /* Generate output and check entropy has been requested for reseed */
++    t.entcnt = 0;
++    if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0,
++                            td->adin, td->adinlen))
++        goto err;
++    if (t.entcnt != 1) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED);
++        goto err;
++    }
++    /* Check reseed counter has been reset */
++    if (dctx->reseed_counter != reseed_counter_tmp + 1) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR);
++        goto err;
++    }
++
++    dctx->iflags &= ~DRBG_FLAG_NOERR;
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Explicit reseed tests */
++
++    /* Test explicit reseed with too large additional input */
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    /* Test explicit reseed with entropy source failure */
++
++    t.entlen = 0;
++
++    if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Test explicit reseed with too much entropy */
++
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    t.entlen = dctx->max_entropy + 1;
++
++    if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    /* Test explicit reseed with too little entropy */
++
++    if (!do_drbg_init(dctx, td, &t))
++        goto err;
++
++    dctx->iflags |= DRBG_FLAG_NOERR;
++
++    t.entlen = dctx->min_entropy - 1;
++
++    if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                FIPS_R_ENTROPY_ERROR_UNDETECTED);
++        goto err;
++    }
++
++    if (!FIPS_drbg_uninstantiate(dctx)) {
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR);
++        goto err;
++    }
++
++    p = (unsigned char *)&dctx->d;
++    /* Standard says we have to check uninstantiate really zeroes
++     * the data...
++     */
++    for (i = 0; i < sizeof(dctx->d); i++) {
++        if (*p != 0) {
++            FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK,
++                    FIPS_R_UNINSTANTIATE_ZEROISE_ERROR);
++            goto err;
++        }
++        p++;
++    }
++
++    return 1;
++
++ err:
++    /* A real error as opposed to an induced one: underlying function will
++     * indicate the error.
++     */
++    if (!(dctx->iflags & DRBG_FLAG_NOERR))
++        FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
++    FIPS_drbg_uninstantiate(dctx);
++    return 0;
++
++}
++
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
++{
++    DRBG_SELFTEST_DATA *td;
++    flags |= DRBG_FLAG_TEST;
++    for (td = drbg_test; td->nid != 0; td++) {
++        if (td->nid == nid && td->flags == flags) {
++            if (!fips_drbg_single_kat(dctx, td, 0))
++                return 0;
++            return fips_drbg_error_check(dctx, td);
++        }
++    }
++    return 0;
++}
++
++int FIPS_drbg_health_check(DRBG_CTX *dctx)
++{
++    int rv;
++    DRBG_CTX *tctx = NULL;
++    tctx = FIPS_drbg_new(0, 0);
++    fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++    if (!tctx)
++        return 0;
++    rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
++    if (tctx)
++        FIPS_drbg_free(tctx);
++    if (rv)
++        fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++    else
++        fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
++    if (!rv)
++        dctx->status = DRBG_STATUS_ERROR;
++    else
++        dctx->health_check_cnt = 0;
++    return rv;
++}
++
++int FIPS_selftest_drbg(void)
++{
++    DRBG_CTX *dctx;
++    DRBG_SELFTEST_DATA *td;
++    int rv = 1;
++    dctx = FIPS_drbg_new(0, 0);
++    if (!dctx)
++        return 0;
++    for (td = drbg_test; td->nid != 0; td++) {
++        if (td->post != 1)
++            continue;
++        if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++            return 1;
++        if (!fips_drbg_single_kat(dctx, td, 1)) {
++            fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++            rv = 0;
++            continue;
++        }
++        if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++            return 0;
++    }
++    FIPS_drbg_free(dctx);
++    return rv;
++}
++
++int FIPS_selftest_drbg_all(void)
++{
++    DRBG_CTX *dctx;
++    DRBG_SELFTEST_DATA *td;
++    int rv = 1;
++    dctx = FIPS_drbg_new(0, 0);
++    if (!dctx)
++        return 0;
++    for (td = drbg_test; td->nid != 0; td++) {
++        if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
++            return 1;
++        if (!fips_drbg_single_kat(dctx, td, 0)) {
++            fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++            rv = 0;
++            continue;
++        }
++        if (!fips_drbg_error_check(dctx, td)) {
++            fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
++            rv = 0;
++            continue;
++        }
++        if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
++            return 0;
++    }
++    FIPS_drbg_free(dctx);
++    return rv;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h
+--- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips	2021-03-03 12:57:42.200734534 +0100
++++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h	2021-03-03 12:57:42.200734534 +0100
+@@ -0,0 +1,1791 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* Selftest and health check data for the SP800-90 DRBG */
++
++#define __fips_constseg
++
++/* AES-128 use df PR  */
++__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++    0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++    0xc8, 0xdb, 0xff, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = {
++    0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++    0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++    0xd7, 0xd7, 0x01, 0x67
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++    0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++    0x9a, 0x47, 0x08, 0x76
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++    0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++    0x09, 0xfb, 0xa3, 0xb6
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++    0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++    0x66, 0x1c, 0xea, 0x5b
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++    0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++    0x3f, 0x5e, 0x31, 0x06
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++    0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++    0xa7, 0xe3, 0xa8, 0x67
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++    0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++    0x0f, 0x38, 0x43, 0xc6
++};
++
++/* AES-128 use df No PR  */
++__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = {
++    0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++    0x9d, 0x7d, 0x1c, 0x9b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_nonce[] = {
++    0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_personalizationstring[] = {
++    0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++    0x38, 0x66, 0xba, 0x1b
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = {
++    0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++    0xb5, 0xe2, 0xb2, 0x41
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = {
++    0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++    0xe7, 0x57, 0x11, 0xb4
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++    0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++    0xc7, 0xc4, 0x9e, 0x39
++};
++
++__fips_constseg
++    static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++    0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++    0xc8, 0x93, 0xfa, 0x84
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = {
++    0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++    0x06, 0x0c, 0x15, 0x2c
++};
++
++__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = {
++    0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++    0x46, 0x81, 0xc7, 0x19
++};
++
++/* AES-192 use df PR  */
++__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++    0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++    0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = {
++    0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++    0xd1, 0x80, 0x78, 0xfa
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++    0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++    0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++    0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++    0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++    0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++    0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++    0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++    0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++    0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++    0x19, 0x30, 0x6b, 0x67
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++    0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++    0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++    0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++    0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++    0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++    0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++    0x7e, 0x1a, 0x2b, 0x83
++};
++
++/* AES-192 use df No PR  */
++__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = {
++    0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++    0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_nonce[] = {
++    0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++    0x77, 0xd7, 0x41, 0x0e
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_personalizationstring[] = {
++    0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++    0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++    0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = {
++    0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++    0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++    0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = {
++    0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++    0xb7, 0xed, 0xe9, 0xea
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++    0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++    0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01
++};
++
++__fips_constseg
++    static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++    0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++    0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++    0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = {
++    0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++    0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++    0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++
++__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = {
++    0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++    0x1a, 0xf9, 0x13, 0x28
++};
++
++/* AES-256 use df PR  */
++__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++    0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++    0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++    0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = {
++    0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++    0x2b, 0x36, 0xff, 0xa4
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++    0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++    0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++    0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++    0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++    0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++    0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++    0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++    0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++    0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++    0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++    0x17, 0xab, 0x3c, 0x7a
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++    0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++    0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++    0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++    0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++    0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++    0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++    0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++    0xd9, 0xe2, 0x97, 0x00
++};
++
++/* AES-256 use df No PR  */
++__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = {
++    0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++    0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++    0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_nonce[] = {
++    0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++    0x4c, 0x44, 0x84, 0x40
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_personalizationstring[] = {
++    0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++    0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++    0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = {
++    0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++    0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++    0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = {
++    0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++    0x28, 0x0c, 0x3b, 0xc1
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++    0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++    0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++    0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++
++__fips_constseg
++    static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++    0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++    0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++    0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = {
++    0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++    0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++    0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++
++__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = {
++    0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++    0xfa, 0xfd, 0x35, 0x5e
++};
++
++/* AES-128 no df PR  */
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++    0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++    0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++    0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = {
++    0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++    0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++    0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++    0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++    0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++    0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++    0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++    0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++    0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++    0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++    0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++    0xaf, 0x19, 0x32, 0x16
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++    0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++    0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++    0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++    0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++    0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++    0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++    0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++    0x57, 0x82, 0x33, 0xaf
++};
++
++/* AES-128 no df No PR  */
++__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = {
++    0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++    0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++    0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_nonce[] = {
++    0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_personalizationstring[] = {
++    0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++    0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++    0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = {
++    0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++    0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++    0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = {
++    0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++    0xed, 0x3e, 0x65, 0xc2
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++    0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++    0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++    0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++
++__fips_constseg
++    static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++    0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++    0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++    0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = {
++    0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++    0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++    0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++
++__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = {
++    0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++    0x81, 0x37, 0x19, 0xd4
++};
++
++/* AES-192 no df PR  */
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++    0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++    0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++    0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++    0x17, 0x1f, 0x8d, 0x9a
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = {
++    0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++    0x61, 0x5c, 0xee, 0x0f
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++    0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++    0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++    0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++    0x57, 0x2e, 0xe7, 0x55
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++    0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++    0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++    0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++    0xe2, 0xd0, 0x0c, 0x2f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++    0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++    0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++    0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++    0x1d, 0x30, 0xb3, 0x78
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++    0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++    0x7e, 0x3e, 0x0c, 0x26
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++    0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++    0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++    0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++    0x0c, 0x4b, 0xee, 0x6e
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++    0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++    0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++    0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++    0x8e, 0x0a, 0x83, 0xdf
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++    0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++    0xb9, 0xa1, 0x21, 0x68
++};
++
++/* AES-192 no df No PR  */
++__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = {
++    0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++    0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++    0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++    0x94, 0xc3, 0x59, 0x63
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_nonce[] = {
++    0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++    0x29, 0xfd, 0x45, 0x71
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_personalizationstring[] = {
++    0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++    0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++    0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++    0x3b, 0x88, 0xce, 0x35
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = {
++    0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++    0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++    0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++    0x3e, 0xbe, 0xd4, 0x8e
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = {
++    0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++    0x45, 0xe7, 0x4a, 0xc5
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++    0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++    0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++    0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++    0x9b, 0xcb, 0x7e, 0x75
++};
++
++__fips_constseg
++    static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++    0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++    0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++    0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++    0x5d, 0x7a, 0x25, 0x79
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = {
++    0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++    0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++    0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++    0x91, 0x6a, 0xe3, 0x5f
++};
++
++__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = {
++    0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++    0x66, 0x67, 0x2c, 0x92
++};
++
++/* AES-256 no df PR  */
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++    0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++    0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++    0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++    0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = {
++    0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++    0xcc, 0x4b, 0xee, 0x2e
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++    0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++    0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++    0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++    0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++    0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++    0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++    0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++    0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++    0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++    0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++    0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++    0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++    0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++    0x79, 0x60, 0x93, 0xcf
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++    0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++    0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++    0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++    0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++    0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++    0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++    0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++    0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++    0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++    0x2d, 0x5f, 0x4a, 0x46
++};
++
++/* AES-256 no df No PR  */
++__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = {
++    0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++    0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++    0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++    0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_nonce[] = {
++    0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++    0x43, 0x96, 0xb9, 0xf0
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_personalizationstring[] = {
++    0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++    0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++    0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++    0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = {
++    0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++    0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++    0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++    0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = {
++    0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++    0xd2, 0x25, 0x75, 0x0e
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++    0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++    0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++    0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++    0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb
++};
++
++__fips_constseg
++    static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++    0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++    0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++    0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++    0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = {
++    0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++    0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++    0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++    0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6
++};
++
++__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = {
++    0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++    0xf6, 0x02, 0x32, 0xe2
++};
++
++/* SHA-1 PR  */
++__fips_constseg static const unsigned char sha1_pr_entropyinput[] = {
++    0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2,
++    0x31, 0xa5, 0x91, 0x13
++};
++
++__fips_constseg static const unsigned char sha1_pr_nonce[] = {
++    0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3
++};
++
++__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = {
++    0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60,
++    0xda, 0xea, 0x77, 0x52
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput[] = {
++    0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22,
++    0x6a, 0x51, 0xe3, 0xf8
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = {
++    0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9,
++    0xcb, 0xa9, 0x36, 0x7a
++};
++
++__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = {
++    0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e,
++    0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35
++};
++
++__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = {
++    0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99,
++    0x16, 0x03, 0x19, 0x47
++};
++
++__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = {
++    0x4e, 0x8c, 0x49, 0x9b, 0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2,
++    0xae, 0xcd, 0x8c, 0xc4
++};
++
++__fips_constseg static const unsigned char sha1_pr_returnedbits[] = {
++    0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6,
++    0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87
++};
++
++/* SHA-1 No PR  */
++__fips_constseg static const unsigned char sha1_entropyinput[] = {
++    0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9,
++    0xe2, 0x7f, 0x4c, 0x7b
++};
++
++__fips_constseg static const unsigned char sha1_nonce[] = {
++    0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14
++};
++
++__fips_constseg static const unsigned char sha1_personalizationstring[] = {
++    0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76,
++    0x28, 0xec, 0x6d, 0xca
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput[] = {
++    0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35,
++    0xc0, 0x72, 0xca, 0x28
++};
++
++__fips_constseg static const unsigned char sha1_int_returnedbits[] = {
++    0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72,
++    0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea
++};
++
++__fips_constseg static const unsigned char sha1_entropyinputreseed[] = {
++    0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96,
++    0xd6, 0x99, 0x27, 0xed
++};
++
++__fips_constseg static const unsigned char sha1_additionalinputreseed[] = {
++    0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda,
++    0x84, 0x3d, 0xd4, 0xc0
++};
++
++__fips_constseg static const unsigned char sha1_additionalinput2[] = {
++    0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e,
++    0x52, 0x65, 0xcd, 0x96
++};
++
++__fips_constseg static const unsigned char sha1_returnedbits[] = {
++    0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce,
++    0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7
++};
++
++/* SHA-224 PR  */
++__fips_constseg static const unsigned char sha224_pr_entropyinput[] = {
++    0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75,
++    0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9
++};
++
++__fips_constseg static const unsigned char sha224_pr_nonce[] = {
++    0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71
++};
++
++__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = {
++    0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0,
++    0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput[] = {
++    0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88,
++    0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = {
++    0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1,
++    0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1
++};
++
++__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = {
++    0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a,
++    0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1,
++    0x54, 0x60, 0xee, 0x6a
++};
++
++__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = {
++    0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52,
++    0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60
++};
++
++__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = {
++    0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77,
++    0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11
++};
++
++__fips_constseg static const unsigned char sha224_pr_returnedbits[] = {
++    0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20,
++    0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e,
++    0xdd, 0x11, 0x4c, 0xc4
++};
++
++/* SHA-224 No PR  */
++__fips_constseg static const unsigned char sha224_entropyinput[] = {
++    0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29,
++    0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb
++};
++
++__fips_constseg static const unsigned char sha224_nonce[] = {
++    0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0
++};
++
++__fips_constseg static const unsigned char sha224_personalizationstring[] = {
++    0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda,
++    0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput[] = {
++    0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00,
++    0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f
++};
++
++__fips_constseg static const unsigned char sha224_int_returnedbits[] = {
++    0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa,
++    0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20,
++    0x55, 0x22, 0x9a, 0xad
++};
++
++__fips_constseg static const unsigned char sha224_entropyinputreseed[] = {
++    0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5,
++    0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17
++};
++
++__fips_constseg static const unsigned char sha224_additionalinputreseed[] = {
++    0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6,
++    0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19
++};
++
++__fips_constseg static const unsigned char sha224_additionalinput2[] = {
++    0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d,
++    0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6
++};
++
++__fips_constseg static const unsigned char sha224_returnedbits[] = {
++    0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 0x8b,
++    0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a,
++    0x3b, 0xa7, 0x5c, 0x93
++};
++
++/* SHA-256 PR  */
++__fips_constseg static const unsigned char sha256_pr_entropyinput[] = {
++    0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4,
++    0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb,
++    0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe
++};
++
++__fips_constseg static const unsigned char sha256_pr_nonce[] = {
++    0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d,
++    0x2b, 0x91, 0x4d, 0x38
++};
++
++__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = {
++    0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56,
++    0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48,
++    0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput[] = {
++    0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac,
++    0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5,
++    0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = {
++    0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8,
++    0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94,
++    0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78
++};
++
++__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = {
++    0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2,
++    0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7,
++    0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = {
++    0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b,
++    0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43,
++    0x12, 0xa4, 0x5f, 0xd4, 0xec, 0xfc, 0xcd, 0x09
++};
++
++__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = {
++    0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2,
++    0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d,
++    0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86
++};
++
++__fips_constseg static const unsigned char sha256_pr_returnedbits[] = {
++    0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3,
++    0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64,
++    0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2
++};
++
++/* SHA-256 No PR  */
++__fips_constseg static const unsigned char sha256_entropyinput[] = {
++    0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5,
++    0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7,
++    0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c
++};
++
++__fips_constseg static const unsigned char sha256_nonce[] = {
++    0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5,
++    0x5d, 0x6f, 0x6d, 0x35
++};
++
++__fips_constseg static const unsigned char sha256_personalizationstring[] = {
++    0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde,
++    0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20,
++    0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput[] = {
++    0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4,
++    0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a,
++    0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87
++};
++
++__fips_constseg static const unsigned char sha256_int_returnedbits[] = {
++    0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1,
++    0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e,
++    0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76
++};
++
++__fips_constseg static const unsigned char sha256_entropyinputreseed[] = {
++    0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d,
++    0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34,
++    0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d
++};
++
++__fips_constseg static const unsigned char sha256_additionalinputreseed[] = {
++    0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda,
++    0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac,
++    0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8
++};
++
++__fips_constseg static const unsigned char sha256_additionalinput2[] = {
++    0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15,
++    0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3,
++    0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda
++};
++
++__fips_constseg static const unsigned char sha256_returnedbits[] = {
++    0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d,
++    0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd,
++    0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3
++};
++
++/* SHA-384 PR  */
++__fips_constseg static const unsigned char sha384_pr_entropyinput[] = {
++    0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24,
++    0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55,
++    0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e
++};
++
++__fips_constseg static const unsigned char sha384_pr_nonce[] = {
++    0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd,
++    0x38, 0x3e, 0x2e, 0x56
++};
++
++__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = {
++    0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96,
++    0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d,
++    0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput[] = {
++    0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39,
++    0x68, 0xf3, 0xa8, 0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06,
++    0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = {
++    0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64,
++    0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc,
++    0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d
++};
++
++__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = {
++    0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f,
++    0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45,
++    0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b,
++    0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf
++};
++
++__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = {
++    0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2,
++    0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03,
++    0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18
++};
++
++__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = {
++    0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7,
++    0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90,
++    0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81
++};
++
++__fips_constseg static const unsigned char sha384_pr_returnedbits[] = {
++    0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb,
++    0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12,
++    0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53,
++    0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66
++};
++
++/* SHA-384 No PR  */
++__fips_constseg static const unsigned char sha384_entropyinput[] = {
++    0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69,
++    0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d,
++    0x6a, 0xcc, 0xcd, 0x60, 0xa3, 0x68, 0xca, 0xf4
++};
++
++__fips_constseg static const unsigned char sha384_nonce[] = {
++    0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77,
++    0x44, 0xaf, 0x2f, 0x09
++};
++
++__fips_constseg static const unsigned char sha384_personalizationstring[] = {
++    0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb,
++    0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca,
++    0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput[] = {
++    0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb,
++    0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02,
++    0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48
++};
++
++__fips_constseg static const unsigned char sha384_int_returnedbits[] = {
++    0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04,
++    0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63,
++    0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa,
++    0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a
++};
++
++__fips_constseg static const unsigned char sha384_entropyinputreseed[] = {
++    0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2,
++    0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27,
++    0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c
++};
++
++__fips_constseg static const unsigned char sha384_additionalinputreseed[] = {
++    0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f,
++    0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e,
++    0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22
++};
++
++__fips_constseg static const unsigned char sha384_additionalinput2[] = {
++    0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea,
++    0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2,
++    0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 0x80, 0x94
++};
++
++__fips_constseg static const unsigned char sha384_returnedbits[] = {
++    0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd,
++    0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9,
++    0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54,
++    0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7
++};
++
++/* SHA-512 PR  */
++__fips_constseg static const unsigned char sha512_pr_entropyinput[] = {
++    0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f,
++    0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2,
++    0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28
++};
++
++__fips_constseg static const unsigned char sha512_pr_nonce[] = {
++    0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67,
++    0x88, 0xc7, 0xa2, 0xc4
++};
++
++__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = {
++    0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff,
++    0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07,
++    0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput[] = {
++    0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce,
++    0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22,
++    0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = {
++    0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80,
++    0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e,
++    0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08
++};
++
++__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = {
++    0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50,
++    0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae,
++    0x0c, 0x96, 0x72, 0xbd, 0x52, 0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5,
++    0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95,
++    0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53,
++    0xe2, 0xc6, 0x8b, 0xc3
++};
++
++__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = {
++    0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4,
++    0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40,
++    0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61
++};
++
++__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = {
++    0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5,
++    0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34,
++    0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99
++};
++
++__fips_constseg static const unsigned char sha512_pr_returnedbits[] = {
++    0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51,
++    0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93,
++    0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80,
++    0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7,
++    0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd,
++    0x67, 0xf7, 0x68, 0xdd
++};
++
++/* SHA-512 No PR  */
++__fips_constseg static const unsigned char sha512_entropyinput[] = {
++    0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17,
++    0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56,
++    0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd
++};
++
++__fips_constseg static const unsigned char sha512_nonce[] = {
++    0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31,
++    0x5a, 0x64, 0xf0, 0xf7
++};
++
++__fips_constseg static const unsigned char sha512_personalizationstring[] = {
++    0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7,
++    0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b,
++    0x46, 0x48, 0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput[] = {
++    0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad,
++    0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97,
++    0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34
++};
++
++__fips_constseg static const unsigned char sha512_int_returnedbits[] = {
++    0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd,
++    0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9,
++    0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56,
++    0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19,
++    0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04,
++    0x28, 0xd4, 0x39, 0x9a
++};
++
++__fips_constseg static const unsigned char sha512_entropyinputreseed[] = {
++    0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49,
++    0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82,
++    0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee
++};
++
++__fips_constseg static const unsigned char sha512_additionalinputreseed[] = {
++    0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29,
++    0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6,
++    0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20
++};
++
++__fips_constseg static const unsigned char sha512_additionalinput2[] = {
++    0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85,
++    0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42,
++    0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92
++};
++
++__fips_constseg static const unsigned char sha512_returnedbits[] = {
++    0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27,
++    0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32,
++    0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b,
++    0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63,
++    0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2,
++    0x68, 0xde, 0x42, 0xb5
++};
++
++/* HMAC SHA-1 PR  */
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = {
++    0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc,
++    0x2c, 0x18, 0x17, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = {
++    0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha1_pr_personalizationstring[] = {
++    0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85,
++    0x80, 0xe2, 0x7f, 0x2a
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = {
++    0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f,
++    0xd7, 0xbb, 0x42, 0x09
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = {
++    0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63,
++    0x23, 0x87, 0x2a, 0xed
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = {
++    0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f,
++    0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = {
++    0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58,
++    0xa0, 0x4b, 0x93, 0x6e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = {
++    0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c,
++    0x0f, 0xff, 0x2e, 0xaf
++};
++
++__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = {
++    0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16,
++    0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8
++};
++
++/* HMAC SHA-1 No PR  */
++__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = {
++    0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40,
++    0x17, 0xfe, 0x47, 0x70
++};
++
++__fips_constseg static const unsigned char hmac_sha1_nonce[] = {
++    0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25
++};
++
++__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = {
++    0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00,
++    0x72, 0xf7, 0xd3, 0x5e
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = {
++    0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb,
++    0xbb, 0xe3, 0xaa, 0xea
++};
++
++__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = {
++    0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11,
++    0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1
++};
++
++__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = {
++    0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f,
++    0x86, 0x52, 0x6d, 0x9c
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = {
++    0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92,
++    0x79, 0xc5, 0x82, 0x28
++};
++
++__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = {
++    0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3,
++    0x8a, 0xca, 0xa4, 0x7f
++};
++
++__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = {
++    0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d,
++    0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0
++};
++
++/* HMAC SHA-224 PR  */
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = {
++    0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07,
++    0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = {
++    0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha224_pr_personalizationstring[] = {
++    0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed,
++    0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = {
++    0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21,
++    0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = {
++    0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad,
++    0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = {
++    0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38,
++    0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13,
++    0x41, 0xfe, 0x99, 0xf2
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = {
++    0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17,
++    0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = {
++    0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f,
++    0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0
++};
++
++__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = {
++    0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7,
++    0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03,
++    0x6d, 0xd8, 0x9e, 0x72
++};
++
++/* HMAC SHA-224 No PR  */
++__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = {
++    0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54,
++    0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d
++};
++
++__fips_constseg static const unsigned char hmac_sha224_nonce[] = {
++    0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha224_personalizationstring[] = {
++    0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b,
++    0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = {
++    0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6,
++    0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = {
++    0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42,
++    0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c,
++    0xcd, 0xd6, 0xa9, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = {
++    0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95,
++    0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha224_additionalinputreseed[] = {
++    0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20,
++    0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23
++};
++
++__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = {
++    0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3,
++    0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96
++};
++
++__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = {
++    0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85,
++    0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e,
++    0x45, 0x84, 0xa8, 0x94
++};
++
++/* HMAC SHA-256 PR  */
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = {
++    0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 0x70, 0xb1, 0x8b, 0xed, 0xea,
++    0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca,
++    0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = {
++    0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15,
++    0xaa, 0xd3, 0x30, 0x9a
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha256_pr_personalizationstring[] = {
++    0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24,
++    0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d,
++    0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = {
++    0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9,
++    0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18,
++    0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = {
++    0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79,
++    0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36,
++    0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = {
++    0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2,
++    0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef,
++    0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = {
++    0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8,
++    0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e,
++    0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = {
++    0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a,
++    0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74,
++    0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91
++};
++
++__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = {
++    0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0,
++    0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91,
++    0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e
++};
++
++/* HMAC SHA-256 No PR  */
++__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = {
++    0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35,
++    0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d,
++    0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc
++};
++
++__fips_constseg static const unsigned char hmac_sha256_nonce[] = {
++    0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e,
++    0xc7, 0xfc, 0xc2, 0x01
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha256_personalizationstring[] = {
++    0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7,
++    0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65,
++    0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = {
++    0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c,
++    0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda,
++    0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27
++};
++
++__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = {
++    0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d,
++    0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25,
++    0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90
++};
++
++__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = {
++    0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7,
++    0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9,
++    0x2f, 0x0f, 0x27, 0x9c, 0xd4, 0x15, 0xed, 0x2d
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha256_additionalinputreseed[] = {
++    0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3,
++    0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3,
++    0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e
++};
++
++__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = {
++    0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f,
++    0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8,
++    0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d
++};
++
++__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = {
++    0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3,
++    0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26,
++    0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0
++};
++
++/* HMAC SHA-384 PR  */
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = {
++    0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5,
++    0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1,
++    0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = {
++    0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59,
++    0xee, 0x16, 0xc9, 0xde
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha384_pr_personalizationstring[] = {
++    0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4,
++    0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47,
++    0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = {
++    0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f,
++    0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda,
++    0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr[] = {
++    0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0,
++    0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56,
++    0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = {
++    0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6,
++    0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6,
++    0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd,
++    0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = {
++    0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2,
++    0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff,
++    0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = {
++    0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1,
++    0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94,
++    0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87
++};
++
++__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = {
++    0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76,
++    0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b,
++    0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d,
++    0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75
++};
++
++/* HMAC SHA-384 No PR  */
++__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = {
++    0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3,
++    0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1,
++    0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f
++};
++
++__fips_constseg static const unsigned char hmac_sha384_nonce[] = {
++    0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1,
++    0x38, 0xe3, 0xeb, 0x62
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha384_personalizationstring[] = {
++    0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5,
++    0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62,
++    0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = {
++    0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81,
++    0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58,
++    0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce
++};
++
++__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = {
++    0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31,
++    0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b,
++    0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b,
++    0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b
++};
++
++__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = {
++    0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48,
++    0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9,
++    0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha384_additionalinputreseed[] = {
++    0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c,
++    0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92,
++    0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63
++};
++
++__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = {
++    0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf,
++    0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d,
++    0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32
++};
++
++__fips_constseg static const unsigned char hmac_sha384_returnedbits[] = {
++    0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19,
++    0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed,
++    0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74,
++    0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb
++};
++
++/* HMAC SHA-512 PR  */
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = {
++    0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b,
++    0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba,
++    0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = {
++    0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b,
++    0x86, 0xea, 0xaf, 0xa2
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha512_pr_personalizationstring[] = {
++    0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24,
++    0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02,
++    0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = {
++    0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92,
++    0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c,
++    0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = {
++    0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc,
++    0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03,
++    0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = {
++    0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56,
++    0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c,
++    0xfd, 0xda, 0x5f, 0x92, 0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd,
++    0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50,
++    0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35,
++    0x05, 0x17, 0xbe, 0x0d
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = {
++    0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08,
++    0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c,
++    0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = {
++    0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71,
++    0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe,
++    0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7
++};
++
++__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = {
++    0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35,
++    0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21,
++    0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4,
++    0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3,
++    0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00,
++    0xb6, 0xaf, 0xbc, 0xd3
++};
++
++/* HMAC SHA-512 No PR  */
++__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = {
++    0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa,
++    0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe,
++    0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95
++};
++
++__fips_constseg static const unsigned char hmac_sha512_nonce[] = {
++    0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e,
++    0xd9, 0xaf, 0x43, 0x3c
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha512_personalizationstring[] = {
++    0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f,
++    0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 0xc1, 0x23, 0xaf, 0xd0, 0x01,
++    0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = {
++    0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5,
++    0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d,
++    0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73
++};
++
++__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = {
++    0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90,
++    0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18,
++    0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b,
++    0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34,
++    0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1,
++    0xb1, 0x57, 0x69, 0xe8
++};
++
++__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = {
++    0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41,
++    0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca,
++    0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73
++};
++
++__fips_constseg
++    static const unsigned char hmac_sha512_additionalinputreseed[] = {
++    0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a,
++    0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86,
++    0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c
++};
++
++__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = {
++    0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5,
++    0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb,
++    0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48
++};
++
++__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = {
++    0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f,
++    0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a,
++    0x79, 0x08, 0x59, 0xa5, 0xdc, 0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
++    0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
++    0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
++    0xc2, 0xd6, 0xfd, 0xa5
++};
+diff -up openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips	2021-03-03 12:57:42.200734534 +0100
++++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c	2021-03-03 12:57:42.200734534 +0100
+@@ -0,0 +1,195 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/dsa.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static const unsigned char dsa_test_2048_p[] = {
++    0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08,
++    0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62,
++    0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59,
++    0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6,
++    0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3,
++    0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52,
++    0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7,
++    0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a,
++    0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1,
++    0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03,
++    0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40,
++    0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34,
++    0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e,
++    0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b,
++    0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1,
++    0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7,
++    0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6,
++    0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57,
++    0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54,
++    0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a,
++    0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7,
++    0xdb, 0xa0, 0x69, 0xe9
++};
++
++static const unsigned char dsa_test_2048_q[] = {
++    0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a,
++    0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 0x47, 0xed, 0x27, 0x60, 0x20, 0x56,
++    0x74, 0x41, 0xa0, 0xa5
++};
++
++static const unsigned char dsa_test_2048_g[] = {
++    0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5,
++    0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8,
++    0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19,
++    0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba,
++    0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b,
++    0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a,
++    0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53,
++    0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b,
++    0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5,
++    0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a,
++    0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e,
++    0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23,
++    0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96,
++    0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7,
++    0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16,
++    0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a,
++    0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f,
++    0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95,
++    0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69,
++    0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e,
++    0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91,
++    0xb3, 0xc2, 0xa9, 0x66
++};
++
++static const unsigned char dsa_test_2048_pub_key[] = {
++    0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60,
++    0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb,
++    0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 0xa5, 0x64,
++    0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44,
++    0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c,
++    0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c,
++    0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2,
++    0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c,
++    0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71,
++    0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c,
++    0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99,
++    0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75,
++    0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e,
++    0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc,
++    0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf,
++    0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90,
++    0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d,
++    0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d,
++    0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07,
++    0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3,
++    0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93,
++    0xf7, 0xda, 0xb1, 0x4f
++};
++
++static const unsigned char dsa_test_2048_priv_key[] = {
++    0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91,
++    0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00,
++    0xec, 0x55, 0xf6, 0xcc
++};
++
++int FIPS_selftest_dsa()
++{
++    DSA *dsa = NULL;
++    EVP_PKEY *pk = NULL;
++    int ret = 0;
++    BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL;
++
++    fips_load_key_component(p, dsa_test_2048);
++    fips_load_key_component(q, dsa_test_2048);
++    fips_load_key_component(g, dsa_test_2048);
++    fips_load_key_component(pub_key, dsa_test_2048);
++    fips_load_key_component(priv_key, dsa_test_2048);
++
++    dsa = DSA_new();
++
++    if (dsa == NULL)
++        goto err;
++
++    DSA_set0_pqg(dsa, p, q, g);
++
++    DSA_set0_key(dsa, pub_key, priv_key);
++
++    if ((pk = EVP_PKEY_new()) == NULL)
++        goto err;
++
++    EVP_PKEY_assign_DSA(pk, dsa);
++
++    if (!fips_pkey_signature_test(pk, NULL, 0,
++                                  NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
++        goto err;
++    ret = 1;
++
++ err:
++    if (pk)
++        EVP_PKEY_free(pk);
++    else if (dsa)
++        DSA_free(dsa);
++    else {
++        BN_free(p);
++        BN_free(q);
++        BN_free(g);
++        BN_free(pub_key);
++        BN_free(priv_key);
++    }
++    return ret;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips	2021-03-03 12:57:42.200734534 +0100
++++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c	2021-03-03 12:57:42.200734534 +0100
+@@ -0,0 +1,242 @@
++/* fips/ecdh/fips_ecdh_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdh.h>
++#include <openssl/fips.h>
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++# include "fips_locl.h"
++
++static const unsigned char p256_qcavsx[] = {
++    0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62,
++    0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13,
++    0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50
++};
++
++static const unsigned char p256_qcavsy[] = {
++    0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f,
++    0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf,
++    0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e
++};
++
++static const unsigned char p256_qiutx[] = {
++    0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c,
++    0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1,
++    0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f
++};
++
++static const unsigned char p256_qiuty[] = {
++    0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae,
++    0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75,
++    0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8
++};
++
++static const unsigned char p256_qiutd[] = {
++    0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3,
++    0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc,
++    0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8
++};
++
++static const unsigned char p256_ziut[] = {
++    0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a,
++    0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77,
++    0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f
++};
++
++typedef struct {
++    int curve;
++    const unsigned char *x1;
++    size_t x1len;
++    const unsigned char *y1;
++    size_t y1len;
++    const unsigned char *d1;
++    size_t d1len;
++    const unsigned char *x2;
++    size_t x2len;
++    const unsigned char *y2;
++    size_t y2len;
++    const unsigned char *z;
++    size_t zlen;
++} ECDH_SELFTEST_DATA;
++
++# define make_ecdh_test(nid, pr) { nid, \
++                                pr##_qiutx, sizeof(pr##_qiutx), \
++                                pr##_qiuty, sizeof(pr##_qiuty), \
++                                pr##_qiutd, sizeof(pr##_qiutd), \
++                                pr##_qcavsx, sizeof(pr##_qcavsx), \
++                                pr##_qcavsy, sizeof(pr##_qcavsy), \
++                                pr##_ziut, sizeof(pr##_ziut) }
++
++static ECDH_SELFTEST_DATA test_ecdh_data[] = {
++    make_ecdh_test(NID_X9_62_prime256v1, p256),
++};
++
++int FIPS_selftest_ecdh(void)
++{
++    EC_KEY *ec1 = NULL, *ec2 = NULL;
++    const EC_POINT *ecp = NULL;
++    BIGNUM *x = NULL, *y = NULL, *d = NULL;
++    unsigned char *ztmp = NULL;
++    int rv = 1;
++    size_t i;
++
++    for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
++        ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
++        if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
++            continue;
++        ztmp = OPENSSL_malloc(ecd->zlen);
++
++        x = BN_bin2bn(ecd->x1, ecd->x1len, x);
++        y = BN_bin2bn(ecd->y1, ecd->y1len, y);
++        d = BN_bin2bn(ecd->d1, ecd->d1len, d);
++
++        if (!x || !y || !d || !ztmp) {
++            rv = 0;
++            goto err;
++        }
++
++        ec1 = EC_KEY_new_by_curve_name(ecd->curve);
++        if (!ec1) {
++            rv = 0;
++            goto err;
++        }
++        EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++        if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
++            rv = 0;
++            goto err;
++        }
++
++        if (!EC_KEY_set_private_key(ec1, d)) {
++            rv = 0;
++            goto err;
++        }
++
++        x = BN_bin2bn(ecd->x2, ecd->x2len, x);
++        y = BN_bin2bn(ecd->y2, ecd->y2len, y);
++
++        if (!x || !y) {
++            rv = 0;
++            goto err;
++        }
++
++        ec2 = EC_KEY_new_by_curve_name(ecd->curve);
++        if (!ec2) {
++            rv = 0;
++            goto err;
++        }
++        EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
++
++        if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
++            rv = 0;
++            goto err;
++        }
++
++        ecp = EC_KEY_get0_public_key(ec2);
++        if (!ecp) {
++            rv = 0;
++            goto err;
++        }
++
++        if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
++            rv = 0;
++            goto err;
++        }
++
++        if (!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
++            ztmp[0] ^= 0x1;
++
++        if (memcmp(ztmp, ecd->z, ecd->zlen)) {
++            fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
++            rv = 0;
++        } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
++            goto err;
++
++        EC_KEY_free(ec1);
++        ec1 = NULL;
++        EC_KEY_free(ec2);
++        ec2 = NULL;
++        OPENSSL_free(ztmp);
++        ztmp = NULL;
++    }
++
++ err:
++
++    if (x)
++        BN_clear_free(x);
++    if (y)
++        BN_clear_free(y);
++    if (d)
++        BN_clear_free(d);
++    if (ec1)
++        EC_KEY_free(ec1);
++    if (ec2)
++        EC_KEY_free(ec2);
++    if (ztmp)
++        OPENSSL_free(ztmp);
++
++    return rv;
++
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips	2021-03-03 12:57:42.200734534 +0100
++++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c	2021-03-03 12:57:42.200734534 +0100
+@@ -0,0 +1,166 @@
++/* fips/ecdsa/fips_ecdsa_selftest.c */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project 2011.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <string.h>
++#include <openssl/crypto.h>
++#include <openssl/ec.h>
++#include <openssl/ecdsa.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/err.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifdef OPENSSL_FIPS
++
++static const char P_256_name[] = "ECDSA P-256";
++
++static const unsigned char P_256_d[] = {
++    0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
++    0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
++    0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
++};
++
++static const unsigned char P_256_qx[] = {
++    0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
++    0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
++    0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
++};
++
++static const unsigned char P_256_qy[] = {
++    0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
++    0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
++    0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
++};
++
++typedef struct {
++    int curve;
++    const char *name;
++    const unsigned char *x;
++    size_t xlen;
++    const unsigned char *y;
++    size_t ylen;
++    const unsigned char *d;
++    size_t dlen;
++} EC_SELFTEST_DATA;
++
++# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
++                                pr##_qx, sizeof(pr##_qx), \
++                                pr##_qy, sizeof(pr##_qy), \
++                                pr##_d, sizeof(pr##_d)}
++
++static EC_SELFTEST_DATA test_ec_data[] = {
++    make_ecdsa_test(NID_X9_62_prime256v1, P_256),
++};
++
++int FIPS_selftest_ecdsa()
++{
++    EC_KEY *ec = NULL;
++    BIGNUM *x = NULL, *y = NULL, *d = NULL;
++    EVP_PKEY *pk = NULL;
++    int rv = 0;
++    size_t i;
++
++    for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
++        EC_SELFTEST_DATA *ecd = test_ec_data + i;
++
++        x = BN_bin2bn(ecd->x, ecd->xlen, x);
++        y = BN_bin2bn(ecd->y, ecd->ylen, y);
++        d = BN_bin2bn(ecd->d, ecd->dlen, d);
++
++        if (!x || !y || !d)
++            goto err;
++
++        ec = EC_KEY_new_by_curve_name(ecd->curve);
++        if (!ec)
++            goto err;
++
++        if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
++            goto err;
++
++        if (!EC_KEY_set_private_key(ec, d))
++            goto err;
++
++        if ((pk = EVP_PKEY_new()) == NULL)
++            goto err;
++
++        EVP_PKEY_assign_EC_KEY(pk, ec);
++
++        if (!fips_pkey_signature_test(pk, NULL, 0,
++                                      NULL, 0, EVP_sha256(), 0, ecd->name))
++            goto err;
++    }
++
++    rv = 1;
++
++ err:
++
++    if (x)
++        BN_clear_free(x);
++    if (y)
++        BN_clear_free(y);
++    if (d)
++        BN_clear_free(d);
++    if (pk)
++        EVP_PKEY_free(pk);
++    else if (ec)
++        EC_KEY_free(ec);
++
++    return rv;
++
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_err.h.fips openssl-1.1.1j/crypto/fips/fips_err.h
+--- openssl-1.1.1j/crypto/fips/fips_err.h.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_err.h	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,197 @@
++/* crypto/fips_err.h */
++/* ====================================================================
++ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com).  This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/*
++ * NOTE: this file was auto generated by the mkerr.pl script: any changes
++ * made to it will be overwritten when the script next updates this file,
++ * only reason strings will be preserved.
++ */
++
++#include <stdio.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++/* BEGIN ERROR CODES */
++#ifndef OPENSSL_NO_ERR
++
++# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0)
++# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason)
++
++static ERR_STRING_DATA FIPS_str_functs[] = {
++    {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"},
++    {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"},
++    {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"},
++    {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"},
++    {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"},
++    {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"},
++    {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"},
++    {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"},
++    {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"},
++    {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"},
++    {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"},
++    {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"},
++    {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"},
++    {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"},
++    {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"},
++    {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"},
++    {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"},
++    {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"},
++    {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"},
++    {ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
++    {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
++    {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"},
++    {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"},
++    {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"},
++    {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"},
++    {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"},
++    {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"},
++    {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"},
++    {0, NULL}
++};
++
++static ERR_STRING_DATA FIPS_str_reasons[] = {
++    {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
++     "additional input error undetected"},
++    {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
++     "additional input too long"},
++    {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"},
++    {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
++    {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
++    {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
++    {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
++     "entropy not requested for reseed"},
++    {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
++    {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
++    {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
++    {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
++     "error retrieving additional input"},
++    {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"},
++    {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"},
++    {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
++     "fingerprint does not match"},
++    {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"},
++    {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"},
++    {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"},
++    {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"},
++    {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED),
++     "generate error undetected"},
++    {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
++    {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"},
++    {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"},
++    {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"},
++    {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"},
++    {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"},
++    {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"},
++    {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"},
++    {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"},
++    {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"},
++    {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"},
++    {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
++     "personalisation error undetected"},
++    {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG),
++     "personalisation string too long"},
++    {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
++    {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
++    {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
++     "request length error undetected"},
++    {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
++     "request too large for drbg"},
++    {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"},
++    {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"},
++    {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"},
++    {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"},
++    {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"},
++    {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"},
++    {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
++     "uninstantiate zeroise error"},
++    {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"},
++    {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"},
++    {0, NULL}
++};
++
++#endif
++
++int ERR_load_FIPS_strings(void)
++{
++#ifndef OPENSSL_NO_ERR
++
++    if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
++        ERR_load_strings(0, FIPS_str_functs);
++        ERR_load_strings(0, FIPS_str_reasons);
++    }
++#endif
++    return 1;
++}
+diff -up openssl-1.1.1j/crypto/fips/fips_ers.c.fips openssl-1.1.1j/crypto/fips/fips_ers.c
+--- openssl-1.1.1j/crypto/fips/fips_ers.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_ers.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,7 @@
++#include <openssl/opensslconf.h>
++
++#ifdef OPENSSL_FIPS
++# include "fips_err.h"
++#else
++static void *dummy = &dummy;
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,134 @@
++/* ====================================================================
++ * Copyright (c) 2005 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/hmac.h>
++
++#ifdef OPENSSL_FIPS
++typedef struct {
++    const EVP_MD *(*alg) (void);
++    const char *key, *iv;
++    unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT;
++
++static const HMAC_KAT vector[] = {
++    {EVP_sha1,
++     /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
++     "0123456789:;<=>?@ABC",
++     "Sample #2",
++     {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19,
++      0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c,
++      0xc6, 0xc7, 0x5d, 0x24}
++     },
++    {EVP_sha224,
++     /* just keep extending the above... */
++     "0123456789:;<=>?@ABC",
++     "Sample #2",
++     {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb,
++      0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa,
++      0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b,
++      0x8c, 0x8d, 0x12, 0xc7}
++     },
++    {EVP_sha256,
++     "0123456789:;<=>?@ABC",
++     "Sample #2",
++     {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09,
++      0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34,
++      0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38,
++      0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9}
++     },
++    {EVP_sha384,
++     "0123456789:;<=>?@ABC",
++     "Sample #2",
++     {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad,
++      0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6,
++      0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04,
++      0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f,
++      0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50,
++      0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f}
++     },
++    {EVP_sha512,
++     "0123456789:;<=>?@ABC",
++     "Sample #2",
++     {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41,
++      0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac,
++      0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0,
++      0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68,
++      0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f,
++      0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7,
++      0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45,
++      0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05}
++     },
++};
++
++int FIPS_selftest_hmac()
++{
++    int n;
++    unsigned int outlen;
++    unsigned char out[EVP_MAX_MD_SIZE];
++    const EVP_MD *md;
++    const HMAC_KAT *t;
++
++    for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
++        md = (*t->alg) ();
++        HMAC(md, t->key, strlen(t->key),
++             (const unsigned char *)t->iv, strlen(t->iv), out, &outlen);
++
++        if (memcmp(out, t->kaval, outlen)) {
++            FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++            return 0;
++        }
++    }
++    return 1;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_locl.h.fips openssl-1.1.1j/crypto/fips/fips_locl.h
+--- openssl-1.1.1j/crypto/fips/fips_locl.h.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_locl.h	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,71 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifdef OPENSSL_FIPS
++
++# ifdef  __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_MAX_CIPHER_TEST_SIZE       32
++# define fips_load_key_component(comp, pre) \
++        comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \
++        if (!comp) \
++                goto err
++
++# define fips_post_started(id, subid, ex) 1
++# define fips_post_success(id, subid, ex) 1
++# define fips_post_failed(id, subid, ex) 1
++# define fips_post_corrupt(id, subid, ex) 1
++# define fips_post_status() 1
++
++# ifdef  __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_post.c.fips openssl-1.1.1j/crypto/fips/fips_post.c
+--- openssl-1.1.1j/crypto/fips/fips_post.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_post.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,224 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#define OPENSSL_FIPSAPI
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/fips_rand.h>
++#include <openssl/err.h>
++#include <openssl/bio.h>
++#include <openssl/hmac.h>
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/evp.h>
++#include <string.h>
++#include <limits.h>
++
++#ifdef OPENSSL_FIPS
++
++/* Power on self test (POST) support functions */
++
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++# include "fips_locl.h"
++
++/* Run all selftests */
++int FIPS_selftest(void)
++{
++    int rv = 1;
++    if (!FIPS_selftest_drbg())
++        rv = 0;
++    if (!FIPS_selftest_sha1())
++        rv = 0;
++    if (!FIPS_selftest_sha2())
++        rv = 0;
++    if (!FIPS_selftest_sha3())
++        rv = 0;
++    if (!FIPS_selftest_hmac())
++        rv = 0;
++    if (!FIPS_selftest_cmac())
++        rv = 0;
++    if (!FIPS_selftest_aes())
++        rv = 0;
++    if (!FIPS_selftest_aes_ccm())
++        rv = 0;
++    if (!FIPS_selftest_aes_gcm())
++        rv = 0;
++    if (!FIPS_selftest_aes_xts())
++        rv = 0;
++    if (!FIPS_selftest_des())
++        rv = 0;
++    if (!FIPS_selftest_rsa())
++        rv = 0;
++    if (!FIPS_selftest_ecdsa())
++        rv = 0;
++    if (!FIPS_selftest_dsa())
++        rv = 0;
++    if (!FIPS_selftest_dh())
++        rv = 0;
++    if (!FIPS_selftest_ecdh())
++        rv = 0;
++    return rv;
++}
++
++/* Generalized public key test routine. Signs and verifies the data
++ * supplied in tbs using mesage digest md and setting option digest
++ * flags md_flags. If the 'kat' parameter is not NULL it will
++ * additionally check the signature matches it: a known answer test
++ * The string "fail_str" is used for identification purposes in case
++ * of failure. If "pkey" is NULL just perform a message digest check.
++ */
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++                             const unsigned char *tbs, int tbslen,
++                             const unsigned char *kat, unsigned int katlen,
++                             const EVP_MD *digest, unsigned int flags,
++                             const char *fail_str)
++{
++    int ret = 0;
++    unsigned char sigtmp[256], *sig = sigtmp;
++    size_t siglen = sizeof(sigtmp);
++    EVP_MD_CTX *mctx;
++    EVP_PKEY_CTX *pctx;
++
++    if (digest == NULL)
++        digest = EVP_sha256();
++
++    mctx = EVP_MD_CTX_new();
++
++    if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
++        && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) {
++        sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey)));
++        siglen = RSA_size(EVP_PKEY_get0_RSA(pkey));
++    }
++    if (!sig || ! mctx) {
++        EVP_MD_CTX_free(mctx);
++        FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE);
++        return 0;
++    }
++
++    if (tbslen == -1)
++        tbslen = strlen((char *)tbs);
++
++    if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0)
++        goto error;
++
++    if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
++        EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
++        EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
++    }
++
++    if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0)
++        goto error;
++
++    if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0)
++        goto error;
++
++    if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen)))
++        goto error;
++
++    if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0)
++        goto error;
++
++    if (flags == EVP_MD_CTX_FLAG_PAD_PSS) {
++        EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING);
++        EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0);
++    }
++
++    if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0)
++        goto error;
++
++    ret = EVP_DigestVerifyFinal(mctx, sig, siglen);
++
++ error:
++    if (sig != sigtmp)
++        OPENSSL_free(sig);
++    EVP_MD_CTX_free(mctx);
++    if (ret <= 0) {
++        FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE);
++        if (fail_str)
++            ERR_add_error_data(2, "Type=", fail_str);
++        return 0;
++    }
++    return 1;
++}
++
++/* Generalized symmetric cipher test routine. Encrypt data, verify result
++ * against known answer, decrypt and compare with original plaintext.
++ */
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
++                     const unsigned char *key,
++                     const unsigned char *iv,
++                     const unsigned char *plaintext,
++                     const unsigned char *ciphertext, int len)
++{
++    unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE];
++    unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE];
++
++    OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE);
++    memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++    memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE);
++
++    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0)
++        return 0;
++    if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0)
++        return 0;
++    if (memcmp(citmp, ciphertext, len))
++        return 0;
++    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0)
++        return 0;
++    if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0)
++        return 0;
++    if (memcmp(pltmp, plaintext, len))
++        return 0;
++    return 1;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1j/crypto/fips/fips_rand_lcl.h
+--- openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,203 @@
++/* fips/rand/fips_rand_lcl.h */
++/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
++ * project.
++ */
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++typedef struct drbg_hash_ctx_st DRBG_HASH_CTX;
++typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX;
++typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX;
++
++/* 888 bits from 10.1 table 2 */
++#define HASH_PRNG_MAX_SEEDLEN   111
++
++struct drbg_hash_ctx_st {
++    const EVP_MD *md;
++    EVP_MD_CTX *mctx;
++    unsigned char V[HASH_PRNG_MAX_SEEDLEN];
++    unsigned char C[HASH_PRNG_MAX_SEEDLEN];
++    /* Temporary value storage: should always exceed max digest length */
++    unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN];
++};
++
++struct drbg_hmac_ctx_st {
++    const EVP_MD *md;
++    HMAC_CTX *hctx;
++    unsigned char K[EVP_MAX_MD_SIZE];
++    unsigned char V[EVP_MAX_MD_SIZE];
++};
++
++struct drbg_ctr_ctx_st {
++    AES_KEY ks;
++    size_t keylen;
++    unsigned char K[32];
++    unsigned char V[16];
++    /* Temp variables used by derivation function */
++    AES_KEY df_ks;
++    AES_KEY df_kxks;
++    /* Temporary block storage used by ctr_df */
++    unsigned char bltmp[16];
++    size_t bltmp_pos;
++    unsigned char KX[48];
++};
++
++/* DRBG internal flags */
++
++/* Functions shouldn't call err library */
++#define DRBG_FLAG_NOERR                 0x1
++/* Custom reseed checking */
++#define DRBG_CUSTOM_RESEED              0x2
++
++/* DRBG status values */
++/* not initialised */
++#define DRBG_STATUS_UNINITIALISED       0
++/* ok and ready to generate random bits */
++#define DRBG_STATUS_READY               1
++/* reseed required */
++#define DRBG_STATUS_RESEED              2
++/* fatal error condition */
++#define DRBG_STATUS_ERROR               3
++
++/* A default maximum length: larger than any reasonable value used in pratice */
++
++#define DRBG_MAX_LENGTH                 0x7ffffff0
++/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes
++ * so use max digest length.
++ */
++#define DRBG_MAX_BLOCK                  EVP_MAX_MD_SIZE
++
++#define DRBG_HEALTH_INTERVAL            (1 << 24)
++
++/* DRBG context structure */
++
++struct drbg_ctx_st {
++    /* First types common to all implementations */
++    /* DRBG type: a NID for the underlying algorithm */
++    int type;
++    /* Various external flags */
++    unsigned int xflags;
++    /* Various internal use only flags */
++    unsigned int iflags;
++    /* Used for periodic health checks */
++    int health_check_cnt, health_check_interval;
++
++    /* The following parameters are setup by mechanism drbg_init() call */
++    int strength;
++    size_t blocklength;
++    size_t max_request;
++
++    size_t min_entropy, max_entropy;
++    size_t min_nonce, max_nonce;
++    size_t max_pers, max_adin;
++    unsigned int reseed_counter;
++    unsigned int reseed_interval;
++    size_t seedlen;
++    int status;
++    /* Application data: typically used by test get_entropy */
++    void *app_data;
++    /* Implementation specific structures */
++    union {
++        DRBG_HASH_CTX hash;
++        DRBG_HMAC_CTX hmac;
++        DRBG_CTR_CTX ctr;
++    } d;
++    /* Initialiase PRNG and setup callbacks below */
++    int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags);
++    /* Intantiate PRNG */
++    int (*instantiate) (DRBG_CTX *ctx,
++                        const unsigned char *ent, size_t entlen,
++                        const unsigned char *nonce, size_t noncelen,
++                        const unsigned char *pers, size_t perslen);
++    /* reseed */
++    int (*reseed) (DRBG_CTX *ctx,
++                   const unsigned char *ent, size_t entlen,
++                   const unsigned char *adin, size_t adinlen);
++    /* generat output */
++    int (*generate) (DRBG_CTX *ctx,
++                     unsigned char *out, size_t outlen,
++                     const unsigned char *adin, size_t adinlen);
++    /* uninstantiate */
++    int (*uninstantiate) (DRBG_CTX *ctx);
++
++    /* Entropy source block length */
++    size_t entropy_blocklen;
++
++    /* entropy gathering function */
++    size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout,
++                           int entropy, size_t min_len, size_t max_len);
++    /* Indicates we have finished with entropy buffer */
++    void (*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++    /* nonce gathering function */
++    size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout,
++                         int entropy, size_t min_len, size_t max_len);
++    /* Indicates we have finished with nonce buffer */
++    void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++
++    /* Callbacks used when called through RAND interface */
++    /* Get any additional input for generate */
++    size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout);
++    void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen);
++    /* Callback for RAND_seed(), RAND_add() */
++    int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num);
++    int (*rand_add_cb) (DRBG_CTX *ctx,
++                        const void *buf, int num, double entropy);
++};
++
++int fips_drbg_ctr_init(DRBG_CTX *dctx);
++int fips_drbg_hash_init(DRBG_CTX *dctx);
++int fips_drbg_hmac_init(DRBG_CTX *dctx);
++int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags);
++int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out);
++
++#define FIPS_digestinit EVP_DigestInit
++#define FIPS_digestupdate EVP_DigestUpdate
++#define FIPS_digestfinal EVP_DigestFinal
++#define M_EVP_MD_size EVP_MD_size
+diff -up openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1j/crypto/fips/fips_rand_lib.c
+--- openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,234 @@
++/* ====================================================================
++ * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
++   be defined and gettimeofday() won't be declared with strict compilers
++   like DEC C in ANSI C mode.  */
++#ifndef _XOPEN_SOURCE_EXTENDED
++# define _XOPEN_SOURCE_EXTENDED 1
++#endif
++
++#include <openssl/crypto.h>
++#include <openssl/rand.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++#include "crypto/fips.h"
++#include <openssl/fips_rand.h>
++#include "e_os.h"
++
++#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
++# include <sys/time.h>
++#endif
++#if defined(OPENSSL_SYS_VXWORKS)
++# include <time.h>
++#endif
++#ifndef OPENSSL_SYS_WIN32
++# ifdef OPENSSL_UNISTD
++#  include OPENSSL_UNISTD
++# else
++#  include <unistd.h>
++# endif
++#endif
++
++/* FIPS API for PRNG use. Similar to RAND functionality but without
++ * ENGINE and additional checking for non-FIPS rand methods.
++ */
++
++static const RAND_METHOD *fips_rand_meth = NULL;
++static int fips_approved_rand_meth = 0;
++static int fips_rand_bits = 0;
++
++/* Allows application to override number of bits and uses non-FIPS methods */
++void FIPS_rand_set_bits(int nbits)
++{
++    fips_rand_bits = nbits;
++}
++
++int FIPS_rand_set_method(const RAND_METHOD *meth)
++{
++    if (!fips_rand_bits) {
++        if (meth == FIPS_drbg_method())
++            fips_approved_rand_meth = 1;
++        else {
++            fips_approved_rand_meth = 0;
++            if (FIPS_module_mode()) {
++                FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
++                return 0;
++            }
++        }
++    }
++    fips_rand_meth = meth;
++    return 1;
++}
++
++const RAND_METHOD *FIPS_rand_get_method(void)
++{
++    return fips_rand_meth;
++}
++
++void FIPS_rand_reset(void)
++{
++    if (fips_rand_meth && fips_rand_meth->cleanup)
++        fips_rand_meth->cleanup();
++}
++
++int FIPS_rand_seed(const void *buf, int num)
++{
++    if (!fips_approved_rand_meth && FIPS_module_mode()) {
++        FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
++        return 0;
++    }
++    if (fips_rand_meth && fips_rand_meth->seed)
++        fips_rand_meth->seed(buf, num);
++    return 1;
++}
++
++int FIPS_rand_bytes(unsigned char *buf, int num)
++{
++    if (!fips_approved_rand_meth && FIPS_module_mode()) {
++        FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
++        return 0;
++    }
++    if (fips_rand_meth && fips_rand_meth->bytes)
++        return fips_rand_meth->bytes(buf, num);
++    return 0;
++}
++
++int FIPS_rand_status(void)
++{
++    if (!fips_approved_rand_meth && FIPS_module_mode()) {
++        FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
++        return 0;
++    }
++    if (fips_rand_meth && fips_rand_meth->status)
++        return fips_rand_meth->status();
++    return 0;
++}
++
++/* Return instantiated strength of PRNG. For DRBG this is an internal
++ * parameter. Any other type of PRNG is not approved and returns 0 in
++ * FIPS mode and maximum 256 outside FIPS mode.
++ */
++
++int FIPS_rand_strength(void)
++{
++    if (fips_rand_bits)
++        return fips_rand_bits;
++    if (fips_approved_rand_meth == 1)
++        return FIPS_drbg_get_strength(FIPS_get_default_drbg());
++    else if (fips_approved_rand_meth == 0) {
++        if (FIPS_module_mode())
++            return 0;
++        else
++            return 256;
++    }
++    return 0;
++}
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
++{
++# ifdef OPENSSL_SYS_WIN32
++    FILETIME ft;
++# elif defined(OPENSSL_SYS_VXWORKS)
++    struct timespec ts;
++# else
++    struct timeval tv;
++# endif
++
++# ifndef GETPID_IS_MEANINGLESS
++    unsigned long pid;
++# endif
++
++# ifdef OPENSSL_SYS_WIN32
++    GetSystemTimeAsFileTime(&ft);
++    buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
++    buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
++    buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
++    buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
++    buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
++    buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
++    buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
++    buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
++# elif defined(OPENSSL_SYS_VXWORKS)
++    clock_gettime(CLOCK_REALTIME, &ts);
++    buf[0] = (unsigned char)(ts.tv_sec & 0xff);
++    buf[1] = (unsigned char)((ts.tv_sec >> 8) & 0xff);
++    buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
++    buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
++    buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
++    buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
++    buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
++    buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
++# else
++    gettimeofday(&tv, NULL);
++    buf[0] = (unsigned char)(tv.tv_sec & 0xff);
++    buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
++    buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
++    buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
++    buf[4] = (unsigned char)(tv.tv_usec & 0xff);
++    buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
++    buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
++    buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
++# endif
++    buf[8] = (unsigned char)(*pctr & 0xff);
++    buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
++    buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
++    buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
++
++    (*pctr)++;
++
++# ifndef GETPID_IS_MEANINGLESS
++    pid = (unsigned long)getpid();
++    buf[12] = (unsigned char)(pid & 0xff);
++    buf[13] = (unsigned char)((pid >> 8) & 0xff);
++    buf[14] = (unsigned char)((pid >> 16) & 0xff);
++    buf[15] = (unsigned char)((pid >> 24) & 0xff);
++# endif
++}
++
+diff -up openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,338 @@
++/* ====================================================================
++ * Copyright (c) 2003-2007 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++#endif
++#include <openssl/rsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++#include <openssl/opensslconf.h>
++#include "fips_locl.h"
++
++#ifdef OPENSSL_FIPS
++
++static int setrsakey(RSA *key)
++{
++    static const unsigned char keydata_n[] = {
++        0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
++        0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
++        0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
++        0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
++        0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
++        0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
++        0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
++        0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
++        0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
++        0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
++        0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
++        0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
++        0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62, 0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
++        0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
++        0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
++        0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
++        0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
++        0x03, 0x71
++    };
++
++    static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
++
++    static const unsigned char keydata_d[] = {
++        0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
++        0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
++        0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
++        0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
++        0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
++        0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
++        0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
++        0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
++        0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
++        0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
++        0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
++        0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
++        0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
++        0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
++        0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
++        0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e, 0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
++        0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
++        0x01
++    };
++
++    static const unsigned char keydata_p[] = {
++        0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
++        0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
++        0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
++        0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
++        0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
++        0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
++        0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
++        0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
++        0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
++    };
++
++    static const unsigned char keydata_q[] = {
++        0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
++        0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
++        0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
++        0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
++        0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
++        0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
++        0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
++        0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
++        0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
++    };
++
++    static const unsigned char keydata_dmp1[] = {
++        0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50, 0xf0, 0x11, 0x2e,
++        0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
++        0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
++        0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
++        0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
++        0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
++        0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
++        0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
++        0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
++    };
++
++    static const unsigned char keydata_dmq1[] = {
++        0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
++        0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
++        0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
++        0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
++        0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
++        0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
++        0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
++        0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
++        0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
++    };
++
++    static const unsigned char keydata_iqmp[] = {
++        0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
++        0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
++        0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
++        0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8, 0x8c, 0x80,
++        0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
++        0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
++        0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
++        0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
++        0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
++    };
++
++    int rv = 0;
++    BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
++
++    fips_load_key_component(n, keydata);
++    fips_load_key_component(e, keydata);
++    fips_load_key_component(d, keydata);
++    fips_load_key_component(p, keydata);
++    fips_load_key_component(q, keydata);
++    fips_load_key_component(dmp1, keydata);
++    fips_load_key_component(dmq1, keydata);
++    fips_load_key_component(iqmp, keydata);
++
++    RSA_set0_key(key, n, e, d);
++    RSA_set0_factors(key, p, q);
++    RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
++
++    rv = 1;
++err:
++    if (!rv) {
++        BN_free(n);
++        BN_free(e);
++        BN_free(d);
++        BN_free(p);
++        BN_free(q);
++        BN_free(dmp1);
++        BN_free(dmq1);
++        BN_free(iqmp);
++    }
++    return rv;
++}
++
++/* Known Answer Test (KAT) data for the above RSA private key signing
++ * kat_tbs.
++ */
++
++static const unsigned char kat_tbs[] =
++    "OpenSSL FIPS 140-2 Public Key RSA KAT";
++
++static const unsigned char kat_RSA_PSS_SHA256[] = {
++    0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
++    0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
++    0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
++    0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
++    0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
++    0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
++    0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
++    0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
++    0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
++    0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
++    0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
++    0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
++    0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
++    0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
++    0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
++    0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
++    0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
++    0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
++    0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
++    0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
++    0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
++    0x2B, 0x31, 0xB9, 0x7D
++};
++
++static const unsigned char kat_RSA_SHA256[] = {
++    0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
++    0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
++    0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96, 0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
++    0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
++    0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
++    0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
++    0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
++    0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
++    0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
++    0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
++    0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
++    0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
++    0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
++    0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
++    0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
++    0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
++    0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
++    0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
++    0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
++    0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
++    0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
++    0x47, 0x9D, 0x18, 0xD7
++};
++
++static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
++                                 int ptlen)
++{
++    unsigned char *ctbuf = NULL, *ptbuf = NULL;
++    int ret = 0;
++    int len;
++
++    ctbuf = OPENSSL_malloc(RSA_size(rsa));
++    if (!ctbuf)
++        goto err;
++
++    len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
++    if (len <= 0)
++        goto err;
++    /* Check ciphertext doesn't match plaintext */
++    if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
++        goto err;
++
++    ptbuf = OPENSSL_malloc(RSA_size(rsa));
++    if (!ptbuf)
++        goto err;
++
++    len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++    if (len != ptlen)
++        goto err;
++    if (memcmp(ptbuf, plaintext, len))
++        goto err;
++
++    ret = 1;
++
++ err:
++    if (ctbuf)
++        OPENSSL_free(ctbuf);
++    if (ptbuf)
++        OPENSSL_free(ptbuf);
++    return ret;
++}
++
++int FIPS_selftest_rsa()
++{
++    int ret = 0;
++    RSA *key;
++    EVP_PKEY *pk = NULL;
++
++    if ((key = RSA_new()) == NULL)
++        goto err;
++
++    if (!setrsakey(key))
++        goto err;
++
++    if ((pk = EVP_PKEY_new()) == NULL)
++        goto err;
++
++    EVP_PKEY_set1_RSA(pk, key);
++
++    if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++                                  kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
++                                  EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
++                                  "RSA SHA256 PKCS#1"))
++        goto err;
++
++    if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
++                                  kat_RSA_PSS_SHA256,
++                                  sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
++                                  EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
++        goto err;
++
++    if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
++        goto err;
++
++    ret = 1;
++
++ err:
++    if (pk)
++        EVP_PKEY_free(pk);
++    if (key)
++        RSA_free(key);
++    return ret;
++}
++
++#endif                          /* def OPENSSL_FIPS */
+diff -up openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_sha_selftest.c
+--- openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,223 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++#include <openssl/evp.h>
++#include <openssl/sha.h>
++
++#ifdef OPENSSL_FIPS
++static const char test[][60] = {
++    "",
++    "abc",
++    "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
++};
++
++static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
++    {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
++     0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
++    {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
++     0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
++    {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
++     0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
++};
++
++int FIPS_selftest_sha1()
++{
++    int n;
++
++    for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
++        unsigned char md[SHA_DIGEST_LENGTH];
++
++        EVP_Digest(test[n], strlen(test[n]), md, NULL,
++                   EVP_sha1(), NULL);
++        if (memcmp(md, ret[n], sizeof md)) {
++            FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
++            return 0;
++        }
++    }
++    return 1;
++}
++
++static const unsigned char msg_sha256[] =
++    { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
++    0xfc
++};
++
++static const unsigned char dig_sha256[] =
++    { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
++    0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
++    0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
++    0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
++};
++
++static const unsigned char msg_sha512[] =
++    { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
++    0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
++};
++
++static const unsigned char dig_sha512[] =
++    { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
++    0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
++    0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
++    0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
++    0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
++    0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
++    0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
++    0xaf, 0xbc, 0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
++};
++
++int FIPS_selftest_sha2(void)
++{
++    unsigned char md[SHA512_DIGEST_LENGTH];
++
++    EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
++    if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
++    if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    return 1;
++}
++
++static const unsigned char msg_sha3_256[] = {
++    0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6,
++    0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f,
++    0x35, 0x23
++};
++
++static const unsigned char dig_sha3_256[] = {
++    0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21,
++    0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0,
++    0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78,
++    0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed
++};
++
++static const unsigned char msg_sha3_512[] = {
++    0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73,
++    0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f,
++    0x05, 0xf4
++};
++
++static const unsigned char dig_sha3_512[] = {
++    0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2,
++    0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a,
++    0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f,
++    0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4,
++    0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd,
++    0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e,
++    0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c,
++    0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac
++};
++
++static const unsigned char msg_shake_128[] = {
++    0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f,
++    0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4,
++    0x28, 0x98
++};
++
++static const unsigned char dig_shake_128[] = {
++    0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a,
++    0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75
++};
++
++static const unsigned char msg_shake_256[] = {
++    0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6,
++    0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23,
++    0x9b, 0xfc
++};
++
++static const unsigned char dig_shake_256[] = {
++    0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5,
++    0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f,
++    0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd,
++    0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf
++};
++
++int FIPS_selftest_sha3(void)
++{
++    unsigned char md[SHA512_DIGEST_LENGTH];
++
++    EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
++    if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
++    if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
++    if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
++    if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
++        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        return 0;
++    }
++
++    return 1;
++}
++
++#endif
+diff -up openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c
+--- openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips	2021-03-03 12:57:42.201734542 +0100
++++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c	2021-03-03 12:57:42.201734542 +0100
+@@ -0,0 +1,127 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/opensslconf.h>
++#include <openssl/hmac.h>
++#include <openssl/sha.h>
++
++int main(int argc, char **argv)
++{
++#ifdef OPENSSL_FIPS
++    static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
++    int n, binary = 0;
++
++    if (argc < 2) {
++        fprintf(stderr, "%s [<file>]+\n", argv[0]);
++        exit(1);
++    }
++
++    n = 1;
++    if (!strcmp(argv[n], "-binary")) {
++        n++;
++        binary = 1;             /* emit binary fingerprint... */
++    }
++
++    for (; n < argc; ++n) {
++        FILE *f = fopen(argv[n], "rb");
++        HMAC_CTX *hmac_ctx;
++        unsigned char mac[EVP_MAX_MD_SIZE];
++        unsigned int len;
++        unsigned int i;
++
++        if (!f) {
++            perror(argv[n]);
++            exit(2);
++        }
++        hmac_ctx = HMAC_CTX_new();
++        if (!hmac_ctx)
++            exit(3);
++
++        if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
++            fprintf(stderr, "HMAC SHA256 initialization failed.\n");
++            exit(4);
++        }
++
++        for (;;) {
++            unsigned char buf[1024];
++            size_t l = fread(buf, 1, sizeof buf, f);
++
++            if (l == 0) {
++                if (ferror(f)) {
++                    perror(argv[n]);
++                    exit(3);
++                } else
++                    break;
++            }
++            if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
++                fprintf(stderr, "HMAC_Update() failed.\n");
++                exit(4);
++            }
++        }
++        if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
++            fprintf(stderr, "HMAC_Final() failed.\n");
++            exit(4);
++        }
++
++        if (binary) {
++            fwrite(mac, len, 1, stdout);
++            break;              /* ... for single(!) file */
++        }
++
++/*      printf("HMAC-SHA1(%s)= ",argv[n]); */
++        for (i = 0; i < len; ++i)
++            printf("%02x", mac[i]);
++        printf("\n");
++    }
++#endif
++    return 0;
++}
+diff -up openssl-1.1.1j/crypto/hmac/hmac.c.fips openssl-1.1.1j/crypto/hmac/hmac.c
+--- openssl-1.1.1j/crypto/hmac/hmac.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/hmac/hmac.c	2021-03-03 12:57:42.202734550 +0100
+@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
+         return 0;
+ 
+     if (key != NULL) {
++#ifdef OPENSSL_FIPS
++        if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
++            && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++                || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
++                || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
++            goto err;
++#endif
+         reset = 1;
+ 
+         j = EVP_MD_block_size(md);
+diff -up openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1j/crypto/hmac/hm_pmeth.c
+--- openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c	2021-03-03 12:57:42.202734550 +0100
+@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
+ 
+ const EVP_PKEY_METHOD hmac_pkey_meth = {
+     EVP_PKEY_HMAC,
+-    0,
++    EVP_PKEY_FLAG_FIPS,
+     pkey_hmac_init,
+     pkey_hmac_copy,
+     pkey_hmac_cleanup,
+diff -up openssl-1.1.1j/crypto/o_fips.c.fips openssl-1.1.1j/crypto/o_fips.c
+--- openssl-1.1.1j/crypto/o_fips.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/o_fips.c	2021-03-03 12:57:42.202734550 +0100
+@@ -8,17 +8,28 @@
+  */
+ 
+ #include "internal/cryptlib.h"
++#include "crypto/fips.h"
+ 
+ int FIPS_mode(void)
+ {
++#ifdef OPENSSL_FIPS
++    return FIPS_module_mode();
++#else
+     /* This version of the library does not support FIPS mode. */
+     return 0;
++#endif
+ }
+ 
+ int FIPS_mode_set(int r)
+ {
++#ifdef OPENSSL_FIPS
++    if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
++        return 1;
++    return FIPS_module_mode_set(r);
++#else
+     if (r == 0)
+         return 1;
+     CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
+     return 0;
++#endif
+ }
+diff -up openssl-1.1.1j/crypto/o_init.c.fips openssl-1.1.1j/crypto/o_init.c
+--- openssl-1.1.1j/crypto/o_init.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/o_init.c	2021-03-03 12:57:42.202734550 +0100
+@@ -7,8 +7,69 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include "e_os.h"
+ #include <openssl/err.h>
++#ifdef OPENSSL_FIPS
++# include <sys/types.h>
++# include <sys/stat.h>
++# include <fcntl.h>
++# include <unistd.h>
++# include <errno.h>
++# include <stdlib.h>
++# include <openssl/rand.h>
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static void init_fips_mode(void)
++{
++    char buf[2] = "0";
++    int fd;
++
++    if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++        buf[0] = '1';
++    } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++        while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++        close(fd);
++    }
++
++    if (buf[0] != '1' && !FIPS_module_installed())
++        return;
++
++    /* Ensure the selftests always run */
++    /* XXX: TO SOLVE - premature initialization due to selftests */
++    FIPS_mode_set(1);
++
++    /* Failure reading the fips mode switch file means just not
++     * switching into FIPS mode. We would break too many things
++     * otherwise..
++     */
++
++    if (buf[0] != '1') {
++        /* drop down to non-FIPS mode if it is not requested */
++        FIPS_mode_set(0);
++    } else {
++        /* abort if selftest failed */
++        FIPS_selftest_check();
++    }
++}
++
++/*
++ * Perform FIPS module power on selftest and automatic FIPS mode switch.
++ */
++
++void __attribute__ ((constructor)) OPENSSL_init_library(void)
++{
++    static int done = 0;
++    if (done)
++        return;
++    done = 1;
++    init_fips_mode();
++}
++#endif
+ 
+ /*
+  * Perform any essential OpenSSL initialization operations. Currently does
+diff -up openssl-1.1.1j/crypto/rand/rand_lib.c.fips openssl-1.1.1j/crypto/rand/rand_lib.c
+--- openssl-1.1.1j/crypto/rand/rand_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rand/rand_lib.c	2021-03-03 12:57:42.202734550 +0100
+@@ -16,6 +16,10 @@
+ #include "internal/thread_once.h"
+ #include "rand_local.h"
+ #include "e_os.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include <openssl/fips_rand.h>
++#endif
+ 
+ #ifndef OPENSSL_NO_ENGINE
+ /* non-NULL if default_RAND_meth is ENGINE-provided */
+@@ -959,3 +963,15 @@ int RAND_status(void)
+         return meth->status();
+     return 0;
+ }
++
++#ifdef OPENSSL_FIPS
++void RAND_set_fips_drbg_type(int type, int flags)
++{   /* just a stub for ABI compatibility */
++}
++
++int RAND_init_fips(void)
++{
++   /* just a stub for ABI compatibility */
++    return 1;
++}
++#endif
+diff -up openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1j/crypto/rsa/rsa_crpt.c
+--- openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c	2021-03-03 12:57:42.202734550 +0100
+@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
+ int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
+                        RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++        return -1;
++    }
++#endif
+     return rsa->meth->rsa_pub_enc(flen, from, to, rsa, padding);
+ }
+ 
+ int RSA_private_encrypt(int flen, const unsigned char *from,
+                         unsigned char *to, RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT,
++               RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++        return -1;
++    }
++#endif
+     return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding);
+ }
+ 
+ int RSA_private_decrypt(int flen, const unsigned char *from,
+                         unsigned char *to, RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD);
++        return -1;
++    }
++#endif
+     return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding);
+ }
+ 
+ int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
+                        RSA *rsa, int padding)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_PUBLIC_DECRYPT,
++               RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
++        return -1;
++    }
++#endif
+     return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding);
+ }
+ 
+diff -up openssl-1.1.1j/crypto/rsa/rsa_err.c.fips openssl-1.1.1j/crypto/rsa/rsa_err.c
+--- openssl-1.1.1j/crypto/rsa/rsa_err.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_err.c	2021-03-03 12:57:42.202734550 +0100
+@@ -16,6 +16,8 @@
+ static const ERR_STRING_DATA RSA_str_functs[] = {
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0),
++     "fips_rsa_builtin_keygen"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0),
+      "old_rsa_priv_decode"},
+@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0),
++     "RSA_generate_multi_prime_key"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"},
+@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0),
+@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun
+      "RSA_verify_ASN1_OCTET_STRING"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0),
+      "RSA_verify_PKCS1_PSS_mgf1"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},
+     {0, NULL}
+ };
+@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea
+     "mp exponent not congruent to d"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
++    {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),
+     "null before block missing"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),
+@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea
+     "n does not equal p q"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),
+     "oaep decoding error"},
++    {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
++    "operation not allowed in FIPS mode"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+     "operation not supported for this keytype"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),
+@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea
+     "unsupported mask algorithm"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER),
+     "unsupported mask parameter"},
++    {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS),
++    "unsupported parameters"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE),
+     "unsupported signature type"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"},
+diff -up openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips openssl-1.1.1j/crypto/rsa/rsa_gen.c
+--- openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_gen.c	2021-03-03 12:57:42.202734550 +0100
+@@ -18,6 +18,76 @@
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
+ #include "rsa_local.h"
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++# include "crypto/fips.h"
++
++int fips_check_rsa(RSA *rsa)
++{
++    const unsigned char tbs[] = "RSA Pairwise Check Data";
++    unsigned char *ctbuf = NULL, *ptbuf = NULL;
++    int len, ret = 0;
++    EVP_PKEY *pk;
++
++    if ((pk = EVP_PKEY_new()) == NULL)
++        goto err;
++
++    EVP_PKEY_set1_RSA(pk, rsa);
++
++    /* Perform pairwise consistency signature test */
++    if (!fips_pkey_signature_test(pk, tbs, -1,
++                                  NULL, 0, EVP_sha256(),
++                                  EVP_MD_CTX_FLAG_PAD_PKCS1, NULL)
++        || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(),
++                                     EVP_MD_CTX_FLAG_PAD_PSS, NULL))
++        goto err;
++    /* Now perform pairwise consistency encrypt/decrypt test */
++    ctbuf = OPENSSL_malloc(RSA_size(rsa));
++    if (!ctbuf)
++        goto err;
++
++    len =
++        RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa,
++                           RSA_PKCS1_PADDING);
++    if (len <= 0)
++        goto err;
++    /* Check ciphertext doesn't match plaintext */
++    if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len))
++        goto err;
++    ptbuf = OPENSSL_malloc(RSA_size(rsa));
++
++    if (!ptbuf)
++        goto err;
++    len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
++    if (len != (sizeof(tbs) - 1))
++        goto err;
++    if (memcmp(ptbuf, tbs, len))
++        goto err;
++
++    ret = 1;
++
++    if (!ptbuf)
++        goto err;
++
++ err:
++    if (ret == 0) {
++        fips_set_selftest_fail();
++        FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED);
++    }
++
++    if (ctbuf)
++        OPENSSL_free(ctbuf);
++    if (ptbuf)
++        OPENSSL_free(ptbuf);
++    if (pk)
++        EVP_PKEY_free(pk);
++
++    return ret;
++}
++
++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++                                   BN_GENCB *cb);
++#endif
+ 
+ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
+                               BN_GENCB *cb);
+@@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa,
+  */
+ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
++        return 0;
++    }
++#endif
+     if (rsa->meth->rsa_keygen != NULL)
+         return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+ 
+@@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi
+ int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+                                  BIGNUM *e_value, BN_GENCB *cb)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD);
++        return 0;
++    }
++#endif
+     /* multi-prime is only supported with the builtin key generation */
+     if (rsa->meth->rsa_multi_prime_keygen != NULL) {
+         return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes,
+@@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs
+         else
+             return 0;
+     }
+-
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        if (primes != 2) {
++            RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS);
++            return 0;
++        }
++        return fips_rsa_builtin_keygen(rsa, bits, e_value, cb);
++    }
++#endif
+     return rsa_builtin_keygen(rsa, bits, primes, e_value, cb);
+ }
+ 
++#ifdef OPENSSL_FIPS
++static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
++                                   BN_GENCB *cb)
++{
++    BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
++    BN_CTX *ctx = NULL;
++    int ok = -1;
++    int i;
++    int n = 0;
++    int test = 0;
++    int pbits = bits / 2;
++    unsigned long error = 0;
++
++    if (FIPS_selftest_failed()) {
++        FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
++        return 0;
++    }
++
++    if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS
++        || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) {
++        FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT);
++        return 0;
++    }
++    if ((pbits & 0xFF) != 0) {
++        FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH);
++        return 0;
++    }
++
++    ctx = BN_CTX_new();
++    if (ctx == NULL)
++        goto err;
++    BN_CTX_start(ctx);
++    r0 = BN_CTX_get(ctx);
++    r1 = BN_CTX_get(ctx);
++    r2 = BN_CTX_get(ctx);
++    r3 = BN_CTX_get(ctx);
++
++    if (r3 == NULL)
++        goto err;
++
++    /* We need the RSA components non-NULL */
++    if (!rsa->n && ((rsa->n = BN_new()) == NULL))
++        goto err;
++    if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL))
++        goto err;
++    if (!rsa->e && ((rsa->e = BN_new()) == NULL))
++        goto err;
++    if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL))
++        goto err;
++    if (!rsa->q && ((rsa->q = BN_secure_new()) == NULL))
++        goto err;
++    if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL))
++        goto err;
++    if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL))
++        goto err;
++    if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL))
++        goto err;
++
++    if (!BN_set_word(r0, RSA_F4))
++        goto err;
++    if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) {
++        ok = 0;                 /* we set our own err */
++        RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE);
++        goto err;
++    }
++
++    /* prepare approximate minimum p and q */
++    if (!BN_set_word(r0, 0xB504F334))
++        goto err;
++    if (!BN_lshift(r0, r0, pbits - 32))
++        goto err;
++
++    /* prepare minimum p and q difference */
++    if (!BN_one(r3))
++        goto err;
++    if (!BN_lshift(r3, r3, pbits - 100))
++        goto err;
++
++    BN_copy(rsa->e, e_value);
++
++    if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q))
++        test = 1;
++
++    BN_set_flags(r0, BN_FLG_CONSTTIME);
++    BN_set_flags(r1, BN_FLG_CONSTTIME);
++    BN_set_flags(r2, BN_FLG_CONSTTIME);
++    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
++    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
++
++ retry:
++    /* generate p and q */
++    for (i = 0; i < 5 * pbits; i++) {
++ ploop:
++        if (!test)
++            if (!BN_rand(rsa->p, pbits, 0, 1))
++                goto err;
++        if (BN_cmp(rsa->p, r0) < 0) {
++            if (test)
++                goto err;
++            goto ploop;
++        }
++
++        if (!BN_sub(r2, rsa->p, BN_value_one()))
++            goto err;
++        ERR_set_mark();
++        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++            /* GCD == 1 since inverse exists */
++            int r;
++            r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
++                                        cb);
++            if (r == -1 || (test && r <= 0))
++                goto err;
++            if (r > 0)
++                break;
++        } else {
++            error = ERR_peek_last_error();
++            if (ERR_GET_LIB(error) == ERR_LIB_BN
++                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++                /* GCD != 1 */
++                ERR_pop_to_mark();
++            } else {
++                goto err;
++            }
++        }
++        if (!BN_GENCB_call(cb, 2, n++))
++            goto err;
++    }
++
++    if (!BN_GENCB_call(cb, 3, 0))
++        goto err;
++
++    if (i >= 5 * pbits)
++        /* prime not found */
++        goto err;
++
++    for (i = 0; i < 5 * pbits; i++) {
++ qloop:
++        if (!test)
++            if (!BN_rand(rsa->q, pbits, 0, 1))
++                goto err;
++        if (BN_cmp(rsa->q, r0) < 0) {
++            if (test)
++                goto err;
++            goto qloop;
++        }
++        if (!BN_sub(r2, rsa->q, rsa->p))
++            goto err;
++        if (BN_ucmp(r2, r3) <= 0) {
++            if (test)
++                goto err;
++            goto qloop;
++        }
++
++        if (!BN_sub(r2, rsa->q, BN_value_one()))
++            goto err;
++        ERR_set_mark();
++        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
++            /* GCD == 1 since inverse exists */
++            int r;
++            r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
++                                        cb);
++            if (r == -1 || (test && r <= 0))
++                goto err;
++            if (r > 0)
++                break;
++        } else {
++            error = ERR_peek_last_error();
++            if (ERR_GET_LIB(error) == ERR_LIB_BN
++                && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
++                /* GCD != 1 */
++                ERR_pop_to_mark();
++            } else {
++                goto err;
++            }
++        }
++        if (!BN_GENCB_call(cb, 2, n++))
++            goto err;
++    }
++
++    if (!BN_GENCB_call(cb, 3, 1))
++        goto err;
++
++    if (i >= 5 * pbits)
++        /* prime not found */
++        goto err;
++
++    if (test) {
++        /* do not try to calculate the remaining key values */
++        BN_clear(rsa->n);
++        ok = 1;
++        goto err;
++    }
++
++    if (BN_cmp(rsa->p, rsa->q) < 0) {
++        tmp = rsa->p;
++        rsa->p = rsa->q;
++        rsa->q = tmp;
++    }
++
++    /* calculate n */
++    if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx))
++        goto err;
++
++    /* calculate d */
++    if (!BN_sub(r1, rsa->p, BN_value_one()))
++        goto err;               /* p-1 */
++    if (!BN_sub(r2, rsa->q, BN_value_one()))
++        goto err;               /* q-1 */
++
++    /* note that computing gcd is not safe to timing attacks */
++    if (!BN_gcd(r0, r1, r2, ctx))
++        goto err;
++
++    {
++        if (!BN_div(r0, NULL, r1, r0, ctx))
++            goto err;
++
++        if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */
++            goto err;
++
++        if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */
++            goto err;
++    }
++
++    if (BN_num_bits(rsa->d) < pbits)
++        goto retry;             /* d is too small */
++
++    {
++        BIGNUM *d = BN_new();
++
++        if (d == NULL)
++            goto err;
++        BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
++
++        if (/* calculate d mod (p-1) */
++            !BN_mod(rsa->dmp1, d, r1, ctx)
++            /* calculate d mod (q-1) */
++            || !BN_mod(rsa->dmq1, d, r2, ctx)) {
++            BN_free(d);
++            goto err;
++        }
++        /* We MUST free d before any further use of rsa->d */
++        BN_free(d);
++    }
++
++    /* calculate inverse of q mod p */
++    if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx))
++        goto err;
++
++    if (!fips_check_rsa(rsa))
++        goto err;
++
++    ok = 1;
++ err:
++    if (ok == -1) {
++        RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN);
++        ok = 0;
++    }
++    if (ctx != NULL) {
++        BN_CTX_end(ctx);
++        BN_CTX_free(ctx);
++    }
++
++    return ok;
++}
++#endif
++
+ static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value,
+                               BN_GENCB *cb)
+ {
+diff -up openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips openssl-1.1.1j/crypto/rsa/rsa_lib.c
+--- openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_lib.c	2021-03-03 12:57:42.203734558 +0100
+@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M
+      * to deal with which ENGINE it comes from.
+      */
+     const RSA_METHOD *mtmp;
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++        RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++        return 0;
++    }
++#endif
+     mtmp = rsa->meth;
+     if (mtmp->finish)
+         mtmp->finish(rsa);
+@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine)
+ 
+     ret->meth = RSA_get_default_method();
+ #ifndef OPENSSL_NO_ENGINE
+-    ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
+     if (engine) {
+         if (!ENGINE_init(engine)) {
+             RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
+@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine)
+         }
+     }
+ #endif
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) {
++        RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++# ifndef OPENSSL_NO_ENGINE
++        if (ret->engine)
++            ENGINE_finish(ret->engine);
++# endif
++        OPENSSL_free(ret);
++        return NULL;
++    }
++#endif
+ 
+-    ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW;
++    ret->flags = ret->meth->flags;
+     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) {
+         goto err;
+     }
+diff -up openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1j/crypto/rsa/rsa_ossl.c
+--- openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c	2021-03-03 12:57:42.203734558 +0100
+@@ -12,6 +12,10 @@
+ #include "rsa_local.h"
+ #include "internal/constant_time.h"
+ 
++#ifdef OPENSSL_FIPS
++# include <openssl/fips.h>
++#endif
++
+ static int rsa_ossl_public_encrypt(int flen, const unsigned char *from,
+                                   unsigned char *to, RSA *rsa, int padding);
+ static int rsa_ossl_private_encrypt(int flen, const unsigned char *from,
+@@ -47,6 +51,12 @@ static const RSA_METHOD *default_RSA_met
+ 
+ void RSA_set_default_method(const RSA_METHOD *meth)
+ {
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) {
++        RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD);
++        return;
++    }
++#endif
+     default_RSA_meth = meth;
+ }
+ 
+@@ -73,6 +83,22 @@ static int rsa_ossl_public_encrypt(int f
+     unsigned char *buf = NULL;
+     BN_CTX *ctx = NULL;
+ 
++# ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        if (FIPS_selftest_failed()) {
++            FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT,
++                    FIPS_R_FIPS_SELFTEST_FAILED);
++            goto err;
++        }
++
++        if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++            && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++            RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++            return -1;
++        }
++    }
++# endif
++
+     if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+         RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+         return -1;
+@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int
+     BIGNUM *unblind = NULL;
+     BN_BLINDING *blinding = NULL;
+ 
++# ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        if (FIPS_selftest_failed()) {
++            FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT,
++                    FIPS_R_FIPS_SELFTEST_FAILED);
++            return -1;
++        }
++
++        if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++            && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++            RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++            return -1;
++        }
++    }
++# endif
++
+     if ((ctx = BN_CTX_new()) == NULL)
+         goto err;
+     BN_CTX_start(ctx);
+@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int
+     BIGNUM *unblind = NULL;
+     BN_BLINDING *blinding = NULL;
+ 
++# ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        if (FIPS_selftest_failed()) {
++            FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT,
++                    FIPS_R_FIPS_SELFTEST_FAILED);
++            return -1;
++        }
++
++        if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++            && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++            RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++            return -1;
++        }
++    }
++# endif
++
+     if ((ctx = BN_CTX_new()) == NULL)
+         goto err;
+     BN_CTX_start(ctx);
+@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f
+     unsigned char *buf = NULL;
+     BN_CTX *ctx = NULL;
+ 
++# ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        if (FIPS_selftest_failed()) {
++            FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT,
++                    FIPS_R_FIPS_SELFTEST_FAILED);
++            goto err;
++        }
++
++        if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)
++            && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) {
++            RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL);
++            return -1;
++        }
++    }
++# endif
++
+     if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) {
+         RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+         return -1;
+diff -up openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1j/crypto/rsa/rsa_pmeth.c
+--- openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c	2021-03-03 12:57:42.203734558 +0100
+@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
+ 
+ const EVP_PKEY_METHOD rsa_pkey_meth = {
+     EVP_PKEY_RSA,
+-    EVP_PKEY_FLAG_AUTOARGLEN,
++    EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_rsa_init,
+     pkey_rsa_copy,
+     pkey_rsa_cleanup,
+@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c
+ 
+ const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
+     EVP_PKEY_RSA_PSS,
+-    EVP_PKEY_FLAG_AUTOARGLEN,
++    EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_rsa_init,
+     pkey_rsa_copy,
+     pkey_rsa_cleanup,
+diff -up openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips openssl-1.1.1j/crypto/rsa/rsa_sign.c
+--- openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/rsa/rsa_sign.c	2021-03-03 12:57:42.203734558 +0100
+@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch
+     unsigned char *tmps = NULL;
+     const unsigned char *encoded = NULL;
+ 
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
++        && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
++        RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD);
++        return 0;
++    }
++#endif
+     if (rsa->meth->rsa_sign) {
+         return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
+     }
+@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch
+         RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+         goto err;
+     }
+-    encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa,
+-                                      RSA_PKCS1_PADDING);
++    /* NB: call underlying method directly to avoid FIPS blocking */
++    encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa,
++                                                                    RSA_PKCS1_PADDING) : 0;
+     if (encrypt_len <= 0)
+         goto err;
+ 
+diff -up openssl-1.1.1j/crypto/sha/sha256.c.fips openssl-1.1.1j/crypto/sha/sha256.c
+--- openssl-1.1.1j/crypto/sha/sha256.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/sha/sha256.c	2021-03-03 12:57:42.203734558 +0100
+@@ -18,6 +18,9 @@
+ 
+ int SHA224_Init(SHA256_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++# endif
+     memset(c, 0, sizeof(*c));
+     c->h[0] = 0xc1059ed8UL;
+     c->h[1] = 0x367cd507UL;
+@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c)
+ 
+ int SHA256_Init(SHA256_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++# endif
+     memset(c, 0, sizeof(*c));
+     c->h[0] = 0x6a09e667UL;
+     c->h[1] = 0xbb67ae85UL;
+diff -up openssl-1.1.1j/crypto/sha/sha512.c.fips openssl-1.1.1j/crypto/sha/sha512.c
+--- openssl-1.1.1j/crypto/sha/sha512.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/crypto/sha/sha512.c	2021-03-03 12:57:42.203734558 +0100
+@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c)
+ 
+ int SHA384_Init(SHA512_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++# endif
+     c->h[0] = U64(0xcbbb9d5dc1059ed8);
+     c->h[1] = U64(0x629a292a367cd507);
+     c->h[2] = U64(0x9159015a3070dd17);
+@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c)
+ 
+ int SHA512_Init(SHA512_CTX *c)
+ {
++# ifdef OPENSSL_FIPS
++    FIPS_selftest_check();
++# endif
+     c->h[0] = U64(0x6a09e667f3bcc908);
+     c->h[1] = U64(0xbb67ae8584caa73b);
+     c->h[2] = U64(0x3c6ef372fe94f82b);
+diff -up openssl-1.1.1j/crypto/sha/sha_local.h.fips openssl-1.1.1j/crypto/sha/sha_local.h
+--- openssl-1.1.1j/crypto/sha/sha_local.h.fips	2021-03-03 12:57:41.941732391 +0100
++++ openssl-1.1.1j/crypto/sha/sha_local.h	2021-03-03 12:57:42.203734558 +0100
+@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c
+ 
+ int HASH_INIT(SHA_CTX *c)
+ {
++#if defined(OPENSSL_FIPS)
++    FIPS_selftest_check();
++#endif
+     memset(c, 0, sizeof(*c));
+     c->h0 = INIT_DATA_h0;
+     c->h1 = INIT_DATA_h1;
+diff -up openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod
+--- openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod	2021-03-03 12:57:42.203734558 +0100
+@@ -30,8 +30,10 @@ B<bits> is the length of the prime p to
+ For lengths under 2048 bits, the length of q is 160 bits; for lengths
+ greater than or equal to 2048 bits, the length of q is set to 256 bits.
+ 
+-If B<seed> is NULL, the primes will be generated at random.
+-If B<seed_len> is less than the length of q, an error is returned.
++If B<seed> is NULL, or it does not generate primes, the primes will be
++generated at random.
++If B<seed_len> is less than the length of q, an error is returned
++if old DSA parameter generation method is used as a backend.
+ 
+ DSA_generate_parameters_ex() places the iteration count in
+ *B<counter_ret> and a counter used for finding a generator in
+diff -up openssl-1.1.1j/include/crypto/fips.h.fips openssl-1.1.1j/include/crypto/fips.h
+--- openssl-1.1.1j/include/crypto/fips.h.fips	2021-03-03 12:57:42.202734550 +0100
++++ openssl-1.1.1j/include/crypto/fips.h	2021-03-03 12:57:42.202734550 +0100
+@@ -0,0 +1,98 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/evp.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++int FIPS_module_mode_set(int onoff);
++int FIPS_module_mode(void);
++int FIPS_module_installed(void);
++int FIPS_selftest_sha1(void);
++int FIPS_selftest_sha2(void);
++int FIPS_selftest_sha3(void);
++int FIPS_selftest_aes_ccm(void);
++int FIPS_selftest_aes_gcm(void);
++int FIPS_selftest_aes_xts(void);
++int FIPS_selftest_aes(void);
++int FIPS_selftest_des(void);
++int FIPS_selftest_rsa(void);
++int FIPS_selftest_dsa(void);
++int FIPS_selftest_ecdsa(void);
++int FIPS_selftest_ecdh(void);
++int FIPS_selftest_dh(void);
++void FIPS_drbg_stick(int onoff);
++int FIPS_selftest_hmac(void);
++int FIPS_selftest_drbg(void);
++int FIPS_selftest_cmac(void);
++
++int fips_pkey_signature_test(EVP_PKEY *pkey,
++                                 const unsigned char *tbs, int tbslen,
++                                 const unsigned char *kat,
++                                 unsigned int katlen,
++                                 const EVP_MD *digest,
++                                 unsigned int md_flags, const char *fail_str);
++
++int fips_cipher_test(EVP_CIPHER_CTX *ctx,
++                         const EVP_CIPHER *cipher,
++                         const unsigned char *key,
++                         const unsigned char *iv,
++                         const unsigned char *plaintext,
++                         const unsigned char *ciphertext, int len);
++
++void fips_set_selftest_fail(void);
++
++void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
++
++#endif
+diff -up openssl-1.1.1j/include/openssl/crypto.h.fips openssl-1.1.1j/include/openssl/crypto.h
+--- openssl-1.1.1j/include/openssl/crypto.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/crypto.h	2021-03-03 12:57:42.204734567 +0100
+@@ -331,6 +331,11 @@ int OPENSSL_isservice(void);
+ int FIPS_mode(void);
+ int FIPS_mode_set(int r);
+ 
++# ifdef OPENSSL_FIPS
++/* die if FIPS selftest failed */
++void FIPS_selftest_check(void);
++# endif
++
+ void OPENSSL_init(void);
+ # ifdef OPENSSL_SYS_UNIX
+ void OPENSSL_fork_prepare(void);
+diff -up openssl-1.1.1j/include/openssl/dherr.h.fips openssl-1.1.1j/include/openssl/dherr.h
+--- openssl-1.1.1j/include/openssl/dherr.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/dherr.h	2021-03-03 12:57:42.204734567 +0100
+@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void);
+ #  define DH_F_DH_CMS_DECRYPT                              114
+ #  define DH_F_DH_CMS_SET_PEERKEY                          115
+ #  define DH_F_DH_CMS_SET_SHARED_INFO                      116
++#  define DH_F_DH_COMPUTE_KEY                              203
++#  define DH_F_DH_GENERATE_KEY                             202
++#  define DH_F_DH_GENERATE_PARAMETERS_EX                   201
+ #  define DH_F_DH_METH_DUP                                 117
+ #  define DH_F_DH_METH_NEW                                 118
+ #  define DH_F_DH_METH_SET1_NAME                           119
+@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void);
+ #  define DH_R_INVALID_PARAMETER_NID                       114
+ #  define DH_R_INVALID_PUBKEY                              102
+ #  define DH_R_KDF_PARAMETER_ERROR                         112
++#  define DH_R_KEY_SIZE_TOO_SMALL                          201
+ #  define DH_R_KEYS_NOT_SET                                108
+ #  define DH_R_MISSING_PUBKEY                              125
+ #  define DH_R_MODULUS_TOO_LARGE                           103
+ #  define DH_R_NOT_SUITABLE_GENERATOR                      120
+ #  define DH_R_NO_PARAMETERS_SET                           107
+ #  define DH_R_NO_PRIVATE_VALUE                            100
++#  define DH_R_NON_FIPS_METHOD                             202
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
+ #  define DH_R_SHARED_INFO_ERROR                           113
+diff -up openssl-1.1.1j/include/openssl/dh.h.fips openssl-1.1.1j/include/openssl/dh.h
+--- openssl-1.1.1j/include/openssl/dh.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/dh.h	2021-03-03 12:57:42.204734567 +0100
+@@ -31,6 +31,7 @@ extern "C" {
+ # endif
+ 
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+ 
+ # define DH_FLAG_CACHE_MONT_P     0x01
+ 
+diff -up openssl-1.1.1j/include/openssl/dsaerr.h.fips openssl-1.1.1j/include/openssl/dsaerr.h
+--- openssl-1.1.1j/include/openssl/dsaerr.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/dsaerr.h	2021-03-03 12:57:42.204734567 +0100
+@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void);
+  */
+ #  define DSA_F_DSAPARAMS_PRINT                            100
+ #  define DSA_F_DSAPARAMS_PRINT_FP                         101
++#  define DSA_F_DSA_BUILTIN_KEYGEN                         202
+ #  define DSA_F_DSA_BUILTIN_PARAMGEN                       125
+ #  define DSA_F_DSA_BUILTIN_PARAMGEN2                      126
++#  define DSA_F_DSA_GENERATE_KEY                           201
++#  define DSA_F_DSA_GENERATE_PARAMETERS_EX                 200
+ #  define DSA_F_DSA_DO_SIGN                                112
+ #  define DSA_F_DSA_DO_VERIFY                              113
+ #  define DSA_F_DSA_METH_DUP                               127
+@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void);
+ #  define DSA_R_DECODE_ERROR                               104
+ #  define DSA_R_INVALID_DIGEST_TYPE                        106
+ #  define DSA_R_INVALID_PARAMETERS                         112
++#  define DSA_R_KEY_SIZE_INVALID                           201
++#  define DSA_R_KEY_SIZE_TOO_SMALL                         202
+ #  define DSA_R_MISSING_PARAMETERS                         101
+ #  define DSA_R_MISSING_PRIVATE_KEY                        111
+ #  define DSA_R_MODULUS_TOO_LARGE                          103
+ #  define DSA_R_NO_PARAMETERS_SET                          107
++#  define DSA_R_NON_FIPS_DSA_METHOD                        200
+ #  define DSA_R_PARAMETER_ENCODING_ERROR                   105
+ #  define DSA_R_Q_NOT_PRIME                                113
+ #  define DSA_R_SEED_LEN_SMALL                             110
+diff -up openssl-1.1.1j/include/openssl/dsa.h.fips openssl-1.1.1j/include/openssl/dsa.h
+--- openssl-1.1.1j/include/openssl/dsa.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/dsa.h	2021-03-03 12:57:42.204734567 +0100
+@@ -31,6 +31,7 @@ extern "C" {
+ # endif
+ 
+ # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
++# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
+ 
+ # define DSA_FLAG_CACHE_MONT_P   0x01
+ # if OPENSSL_API_COMPAT < 0x10100000L
+diff -up openssl-1.1.1j/include/openssl/evperr.h.fips openssl-1.1.1j/include/openssl/evperr.h
+--- openssl-1.1.1j/include/openssl/evperr.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/evperr.h	2021-03-03 12:57:42.204734567 +0100
+@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void);
+  * EVP function codes.
+  */
+ # define EVP_F_AESNI_INIT_KEY                             165
+-# define EVP_F_AESNI_XTS_INIT_KEY                         207
++# define EVP_F_AESNI_XTS_INIT_KEY                         233
+ # define EVP_F_AES_GCM_CTRL                               196
+ # define EVP_F_AES_INIT_KEY                               133
+ # define EVP_F_AES_OCB_CIPHER                             169
+ # define EVP_F_AES_T4_INIT_KEY                            178
+-# define EVP_F_AES_T4_XTS_INIT_KEY                        208
++# define EVP_F_AES_T4_XTS_INIT_KEY                        234
+ # define EVP_F_AES_WRAP_CIPHER                            170
+-# define EVP_F_AES_XTS_INIT_KEY                           209
++# define EVP_F_AES_XTS_CIPHER                             229
++# define EVP_F_AES_XTS_INIT_KEY                           235
+ # define EVP_F_ALG_MODULE_INIT                            177
+ # define EVP_F_ARIA_CCM_INIT_KEY                          175
+ # define EVP_F_ARIA_GCM_CTRL                              197
+@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED             133
+ # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
+ # define EVP_R_DECODE_ERROR                               114
++# define EVP_R_DISABLED_FOR_FIPS                          200
+ # define EVP_R_DIFFERENT_KEY_TYPES                        101
+ # define EVP_R_DIFFERENT_PARAMETERS                       153
+ # define EVP_R_ERROR_LOADING_SECTION                      165
+@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR                   145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR                   146
+ # define EVP_R_PUBLIC_KEY_NOT_RSA                         106
++# define EVP_R_TOO_LARGE                                  201
+ # define EVP_R_UNKNOWN_CIPHER                             160
+ # define EVP_R_UNKNOWN_DIGEST                             161
+ # define EVP_R_UNKNOWN_OPTION                             169
+@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_UNSUPPORTED_SALT_TYPE                      126
+ # define EVP_R_WRAP_MODE_NOT_ALLOWED                      170
+ # define EVP_R_WRONG_FINAL_BLOCK_LENGTH                   109
+-# define EVP_R_XTS_DUPLICATED_KEYS                        183
++# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE                 191
++# define EVP_R_XTS_DUPLICATED_KEYS                        192
+ 
+ #endif
+diff -up openssl-1.1.1j/include/openssl/evp.h.fips openssl-1.1.1j/include/openssl/evp.h
+--- openssl-1.1.1j/include/openssl/evp.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/evp.h	2021-03-03 12:57:42.204734567 +0100
+@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
+  */
+ # define EVP_PKEY_FLAG_SIGCTX_CUSTOM     4
+ 
++/* Downstream modification, large value to avoid conflict */
++# define EVP_PKEY_FLAG_FIPS              0x4000
++
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
+ EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
+ void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
+diff -up openssl-1.1.1j/include/openssl/fips.h.fips openssl-1.1.1j/include/openssl/fips.h
+--- openssl-1.1.1j/include/openssl/fips.h.fips	2021-03-03 12:57:42.204734567 +0100
++++ openssl-1.1.1j/include/openssl/fips.h	2021-03-03 12:57:42.204734567 +0100
+@@ -0,0 +1,187 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include <openssl/opensslconf.h>
++#include <openssl/dsa.h>
++#include <openssl/evp.h>
++#include <openssl/bn.h>
++
++#ifndef OPENSSL_FIPS
++# error FIPS is disabled.
++#endif
++
++#ifdef OPENSSL_FIPS
++
++# ifdef  __cplusplus
++extern "C" {
++# endif
++
++    int FIPS_selftest(void);
++    int FIPS_selftest_failed(void);
++    int FIPS_selftest_drbg_all(void);
++
++    int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
++                               const EVP_MD *evpmd, const unsigned char *seed_in,
++                               size_t seed_len, int idx, unsigned char *seed_out,
++                               int *counter_ret, unsigned long *h_ret,
++                               BN_GENCB *cb);
++    int FIPS_dsa_paramgen_check_g(DSA *dsa);
++
++/* BEGIN ERROR CODES */
++/* The following lines are auto generated by the script mkerr.pl. Any changes
++ * made after this point may be overwritten when the script is next run.
++ */
++    int ERR_load_FIPS_strings(void);
++
++/* Error codes for the FIPS functions. */
++
++/* Function codes. */
++# define FIPS_F_DH_BUILTIN_GENPARAMS                      100
++# define FIPS_F_DRBG_RESEED                               121
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2                     107
++# define FIPS_F_DSA_DO_SIGN                               102
++# define FIPS_F_DSA_DO_VERIFY                             103
++# define FIPS_F_EVP_CIPHER_CTX_NEW                        137
++# define FIPS_F_EVP_CIPHER_CTX_RESET                      122
++# define FIPS_F_ECDH_COMPUTE_KEY                          123
++# define FIPS_F_EVP_CIPHERINIT_EX                         124
++# define FIPS_F_EVP_DIGESTINIT_EX                         125
++# define FIPS_F_FIPS_CHECK_DSA                            104
++# define FIPS_F_FIPS_CHECK_EC                             142
++# define FIPS_F_FIPS_CHECK_RSA                            106
++# define FIPS_F_FIPS_DRBG_BYTES                           131
++# define FIPS_F_FIPS_DRBG_CHECK                           146
++# define FIPS_F_FIPS_DRBG_CPRNG_TEST                      132
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK                     136
++# define FIPS_F_FIPS_DRBG_GENERATE                        134
++# define FIPS_F_FIPS_DRBG_INIT                            135
++# define FIPS_F_FIPS_DRBG_INSTANTIATE                     138
++# define FIPS_F_FIPS_DRBG_NEW                             139
++# define FIPS_F_FIPS_DRBG_RESEED                          140
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT                      141
++# define FIPS_F_FIPS_GET_ENTROPY                          147
++# define FIPS_F_FIPS_MODULE_MODE_SET                      108
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST                  109
++# define FIPS_F_FIPS_RAND_BYTES                           114
++# define FIPS_F_FIPS_RAND_SEED                            128
++# define FIPS_F_FIPS_RAND_SET_METHOD                      126
++# define FIPS_F_FIPS_RAND_STATUS                          127
++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN                   101
++# define FIPS_F_FIPS_SELFTEST                             150
++# define FIPS_F_FIPS_SELFTEST_AES                         110
++# define FIPS_F_FIPS_SELFTEST_AES_CCM                     145
++# define FIPS_F_FIPS_SELFTEST_AES_GCM                     129
++# define FIPS_F_FIPS_SELFTEST_AES_XTS                     144
++# define FIPS_F_FIPS_SELFTEST_CMAC                        130
++# define FIPS_F_FIPS_SELFTEST_DES                         111
++# define FIPS_F_FIPS_SELFTEST_DSA                         112
++# define FIPS_F_FIPS_SELFTEST_ECDSA                       133
++# define FIPS_F_FIPS_SELFTEST_HMAC                        113
++# define FIPS_F_FIPS_SELFTEST_SHA1                        115
++# define FIPS_F_FIPS_SELFTEST_SHA2                        105
++# define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
++# define FIPS_F_OSSL_ECDSA_VERIFY_SIG                     148
++# define FIPS_F_RSA_BUILTIN_KEYGEN                        116
++# define FIPS_F_RSA_OSSL_INIT                             149
++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT                  117
++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT                  118
++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT                   119
++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT                   120
++
++/* Reason codes. */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED         150
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG                 125
++# define FIPS_R_ALREADY_INSTANTIATED                      134
++# define FIPS_R_DRBG_NOT_INITIALISED                      152
++# define FIPS_R_DRBG_STUCK                                103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED                  104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED          105
++# define FIPS_R_ENTROPY_SOURCE_STUCK                      142
++# define FIPS_R_ERROR_INITIALISING_DRBG                   115
++# define FIPS_R_ERROR_INSTANTIATING_DRBG                  127
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT         124
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY                  122
++# define FIPS_R_ERROR_RETRIEVING_NONCE                    140
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH                110
++# define FIPS_R_FIPS_MODE_ALREADY_SET                     102
++# define FIPS_R_FIPS_SELFTEST_FAILED                      106
++# define FIPS_R_FUNCTION_ERROR                            116
++# define FIPS_R_GENERATE_ERROR                            137
++# define FIPS_R_GENERATE_ERROR_UNDETECTED                 118
++# define FIPS_R_INSTANTIATE_ERROR                         119
++# define FIPS_R_INTERNAL_ERROR                            121
++# define FIPS_R_INVALID_KEY_LENGTH                        109
++# define FIPS_R_IN_ERROR_STATE                            123
++# define FIPS_R_KEY_TOO_SHORT                             108
++# define FIPS_R_NONCE_ERROR_UNDETECTED                    149
++# define FIPS_R_NON_FIPS_METHOD                           100
++# define FIPS_R_NOPR_TEST1_FAILURE                        145
++# define FIPS_R_NOPR_TEST2_FAILURE                        146
++# define FIPS_R_NOT_INSTANTIATED                          126
++# define FIPS_R_PAIRWISE_TEST_FAILED                      107
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED          128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG           129
++# define FIPS_R_PR_TEST1_FAILURE                          147
++# define FIPS_R_PR_TEST2_FAILURE                          148
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED           130
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG                131
++# define FIPS_R_RESEED_COUNTER_ERROR                      132
++# define FIPS_R_RESEED_ERROR                              133
++# define FIPS_R_SELFTEST_FAILED                           101
++# define FIPS_R_SELFTEST_FAILURE                          135
++# define FIPS_R_TEST_FAILURE                              117
++# define FIPS_R_UNINSTANTIATE_ERROR                       141
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR               138
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE                     139
++# define FIPS_R_UNSUPPORTED_PLATFORM                      113
++
++# ifdef  __cplusplus
++}
++# endif
++#endif
+diff -up openssl-1.1.1j/include/openssl/fips_rand.h.fips openssl-1.1.1j/include/openssl/fips_rand.h
+--- openssl-1.1.1j/include/openssl/fips_rand.h.fips	2021-03-03 12:57:42.204734567 +0100
++++ openssl-1.1.1j/include/openssl/fips_rand.h	2021-03-03 12:57:42.204734567 +0100
+@@ -0,0 +1,145 @@
++/* ====================================================================
++ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer. 
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    openssl-core@openssl.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#ifndef HEADER_FIPS_RAND_H
++# define HEADER_FIPS_RAND_H
++
++# include <openssl/aes.h>
++# include <openssl/evp.h>
++# include <openssl/hmac.h>
++# include <openssl/rand.h>
++
++# ifdef OPENSSL_FIPS
++
++#  ifdef  __cplusplus
++extern "C" {
++#  endif
++    typedef struct drbg_ctx_st DRBG_CTX;
++/* DRBG external flags */
++/* Flag for CTR mode only: use derivation function ctr_df */
++#  define DRBG_FLAG_CTR_USE_DF            0x1
++/* PRNG is in test state */
++#  define DRBG_FLAG_TEST                  0x2
++
++    DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
++    int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
++    int FIPS_drbg_instantiate(DRBG_CTX *dctx,
++                              const unsigned char *pers, size_t perslen);
++    int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
++                         size_t adinlen);
++    int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++                           int prediction_resistance,
++                           const unsigned char *adin, size_t adinlen);
++
++    int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
++    void FIPS_drbg_free(DRBG_CTX *dctx);
++
++    int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
++                                size_t (*get_entropy) (DRBG_CTX *ctx,
++                                                       unsigned char **pout,
++                                                       int entropy,
++                                                       size_t min_len,
++                                                       size_t max_len),
++                                void (*cleanup_entropy) (DRBG_CTX *ctx,
++                                                         unsigned char *out,
++                                                         size_t olen),
++                                size_t entropy_blocklen,
++                                size_t (*get_nonce) (DRBG_CTX *ctx,
++                                                     unsigned char **pout,
++                                                     int entropy,
++                                                     size_t min_len,
++                                                     size_t max_len),
++                                void (*cleanup_nonce) (DRBG_CTX *ctx,
++                                                       unsigned char *out,
++                                                       size_t olen));
++
++    int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
++                                     size_t (*get_adin) (DRBG_CTX *ctx,
++                                                         unsigned char
++                                                         **pout),
++                                     void (*cleanup_adin) (DRBG_CTX *ctx,
++                                                           unsigned char *out,
++                                                           size_t olen),
++                                     int (*rand_seed_cb) (DRBG_CTX *ctx,
++                                                          const void *buf,
++                                                          int num),
++                                     int (*rand_add_cb) (DRBG_CTX *ctx,
++                                                         const void *buf,
++                                                         int num,
++                                                         double entropy));
++
++    void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
++    void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
++    size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
++    int FIPS_drbg_get_strength(DRBG_CTX *dctx);
++    void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
++    void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
++
++    int FIPS_drbg_health_check(DRBG_CTX *dctx);
++
++    DRBG_CTX *FIPS_get_default_drbg(void);
++    const RAND_METHOD *FIPS_drbg_method(void);
++
++    int FIPS_rand_set_method(const RAND_METHOD *meth);
++    const RAND_METHOD *FIPS_rand_get_method(void);
++
++    void FIPS_rand_set_bits(int nbits);
++
++    int FIPS_rand_strength(void);
++
++/* 1.0.0 compat functions */
++    int FIPS_rand_seed(const void *buf, int num);
++    int FIPS_rand_bytes(unsigned char *out, int outlen);
++    void FIPS_rand_reset(void);
++    int FIPS_rand_status(void);
++#  ifdef  __cplusplus
++}
++#  endif
++# endif
++#endif
+diff -up openssl-1.1.1j/include/openssl/opensslconf.h.in.fips openssl-1.1.1j/include/openssl/opensslconf.h.in
+--- openssl-1.1.1j/include/openssl/opensslconf.h.in.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/opensslconf.h.in	2021-03-03 12:57:42.205734575 +0100
+@@ -155,6 +155,11 @@ extern "C" {
+ 
+ #define RC4_INT {- $config{rc4_int} -}
+ 
++/* Always build FIPS module */
++#ifndef OPENSSL_FIPS
++# define OPENSSL_FIPS
++#endif
++
+ #ifdef  __cplusplus
+ }
+ #endif
+diff -up openssl-1.1.1j/include/openssl/randerr.h.fips openssl-1.1.1j/include/openssl/randerr.h
+--- openssl-1.1.1j/include/openssl/randerr.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/randerr.h	2021-03-03 12:57:42.205734575 +0100
+@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void);
+ # define RAND_F_RAND_DRBG_SET                             104
+ # define RAND_F_RAND_DRBG_SET_DEFAULTS                    121
+ # define RAND_F_RAND_DRBG_UNINSTANTIATE                   118
++# define RAND_F_RAND_INIT_FIPS                            200
+ # define RAND_F_RAND_LOAD_FILE                            111
+ # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY                 122
+ # define RAND_F_RAND_POOL_ADD                             103
+diff -up openssl-1.1.1j/include/openssl/rand.h.fips openssl-1.1.1j/include/openssl/rand.h
+--- openssl-1.1.1j/include/openssl/rand.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/rand.h	2021-03-03 12:57:42.205734575 +0100
+@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
+ DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
+ # endif
+ 
++# ifdef OPENSSL_FIPS
++/* just stubs for API compatibility */
++void RAND_set_fips_drbg_type(int type, int flags);
++int RAND_init_fips(void);
++# endif
+ 
+ #ifdef  __cplusplus
+ }
+diff -up openssl-1.1.1j/include/openssl/rsaerr.h.fips openssl-1.1.1j/include/openssl/rsaerr.h
+--- openssl-1.1.1j/include/openssl/rsaerr.h.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/include/openssl/rsaerr.h	2021-03-03 12:57:42.205734575 +0100
+@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void);
+  */
+ # define RSA_F_CHECK_PADDING_MD                           140
+ # define RSA_F_ENCODE_PKCS1                               146
++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN                    206
+ # define RSA_F_INT_RSA_VERIFY                             145
+ # define RSA_F_OLD_RSA_PRIV_DECODE                        147
+ # define RSA_F_PKEY_PSS_INIT                              165
+@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_CHECK_KEY_EX                           160
+ # define RSA_F_RSA_CMS_DECRYPT                            159
+ # define RSA_F_RSA_CMS_VERIFY                             158
++# define RSA_F_RSA_GENERATE_KEY_EX                        204
++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY               207
+ # define RSA_F_RSA_ITEM_VERIFY                            148
+ # define RSA_F_RSA_METH_DUP                               161
+ # define RSA_F_RSA_METH_NEW                               162
+@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PRINT_FP                               116
+ # define RSA_F_RSA_PRIV_DECODE                            150
+ # define RSA_F_RSA_PRIV_ENCODE                            138
++# define RSA_F_RSA_PRIVATE_DECRYPT                        200
++# define RSA_F_RSA_PRIVATE_ENCRYPT                        201
+ # define RSA_F_RSA_PSS_GET_PARAM                          151
+ # define RSA_F_RSA_PSS_TO_CTX                             155
+ # define RSA_F_RSA_PUB_DECODE                             139
++# define RSA_F_RSA_PUBLIC_DECRYPT                         202
++# define RSA_F_RSA_PUBLIC_ENCRYPT                         203
+ # define RSA_F_RSA_SETUP_BLINDING                         136
++# define RSA_F_RSA_SET_DEFAULT_METHOD                     205
++# define RSA_F_RSA_SET_METHOD                             204
+ # define RSA_F_RSA_SIGN                                   117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING                 118
+ # define RSA_F_RSA_VERIFY                                 119
+@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D             169
+ # define RSA_R_MP_R_NOT_PRIME                             170
+ # define RSA_R_NO_PUBLIC_EXPONENT                         140
++# define RSA_R_NON_FIPS_RSA_METHOD                        200
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING                  113
+ # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES         172
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q                       127
+ # define RSA_R_OAEP_DECODING_ERROR                        121
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE         201
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   148
+ # define RSA_R_PADDING_CHECK_FAILED                       114
+ # define RSA_R_PKCS_DECODING_ERROR                        159
+@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_UNSUPPORTED_LABEL_SOURCE                   163
+ # define RSA_R_UNSUPPORTED_MASK_ALGORITHM                 153
+ # define RSA_R_UNSUPPORTED_MASK_PARAMETER                 154
++# define RSA_R_UNSUPPORTED_PARAMETERS                     202
+ # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE                 155
+ # define RSA_R_VALUE_MISSING                              147
+ # define RSA_R_WRONG_SIGNATURE_LENGTH                     119
+diff -up openssl-1.1.1j/ssl/s3_lib.c.fips openssl-1.1.1j/ssl/s3_lib.c
+--- openssl-1.1.1j/ssl/s3_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/ssl/s3_lib.c	2021-03-03 12:57:42.205734575 +0100
+@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+         SSL_AEAD,
+         TLS1_3_VERSION, TLS1_3_VERSION,
+         0, 0,
+-        SSL_HIGH,
++        SSL_HIGH | SSL_FIPS,
+         SSL_HANDSHAKE_MAC_SHA256,
+         128,
+         128,
+@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+         SSL_AEAD,
+         TLS1_3_VERSION, TLS1_3_VERSION,
+         0, 0,
+-        SSL_HIGH,
++        SSL_HIGH | SSL_FIPS,
+         SSL_HANDSHAKE_MAC_SHA384,
+         256,
+         256,
+@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
+         SSL_AEAD,
+         TLS1_3_VERSION, TLS1_3_VERSION,
+         0, 0,
+-        SSL_NOT_DEFAULT | SSL_HIGH,
++        SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+         SSL_HANDSHAKE_MAC_SHA256,
+         128,
+         128,
+@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      128,
+      128,
+@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      128,
+      128,
+@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      128,
+      128,
+@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      128,
+      128,
+@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
+      SSL_AEAD,
+      TLS1_2_VERSION, TLS1_2_VERSION,
+      DTLS1_2_VERSION, DTLS1_2_VERSION,
+-     SSL_NOT_DEFAULT | SSL_HIGH,
++     SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
+      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
+      256,
+      256,
+diff -up openssl-1.1.1j/ssl/ssl_ciph.c.fips openssl-1.1.1j/ssl/ssl_ciph.c
+--- openssl-1.1.1j/ssl/ssl_ciph.c.fips	2021-03-03 12:57:42.193734476 +0100
++++ openssl-1.1.1j/ssl/ssl_ciph.c	2021-03-03 12:57:42.206734583 +0100
+@@ -387,7 +387,7 @@ int ssl_load_ciphers(void)
+         }
+     }
+     /* Make sure we can access MD5 and SHA1 */
+-    if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
++    if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+         return 0;
+     if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
+         return 0;
+@@ -559,6 +559,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
+             s->ssl_version < TLS1_VERSION)
+             return 1;
+ 
++        if (FIPS_mode())
++            return 1;
++
+         if (c->algorithm_enc == SSL_RC4 &&
+             c->algorithm_mac == SSL_MD5 &&
+             (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
+@@ -667,6 +670,8 @@ static void ssl_cipher_collect_ciphers(c
+         /* drop those that use any of that is not available */
+         if (c == NULL || !c->valid)
+             continue;
++        if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
++            continue;
+         if ((c->algorithm_mkey & disabled_mkey) ||
+             (c->algorithm_auth & disabled_auth) ||
+             (c->algorithm_enc & disabled_enc) ||
+@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * to the resulting precedence to the STACK_OF(SSL_CIPHER).
+      */
+     for (curr = head; curr != NULL; curr = curr->next) {
+-        if (curr->active) {
++        if (curr->active
++            && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) {
+             if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) {
+                 OPENSSL_free(co_list);
+                 sk_SSL_CIPHER_free(cipherstack);
+diff -up openssl-1.1.1j/ssl/ssl_init.c.fips openssl-1.1.1j/ssl/ssl_init.c
+--- openssl-1.1.1j/ssl/ssl_init.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/ssl/ssl_init.c	2021-03-03 12:57:42.206734583 +0100
+@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
+     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
+             "Adding SSL ciphers and digests\n");
+ #endif
++#ifdef OPENSSL_FIPS
++    if (!FIPS_mode()) {
++#endif
++
+ #ifndef OPENSSL_NO_DES
+     EVP_add_cipher(EVP_des_cbc());
+     EVP_add_cipher(EVP_des_ede3_cbc());
+@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas
+     EVP_add_digest(EVP_sha256());
+     EVP_add_digest(EVP_sha384());
+     EVP_add_digest(EVP_sha512());
++#ifdef OPENSSL_FIPS
++    } else {
++# ifndef OPENSSL_NO_DES
++        EVP_add_cipher(EVP_des_ede3_cbc());
++# endif
++        EVP_add_cipher(EVP_aes_128_cbc());
++        EVP_add_cipher(EVP_aes_192_cbc());
++        EVP_add_cipher(EVP_aes_256_cbc());
++        EVP_add_cipher(EVP_aes_128_gcm());
++        EVP_add_cipher(EVP_aes_256_gcm());
++        EVP_add_cipher(EVP_aes_128_ccm());
++        EVP_add_cipher(EVP_aes_256_ccm());
++# ifndef OPENSSL_NO_MD5
++        /* needed even in the FIPS mode for TLS-1.0 */
++        EVP_add_digest(EVP_md5_sha1());
++# endif
++        EVP_add_digest(EVP_sha1()); /* RSA with sha1 */
++        EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++        EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++        EVP_add_digest(EVP_sha224());
++        EVP_add_digest(EVP_sha256());
++        EVP_add_digest(EVP_sha384());
++        EVP_add_digest(EVP_sha512());
++    }
++#endif
+ #ifndef OPENSSL_NO_COMP
+ # ifdef OPENSSL_INIT_DEBUG
+     fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: "
+diff -up openssl-1.1.1j/ssl/ssl_lib.c.fips openssl-1.1.1j/ssl/ssl_lib.c
+--- openssl-1.1.1j/ssl/ssl_lib.c.fips	2021-03-03 12:57:42.193734476 +0100
++++ openssl-1.1.1j/ssl/ssl_lib.c	2021-03-03 12:57:42.206734583 +0100
+@@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+     if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL))
+         return NULL;
+ 
++    if (FIPS_mode() && (meth->version < TLS1_VERSION)) {
++        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE);
++        return NULL;
++    }
++
+     if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) {
+         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS);
+         goto err;
+@@ -3029,13 +3034,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+     if (ret->param == NULL)
+         goto err;
+ 
+-    if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+-        goto err2;
+-    }
+-    if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+-        SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+-        goto err2;
++    if (!FIPS_mode()) {
++        if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
++            SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
++            goto err2;
++        }
++        if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
++            SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
++            goto err2;
++        }
++    } else {
++        ret->min_proto_version = TLS1_VERSION;
+     }
+ 
+     if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
+diff -up openssl-1.1.1j/ssl/ssl_local.h.fips openssl-1.1.1j/ssl/ssl_local.h
+--- openssl-1.1.1j/ssl/ssl_local.h.fips	2021-03-03 12:57:42.100733706 +0100
++++ openssl-1.1.1j/ssl/ssl_local.h	2021-03-03 12:57:42.206734583 +0100
+@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st {
+ # define TLS_CURVE_PRIME         0x0
+ # define TLS_CURVE_CHAR2         0x1
+ # define TLS_CURVE_CUSTOM        0x2
++# define TLS_CURVE_FIPS          0x80
+ 
+ typedef struct cert_pkey_st CERT_PKEY;
+ 
+diff -up openssl-1.1.1j/ssl/t1_lib.c.fips openssl-1.1.1j/ssl/t1_lib.c
+--- openssl-1.1.1j/ssl/t1_lib.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/ssl/t1_lib.c	2021-03-03 12:57:42.207734591 +0100
+@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] =
+     {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */
+     {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */
+     {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */
+-    {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */
++    {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */
+     {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */
+-    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */
+-    {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */
+-    {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */
++    {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */
++    {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */
++    {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */
+     {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */
+     {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */
+     {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */
+@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c
+     if (cinfo->flags & TLS_CURVE_CHAR2)
+         return 0;
+ # endif
++    if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS))
++        return 0;
+     ctmp[0] = curve >> 8;
+     ctmp[1] = curve & 0xff;
+     return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp);
+diff -up openssl-1.1.1j/test/dsatest.c.fips openssl-1.1.1j/test/dsatest.c
+--- openssl-1.1.1j/test/dsatest.c.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/dsatest.c	2021-03-03 12:57:42.207734591 +0100
+@@ -24,41 +24,42 @@
+ #ifndef OPENSSL_NO_DSA
+ static int dsa_cb(int p, int n, BN_GENCB *arg);
+ 
+-/*
+- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS
+- * PUB 186 and also appear in Appendix 5 to FIPS PIB 186-1
+- */
+ static unsigned char seed[20] = {
+-    0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40,
+-    0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3,
++    0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62,
++    0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3,
+ };
+ 
+ static unsigned char out_p[] = {
+-    0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa,
+-    0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb,
+-    0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7,
+-    0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5,
+-    0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf,
+-    0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac,
+-    0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2,
+-    0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91,
++    0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E,
++    0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99,
++    0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD,
++    0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB,
++    0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18,
++    0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B,
++    0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E,
++    0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD,
++    0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93,
++    0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D,
++    0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F,
+ };
+ 
+ static unsigned char out_q[] = {
+-    0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee,
+-    0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e,
+-    0xda, 0xce, 0x91, 0x5f,
++    0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B,
++    0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87,
+ };
+ 
+ static unsigned char out_g[] = {
+-    0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13,
+-    0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00,
+-    0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb,
+-    0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e,
+-    0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf,
+-    0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c,
+-    0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c,
+-    0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02,
++    0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C,
++    0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE,
++    0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36,
++    0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13,
++    0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C,
++    0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D,
++    0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9,
++    0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F,
++    0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E,
++    0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41,
++    0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29,
+ };
+ 
+ static const unsigned char str1[] = "12345678901234567890";
+@@ -79,11 +80,11 @@ static int dsa_test(void)
+ 
+     BN_GENCB_set(cb, dsa_cb, NULL);
+     if (!TEST_ptr(dsa = DSA_new())
+-        || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20,
++        || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20,
+                                                 &counter, &h, cb)))
+         goto end;
+ 
+-    if (!TEST_int_eq(counter, 105))
++    if (!TEST_int_eq(counter, 239))
+         goto end;
+     if (!TEST_int_eq(h, 2))
+         goto end;
+diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt
+--- openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt	2021-03-03 12:57:42.207734591 +0100
+@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000
+ IV = 00000000000000000000000000000000
+ Plaintext = 0000000000000000000000000000000000000000000000000000000000000000
+ Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e
++Result = KEY_SET_ERROR
+ 
+ Cipher = aes-128-xts
+ Key = 1111111111111111111111111111111122222222222222222222222222222222
+diff -up openssl-1.1.1j/util/libcrypto.num.fips openssl-1.1.1j/util/libcrypto.num
+--- openssl-1.1.1j/util/libcrypto.num.fips	2021-02-16 16:24:01.000000000 +0100
++++ openssl-1.1.1j/util/libcrypto.num	2021-03-03 12:57:42.208734600 +0100
+@@ -4591,3 +4591,38 @@ X509_ALGOR_copy
+ X509_REQ_set0_signature                 4545	1_1_1h	EXIST::FUNCTION:
+ X509_REQ_set1_signature_algo            4546	1_1_1h	EXIST::FUNCTION:
+ EC_KEY_decoded_from_explicit_params     4547	1_1_1h	EXIST::FUNCTION:EC
++FIPS_drbg_reseed                        6348	1_1_0g	EXIST::FUNCTION:
++FIPS_selftest_check                     6349	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_set_method                    6350	1_1_0g	EXIST::FUNCTION:
++FIPS_get_default_drbg                   6351	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_set_reseed_interval           6352	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_set_app_data                  6353	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_method                        6354	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_status                        6355	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_instantiate                   6356	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_set_callbacks                 6357	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_new                           6358	1_1_0g	EXIST::FUNCTION:
++FIPS_dsa_paramgen_check_g               6359	1_1_0g	EXIST::FUNCTION:
++FIPS_selftest                           6360	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_set_bits                      6361	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_bytes                         6362	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_get_app_data                  6363	1_1_0g	EXIST::FUNCTION:
++FIPS_selftest_failed                    6364	1_1_0g	EXIST::FUNCTION:
++FIPS_dsa_builtin_paramgen2              6365	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_reset                         6366	1_1_0g	EXIST::FUNCTION:
++ERR_load_FIPS_strings                   6367	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_generate                      6368	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_uninstantiate                 6369	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_set_check_interval            6370	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_free                          6371	1_1_0g	EXIST::FUNCTION:
++FIPS_selftest_drbg_all                  6372	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_get_method                    6373	1_1_0g	EXIST::FUNCTION:
++RAND_set_fips_drbg_type                 6374	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_health_check                  6375	1_1_0g	EXIST::FUNCTION:
++RAND_init_fips                          6376	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_set_rand_callbacks            6377	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_seed                          6378	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_get_strength                  6379	1_1_0g	EXIST::FUNCTION:
++FIPS_rand_strength                      6380	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_get_blocklength               6381	1_1_0g	EXIST::FUNCTION:
++FIPS_drbg_init                          6382	1_1_0g	EXIST::FUNCTION:
diff --git a/openssl-1.1.1-ssh-kdf.patch b/openssl-1.1.1-ssh-kdf.patch
new file mode 100644
index 0000000..1bf71c4
--- /dev/null
+++ b/openssl-1.1.1-ssh-kdf.patch
@@ -0,0 +1,5612 @@
+commit 1e662a43f0420cfdc40d01cd70c27fa1c220a57e
+Author: Simo Sorce <simo@redhat.com>
+Date:   Wed Sep 19 16:23:45 2018 -0400
+
+    Implement SSH KDF
+    
+    SSH's KDF is defined in RFC 4253 in Section 7.2
+    
+    Signed-off-by: Simo Sorce <simo@redhat.com>
+    
+    Reviewed-by: Paul Dale <paul.dale@oracle.com>
+    Reviewed-by: Matt Caswell <matt@openssl.org>
+    (Merged from https://github.com/openssl/openssl/pull/7290)
+
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index ae67dac7f6..e7ed2f8d63 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -828,6 +828,10 @@ KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32
+ KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64
+ KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive
+ KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new
++KDF_F_KDF_SSHKDF_CTRL:130:kdf_sshkdf_ctrl
++KDF_F_KDF_SSHKDF_CTRL_STR:131:kdf_sshkdf_ctrl_str
++KDF_F_KDF_SSHKDF_DERIVE:132:kdf_sshkdf_derive
++KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new
+ KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str
+ KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive
+ KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new
+@@ -2320,6 +2324,9 @@ KDF_R_MISSING_PASS:110:missing pass
+ KDF_R_MISSING_SALT:111:missing salt
+ KDF_R_MISSING_SECRET:107:missing secret
+ KDF_R_MISSING_SEED:106:missing seed
++KDF_R_MISSING_SESSION_ID:113:missing session id
++KDF_R_MISSING_TYPE:114:missing type
++KDF_R_MISSING_XCGHASH:115:missing xcghash
+ KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type
+ KDF_R_VALUE_ERROR:108:value error
+ KDF_R_VALUE_MISSING:102:value missing
+diff --git a/crypto/evp/kdf_lib.c b/crypto/evp/kdf_lib.c
+index 05f5cec3a9..811fe727f6 100644
+--- a/crypto/evp/kdf_lib.c
++++ b/crypto/evp/kdf_lib.c
+@@ -29,7 +29,8 @@ static const EVP_KDF_METHOD *standard_methods[] = {
+     &scrypt_kdf_meth,
+ #endif
+     &tls1_prf_kdf_meth,
+-    &hkdf_kdf_meth
++    &hkdf_kdf_meth,
++    &sshkdf_kdf_meth,
+ };
+ 
+ DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *,
+diff --git a/include/crypto/evp.h b/include/crypto/evp.h
+index a109e561b3..8c313c65ac 100644
+--- a/include/crypto/evp.h
++++ b/include/crypto/evp.h
+@@ -129,6 +129,7 @@ extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
+ extern const EVP_KDF_METHOD scrypt_kdf_meth;
+ extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
+ extern const EVP_KDF_METHOD hkdf_kdf_meth;
++extern const EVP_KDF_METHOD sshkdf_kdf_meth;
+ 
+ struct evp_md_st {
+     int type;
+diff --git a/crypto/kdf/build.info b/crypto/kdf/build.info
+index dce960e9e1..f483c779dd 100644
+--- a/crypto/kdf/build.info
++++ b/crypto/kdf/build.info
+@@ -1,3 +1,3 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+-        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c
++        tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c
+diff --git a/crypto/kdf/kdf_err.c b/crypto/kdf/kdf_err.c
+index b2a0c0ebfc..b4678775dd 100644
+--- a/crypto/kdf/kdf_err.c
++++ b/crypto/kdf/kdf_err.c
+@@ -31,6 +31,11 @@ static const ERR_STRING_DATA KDF_str_functs[] = {
+      "kdf_scrypt_ctrl_uint64"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_CTRL, 0), "kdf_sshkdf_ctrl"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_CTRL_STR, 0),
++     "kdf_sshkdf_ctrl_str"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_DERIVE, 0), "kdf_sshkdf_derive"},
++    {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SSHKDF_NEW, 0), "kdf_sshkdf_new"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0),
+      "kdf_tls1_prf_ctrl_str"},
+     {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0),
+@@ -70,6 +75,9 @@ static const ERR_STRING_DATA KDF_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SALT), "missing salt"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SECRET), "missing secret"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SEED), "missing seed"},
++    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_SESSION_ID), "missing session id"},
++    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_TYPE), "missing type"},
++    {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_XCGHASH), "missing xcghash"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE),
+     "unknown parameter type"},
+     {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"},
+diff --git a/crypto/kdf/sshkdf.c b/crypto/kdf/sshkdf.c
+new file mode 100644
+index 0000000000..24f37cbed4
+--- /dev/null
++++ b/crypto/kdf/sshkdf.c
+@@ -0,0 +1,288 @@
++/*
++ * Copyright 2018-2018 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdlib.h>
++#include <stdarg.h>
++#include <string.h>
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++#include "internal/cryptlib.h"
++#include "crypto/evp.h"
++#include "kdf_local.h"
++
++/* See RFC 4253, Section 7.2 */
++
++static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl);
++static int SSHKDF(const EVP_MD *evp_md,
++                  const unsigned char *key, size_t key_len,
++                  const unsigned char *xcghash, size_t xcghash_len,
++                  const unsigned char *session_id, size_t session_id_len,
++                  char type, unsigned char *okey, size_t okey_len);
++
++struct evp_kdf_impl_st {
++    const EVP_MD *md;
++    unsigned char *key; /* K */
++    size_t key_len;
++    unsigned char *xcghash; /* H */
++    size_t xcghash_len;
++    char type; /* X */
++    unsigned char *session_id;
++    size_t session_id_len;
++};
++
++static EVP_KDF_IMPL *kdf_sshkdf_new(void)
++{
++    EVP_KDF_IMPL *impl;
++
++    if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL)
++        KDFerr(KDF_F_KDF_SSHKDF_NEW, ERR_R_MALLOC_FAILURE);
++    return impl;
++}
++
++static void kdf_sshkdf_free(EVP_KDF_IMPL *impl)
++{
++    kdf_sshkdf_reset(impl);
++    OPENSSL_free(impl);
++}
++
++static void kdf_sshkdf_reset(EVP_KDF_IMPL *impl)
++{
++    OPENSSL_clear_free(impl->key, impl->key_len);
++    OPENSSL_clear_free(impl->xcghash, impl->xcghash_len);
++    OPENSSL_clear_free(impl->session_id, impl->session_id_len);
++    memset(impl, 0, sizeof(*impl));
++}
++
++static int kdf_sshkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len,
++                                       va_list args)
++{
++    const unsigned char *p;
++    size_t len;
++
++    p = va_arg(args, const unsigned char *);
++    len = va_arg(args, size_t);
++    OPENSSL_clear_free(*dst, *dst_len);
++    *dst = OPENSSL_memdup(p, len);
++    if (*dst == NULL)
++        return 0;
++
++    *dst_len = len;
++    return 1;
++}
++
++static int kdf_sshkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args)
++{
++    int t;
++
++    switch (cmd) {
++    case EVP_KDF_CTRL_SET_MD:
++        impl->md = va_arg(args, const EVP_MD *);
++        if (impl->md == NULL)
++            return 0;
++
++        return 1;
++
++    case EVP_KDF_CTRL_SET_KEY:
++        return kdf_sshkdf_parse_buffer_arg(&impl->key,
++                                           &impl->key_len, args);
++
++    case EVP_KDF_CTRL_SET_SSHKDF_XCGHASH:
++        return kdf_sshkdf_parse_buffer_arg(&impl->xcghash,
++                                           &impl->xcghash_len, args);
++
++    case EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID:
++        return kdf_sshkdf_parse_buffer_arg(&impl->session_id,
++                                           &impl->session_id_len, args);
++
++    case EVP_KDF_CTRL_SET_SSHKDF_TYPE:
++        t = va_arg(args, int);
++        if (t < 65 || t > 70) {
++            KDFerr(KDF_F_KDF_SSHKDF_CTRL, KDF_R_VALUE_ERROR);
++            return 0;
++        }
++
++        impl->type = (char)t;
++        return 1;
++
++    default:
++        return -2;
++
++    }
++}
++
++static int kdf_sshkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
++                               const char *value)
++{
++    if (value == NULL) {
++        KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING);
++        return 0;
++    }
++
++    if (strcmp(type, "md") == 0)
++        return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
++
++    if (strcmp(type, "key") == 0)
++        return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_KEY, value);
++
++    if (strcmp(type, "hexkey") == 0)
++        return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_KEY, value);
++
++    if (strcmp(type, "xcghash") == 0)
++        return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value);
++
++    if (strcmp(type, "hexxcghash") == 0)
++        return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, value);
++
++    if (strcmp(type, "session_id") == 0)
++        return kdf_str2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value);
++
++    if (strcmp(type, "hexsession_id") == 0)
++        return kdf_hex2ctrl(impl, kdf_sshkdf_ctrl,
++                            EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, value);
++
++    if (strcmp(type, "type") == 0) {
++        if (strlen(value) != 1) {
++            KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_ERROR);
++            return 0;
++        }
++
++        return call_ctrl(kdf_sshkdf_ctrl, impl, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
++                         (int)value[0]);
++    }
++
++    KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE);
++    return -2;
++}
++
++static size_t kdf_sshkdf_size(EVP_KDF_IMPL *impl)
++{
++    return SIZE_MAX;
++}
++
++static int kdf_sshkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
++                             size_t keylen)
++{
++    if (impl->md == NULL) {
++        KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST);
++        return 0;
++    }
++    if (impl->key == NULL) {
++        KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_KEY);
++        return 0;
++    }
++    if (impl->xcghash == NULL) {
++        KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_XCGHASH);
++        return 0;
++    }
++    if (impl->session_id == NULL) {
++        KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_SESSION_ID);
++        return 0;
++    }
++    if (impl->type == 0) {
++        KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE);
++        return 0;
++    }
++    return SSHKDF(impl->md, impl->key, impl->key_len,
++                  impl->xcghash, impl->xcghash_len,
++                  impl->session_id, impl->session_id_len,
++                  impl->type, key, keylen);
++}
++
++const EVP_KDF_METHOD sshkdf_kdf_meth = {
++    EVP_KDF_SSHKDF,
++    kdf_sshkdf_new,
++    kdf_sshkdf_free,
++    kdf_sshkdf_reset,
++    kdf_sshkdf_ctrl,
++    kdf_sshkdf_ctrl_str,
++    kdf_sshkdf_size,
++    kdf_sshkdf_derive,
++};
++
++static int SSHKDF(const EVP_MD *evp_md,
++                  const unsigned char *key, size_t key_len,
++                  const unsigned char *xcghash, size_t xcghash_len,
++                  const unsigned char *session_id, size_t session_id_len,
++                  char type, unsigned char *okey, size_t okey_len)
++{
++    EVP_MD_CTX *md = NULL;
++    unsigned char digest[EVP_MAX_MD_SIZE];
++    unsigned int dsize = 0;
++    size_t cursize = 0;
++    int ret = 0;
++
++    md = EVP_MD_CTX_new();
++    if (md == NULL)
++        return 0;
++
++    if (!EVP_DigestInit_ex(md, evp_md, NULL))
++        goto out;
++
++    if (!EVP_DigestUpdate(md, key, key_len))
++        goto out;
++
++    if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
++        goto out;
++
++    if (!EVP_DigestUpdate(md, &type, 1))
++        goto out;
++
++    if (!EVP_DigestUpdate(md, session_id, session_id_len))
++        goto out;
++
++    if (!EVP_DigestFinal_ex(md, digest, &dsize))
++        goto out;
++
++    if (okey_len < dsize) {
++        memcpy(okey, digest, okey_len);
++        ret = 1;
++        goto out;
++    }
++
++    memcpy(okey, digest, dsize);
++
++    for (cursize = dsize; cursize < okey_len; cursize += dsize) {
++
++        if (!EVP_DigestInit_ex(md, evp_md, NULL))
++            goto out;
++
++        if (!EVP_DigestUpdate(md, key, key_len))
++            goto out;
++
++        if (!EVP_DigestUpdate(md, xcghash, xcghash_len))
++            goto out;
++
++        if (!EVP_DigestUpdate(md, okey, cursize))
++            goto out;
++
++        if (!EVP_DigestFinal_ex(md, digest, &dsize))
++            goto out;
++
++        if (okey_len < cursize + dsize) {
++            memcpy(okey + cursize, digest, okey_len - cursize);
++            ret = 1;
++            goto out;
++        }
++
++        memcpy(okey + cursize, digest, dsize);
++    }
++
++    ret = 1;
++
++out:
++    EVP_MD_CTX_free(md);
++    OPENSSL_cleanse(digest, EVP_MAX_MD_SIZE);
++    return ret;
++}
++
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 9ab1a14b9e..81646fda52 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
+     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
+ };
+ 
+-#define NUM_NID 1195
++#define NUM_NID 1196
+ static const ASN1_OBJECT nid_objs[NUM_NID] = {
+     {"UNDEF", "undefined", NID_undef},
+     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
+@@ -2275,9 +2275,10 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = {
+     {"magma-mac", "magma-mac", NID_magma_mac},
+     {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
+     {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
++    {"SSHKDF", "sshkdf", NID_sshkdf},
+ };
+ 
+-#define NUM_SN 1186
++#define NUM_SN 1187
+ static const unsigned int sn_objs[NUM_SN] = {
+      364,    /* "AD_DVCS" */
+      419,    /* "AES-128-CBC" */
+@@ -2555,6 +2556,7 @@ static const unsigned int sn_objs[NUM_SN] = {
+      167,    /* "SMIME-CAPS" */
+      100,    /* "SN" */
+     1006,    /* "SNILS" */
++    1195,    /* "SSHKDF" */
+       16,    /* "ST" */
+      143,    /* "SXNetID" */
+     1062,    /* "SipHash" */
+@@ -3467,7 +3469,7 @@ static const unsigned int sn_objs[NUM_SN] = {
+     1093,    /* "x509ExtAdmission" */
+ };
+ 
+-#define NUM_LN 1186
++#define NUM_LN 1187
+ static const unsigned int ln_objs[NUM_LN] = {
+      363,    /* "AD Time Stamping" */
+      405,    /* "ANSI X9.62" */
+@@ -4609,6 +4611,7 @@ static const unsigned int ln_objs[NUM_LN] = {
+     1139,    /* "sm4-ctr" */
+     1133,    /* "sm4-ecb" */
+     1135,    /* "sm4-ofb" */
++    1195,    /* "sshkdf" */
+       16,    /* "stateOrProvinceName" */
+      660,    /* "streetAddress" */
+      498,    /* "subtreeMaximumQuality" */
+diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num
+index 1b6a9c61a1..231c18384a 100644
+--- a/crypto/objects/obj_mac.num
++++ b/crypto/objects/obj_mac.num
+@@ -1192,3 +1192,4 @@ magma_cfb		1191
+ magma_mac		1192
+ hmacWithSHA512_224		1193
+ hmacWithSHA512_256		1194
++sshkdf		1195
+diff --git a/crypto/objects/objects.txt b/crypto/objects/objects.txt
+index 6dbc41ce37..5ded88e525 100644
+--- a/crypto/objects/objects.txt
++++ b/crypto/objects/objects.txt
+@@ -1600,6 +1600,9 @@ secg-scheme 14 3 : dhSinglePass-cofactorDH-sha512kdf-scheme
+ # NID for HKDF
+                             : HKDF              : hkdf
+ 
++# NID for SSHKDF
++                            : SSHKDF            : sshkdf
++
+ # RFC 4556
+ 1 3 6 1 5 2 3 : id-pkinit
+ id-pkinit 4                     : pkInitClientAuth      : PKINIT Client Auth
+diff --git a/doc/man7/EVP_KDF_SSHKDF.pod b/doc/man7/EVP_KDF_SSHKDF.pod
+new file mode 100644
+index 0000000000..9c9734e7c3
+--- /dev/null
++++ b/doc/man7/EVP_KDF_SSHKDF.pod
+@@ -0,0 +1,175 @@
++=pod
++
++=head1 NAME
++
++EVP_KDF_SSHKDF - The SSHKDF EVP_KDF implementation
++
++=head1 DESCRIPTION
++
++Support for computing the B<SSHKDF> KDF through the B<EVP_KDF> API.
++
++The EVP_KDF_SSHKDF algorithm implements the SSHKDF key derivation function.
++It is defined in RFC 4253, section 7.2 and is used by SSH to derive IVs,
++encryption keys and integrity keys.
++Five inputs are required to perform key derivation: The hashing function
++(for example SHA256), the Initial Key, the Exchange Hash, the Session ID,
++and the derivation key type.
++
++=head2 Numeric identity
++
++B<EVP_KDF_SSHKDF> is the numeric identity for this implementation; it
++can be used with the EVP_KDF_CTX_new_id() function.
++
++=head2 Supported controls
++
++The supported controls are:
++
++=over 4
++
++=item B<EVP_KDF_CTRL_SET_MD>
++
++=item B<EVP_KDF_CTRL_SET_KEY>
++
++These controls work as described in L<EVP_KDF_CTX(3)/CONTROLS>.
++
++=item B<EVP_KDF_CTRL_SET_SSHKDF_XCGHASH>
++
++=item B<EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID>
++
++These controls expect two arguments: C<unsigned char *buffer>, C<size_t length>
++
++They set the respective values to the first B<length> bytes of the buffer
++B<buffer>. If a value is already set, the contents are replaced.
++
++EVP_KDF_ctrl_str() takes two type strings for these controls:
++
++=over 4
++
++=item "xcghash"
++
++=item "session_id"
++
++The value string is used as is.
++
++=item "hexxcghash"
++
++=item "hexsession_id"
++
++The value string is expected to be a hexadecimal number, which will be
++decoded before being passed on as the control value.
++
++=back
++
++=item B<EVP_KDF_CTRL_SET_SSHKDF_TYPE>
++
++This control expects one argument: C<int mode>
++
++Sets the type for the SSHHKDF operation. There are six supported types:
++
++=over 4
++
++=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV
++
++The Initial IV from client to server.
++A single char of value 65 (ASCII char 'A').
++
++=item EVP_KDF_SSHKDF_TYPE_ININITAL_IV_SRV_TO_CLI
++
++The Initial IV from server to client
++A single char of value 66 (ASCII char 'B').
++
++=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV
++
++The Encryption Key from client to server
++A single char of value 67 (ASCII char 'C').
++
++=item EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI
++
++The Encryption Key from server to client
++A single char of value 68 (ASCII char 'D').
++
++=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV
++
++The Integrity Key from client to server
++A single char of value 69 (ASCII char 'E').
++
++=item EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI
++
++The Integrity Key from client to server
++A single char of value 70 (ASCII char 'F').
++
++=back
++
++EVP_KDF_ctrl_str() type string: "type"
++
++The value is a string of length one character. The only valid values
++are the numerical values of the ASCII caracters: "A" (65) to "F" (70).
++
++=back
++
++=head1 NOTES
++
++A context for SSHKDF can be obtained by calling:
++
++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
++
++The output length of the SSHKDF derivation is specified via the C<keylen>
++parameter to the L<EVP_KDF_derive(3)> function.
++Since the SSHKDF output length is variable, calling L<EVP_KDF_size()>
++to obtain the requisite length is not meaningful. The caller must
++allocate a buffer of the desired length, and pass that buffer to the
++L<EVP_KDF_derive(3)> function along with the desired length.
++
++=head1 EXAMPLE
++
++This example derives an 8 byte IV using SHA-256 with a 1K "key" and appropriate
++"xcghash" and "session_id" values:
++
++ EVP_KDF_CTX *kctx;
++ unsigned char key[1024] = "01234...";
++ unsigned char xcghash[32] = "012345...";
++ unsigned char session_id[32] = "012345...";
++ unsigned char out[8];
++ size_t outlen = sizeof(out);
++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF);
++
++ if (EVP_KDF_CTX_set_md(kctx, EVP_sha256()) <= 0)
++     /* Error */
++ if (EVP_KDF_CTX_set1_key(kctx, key, 1024) <= 0)
++     /* Error */
++ if (EVP_KDF_CTX_set1_sshkdf_xcghash(kctx, xcghash, 32) <= 0)
++     /* Error */
++ if (EVP_KDF_CTX_set1_sshkdf_session_id(kctx, session_id, 32) <= 0)
++     /* Error */
++ if (EVP_KDF_CTX_set_sshkdf_type(kctx,
++                    EVP_KDF_SSHKDF_TYPE_ININITAL_IV_CLI_TO_SRV) <= 0)
++     /* Error */
++ if (EVP_KDF_derive(kctx, out, &outlen) <= 0)
++     /* Error */
++
++
++=head1 CONFORMING TO
++
++RFC 4253
++
++=head1 SEE ALSO
++
++L<EVP_KDF_CTX>,
++L<EVP_KDF_CTX_new_id(3)>,
++L<EVP_KDF_CTX_free(3)>,
++L<EVP_KDF_ctrl(3)>,
++L<EVP_KDF_size(3)>,
++L<EVP_KDF_derive(3)>,
++L<EVP_KDF_CTX(3)/CONTROLS>
++
++=head1 COPYRIGHT
++
++Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the OpenSSL license (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
++
+diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h
+index 16caed5273..362ab14cff 100644
+--- a/include/openssl/kdf.h
++++ b/include/openssl/kdf.h
+@@ -20,6 +20,7 @@ extern "C" {
+ # define EVP_KDF_SCRYPT     NID_id_scrypt
+ # define EVP_KDF_TLS1_PRF   NID_tls1_prf
+ # define EVP_KDF_HKDF       NID_hkdf
++# define EVP_KDF_SSHKDF     NID_sshkdf
+ 
+ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
+ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
+@@ -47,11 +48,20 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
+ # define EVP_KDF_CTRL_SET_SCRYPT_N      0x0d /* uint64_t */
+ # define EVP_KDF_CTRL_SET_SCRYPT_R      0x0e /* uint32_t */
+ # define EVP_KDF_CTRL_SET_SCRYPT_P      0x0f /* uint32_t */
++# define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH    0x10 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */
++# define EVP_KDF_CTRL_SET_SSHKDF_TYPE       0x12 /* int */
+ 
+ # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND  0
+ # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY        1
+ # define EVP_KDF_HKDF_MODE_EXPAND_ONLY         2
+ 
++#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65
++#define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66
++#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67
++#define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_SRV_TO_CLI 68
++#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69
++#define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70
+ 
+ /**** The legacy PKEY-based KDF API follows. ****/
+ 
+diff --git a/include/openssl/kdferr.h b/include/openssl/kdferr.h
+index 0191f2b21d..ff13ccb649 100644
+--- a/include/openssl/kdferr.h
++++ b/include/openssl/kdferr.h
+@@ -32,6 +32,10 @@ int ERR_load_KDF_strings(void);
+ # define KDF_F_KDF_SCRYPT_CTRL_UINT64                     122
+ # define KDF_F_KDF_SCRYPT_DERIVE                          123
+ # define KDF_F_KDF_SCRYPT_NEW                             124
++# define KDF_F_KDF_SSHKDF_CTRL                            130
++# define KDF_F_KDF_SSHKDF_CTRL_STR                        131
++# define KDF_F_KDF_SSHKDF_DERIVE                          132
++# define KDF_F_KDF_SSHKDF_NEW                             133
+ # define KDF_F_KDF_TLS1_PRF_CTRL_STR                      125
+ # define KDF_F_KDF_TLS1_PRF_DERIVE                        126
+ # define KDF_F_KDF_TLS1_PRF_NEW                           127
+@@ -62,6 +66,9 @@ int ERR_load_KDF_strings(void);
+ # define KDF_R_MISSING_SALT                               111
+ # define KDF_R_MISSING_SECRET                             107
+ # define KDF_R_MISSING_SEED                               106
++# define KDF_R_MISSING_SESSION_ID                         113
++# define KDF_R_MISSING_TYPE                               114
++# define KDF_R_MISSING_XCGHASH                            115
+ # define KDF_R_UNKNOWN_PARAMETER_TYPE                     103
+ # define KDF_R_VALUE_ERROR                                108
+ # define KDF_R_VALUE_MISSING                              102
+diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
+index 31fad4640f..baf2bd8db4 100644
+--- a/include/openssl/obj_mac.h
++++ b/include/openssl/obj_mac.h
+@@ -4970,6 +4970,10 @@
+ #define LN_hkdf         "hkdf"
+ #define NID_hkdf                1036
+ 
++#define SN_sshkdf               "SSHKDF"
++#define LN_sshkdf               "sshkdf"
++#define NID_sshkdf              1203
++
+ #define SN_id_pkinit            "id-pkinit"
+ #define NID_id_pkinit           1031
+ #define OBJ_id_pkinit           1L,3L,6L,1L,5L,2L,3L
+diff --git a/test/recipes/30-test_evp_data/evpkdf.txt b/test/recipes/30-test_evp_data/evpkdf.txt
+index 285c4311a6..7f2dcd2291 100644
+--- a/test/recipes/30-test_evp_data/evpkdf.txt
++++ b/test/recipes/30-test_evp_data/evpkdf.txt
+@@ -433,3 +433,4856 @@ Ctrl.iter = iter:1
+ Ctrl.digest = digest:sha512
+ Output = 00ef42cdbfc98d29db20976608e455567fdddf14
+ 
++Title = SSHKDF tests (from NIST CAVS 14.1 test vectors)
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:A
++Output = e2f627c0b43f1ac1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:B
++Output = 58471445f342b181
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:C
++Output = 1ca9d310f86d51f6cb8e7007cb2b220d55c5281ce680b533
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:D
++Output = 2c60df8603d34cc1dbb03c11f725a44b44008851c73d6844
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:E
++Output = 472eb8a26166ae6aa8e06868e45c3b26e6eeed06
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:F
++Output = e3e2fdb9d7bc21165a3dbe47e1eceb7764390bab
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:A
++Output = 55a1015757de84cb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:B
++Output = 7e57f61d5735f4fb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:C
++Output = dd1c24bde1af845e82207541e3e173aec822fb904a94ae3c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:D
++Output = cbbfdc9442af6db7f8c4dcaa4b0b5d0163e0e204476aa2a0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:E
++Output = e153e04886c0dc446dde9a9b3b13efb77151764d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100ec6f2c5f0517fd92f730567bd783138302917c277552b1b3fdf2b67d6edb6fa81bd17f7ebbe339b54b171341e6522b91611f8274cc88652a458f8041261040818a268497e949e12f57271318b2b3194c29760cbb767c0fc8833b272994e18682da807e6c9f235d88ef89c203c6f756d25cc2bea199b02c955b8b40cbc04f9208
++Ctrl.hexxcghash = hexxcghash:ee40eef61bea3da8c2b1cec40fc4cdac892a2626
++Ctrl.hexsession_id = hexsession_id:ca9aad244e24797fd348d1250387c8aa45a0110a
++Ctrl.type = type:F
++Output = c8e4f61bd6b5abb2c6e06eca7b302349435e4842
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:A
++Output = 054eaf5d7dea31e7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:B
++Output = 6ce586c127da010f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:C
++Output = 7907bf3d7c58ce72714b2adb1a14f156194b14378a4a7c49
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:D
++Output = c34757dc104e7b811f6550bbc3888e1d4297578fd88b2ca5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:E
++Output = e463e05ef70e61f994ee3cd20d504cb6eddb9b1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100a3beebff410a7cdc0ac56dad0152a7f6da6b1d4195285ce96f8b59930d8c3ccbc518bc043eb60362388ea87c20db3b490b490ba9b90f086004ba3e389cb3a715d477c2b1e480e3419c36cd83e237e241462ee79758f4ff5bf7a5e1eae58a6834778a658c60b2e157d36b16371f97660ad4abfd4a2703dba7cab055be4c778b62
++Ctrl.hexxcghash = hexxcghash:b81915a9656128d2add5e5741914d765226f93e2
++Ctrl.hexsession_id = hexsession_id:2872e0c92fc3074d4f40e408a2ebd83e2fc7bccd
++Ctrl.type = type:F
++Output = 676cf1dfc887e122353eead2b1e644f9d9def944
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:A
++Output = bc4b5164911bc87b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:B
++Output = d791c5986b27257e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:C
++Output = de8e99bb3f60ccf0583712528aa3dd0418fdb90d0a588012
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:D
++Output = f37f75a685f1eaf4fd270b946d84734e96aa3b4ed130afc6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:E
++Output = 658f04b0f59aab071b9e11ec9ff187ee10e80254
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008017357de60344a125ca41d9ea51eb304a571d7f0aa37a5e36d4b7a5473546f7226583cefe7c06f6f94b97da0da2517190fa02a0337a3bc9ddfeeb68b953613d4d5e473783f137a82246b8260fb3451363adda1813acdf6b10861e022e23a00db9b5a893fcefd6b647f6a73904aa9c3b53e5d879d7e84f052dfabe15a27c1f3aa9
++Ctrl.hexxcghash = hexxcghash:28fcf3bc600f6bb0b9594b01283d085e149b2586
++Ctrl.hexsession_id = hexsession_id:4d6b90988de45dfd08e8167504a6253a8552c200
++Ctrl.type = type:F
++Output = b030809222ff7a12b0df35072d67f314ab1d5eda
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:A
++Output = 7a74ec799ef16865
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:B
++Output = 6e544fc6db0ca1ba
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:C
++Output = 658226b1b10b2033fa88838b619572b18e81e80c76507918
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:D
++Output = 327298c8660685efcb01c5c0df49faebb15c0e93b0f6c65d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:E
++Output = 6b618a10aeaa12c9a8d2bcb10e975605582c00e5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000000803c3ce2b19e0cadf8ad02438c695efcd3018c833657318bfaef7b9c278cd7e8d7b3a2249f9d586832c3dee727ada167056ff1febc9210186ba47cc1dfaaf08101fb89742ebf4f3e291a20c94a7a6f7877799151d177e163ce3e57ef863c0cda0311265fbac157879150a715e309392b3e521dcf03224717ff5e0030e480f20dff
++Ctrl.hexxcghash = hexxcghash:46a674c532460a80cdc5c6da9a8c3bdf4f3ff614
++Ctrl.hexsession_id = hexsession_id:aedeb64df7119db53202e959dc84be3e5285512d
++Ctrl.type = type:F
++Output = 6d4ce50da9de90d6f746e812a2e74bcd921f5612
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:A
++Output = b655839abcb1a7b8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:B
++Output = 98f9ec980831a8bc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:C
++Output = 31a63b64cfa8b6a12ba165096dad8d127cd3f3b67698b670
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:D
++Output = 8bd79633967b92f0039a38a2d421e12840ea5c31b43c4e90
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:E
++Output = 37eccade73b422d1108e390eaa28c646b554a721
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008075957f464f5a7985e1a3ffb7d5814ff9ceb8fb1584a3f5cc454c37139e9b880940442cce2aef94d9d0462c4dc313ed7a8cc3f9a58c38a98ef0236e3cc78fb63b6f82e9c503097b7a08ef2261dda68c7bfe9f83ac790d1f9ff57605d24f4bdfedde23cc5aabba248bc91d3fe1d4394485bc4421730a297694c09bdf024ac2eac3
++Ctrl.hexxcghash = hexxcghash:0a70b4f26b1985d48ece540f1de6304fdb38212f
++Ctrl.hexsession_id = hexsession_id:2f0ce0e2da2e2bf11eae2ab98e9734412d47a19a
++Ctrl.type = type:F
++Output = 013a20fc8f53ef08aae0a836b9410153a877983a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:A
++Output = 12f6c3ac60d6ee3b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:B
++Output = 536d106e00aec6fd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:C
++Output = 26b8ec66854d0f0aa98f6888be628ebc75900c3738d47894
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:D
++Output = d5d3b3817214eeb3bf292dffc77daeab062ac7fcd2e3a2bd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:E
++Output = 014613aef22194307bc0678f6edd1ccff240adfa
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100c050aa3d848750af69d1c04d6cb0a1ef8a4f25be4b16c927ff7313e83680b1b7a92b6100fa773cea9958fc7efb1a475fc71eda8be8efc92ad198a34d6ae017f12b76f39c82b741994b0d42ada1807fa7803876d21d93b129d75dc9aba4811ef51925e49e4bf4f5313e8fee0625d8727da8bcb15eb15da2d237082fc5499621ef
++Ctrl.hexxcghash = hexxcghash:5ea2568ee7ddcdb3260dfdf54e15e4d494ca9023
++Ctrl.hexsession_id = hexsession_id:bc8988ac5f9058ee76536472b1706c5c338bd114
++Ctrl.type = type:F
++Output = 5057b4cc2c300f7546d358a75daf58233b71da1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:A
++Output = d160f91f36027ff9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:B
++Output = 0d02ec310663bbcc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:C
++Output = 03b66f451ad93a01914dd3372d980bea3de94993e176ea01
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:D
++Output = c2db767cbbdf2f839eb2f37ada87a041d220b9f58842d0db
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:E
++Output = 0b2944c26dcf4cc877cdc55c4e9b1b8155e3874b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100f00388418be28ae3235c5b640d000df44f6e65782cad783726a507e2c645a056307f1ab7b4cd24d38640118105d7415c2ecea77e33e7b8a9dc9d205e3fdfb718769754213c0782ee18c7db1408e780369bccfb8233581cda4fbb133b3c41d0a7afa6996f31f8dd36fa3dd82efb23dcaa1ec5e37caae3af639123190fe7795983
++Ctrl.hexxcghash = hexxcghash:fc48c85ac48ee97be3ce45c10807a666e8e9b639
++Ctrl.hexsession_id = hexsession_id:d36e8c070b97795dfb10a3c2e41e4d0d70382606
++Ctrl.type = type:F
++Output = f7977d574c7d9e4f34ecd6b405c765963f0dfe57
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:A
++Output = e4387818ab7f4fa6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:B
++Output = 1daabebcc8a064df
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:C
++Output = 9fffad3aec53cd719c1d500850c2f38d8eea04606f78b402
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:D
++Output = 6b196bce2aa2bd912ffd67a94fc42dec1051376f73ec3ce2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:E
++Output = beab583906e6bed005558c102a5b5fd6ee71485f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:00000081009dc61278a79fdb00ee937c0418668ac0176fdfd0297ebc86ee391e3e8db147f01d782650f1e30391d3c1fe62425842119fe41b76243ed47f6c30370dd1cc1b10e3bdac2730287b0e5901e487563d700d56078ed88d20c300250a3da5f2128db56230d90bb99e90aca80da446d8dddac49e2f2db1b37f9e1b65834adf8fdbcd31
++Ctrl.hexxcghash = hexxcghash:3c63a552ac5313d219ec30f1e926e2c52e992929
++Ctrl.hexsession_id = hexsession_id:a17e0e9cc2741d861f4c7195c29c75e4c38e9ba0
++Ctrl.type = type:F
++Output = 105140594b5b9061de7ff2afac09bce81b75d6c6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:A
++Output = ef982c8fd0fd464f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:B
++Output = 845ad3ba4d359326
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:C
++Output = d9e516001b6b1a17268e507fa6e13f6bc9c3ded0020ef841
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:D
++Output = d57d2f3c25b536442d8c7f36d62778d06fb6e7d4b5c7ab76
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:E
++Output = f0b75425b271eb82645b1f1424b2a838dbcf6f98
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008100df75bb7ce0b66431ca073a5768dbc6930b024b8d6804a5ef9f3f3c9341b8c8b7216eaf26536ac671ab360eff568502e596adbf41b795d329d136ebe44c60ff4ffd58ed99b40a228cab6c8ed9733702e75f7750e58f04cbb78402eec2877205a0ba3f48318543489dc4885dcdc51c4658acbc28f9a82c563ac20b582cff8c432d
++Ctrl.hexxcghash = hexxcghash:c08ddd40832cc96fe373b67a4850b86848e48f70
++Ctrl.hexsession_id = hexsession_id:477c8d32e73a475707e0085cf235d605ed564a1c
++Ctrl.type = type:F
++Output = cdf59b2327588ffd18becfc0e5bb526014101401
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:A
++Output = 79c9195e683ae10750960cb55c4d4c0b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:B
++Output = ef00b448ab9fd6523bb5143a0a818750
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:C
++Output = 51c8b4aaf5e42443be0aa3c50aa7e1dd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:D
++Output = 4153a587397fb14dc3faad028fdb7ecc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:E
++Output = d23e36347052a1cfb4a7789df48627e8a31345c7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001010085a60bcca88b096c418e825f3de4fd8920ecce617afadda2ca8001e8eba07e58e60e70a9a05b8ddc29d5636d33c407d5f23952b65326e113f28d89bc6ba3a4c3b71ae239d6d1bd295466682d1c675bdb88a3259f474fe54a0f4004ddc46b442451654e1e66d0c93d7b310f28a8db7b95eee7abc61e71dee322b4e732baf9ec7ce189b889d536da1a55a2cc29e1666aa9c0e702f4412206bd207302fe84043c664394bde0e0a47d0a7a947c95997e1dbaeecd2efae12cacef8eab2f6b2478dedcebb3264827cf226e13f8082931db410fbc03352e7dde82fd1f58caab3115aa065ac6e2a1c7b1c1b2d5fa3447bf9839d76cfa5822b097bff9106f37eba1250145
++Ctrl.hexxcghash = hexxcghash:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.hexsession_id = hexsession_id:dde6f8e070ef32a27ff04ad1045c65b2dfa33e03
++Ctrl.type = type:F
++Output = c1286e92655912d923154c460702a31424bd6b01
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:A
++Output = 739ad52e454ba3457735b7c5304c6578
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:B
++Output = 3bd9f9d9f06aa521d2f53e40fc5d9f90
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:C
++Output = 335cd2813bebd3d5e1dda4c1e14c23de
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:D
++Output = fd25c5ae649645d8c0cfff0d4d8e7a47
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:E
++Output = 90e89773d04623553d4d298e6aa75781d8a6544b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100c0724e077d7237441eb79039debaa851c0bf411e69cd5314f3c72aa45760c9969985b34291fb64bf964b719d2b989e40a0e9fbccdb23536a78f1b55ebbda809f862e8ec3561c15c4288595546e09789cbc2491050073222397957c9090b7f8f96e3fefbc5f438c72ca8bb48f6337e208ee9b3f630a8c5b40b9fafca8e55be0a0cf4046884a0a049b4557da4ddb7a344226f4707c706e96467b1568ad4d10363aa9eb04b91efbada0c1c292475ce9893a27d4a1deb4a262d980141e63756adf3d5fbcf6ebde919cfd44052984704af6ba360e190fecfc730a5e470785d3061ee5f495cd697af97f90bbc11f2e4e41e57ce25f34b9c4ec9f3c051d964ad0c036b4
++Ctrl.hexxcghash = hexxcghash:5ae93beda675546c8a783974925aca9b365a6d8e
++Ctrl.hexsession_id = hexsession_id:bb0bfeb33b78474b2d53232b3122506992c0cae4
++Ctrl.type = type:F
++Output = 86a3f05a5f844b23d787cccbda37a3d773a4d049
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:A
++Output = d2d06d589e6e696556e3d44d7d05decb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:B
++Output = 14e3a886b715206e837b70fe7c02b941
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:C
++Output = 98625cf9741819273a0d6852ca7ab592
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:D
++Output = a7b273f04d537856015e06075c94c398
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:E
++Output = 3e1afa980d05ec30e9a55331ac301c10305999e2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001004c48728c828a34a5ff90188cd749d5ccf849d8f96d78072bc8c3a766e4be2c4bfdb8d0310225f05b0373fa582b5a9e78b6a05d958a7b82d944d00697a1ef2119e7545bdf2c6dc2e8cb2215ff58a0163c116b0b326caa50e6384e4e4ab424bfada5d15af1d22f34dc5f8bfd5c823c4b9253fe858a9d7f17bf0be17951bce751b8c2f0b3be25bad6054b39fb2d687d4e69c07d79f4952e65315b1f712cee11707a4984f29df9aac7a7274772f60a2f207ec6a35e1478aa9ae8045dc53417b220bf60124d988e376bf18414400bbe2ac4654716fd26b3a90ae53215ff906364ef82a08686a1977126c64d6d3f381e8477d55f8e79a0e0719089e073fffdbf828cde
++Ctrl.hexxcghash = hexxcghash:edeac369fd19f7dd1e8e48d0c69f9df5fe5475b4
++Ctrl.hexsession_id = hexsession_id:30d9cd8d63a203aeff4a99d8c299676f21a2c74e
++Ctrl.type = type:F
++Output = b993c4254669c7a51ed713ddaf7174fd5296fe57
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:A
++Output = d9c0ed6b7fbf066d4f3cff7d2585ef5b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:B
++Output = da13833aa2c086e5d76595132f4e5fc6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:C
++Output = 9e27400587b646397a7655be0e5763ec
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:D
++Output = 91b95d5cce7f2aec14776f49f652a305
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:E
++Output = a97dc9a99e37c983a4922cd2ecdfa394b71141ce
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010100f6fa934f303a9db720352fca5a6bae671857d44053d61132a6d36d76cee686fd31ea796407306ad3cb500f99b8881641ce304217910179ca03d3638c89419127542d2f6eea999c637070a3a2e2d17419fd2d53a23dc0bbad1333089a64c232c4328ca5d6db233777a93932407741a9fe4c8efd13e9f2f411368fd2035d05175f8710b79a77bd4749df3027eef44f1d050fd01458cd1c6d1fe67d774f4e056533305ad39ecf5a6e4898186b8b66e95c9546081c7df6df7a433887bb0333d0fb16418bb2d399b2be0b02978e5bbc97b57e67e88aa073ba3280a386209029bdc3d8f448eb18e29c87811142629827c54aa19d150b6eb6fb7a33d746b11d27d9d474
++Ctrl.hexxcghash = hexxcghash:6dffed964fd4044cb99b5f8770abef82d02c1cd1
++Ctrl.hexsession_id = hexsession_id:d98f1e884633c4632568e1dd0a54e4c8508c279d
++Ctrl.type = type:F
++Output = 173d846f9790c742ca86af4bff5f965c6088a05b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:A
++Output = 6fa496847cda7367cb32b8be9aae3f85
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:B
++Output = 702ac8636520b7c6169ddc660781de9f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:C
++Output = 6ffd703180af7c2207d5fa9e467272e3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:D
++Output = 7ae5281e377f230dcc9854cf995f663d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:E
++Output = fbcb152df7a3f12a8f174f9ca31bb31b124ae3c2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001000a341cb148554046ac79686473c7e924486ae79c9dd1878a647687d3562cc81e5379c20df44edd6bfa8b9a26cdc06c6eb5f02272f90992ef58c65fe3e98725e9434a8512aef4c2093d27c57a1aee5f5b6861025001d20b5bc8666c4930107f563035bca6ddc91ff9d15ebb56d2628146d3baa3c6f81dc73602518c2aef4906e08b2ffa67e4528d92b1b3bcbd3a9e421d86413bb355574bb68f94bf75221918ca4f6624445b0afa0c26e270788490cbab1abd41a42200ab9e76a2f8b8ffbe0c5ef7a230b5bf7018cfd170ccd009058092d2446ebe73c5f0bf2d9ceca311502af621880eb18e46edc7832765c00e2599fbb82402b039eb5c5ae376690a717c0344
++Ctrl.hexxcghash = hexxcghash:4cee9b1867e94911e8f9fbd9ec3375d25c955f97
++Ctrl.hexsession_id = hexsession_id:2aefdaa6f14ac3ec200a951fd74433cddc01193a
++Ctrl.type = type:F
++Output = 3f0c57fbccfb7306cff23bdaf69d70a8a394b34b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:A
++Output = 7e37ea52156fad1903709e1d3229721f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:B
++Output = c15569583de413e08293bf1689a9afe8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:C
++Output = 0c85227539f5e328c64172280759d9bf
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:D
++Output = 3dbc42d9e7128e861b87781546cedc8e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:E
++Output = 1ec0d15e38ea1b48da963837dbf30cef855a92c7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010011afb59055b4e8e0840d76a2d28a3ec1cf3fe7e436b585eab29cc3149e1fa610d979fcc1483a0ea2b426f8e25bc87bae94bdcbeaa80501a3c554d996f1656ac9be75ecefa46273b3ab8a66468cb4a16b3630cbc41df49ebe3917b5afba24d669264e11689f1a401abc557a0c4cf22ad9323056642c2bf7fea0907ba2274b7666dd144e66e1f39371a14ccafa030bad4c6e04f7b22f1e14f9a37ad6aaa3642f66068863a74ed4a07e87494f0ace772b682845fb27efd7f1a99f09b419f43d8443302534e4c59c0d3c59736e47375ff6e96c167247c5196a7c8849adb527e9ccbfae797ea311181978197f924dcf0db7367f84baa27db6e554ba6b764550d2834f
++Ctrl.hexxcghash = hexxcghash:7ced7b72644be681615e503ecafe0c8f7124c85b
++Ctrl.hexsession_id = hexsession_id:95d4ca5b0107d3d9f94ef857d7a64f685d3fecdc
++Ctrl.type = type:F
++Output = eea8ea042a079fcf8416a8b244fafab35adeca8a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:A
++Output = f2faef6e274814ed7ca544484ac21a3a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:B
++Output = 3ca9bc0f3c65c257fa160a4d1c5e3520
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:C
++Output = fcdf0545b51aca6515bccf6ed0ecb582
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:D
++Output = 86ea895a310c3bbd1aac209b2362d58a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:E
++Output = 12a4f2b749e2bf88c1f8437e5ff61de761fd48b3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001002f14b1acdf871bec4ea5720a3e921cf16a796559b2a094a0d1e45021dcabff152a0e3dca4115239454dc407a6474c8fcd395273a6487c6736710610aeb607707b7ef87203a081646af53ba037f29316a3dec4ce80ec04775b8697db46f7e4f4b38d69de832a25cf0a5484c9b36a48950d50dfe77ac5da63a1c2314ffa8cb68f0c201bbfb7a1a89837b9f57465d14635bda2abf601a06bbd8f70af0169c39209dcda9fb1416a9eadb5ea4deb358566190a62a44d6765d9a25b5157ed5e0f5317f0ed3f6eacebe07ba214e2ef9f654dbc2fa3dc2f227124a3f56a40905c9c86cd64b0ed80c4299d86f59d5f06b9c026a28feea5c5fafbe7ba90283de867dd55858
++Ctrl.hexxcghash = hexxcghash:5fb6dff3272cb949856a57f2645a56d957dc4606
++Ctrl.hexsession_id = hexsession_id:5160cab836d899193077dc67485ef41669ec5d8a
++Ctrl.type = type:F
++Output = a3a9276a120db379ec780e434879a54935db954d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:A
++Output = e53f2f61d8919e097cb99627fe668385
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:B
++Output = cea80fd8dc06654ed80b0ec150835537
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:C
++Output = d5ba475e737bed349b8931ba38d426e9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:D
++Output = f3ea92b4f365ab2fb8403ad8ecd2d17c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:E
++Output = 41fa718884738fd6fd9ee9fd5af05f0de9400952
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010060cc18ebbeb9b25cb16a58bfa47644110ceab67f274daf67157e923b70f775a4168bb7911d0e53075044366e503fbffcf3fcf9249e551d69211715b681ba3a28dd133dbada24dcf80d2bf67a1d6c0477f108f8763b30fe28c6d0b54e59e7e580692453d05a30d38e134d6117ca999ace80a57d088228b2a9f001e57d3a8b1cdffe55fda194f01189ec2bb0d99fc8570a9d822a94dddb22f4ba3c88f2ee1045dafa2d106e5c2c09519e47ad9eaf2301569c9258a2deda9d3ea5b0c73f00d8d12579e5931d5253220d60eeb12fcefc98bc8f390e52b3b407280a31283628963c1131b6fd584be948c3fb4d316fa4a1b135513a174cafb0d394bb4afbee6cbe796e
++Ctrl.hexxcghash = hexxcghash:501c76e6b5791e343fb6e7597e890c7dea7f04e5
++Ctrl.hexsession_id = hexsession_id:68e1f225f2e63df7bedbab15112b3670f03eed56
++Ctrl.type = type:F
++Output = 91395bbd90abb140d0984ed5e77836590bf44695
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:A
++Output = 04d3c0a3f5e33ae373c637ef45897779
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:B
++Output = c5a45bfbf6d7c14c5d3a953b4848e433
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:C
++Output = 3a16d0da2f785e2c325b45109778910a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:D
++Output = 902b38dd6c759945e671c1de7d99e918
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:E
++Output = b573244de3127f6aa5457e792219dc89defaaecd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000010072a106d13e5148877457b7a8c853cfabd151d1b1acde6d776b7affc23c653a3b1c893398c7d83e039fbea9dc739dc14f3a9348af154f840d2f88e3c1982758adeaeb78cff050046d26a9a13391099eea03e9fb853e95c117edaac5b36736e63cb5ad72b346cf1fb342169f5e538591988daec82e0e9a2f4a57db22df8af92424f63111d87991345fd4458abab42cdbfcb84abb222701575a50274a7c6cc38355740cc04bfaff33467c816a70242142fd5467b1713eeec1e0d0f2fcfaf66602dcc31c4105d928a7185ebf53a6e792f419f57573e6dc6d1221e6907f6ad958d2a0c8fe096ce43e403316ae92f93acd1cac7878c9011bc71eff81d4353d7b0c13b1
++Ctrl.hexxcghash = hexxcghash:9acf1f808aeac5b11460192c8f191491b62fc66a
++Ctrl.hexsession_id = hexsession_id:4c662e4dc764cbcb1b3eed4de4375f85c8b2f56c
++Ctrl.type = type:F
++Output = 6cd221005dd1f0de4f472f48d15e61dcc2e91e99
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:A
++Output = 5f9deaf2ee4f05af0a8a813ef6bb9549
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:B
++Output = a2ea4b795f9c9de1d786d0c771df2b84
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:C
++Output = 13f828f8f1e5532a04f138681bc8259d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:D
++Output = 7231ce5fd725391e058cd78815f44625
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:E
++Output = 937b7e16ed0b2324203cdae904fc55cbe25067a1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:000001003644f9ee24c3ec2e2fe16cdece326cdf5c1309e931bc41f245d3b76f2bdbef0bae58e850e10dcbd0d18356b4f98957a3b95f64c85d1af12ab01fe967e52a632761074f27406a29618192f1cbebae2c25e42f6e9fc00a737e4c92398403ab946a6c33e675e529b5c7364f36d64f07ff65889866dee99293bd5bb5f6454a77bbe0cbfd746d54e5bc948c617c5a1d5d3d2b65fa6a86c5f42c5e01f92a8e97a96f848e50ecb1b495a0e87323b44f5b9dd25ab34a94c077b7490657d1d8f9a9acef2785de82b02ef9fb670faf841ae9b479d2d538ae8e38eaf6e74b884c18c9dafc19b6c9728ff3411537555b3b3b69f6f039958ffb0790e58b09bd8c63819ee50ea5
++Ctrl.hexxcghash = hexxcghash:4d31fdb68c8f42f38cae260bf6402e47de93aac7
++Ctrl.hexsession_id = hexsession_id:47caa2c09bb4dc9d6aeb697a76046bdf1fcd879b
++Ctrl.type = type:F
++Output = d7536b911dc79d5953455ba6e15cb5fec7c14025
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:A
++Output = 9fff6c6a6d1f5c31
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:B
++Output = 8e0ae78c64d2fe2a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:C
++Output = 9044f963ffb56b94556a38aac5398a7072ffba60258500be
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:D
++Output = a861a317ea42b050901aff367b5a1d0abd5c497c77311ba2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:E
++Output = 43225d64b6da6f070925ad1c8b7ac88893f9a7cba0dfc55ddea42eec
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008de60df019c23966d215d9b8490ac493dfae59b99dbefdad81d2c9e761205c93a696dbd9e538cc57cd3e24c2798d2c56561d6803e8ee24e112babef84ad5a2c571c572339f2b38f1345164314f8f4714047f0c66650f10051044f8dcd256bfe8171302a81ce13f47f7375db80a6bbf8ce7d8f96e03fc6275fd5dacfbdd166792
++Ctrl.hexxcghash = hexxcghash:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.hexsession_id = hexsession_id:e69fbbee90f0cb7c57996c6f3f9ec4c7de9f0c43b7c993ec3ec1d4ca
++Ctrl.type = type:F
++Output = eb31db29bbafca2773f815fa478d927943288588e371ae9ba0414d98
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:A
++Output = bf2d6e03ba930c71
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:B
++Output = ff14fadc19a0bd8a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:C
++Output = 34a70734eaebeb8608cbb91098fa13326f37ccc5d408584d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:D
++Output = f993da8f2e840b836c8980fa2d780a1b4eeef77046988eed
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:E
++Output = a274441c86dd146cfab25d87344bd5a880d374d300aa8e1fe4919378
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100a03d807fef48a50d8a04d9b6721979c5904412c3bcfe69ebd4c2554debe82a695a66fb9d844c6ef3aa4b745c2a4c8dbc4ba26742e0d1159ded83edca0bec61c7303e81f9d7f3169b7c97573b9184ec3c5286d9646e96595f064d61013431628f5c57bcb1bf79bcd1b0177ab4520c1a1a9b34b5067d9f465c9b03154d57f1b42f
++Ctrl.hexxcghash = hexxcghash:03af4bd15a37aa7816d826332dcd9daa1537770fd0bcafbafe30033d
++Ctrl.hexsession_id = hexsession_id:36084ca3dc535b37d533d034d891fabc20e3b0270bb8c008066bfac8
++Ctrl.type = type:F
++Output = 7774dc48324cca24901bedc37224cb291d6202fb6b5e1d9315a9bd10
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:A
++Output = 75bc82b271311f53
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:B
++Output = 602d69e77b8c30b3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:C
++Output = e0c8856a26b2f4804e98809d5b81cdb360b43884a33d4fef
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:D
++Output = e661555415bcab0b1f2d4b4387cda213cdd93f8458a2ace4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:E
++Output = a368f66127573c79e2d936032f75c3d11c0131455eb9b6c5384582de
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d09e300c8b93b8c759f96910b319b8fd9c9c8c1b704b65649f525b6c16732ee37f499ac729bdce9ea493811954849e8eeb449cb2f4485fe78b0f538038178ad3e1b95ef13fcf0134f1199ad742b31d5f222ed7927283a008c970143af46965acde32139c2448db5cc11fd55e534779f1b5d7757b27e3a3881a3596b0b002ff7e
++Ctrl.hexxcghash = hexxcghash:be8559339a1b231a59a8feae904c00decaf970ff8e83018662c65fa8
++Ctrl.hexsession_id = hexsession_id:a8378fd158677fac292c5cce8a9efdbd5c5c98ee6f056a5e6e771b6b
++Ctrl.type = type:F
++Output = 779f09f514bdf7ed4a01788f10146367ce2ddf2aacebb961524c002a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:A
++Output = 386bc0b99215c8fa
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:B
++Output = c793dba9a68f70a4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:C
++Output = 3dcaea7c946c2de76811482556299aa9bf96c8eef11fb2d6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:D
++Output = fd078ef65922006809729f9533c8742e9f973f7ff37ba987
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:E
++Output = 83a1924fa5f7ceffeba7f519ac51a86a2746a93eb194db51a4596ca1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008057352c4a26aa011e9b9e101736ab6b1369c73f553848d159b01bf2c7671074cdcdc73b8c697649dc7465197c2f17560d0045246410063f20d8d29518e7b25d871886346acccd9ec1b2d74b19b4aff16953714266d1440247859958f010f3fe616859c07315169c5bb5547c6dfdaf4a219daa3a78f546958f56e14fdf64c3b26e
++Ctrl.hexxcghash = hexxcghash:dca302cd4ee29d88b3f909f73e19d920099b8c18062e875cb762257b
++Ctrl.hexsession_id = hexsession_id:2f6368dd5f1a6a8db98f74331850c110aa0e58f06a10ca8178171d95
++Ctrl.type = type:F
++Output = e16507d1bbd53b41f9bb2f0f21b5112eb6cd1eb0489fb5e754212390
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:A
++Output = 0e764ebe0d523aae
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:B
++Output = 24bd2eff86c2a8dc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:C
++Output = 26c01e3d56c1b928f65aaa1b6a15f5b8d41de187b4bb5fdc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:D
++Output = e0cc3bdb6d69d10893eeb73b892d746acea151f24247fd9c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:E
++Output = bf442ba6ec794f20584528686cedbaa568c13b895f642fe5cb3542bb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:00000081008d372970f67a75a1748e6967c67a1f5665a3d6f71d6d24ab113bedb42ad544de34e67df7f644f78e5dcfd12e25b7cb8655aa9f07fef59058e42450aee5d4a733887535313e06c7e6426598284fdaa33ff88e1b6174c33199f2630ec42c8d7d9b92ea3d83a1bf8514b153fd9cf9c520636a0de9c6ba8b9318465ddcaa293367e5
++Ctrl.hexxcghash = hexxcghash:683a0b23e8bf98e03178a032a65e743e429c805b8de04407f73ab21b
++Ctrl.hexsession_id = hexsession_id:0e9de6ef124b670db44ade438920db01b5e6fb69a482816a303fcef7
++Ctrl.type = type:F
++Output = 65ab453e5ffd1b5e1540aa547766d7c177204c319642f93059bdf257
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:A
++Output = 45799bbb09fd8804
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:B
++Output = b787b009f3313be0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:C
++Output = c4cbb547c997e8fddb9e56ef5df91327766668a43a958a8e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:D
++Output = b55b7cca0a0363b84b40b79366b87db7c440dec5bf89e952
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:E
++Output = 9c6399e5f4db0fc7652268d7423230ee5ffc0a210c26568dc5c0ab7d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008004a70cf5e546c0920433bf16dcda3076d9195b5c35ad6b83b6a51e880f22fddaae0d358e35037bbe1e66f2422c29ff30a39822e067930b9faf59f844441dee6f233635a00c7cb71596f8589194016132ebbe204d98fc7f9bb0b7f4e6b6a68f488a59138d9859729d938de6ace9d08be86301bbd4e80d4650391ef3599a6f0bc0
++Ctrl.hexxcghash = hexxcghash:a05a5c2d8beb394b7befaecfe3f4227cd81a28d90ac64ec78ce170b6
++Ctrl.hexsession_id = hexsession_id:1380b38f6b6997a47ce234b7d3d6afb5960e721a348a725704c19cff
++Ctrl.type = type:F
++Output = 9824301c33daae0f1b75eb472d6f0b4ef2cea0b2f61e204b6aefb0bd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:A
++Output = 2958928e5fd3c6e4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:B
++Output = aa91bee1a3b3374c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:C
++Output = 6fdac559eb1d6af7fc7fbaa4f9a15fd4145b97b9418518d9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:D
++Output = 5a8271402756f7eac59f09b5020f7b05f6475fc3a2e2b482
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:E
++Output = 910de4a4a437cab056f7c38037f0196c524464237c5e332e79564a90
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100d07c8a0c16c5f000ff00db6161555ea6b6b400803fe250288a9b88b48ced381de3f46982210216dff4defdbb007e98ea47f891ae3f38e09f56c96913406c13ed35cade3f2f80c6c6402e7ab097decc9e7ecc377b9965991422b54b8fcf34b9635cdc6b1cb698c61cd8377f3fadf1ba9e289d83767ca24370661085461a0b348e
++Ctrl.hexxcghash = hexxcghash:45dfee14ec8160cb1ccd769d2db4785b9773aeedde0c6ca0f75324df
++Ctrl.hexsession_id = hexsession_id:0f15315853288a987cec1e0668f34fa54537304f7082673d74d4f970
++Ctrl.type = type:F
++Output = 0bfa6ed5dc8ab0fc1bb9feb966d7107137ebf3f754ac71c2a16a9c22
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:A
++Output = 82204d79e13252f1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:B
++Output = a76ff923488c7bd3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:C
++Output = 8ba3bd224890bdd4dd07d2a5a98e5efcd95d82c66583d098
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:D
++Output = a04a3844933ca1bb45848bc1a7626e4c50dc46aa5376d027
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:E
++Output = 393f2f152d6c6d063f284cadd1fd9d700928188b7fea31f74b44fbc6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000807f046e0e1a0050fe544cd0bf194fdb0a07efe7708498a1b25aad90641e8befdef8f4aacb538ccc446d02d3896e1cc34d9a8becdcc48d10e73460f7c0c58eb51707d37f1eaa0008cb21c89e8b226a3e60c76f9f9f5af2a16abca346a81c66ec0199167b17e0d8cb3baea9a9c700632f585e0cd467e779eba02bc24eff22b6425c
++Ctrl.hexxcghash = hexxcghash:b63c992199e370cde19b640077bbbac92c6a8a0f206b4d560935cee5
++Ctrl.hexsession_id = hexsession_id:ee00f86c7ecc4ce74a3ece1699802b7420ca4d49cc74b23399c23545
++Ctrl.type = type:F
++Output = f27f2cd72b22e1719f91b912d6c9d180985121d32bd217e348cd2003
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:A
++Output = f843e3c6a1621998
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:B
++Output = 128b2d8968cfaad5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:C
++Output = d6c4d2685753580dea2c6a6eb6add592011356eb9e868d44
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:D
++Output = 92af60f4858f3d14efaac039130389ab9ae1237f0da09a29
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:E
++Output = a37af93c8f25e145def1c5397bec2ee2119cc0e0bd4854fe23b2e3d1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000008100b51d0e3d21612b3bde548bf3da6d474166972f602beb1b876b7045a595483ec0bfb707eaf7c0d416d028a3ed7cff460cad66e2284e3190a746d3304678c91b2654b3ab147aece57e3bb5f4d30d4d7c01e065f70b12b9270ebec306a178870d1fd814806c3dbdc16d4bd7e843de8e5414ff336e735bc5c8241ab0ae08197159d6
++Ctrl.hexxcghash = hexxcghash:1eacc2c8e8ec2c3a5af31c6d498301e82664f60899223ef4348f4467
++Ctrl.hexsession_id = hexsession_id:ddc879c0f221147bd70a1cedf5578fd8f196290357945fe75e551262
++Ctrl.type = type:F
++Output = d44def5fcec300da5913ca109c0fd7a2c2cbcedd2c3e3216c5cb0d95
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:A
++Output = 4276fab65090b420
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:B
++Output = 00303ca4f9a5a6f8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:C
++Output = 3d67892281e9c6ed6535d7ae69e832f6723afd545763bd3d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:D
++Output = 5a5844e6c47eacc172e0012044037668a653758b96310350
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:E
++Output = 4783fb6e98db788f6594c2b82e751528590c41780adce2ffba234290
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000000810088a2add0cc5918c649c6bbc82930ae99326188faa20e2cfc8f819cc44bdd99d1638fbbd380197beda58c039c239fdcced533db7ea31635b835f5f92725490e7638d40a017b89f48406faab653aa03721af5d7c5c61d4519e7c07f99974c1f715b1ce3fcffc50b2a6cc9b4e45a76791b862ac87524d2b52fe6c706f5a73e5dc0a
++Ctrl.hexxcghash = hexxcghash:321ef6b92cae9df351c1b7d2253325536e659df52acd4a8787b45217
++Ctrl.hexsession_id = hexsession_id:340edbc8aeec53501158ad2ea7650abcbb906348d57b14b61524469e
++Ctrl.type = type:F
++Output = 7c60752b0b5a0f0027507ecd88e6af2b78e462a98459bf0511152663
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:A
++Output = 2512664639690af9f64afd16d9ccf3d3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:B
++Output = c13223796f394c6d1ffd18c22c09f27a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:C
++Output = 7be659a7cbeda28722315d96444a5c98
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:D
++Output = bdfbd698c518aa45c35d7afd7bd91150
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:E
++Output = dd38b79b081713ac3007ffd88d5cd67f43fbb36c983e0fc1cd273d84
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d62744a1ee5a4d03d761f48fb63ece42d9204e00016dad042ae7cbe600cb9e93535bc36d2f94d715cf8c2cd948caf876b4948429cb85ac73765949495af8380a56b68d1d3eeb4d9b310e2c53db5f51a7b8382759273c0be30862df81ca420f414c3ea8e6a1fb4875257ccc536e971c8dc07e600e265e642489266604f94ee995f96ef02eac771bb88bc66c57d229edfba1e484fd1c8b49e11e594aefa681f26ea28c348615d3e0a2dc76845d2d19543751ce444c7b65fa449a74639fa13c123d025200efa7012b209400746e03bd6a7bc938b926107da0491407bd952602d14a7fa743cbd51d5090a22c76a336f06b5e6dc5ecf70c803da8dcbff149c5013c36
++Ctrl.hexxcghash = hexxcghash:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.hexsession_id = hexsession_id:273ab849318045321f672fdf9b4bc250c4b46717374bfb3322bc7701
++Ctrl.type = type:F
++Output = edf713ecfb21b9e9c2d9d04c882d5ded433dcf459ff5b0fe7cd45bb1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:A
++Output = f3064d3f3ed09eefd34731a2c60c1a80
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:B
++Output = 1f7f508d9c4cf1004a220f26e0e6c184
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:C
++Output = 2ad48a77fa12fcb5d3d3e98d5bb87d76
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:D
++Output = 0433db7fd40d9d0dc9df6e9eed8059e4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:E
++Output = b07884f15910c6a083143ef9bda115d05c9e4c4057c1987c4f78a1b6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100d9b92844753a5eadc2ef7e84372a56bd096cc1d57a5c282811658d7df87564f202e800c774e75bbb53f47e835f207300ccd4661fd8a73b6ff87770c2c036346e99fadc5193171e1e732f3b6a017808a150ee02c4b6e70d87462e51825a94bda27fa9cbe18c7ef20d0b0201cb7526e0e9bac21b877e5064000290424387a9aa98da563ee2a5ef36af4b442a69eb631b88b8e3a0f073aa5dda589c4aa0e4e007e0d0036a231d52137d724fd60d41f42512214853e7acf8bde77e377842468f4216a15d0c8fe033c2b133bf651c82fda6d227e3c3f0cb7d0a9eba7c35eeefcf683ddde696fdeba5ec124e701f01bf5b0d59a667c75633dea07670b07baa20f313c3
++Ctrl.hexxcghash = hexxcghash:a510774a9b07b05e4e0eaf9409d77028a511a9565784b69ab3c03ffc
++Ctrl.hexsession_id = hexsession_id:49c4ad412d13870d0e9c6855e2881fc032aab36fa3ab3598a7f1153e
++Ctrl.type = type:F
++Output = f838da7b26311dbd529f742d901709229482cea9d7ac9f0c2cd14200
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:A
++Output = d8c60bf582892d2cd03956774614b9f1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:B
++Output = bac1bef6d6dd92de55bc174c9db77a54
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:C
++Output = bdf96d88d7ac4f0daa62d29948a5c891
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:D
++Output = ef0dbe568b4f3fbcb8b2665ed7ed0f8d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:E
++Output = 315d50a1b29f9d556c983432b98bf437893c1a892cf69880353d9797
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010012641156f363edf89c1824532fcf379a846dd042ac173d6b9b75651d7aa911ebe75f5dd3b502a7d6ec331f095ed08505e86f51008242357b3d29d75db82619066c2ecb3ba78e8de8fceeb206bfa39ef3e6617d1f20e4a092ac6bd589904fe0ce4fac2d73c7396a54084bf71e929ae0c5c7e67e1795e73f9fab8c6ee90254f27dae6750e1f8769af5b235f9f7aef302f1fc4015f60af34656a1a8187159a4d6c4b3be40abe9ad5cb56a52f5407186b42fdce7a691b917550719fc7eef858030dcb2829a07a39ca279d9deb0487b893d4c7bbc41cde4eb366188f38bdb4289b8a95ae757864e963cbe4f5eced9aebf3b33ebb3c75b7e405816366e609e16f8bc56
++Ctrl.hexxcghash = hexxcghash:d041364fa73e42f0c9c49d2ad25a758c3f4691761d9caf6dfd2ad690
++Ctrl.hexsession_id = hexsession_id:1fea0e79508d3b2caf0e275c463626ad7d57c6cfc1da79a5bce2fa53
++Ctrl.type = type:F
++Output = 612e3ac6651f9c7d99c532da0820f079292d9b33d36b684198665f5e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:A
++Output = e0d36ac1de6cc8514d25ff824bfaaa37
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:B
++Output = 58c896b4d1a9507e7da2234a1a538d78
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:C
++Output = 5966df5cb582234585b4c4312318f829
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:D
++Output = 40d8bdab78c9dac2b2d14d1c8bd41405
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:E
++Output = 1af4707570794ff6c718c817ccb9fca5edf22a3a8d493a861633fb7a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100ecfd38c0707d59db0b361a449a22ddc63f055678e253ffbc8324a306ff06e31590fcdf6fc271665335f01af804619f4367489d7829ca756cd14d2147f2c6b2c0355847955ebe89ed2133dc74283732c4f821a7cadcaa9abf661fa9fcf81b0596c454fdac23d79267c5a832979217df61f9bb04c0fa69f5fdae2407da763210f0b7c1097463505b0da86ad71c20c1c57accaae353919cb2708aa378a5ff598d0a4b21b7527b2dbd271957fbbf04f5787076fb7f8afdfb75ddb5fa142ab427e026c87033fe2c6f22454ebace3f77646d0ee447cd1d339c9a21ce86c0b233c7fcbd6d1d165e14d57908777cde654b7fc3c3db7e62951b359ec71fe475356dc6a58b
++Ctrl.hexxcghash = hexxcghash:7af5885d52c4173000c45dd2b0fbeb21fa5722aa65eecb1bf977248a
++Ctrl.hexsession_id = hexsession_id:122e2d181cca7dcec6f30a8b027b4d29275d342af5fd82794b24560f
++Ctrl.type = type:F
++Output = 4e6edd5d86f0a3b92595fb2d4f0f9b0f0ed1e850c84014224270bcbc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:A
++Output = d30b7efda77a1008d78487fb1c9df511
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:B
++Output = 498b3d9f14446a028d1aed8bc4748e34
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:C
++Output = f4909273c39ef8819b353cde80f57cc9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:D
++Output = b31337a6ecd02f4beb9bf4af12ea4e11
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:E
++Output = 6f3da7bb4b64ad3e1171083a62eca5e755563e639594b848243760d8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001002dde91723fa969756f5a597683fa0ef938423ffcf3b3d0262f9ba0d69d72ffc3afbf2ccb9bbc42332f97d3857b44575e30849fe19e77688e9102d9909585d9e53835eee4127aee038deaf8501c70cfd209ef755f84613365d9b2150009f9055300b74c593f8204b84c7faaac87c781e7bdda8c54bf0ec170e4dbf71cd15825c949ebaa934797333124e63db50efe0f33f5224687c097b22d52de36045659622dd214effab378b6bff298c84436831f85540a5eac0b68d51fa1abd18d19ce5452aefe729b7d384e038927ee8f0c2ddffd1cb6ea537a90d9b06bce3bd01fdf4370d62d985ab80417d1256d38ab3874297163a020052b42e73e8ef64950851e7da2
++Ctrl.hexxcghash = hexxcghash:590c8e3800ddfd382f0b3023c7a8753bd013e756855ffbca1dee0f01
++Ctrl.hexsession_id = hexsession_id:5e4528c7ff85f2ed7d632c4355e2524438ee83ef0e1695524921408d
++Ctrl.type = type:F
++Output = e88506aa4a4ffa33675c4a296abf91e24450a496e56f8465e9a7525c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:A
++Output = c5cbb653102d99457c33c88921b5dbe4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:B
++Output = dd9b1c786c7f739832629f7666e4e21e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:C
++Output = c33d08d706ffac1811f157526b08086f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:D
++Output = 5750b617b71a239d99fc412796f6d986
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:E
++Output = 4c2edee4688119e17723fede94d81c141cb2dd632dde5e223fcd12c2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100be7e6428be4ff862e2b9fe69f055bbbeaa51b7666d51e1ad2e5fe12e2f7a171121147311780840e5d1345c6a24eb3e2d7bace8c88cddae9a062c7aacc7ae87d31ef7d4c52dc2e35f364266c9c34e1ff703a61a8fb39397344ac94e75a42fc956dcc887e50e67018d5a74c89c1a8555ebff4a4baf5b4916aea1dd95c126df390882143908821ecf68511e986bd379cf0871fe1a2679241b339f3317f76c65dc2b121e15a0b8891d9c0120b8a8a383a1dd5eb6fbd65d22a03b7987f843d454e4e1f09b9e2d37ef2be72b7f8accade301c772f74a582afab960dfa43a167275771f6a9be5a9f275cea55e9661a54b1c3210042f824fe783969fa60ad23b748a6b56
++Ctrl.hexxcghash = hexxcghash:97e793420ceda1730dac88f0d7dc52d8713a79a0b48ddb2af45dd143
++Ctrl.hexsession_id = hexsession_id:16dd0d6aca3757eec6e9dc3c4a5f590cb7911cd3cabc80815527b73c
++Ctrl.type = type:F
++Output = b48103cd81397bed3bf618b2ef30a44ea806b0ad07aa098a8a33273e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:A
++Output = c8bc1d232edd620e0282af630d596a6c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:B
++Output = 6a90269aab1a3e3612eec97a45db11e1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:C
++Output = ebb8a6227e789d33fa072355cb2851ac
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:D
++Output = 9662ff73b11bd2978ffceb7545f6054e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:E
++Output = 9eb35f9a8a6155b81b8dda117f5d631cc4eddea4b4912147513bc4ec
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100c810e36b6ae23b2dac234f36b4ddfe820762b53478eaea205cdab848c384f2c5fe262bc471971ff42a1ff8fdfff81cdc66371a75e9fda5d7d0bd656523603255c3e0970435f995948ec98d87942cefe2194e475a507e2928e0cfbba63962c75794aa53e8a385a5d1599d88dd1684a827914da576f9e06caaecc586bb98425621a5afaf86003cabe86fcd3964a390f47302bbbee8536f24024c5c31f031e80e6bcf2a3e24d4f0b6bd42250996f12a8a5c99b09a42a737e3cbf481e002c334fe3b7626419266e0036339b1592d3bf43245c449a65e43946e60112c1f8aff8963ff56e365c6f56c36b2208eadf591360554d2b116d3374341bd5779ebcdf7ba93de
++Ctrl.hexxcghash = hexxcghash:f8a7854ec21f252f679b924f0f3d34639fe976de146ddb8e93c4e4d9
++Ctrl.hexsession_id = hexsession_id:6bebea19564c0f65dd96446496f7d7c7198a5b08bcdacf29449808ba
++Ctrl.type = type:F
++Output = 3e137e015973e21c37a8de81cc812683d506fc35699114b31c06797e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:A
++Output = cc22a730c15abf9628f749fac9d3f935
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:B
++Output = 188c477061a597384b1d1e417dc04f7d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:C
++Output = b309760dd9f0d65c6edcdee3a3457c33
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:D
++Output = 1b8674f603a78f16fb979d6db70f6795
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:E
++Output = d881ac0cf62ecff2eb7d3c8284cfd4b95e003c435f6a3121ab0c65b0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100940a3535b876a90210236f8571e20cb04d287ae7217b95d75c4170e8afea4d290bc41e736cdd1b470b02ce8b74ca4cdaa121bbb3b31df3f2c847455ef21b61e0c966bdb8cf58fb94819108c7feb9551c5dcacc37fec5fe4e9a59818e93ed08f3477632c62304fb2ba05f7fa8611970adb39379ab7159baa3731fb1fceba201a1858635b92d938b195a44612ffddac3f2b5db59b47c9f90b66e76b3e901887b27312e1043b000b5ff21d4fff4b5fc06203403387fe28837c4d367dbe2c73e1ec5c4e867cc99dca2bf8171aad1498b37bf0d17e5fd64e411386df72667d824e4514530cf6021ca8880154212884f5fdb44a0c8745a4049971de370eb31c959dac4
++Ctrl.hexxcghash = hexxcghash:4688aa9bceb36ddab933675e6963357b2bd0daa5e1984a06fc7f3ff3
++Ctrl.hexsession_id = hexsession_id:fb72bca26e61577066d7c5093ac9281fcf06ae3250b43228b067b86e
++Ctrl.type = type:F
++Output = 9a7560e7976c7fb0153fc94e51a7dead3b7f8954d1efa7ed6be77858
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:A
++Output = b842e2900a8c1f7d7c3fa465d46142fa
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:B
++Output = 5e96f771c176fafd18d4aa0bc07dc5d5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:C
++Output = fe5fca0a03e6f8ac95ba4e882c64fb8c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:D
++Output = b952b4e6f2010ebdac7ee10adb90f9ef
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:E
++Output = 819db930507c1f8e1617dc74e78de9f4abb02b7089d764cb20d14c56
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:000001004b9f55f17de634edb39218b30f224ae8ec64edd6e0c49dd00a52ac11e0a4089ccff931838ce5c02f449ffe33c14fd0a9f11da7d783787a03defc7931ce638a31aa11ddc4351e54480bea637857cae6cf30e03d392737fe2b3f234115903ab43f97d4fdb49fb987650610d9a0ca51b70839d0fc9980de371acc78ac6eaf5f5ac5008eec0f5aedd0f95496f27d2858477fc54d3113fe7884047596d5705d1dd974875872fc7c9111bdc5da73b317331c543f60687fc1ecb3f3853787a64fd94335b570a99fe2544acde49f99b96ef473dbcb16315b9e7ee8c3a20feb36636c1fa39567c2efd2b7827e38ab31607f6a3cff1fc7edf8612380e4af93c620bcd6ac36
++Ctrl.hexxcghash = hexxcghash:0d18d069225d0db81b8bb979635dc9e89999a74ad6b02022189150fd
++Ctrl.hexsession_id = hexsession_id:1f42aa7a240d8b412fc26bd18f85ebefe59641d19a1e5e3681560a2c
++Ctrl.type = type:F
++Output = 79be1ec6ce722e98bca50a25bbca581318b6227c9fd346d67602958f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:A
++Output = 4d40be7041ac4c74d56d53855fead94f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:B
++Output = 501781a04c919226a9e2dd6d7a880568
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:C
++Output = fe183f0e31d4bf9ebc9364e19e422385
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:D
++Output = f12c0da703e5bedb2921a0e1795eb62f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:E
++Output = 1d34b1ae23af48c25db971fe0f95c2fdb4e269ca435b90e0e22ee720
++
++KDF = SSHKDF
++Ctrl.md = md:SHA224
++Ctrl.hexkey = hexkey:0000010100a0216e73007c1b53dba18acb5592ea68ab7719d9fd2f24af3e2968024933a5e68fcb1aa8b187f42972815f12d5f995c15d2d3eab84cfb869db413dcb328d045df23646e65179a53e3cbe1babcd6e6a5e300e33be1f5ed5d7eb1661a0ae6d8e6dd8f156eed726b30df6b9eee7e9457189b140de7671a1c7790938617e1bc95b8ee8bb9229f98be158a569bcb799869c445484d30d6019db44d97dcfd9b47f5a36418e3d5ec88037c172104d44ac6e770cbec415fbfce8ac9257074ca5fe003a4836001c8331f1845c1069d0610a62378e1c32ae512ffa22032f28245ee7ae957348a484bef3d295463b293975d787d45c480903f3eb35dcfd140161606f270177
++Ctrl.hexxcghash = hexxcghash:0f85b7ee92fe1a95c0aa0103f10092f04ba613a37e118f8fbb43e308
++Ctrl.hexsession_id = hexsession_id:25d9a92c96b98ecc31e6aca945899e93607848caf2c332efc03f9a0c
++Ctrl.type = type:F
++Output = b77dce4e2211c8e2b4fba841ba45d7f136323999ed9a4d306fa411a8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:A
++Output = 41ff2ead1683f1e6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:B
++Output = e619ecfd9edb50cd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:C
++Output = 4a6314d2f7511bf88fad39fb6892f3f218cafd530e72fe43
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:D
++Output = 084c15fb7f99c65ff134eeb407cee5d540c341dea45a42a5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:E
++Output = 41ec5a94fecce7707ea156a6ad29239a891621adacbedb8be70675008d6f9274
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100875c551cef526a4a8be1a7df27e9ed354bac9afb71f53dbae905679d14f9faf2469c53457cf80a366be278965ba6255276ca2d9f4a97d271f71e50d8a9ec46253a6a906ac2c5e4f48b27a63ce08d80390a492aa43bad9d882ccac23dac88bcada4b4d426a362083dab6569c54c224dd2d87643aa227693e141ad1630ce13144e
++Ctrl.hexxcghash = hexxcghash:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.hexsession_id = hexsession_id:0e683fc8a9ed7c2ff02def23b2745ebc99b267daa86a4aa7697239088253f642
++Ctrl.type = type:F
++Output = 47d3c20aba60981e47b30533623613ff1cacbcf1642fb4ad86ee712f2aed9af8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:A
++Output = 99bae6531508705f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:B
++Output = f25786f02f199737
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:C
++Output = 97621bf882266f905da78cf193fc31f642acbb60957c41b7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:D
++Output = ad98a86a2386280912efea50f790e800a7758f7dade5d77e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:E
++Output = f92d052d3cdf34dfc69bc60a489c3a3553f4356596c191931d08fa20551273b3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000800faa172b8c287e372bb236ad34c733695c13d77f882adc0f47e5a7f6a3de07efb101207aa5d665b619826f756591f65310bbd2c92c9384e6c6a67b42dec382fdb24c591d79ff5e47737b0f5b8479694c3adc19401704912bbfec2704d4d5bebbfc1a7fc796e277634e40851851a187ec2d37ed3f351c4596a5a0892916b4c55f
++Ctrl.hexxcghash = hexxcghash:a347f5f1e191c35f212c9324d5867efdf83026be62c2b16ae006edb3378d4006
++Ctrl.hexsession_id = hexsession_id:90befcef3ff8f920674a9fab94198cf3fd9dca24a21d3c9dba394daafbc621ed
++Ctrl.type = type:F
++Output = 147a771445123f846d8ae514d7ff9b3c93b2bceb7c7c9500942161b8e2d0110f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:A
++Output = 93da642974d71e52
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:B
++Output = df2035ad67457151
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:C
++Output = 42067bb0535da6701232a0f39ac7f436535af346c4786af5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:D
++Output = 08a0181a6c373d39540409dafb1b4e2359bc249af33bcfe0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:E
++Output = c043b5aece7cd2685c6dfb3788d7a562d6622d20f6d7e07b38aeb47c649dd99c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100db8205ad53a96bd4c111ad8dc8dab8196f04557d87a5ac90b1013eec71456ca80f0a59af26f9ac6eb91ee51cd601602fe9467550d1f09f417f94e4df2aa5fb941a33ff7764b4d57bcba77f549959ca4fe5d568ff5d20702fcfef904d07f9182bd9936da1fc63d0b11cd573bc0ed9c4e7bb07b5c77c4214d457ca5b0a4410d7b0
++Ctrl.hexxcghash = hexxcghash:a85aa36aeae3f8a948ffa077509f183f2894b52930a79a06bf8783e501d9cae3
++Ctrl.hexsession_id = hexsession_id:6629bb9f32e259935f946e73543bf65830e78ddab691a8b885f3444f976fd655
++Ctrl.type = type:F
++Output = cbe67a93ac758d9f2a6ff580bad5a44bb1a1062c9e20d5c974decb7aa2b0faa0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:A
++Output = 320e807fab2b10f0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:B
++Output = 7b8f91be4dcd59b1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:C
++Output = dec6e67a94b3ddfcd32a24d6026c6951d00b6f4402d32c1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:D
++Output = 2ef3cea4588ad928ac3e8874f3e1f613f2d50787495acc32
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:E
++Output = 72f93537328eebeec1b5ca88fedb41bf4d9c6279e4fe8d13c38da72a39739ed8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100d97164957831bbc57c91e0a5c9ece230b4625d14b9d07decdc971cee28d28c2938d2f8b682bc33bd67458fb90120dd6a2ca5255fbe3daeb0325029e15b5e3135aae5081894da98fb4e4d578890c5a4b6a359097bf5e2c403f77b0398d12795d6c895ed979e792d13f5aeb3cd62799d9a509cb4bd8e2bf5d8b08498abccc0790c
++Ctrl.hexxcghash = hexxcghash:81c3e6d1a6aeb3f3fc111a9e1467a7e569b9debbfef48fd31acd0d8b9b50a647
++Ctrl.hexsession_id = hexsession_id:068d4a2ebf66a0a6f75d3e76659c72a7f70630f98872e6f48c45ad862fd9b2a4
++Ctrl.type = type:F
++Output = 55dcf2c322b9c94686edbf9314d7c93bd9651e2ebc64f1a299d7176577d65b32
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:A
++Output = f4dbc41aa23e1621
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:B
++Output = e53b40c511180817
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:C
++Output = 70fed9412989cf5de908ad429cb92065fd5ccc081477abba
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:D
++Output = 3afdb0b4b4bc13e8731bb92e541b7d82a0b20d8878ce184b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:E
++Output = 59937f257aeef0806038543ced541990e5c2243881818edf2c522a54b64e9e93
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008001223839219fa4dbaf2b88deaa058bed95793bd6079e670e88eecf0a391ae7ce2d3bf129e11273aad0d0047b84960e6f73fa3de394042b4254c7850fddc7525dcf27fb9bdcafc604626aa25e08c938a27c80ca97a4c1a2662f4e8485e016c75e4f4e6861f5bbd694bbd6492cbffa95128dab52d8a3d0316bcabd5da2c789dd62
++Ctrl.hexxcghash = hexxcghash:7817d37fe11f3499feda39bf21ce7755040a0091e61e8eb585e6299c6673db81
++Ctrl.hexsession_id = hexsession_id:2b7ef879949594c35dbccdba0ba4959e3a2fad446c5ce35666e400b7214fe69e
++Ctrl.type = type:F
++Output = 187532105293274b841918e3ab51f5dd0453d4331e85f4e06b775dbce4979cdd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:A
++Output = 3cc220d5bb9b5346
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:B
++Output = 051e3c79aede7e41
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:C
++Output = 44c2b4725965ee9a2bce58d38e2e9a778263c415b21a25be
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:D
++Output = d5de7a801956b934d820f9aa51bf1dae2a7aec7ce5ce4e50
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:E
++Output = 7d2039a6505e3220535fde0ff71464f3971580f50711356760b225fc3053fc19
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000000807d3783ce1f598c3279e8a33f3e8bfe9c255979034f43d107bb3dd6cb21ff67d945594929f2fd7bef74679be81d3ad6c1b472293d1060242d720ed2fb250fde838064eec64d75cb9d5d2ec09c9e67e3bf48c0d0a92577f8bf6e05cfcbaafcd243369f30f14d24a4ad2c1aaff528e03198227135d26839fd45cd60678ae41307c2
++Ctrl.hexxcghash = hexxcghash:2efc2c1be24e1259105757bbd2c518d62ae52400451347aa90e2aab00bc58864
++Ctrl.hexsession_id = hexsession_id:2df7d0dbcb1beb17ef1a8b9884c9d6d8833b5039797a5fce61e7a2490405b323
++Ctrl.type = type:F
++Output = b0972348a031ef2e87d42611e53cf0c4782d759ecdcc1390318eb11e1925ac35
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:A
++Output = cdb047beecd92d84
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:B
++Output = ef378e894d8f675e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:C
++Output = 23ee42a437801e87348b3999bde76147a8731e318db57752
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:D
++Output = a3f50e3d14498f15e1f111cc929648011d6abfb58e90df1c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:E
++Output = fb6a020561e46e521344cb671a50175afd63ded91eedaa1b2879c3a63761674d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b44b386751753bf1fbfe100b11761766aaef16b2786462ba9561d3b493581254a1c1556ef611fec70146a864f8860c6317f294d06aec94129740c78035411992492825554362d25bf2c43a2e8a4d22e5d4777c593c8686966684b95e8e4535fc0b4a0e53264f22cf568469e829a303cdd06c09d8f74ccef6b6028fde782a7285
++Ctrl.hexxcghash = hexxcghash:8c691585cffd38a6ad0fd751da66c1a0f2b46ad6c12348b5a89cd24f39e76517
++Ctrl.hexsession_id = hexsession_id:2d93238fe20a860db2fb8fb4c5a0525a2f8817abbb53773e4af9fb366a213506
++Ctrl.type = type:F
++Output = 567a79e7c4b10d62a420ce2ea740661c08d9459ed636ecb4edebcedb17b0baba
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:A
++Output = 1f9e7ad5592ac73d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:B
++Output = 15b254fe3510dd77
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:C
++Output = 88eadd5802e1a748284684438eb1b1bdc9b20ea30c59950d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:D
++Output = 277c2c4ad3d4a3bec4bdc5329bb5f9d4e39aa06b1e115e77
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:E
++Output = 090d2f273a690ed1d67dd9919c34385b18a661f8657b84bef6832f2396771979
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100b3462ee942f026de0922ab88b6ebf5ee2c968a4e12cbf374593f3542c6eb619ea1ec29b958c65a83305c37008de3b691ec020cc989e6c5393dae36bbb3bf0d1a29ed0bab6d23f60e63e277119b7a4c0a5fa96d9c043a5ace58034052ffb71b8bf0eaea8a6bc9a9834c512d7470122c71908a44ef7f3227b512f6971c82436e96
++Ctrl.hexxcghash = hexxcghash:3d5d7f742b08976755e2eb8457f1d9401d918bbf7e201fe0742f00ae799082df
++Ctrl.hexsession_id = hexsession_id:50bcad2970e07c3ad3f14db05d451d77304fe70927ba26815fcaf1f3a723af91
++Ctrl.type = type:F
++Output = 1f3082fa5ac8ec565595c4c5b8a7ddbba88ed4936fca913bba6a8715dc856f30
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:A
++Output = 3aa08d67c81310b7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:B
++Output = cf46596878a17a87
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:C
++Output = 871db438b8b33c2102ddab0c1f7be51ee4c2cbdf52a01a58
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:D
++Output = 04ac13599b84c22be0f1e5f7b96def31598e6ad36be412e8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:E
++Output = f00c83a8afb5d1793749d4aae825b80e67ccd7f67e08f572222ccf42126ea2f0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000008100831889c603d4dc01d0d9f19f07ccadb6a9fa7662305277d59efbc872f38325de2ec2151f58649f5fd15ff3a099f0191dca69be0b9c88ef729fe74af849cc8e7479f8a5406842af88e12167607103cda449a1394c86b2c21d4083cdee216f74078d4e878b352df901727870815528ae99f74f25c21a8a39772940d871badb39a6
++Ctrl.hexxcghash = hexxcghash:f77992d066bc305419a6c1b0879008856287b95ec20c2b1be5a5c8189cadbbb1
++Ctrl.hexsession_id = hexsession_id:15bd2e8c86d23eace4a581377ef8a3f5266dbd081cfcd01ab2b68506438228a2
++Ctrl.type = type:F
++Output = df0570749d67136095b0dda6d461676b7eeb9a386f126306d436cab16dfd1b3c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:A
++Output = fad800cbf8975a01
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:B
++Output = 679a118bda1f15a9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:C
++Output = 5193e9b3b10b7939b79b967b98e6cf3396758eaf8263edf2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:D
++Output = 3f5de8bec6d737836d3a91480ac76c19d0a90bc146f02d5c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:E
++Output = ce7be4fffd0ffd09ff45889d10c7be0edf922422d01cb71b737c6149bb1a2d05
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000081008fa89f9f89a2a2417a9461451a4b97343afd46552a8700e588638b0ef0ae568ffbaee2727ae3ae96271aa33b8439c1a4bad313ea42605ae0902817d91577b6a3c72fc576ee29544c1d6323bad205317d2265c533d82ed27a2dea64a8545c64e9772e81ce1cbfe265a51acfae74b72d5365366263541e50a567c3ffa594eac071
++Ctrl.hexxcghash = hexxcghash:4d071ee398757c548fa72f77ed94d5b158a311d3655bb7a6e324c4e2a26be84f
++Ctrl.hexsession_id = hexsession_id:d1d34becf667002ace16be10726cab3c7d18ce7414759f62a83cb4cfaaed77f4
++Ctrl.type = type:F
++Output = 60f413c9bcc42dcf0acc53d513dd8bc703f7e5d668f4e043f13028dcf40880b2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:A
++Output = 81f0330ef6f05361b3823bfded6e1de9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:B
++Output = 3f6fd2065eeb2b0b1d93195a1fed48a5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:C
++Output = c35471034e6fd6547613178e23435f21
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:D
++Output = 7e9d79032090d99f98b015634dd9f462
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:E
++Output = 24ee559ad7ce712b685d0b2271e443c17ab1d1dceb5a360569d25d5dc243002f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001006ac382eaaca093e125e25c24bebc84640c11987507344b5c739ceb84a9e0b222b9a8b51c839e5ebe49cfadbfb39599764ed522099dc912751950dc7dc97fbdc06328b68f22781fd315af568009a5509e5b87a11bf527c056daffd82ab6cbc25cca37143459e7bc63bcde52757adeb7df01cf12173f1fef8102ec5ab142c213dd9d30696278a8d8bc32dde9592d28c078c6d92b947d825acaab6494846a49de24b9623f4889e8adc38e8c669effef176040ad945e90a7d3eec15efeee78ae71043c96511103a16ba7caf0acd0642efdbe809934faa1a5f1bd11043649b25ccd1fee2e38815d4d5f5fc6b4102969f21c22ae1b0e7d3603a556a13262ff628de222
++Ctrl.hexxcghash = hexxcghash:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.hexsession_id = hexsession_id:7b7001185e256d4493445f39a55fb905e6321f4b5dd8bbf3100d51ba0bda3d2d
++Ctrl.type = type:F
++Output = c3419c2b966235869d714ba5ac48ddb7d9e35c8c19aac73422337a373453607e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:A
++Output = 36730bae8de5cb98898d6b4a00b37058
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:B
++Output = 5dfe446a83f40e8358d28cb97df8f340
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:C
++Output = 495b7afed0872b761437728e9e94e2b8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:D
++Output = c1474b3925bec36f0b7f6cc698e949c8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:E
++Output = b730f8df6a0697645be261169486c32a11612229276cbac5d8b3669afb2e4262
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010044708c76616f700bd31b0c155ef74e36390eeb39bc5c32cdc90e21922b0ed930b5b519c8afebef0f4e4fb5b41b81d649d2127506620b594e9899f7f0d442ecddd68308307b82f00065e9d75220a5a6f5641795772132215a236064ea965c6493c21f89879730ebbc3c20a22d8f5bfd07b525b194323b22d8a49944d1aa58502e756101ef1e8a91c9310e71f6db65a3ad0a542cfa751f83721a99e89f1dbe54971a3620ecffc967aa55eed1a42d6e7a138b853557ac84689889f6d0c8553575fb89b4e13eab5537da72ef16f0d72f5e8505d97f110745193d550fa315fe88f672db90d73843e97ba1f3d087ba8eb39025bbffad37589a6199227303d9d8e7f1e3
++Ctrl.hexxcghash = hexxcghash:fe3727fd99a5ac7987c2cfbe062129e3027bf5e10310c6bccde9c916c8329dc2
++Ctrl.hexsession_id = hexsession_id:fffa598bc0ad2ae84dc8dc05b1f72c5b0134025ae7edf8a2e8db11472e18e1fc
++Ctrl.type = type:F
++Output = 14a5ea98245fb058978b82a3cb092b1cca7ce0109a4f98c16e1529579d58b819
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:A
++Output = 32d20a3f5e92b20fe100f4f41a1ad53c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:B
++Output = c3a3ff57f99187ba011fd422100af577
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:C
++Output = 8517903c49d5a59ad8ef7cd8591c6b5e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:D
++Output = a5ad201101a617f1cd5b3a2baa3b27f7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:E
++Output = 16747a23fddd72f785c5d61dfb81a5a38555f5d8ff1dc5ae4fb423b82adfe05b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b1c637286720d11a9030260e35726621f54115560c443ded98d5622f4007cb65427ba8ae0831f34452349993c74933466f3307e11452150f4640010ed7d1ab87656232d9659d9982e8227c25d648189d2bdda3283aa5dec8a2105af0fa840592a21d96eebb932f8ff36f94a2e4fc3819d7c9f0d26a472fb5ae5a43a2d4906247d59c42512dda252205f60042e1900e1581127f25ace253b62a83f62d4703281a294f240df2aa34ddf437c9f278278120bc10e2cb99f7804ecd6741b1be5520c553cb89747f79b4e4efd3cf09b484eb1eb034d220da457546a2ebb28d7f2faf67de0630757b8ae05e27a761956d2e190fe3fb93b1c7c142f62baeb089721cedc
++Ctrl.hexxcghash = hexxcghash:cad407a823551726f9bdcb78e8f351536e4406e8ee64947ecc0074662c7c0462
++Ctrl.hexsession_id = hexsession_id:a9c8207642627e6ee872999123b29e36abfdd071dba36ea6f0c11dd59ea46410
++Ctrl.type = type:F
++Output = b1b1bba896b0fd75a90187eae6cdf744d23884caa5f4ca979ced327ca1239771
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:A
++Output = b5c636c93e002f1fac0b78eb423d92cf
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:B
++Output = 64d82bef35e924abf030fe42cda10e81
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:C
++Output = 76a1b8b85d0ea49c68f30d7448155901
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:D
++Output = f136e09324b1ef12b92bf35d5b3dd8e2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:E
++Output = 77abc45165b126f9127d59fbe655140cd3f768cd0498c29aa69cb5d65f7b0d50
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101008cd7061a3591b477989a4deb1bfc6debe874f753a4686eef11d1fa0e6796800db97c38497992b220d6e40d8f9154743b533666c8689db8cdffd38ac4009f85cfc6e48dc2fe94f78870138994ab4189e8d461a00b03425d8d838061b44e7ccd41e3a0332ab68afbf2919763c9f03747637db87a50d766504199fba6c34d216580fcd77756a6004ff485a79cdb646f0adde47a727e028261c808e0cb31928071701a0f2d2d237c293b93e80854f4e43243eaeb96cc25e00f74e2cd414c72774c7995757e93c0a9aac5ef5b0d23bef9ce475bfe697d14b815eeb0535d6e7e438bdb54aa2d8f50d05564d17c3ff2bc3451ca5b932f320c20f1c256c61ed503be2528
++Ctrl.hexxcghash = hexxcghash:53fc521edf6dea9daf619676276766508d32c1964943e9bd40b4ed2cdefa7c20
++Ctrl.hexsession_id = hexsession_id:14c6727d8e211c7632f930e716ab360e0916b1da3409367ef52d9e21512c700d
++Ctrl.type = type:F
++Output = d43f93faf692f59bc96fd480fb336033c94ee237ceece69691ffaa64bdd7fcc1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:A
++Output = 3b3c4416d3121a6838dd3f94a84b6ec6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:B
++Output = e0af22a9184e5cea74f3e90faf5212ba
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:C
++Output = a3a7a9e48cc09a927e2d6eddd7647368
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:D
++Output = b9411d2870e885e223a6b414ae6ac813
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:E
++Output = 7f11812c28229fd8e39367b8885045313fea6322f22a69b6436caa4fb6c2d915
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000101009b0b6fe41d565564f87ae984aadc75902d95828bdee0bba0ecc176afd5cc9c3ec79a34a9f7cf44ee6cbdcb5d8f027bb64c4c3b73e2f891ee06b781f3d7f02b59f95cbbfb2725b208856f3ebb8195fef1596248d56a371ed7acf3b973c627976e0cf156f340aa01acfbe9b574d4dedd4cbb66cb6ca5d9e76f16385be532fed8dd65735a3ecddeeb295133bb8a59499b4777242a4a7e463481d26baece4c7ef224aaf40af4d5108d024f5dd174cfdb91213939e355b0a1ca51ed6f7f584a4e47a0f1482d6a5768b1236e25d837cc8a2b49b2176bb54b2f77f4212ba394336e6a6046def9205fe482d98fcdd8d0a2643a39d753d2d481fe6689b0dc0d1c078335b7
++Ctrl.hexxcghash = hexxcghash:27faf1b9a15e505a0b46c47e2bf6ab5fff37a6dadb09e96ea9562091f1d88ce0
++Ctrl.hexsession_id = hexsession_id:6b52ddb87a66f0f1bb0dad39b462e7bd42bdeb99049d5a3581ca6f056c398228
++Ctrl.type = type:F
++Output = 4fc39e2a1e7038f2664a48986e8227c213e577eafea082f46cb08d087e642fe4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:A
++Output = b71bd280b230b6fb9b326a3544ab9c90
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:B
++Output = ca38c1b5940e1417fb8caa6ab6deaf18
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:C
++Output = 5d02347e16760101a3689bf0087ed947
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:D
++Output = 2fb5e0eb5552f7e26ad9651bd22f1666
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:E
++Output = b7b7c4292a73e7d378284b12b318e0cd3ad714904b4ef9c83d44ee06ff49b1e1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100435266668e94e5f35d31f10f7b486bed8a88465cf30711e54f8c6550a917916fb7160c41880d364df5084446d7834e32917882c10eef49f8192fa6ff4c9498a12d87bbf710d4bba3e76a6681c7ac3470e6f5e80c55851dcca38a9ce48b015ab73b24e28e0553f3a1bbe1dfa9b67bb9cb9372ad0fb0aaf443c3a8927d00b9b2705f4d1b219c80f7caa637c986de79410c5924943128e64cf869491f19c1646cb403d8543d5aaaea7fbaaaa1a846b9851f4f708b14266e55839e1d61b67a60359c2c111841839225c0f940252506be02ba43fcc7c4be7cb01c64094fbd9a78cc331c6e7809e0be3a4b693adfeedd1b20ad36d321498b396fce7cf169b2fb10e54b
++Ctrl.hexxcghash = hexxcghash:d7303e57a2bf969f815c1b2fd08a879226c0e95c9897fb5586200c0f5e0a8a23
++Ctrl.hexsession_id = hexsession_id:20ace711e8190f5bbd2168bc93061c903899acd41697b76d0f6667d2bf345725
++Ctrl.type = type:F
++Output = c9884e71b158f2255fb204733e888bc5b2ee38a5493de9d0ef6700949159ac6a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:A
++Output = 88af3bdb49bd8e9d24489efc95dea1c1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:B
++Output = 5cf41e1d43f797c16a30e070f2f37dd4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:C
++Output = 7cc48e0f8b4bdd63f76e41ba411d7f37
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:D
++Output = 37d942416267be06cd1ff9498dcf1e6e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:E
++Output = c3c8b48e228a3a671ae8c48aa4e4f1fe32c1ad4d5ae48c904836d13e7350f72e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:00000100745f5abd8fb685eaae10854a96900806cd7d17d2d255990328594a4fdbb9fa28088ccb8fbf92ef23492a595f92c49d5fa32ea5ef6d76000635fb58496c9db824aaa41b67c3c2e8bdd525f6c6a224562c670076f6efd21fe49222c2627596b775c56dff5d477cd4cc008ef566086a495cf4ba634af20a42fb13fa52597dc252edebdfa57592494fd9cd44d0f7e27d6a6ff370876c42733977db656d7372d553c2ffc824fb02375e55069d5cccb493ec77001fb4cd73cbec6976bd45ae2cc0812c078784d917c0a0a54d8df6c745a2710828939be0685d7fc1657eee9c4dbc71615fab0174e62fb7971fa20f6d6b2da1c22c0a35c781c9dbdf009cec3d89891afc
++Ctrl.hexxcghash = hexxcghash:35f601a7877ef637d6c40b4f2e1d85b888eceac9f37e686254f9d707b22bd764
++Ctrl.hexsession_id = hexsession_id:d04bce75141ed2a44942d98354ded46e861da28fc1175e5a22e8dddad4942f9a
++Ctrl.type = type:F
++Output = 605f7d3b3f28a8967402ba67ff916a61b0a4e9b736665c5e911fb33f60dc16fe
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:A
++Output = 7b91adc6eb48a6f82a8990efd2537903
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:B
++Output = 814c8fb54a535b38d4c2301aa49ad702
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:C
++Output = 3ec64c8571c7c7f39a9f37c0e1053324
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:D
++Output = 846d40dc45123f2710e27bd3140070c8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:E
++Output = c2199b9bd701c2f4ee82a145adc28f3e8fac0af8dd43cb7f3da173681bcad2e0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001010089b741b0b9a6704f56df9aafe5f4294828fdc67f4243e9aa9b1d83166ad892f2d970fdff65eba7fa5eddb954dd86bda5262e084752c69c6b93c729ad34e9728f7c838c49f0e87349ae35feef1610b83a345c64c5b190fb5857bf0aa8419efba35789c258f19e8713e2729c184eab9d9c33a32ab3731d77e207a91849625bb855e581ca0be5d9f961aab9d65b463e416ee3d636ece573ead0d088a2fe05d87dd5ed21031f4dbea831112d3bd0e1cc1087a8395430cde3cb54d22a5965dd825329bee8c62d4599fb67ff90260204c6e608e6246f768e29a60cb85f580d4751f9c017cbf4e6062a160c6ff1d0c9d303a2c862a4986e22f72da79b17b868cee189a2
++Ctrl.hexxcghash = hexxcghash:61e49599eb3b01e3d7bc65415ce7004e20bf77805a4ff09681f3856adc129943
++Ctrl.hexsession_id = hexsession_id:832400eb1c4031502f7249d0a4279a7cbe4d4d6979289d02837d98b9ca16ff46
++Ctrl.type = type:F
++Output = 49f5fb8862a4f01900f9f76d6146f181483428beadb000d4f5097adf59c5eb99
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:A
++Output = 50afb2f3b8a3bc466b3a68f04da0d56c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:B
++Output = b8672a8cc59ee1316fb9a2c0a82ffd73
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:C
++Output = d854cbdb8f7544b796f982e4973d4de9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:D
++Output = bd6bde82c451ee39069d0794f7000f38
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:E
++Output = 270794ec70fcd9d742aad66c54001b4c218ae8cca813453560a9aeaacc6909ec
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:0000010100f7217049f9cc4f3d59ea109a06ac3cfb79fc05dc349e1c54482072c467e503494d845004c278dabd9338d3bdb3c2f3c58cb264d65575d9946961345dcda5b9ce59cc8fdfc994acb74fe8f3b1fc143abceedc541ae74d69cd543fa7438ac5b5c84168d6e6f7fba2722c279b7cd0c1e07cdd59bb231f17174d33b7c1a6eb199cfa093476cdd31292f3bff20ae224459caaec461c76d741f0e9269ba96676a3ccebe986a3843a36747a0998bb3feaba41671db20368867a13875f76136b2418b6c807335a7133b4e4fbc0e908516ce97458abec2a32355fb061237bada4e07b950a2b1c8d41201f1c0a41c771d990e4741fef6e2eb5cd106c3b4b6000ad07b482ad
++Ctrl.hexxcghash = hexxcghash:be79b302374817c2fd052704dfba5e98b05a8346db9269e6401265a1c7970d98
++Ctrl.hexsession_id = hexsession_id:def8533bf220d0c632aa4f1b16168e51c0be904c6f299225b30bd7df7bbdc6f2
++Ctrl.type = type:F
++Output = e967df7571a0eb82f59ddfead22c617beeefa25ce4afd80ac8320bc2635c70d0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:A
++Output = ebb3d10f461d8697a064461822f34507
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:B
++Output = bb95f9cbed695529fd7977281332100b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:C
++Output = da1318a6a34224cc86c9afa41991db4b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:D
++Output = 091f8fa87a01c5768de8d663ba8bf9d7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:E
++Output = cc09127a759000f3bd9724fbf5285cd680ee323ffc19cf2f495403f896587317
++
++KDF = SSHKDF
++Ctrl.md = md:SHA256
++Ctrl.hexkey = hexkey:000001001b3a1cab1e87a29e229efcae0f569d855a61d6da6ea0ae5bed3491c7bdb5f70f6caf8dc305100160bbf6ecd726b11799da685ce4528ee689fe292043e318ad9f797bd5746399e007cf1f40d7918b85e4607f6e674da84709543dd0d50ad1d5c993770b4d0c045fdef89d5534c3d77edd8dc4536a10cc2b5d0bd14caa7e029ba8a81d5f5fb16524b56ddb9f35d96593955514b80d89b711ff717e11ad3d691424f6cefc5c613b04e5532d89f91383e4a6f45058604bb63876b1308dc7eb8f86cb5c032e6f1f061646e0bbf27b0c7eaa8216ba9381cb7734df24fe6691183c4823d3b645f3139a45b2b8ee3909bb431477f332ea3616b919724782fda8546a3235
++Ctrl.hexxcghash = hexxcghash:fe491f41cdbcaec6b8821eda916eb03bc1a0e934c14850696f79bd30c73a18e2
++Ctrl.hexsession_id = hexsession_id:df1c0910cf8b81ca157916b8ac0411b7363f62ce10ee23cbb69ddfe8c3f16be9
++Ctrl.type = type:F
++Output = a3ceddafc49f7c0131ce2965945c3892be6605b465877bc0637685612ede242b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:A
++Output = d31c16f67b17bc69
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:B
++Output = 675340f27269e7ae
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:C
++Output = 2ffed577a90d29872ea59f3782c3b406908d7394ff63c9d7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:D
++Output = fae751987c1fa8665e4387e410297db58ff69b260a8fe85f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:E
++Output = ff2db5975edf3824325b257455791869434c6af47fb0c8145253c2695abfd2b8c980565ad20e6b9313ba44ee488bafb0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100941456bd72267a90690ffc873528f4b76394431aceee1e24a7bed414568d9b97c84ce13d34a2b4a63ef735bac23af0b7fa634a9e56c2d775c741a61d63981332f9027d3f52c4a9a3adb83e96d39f7e6bb72514797da32f2f0edb59accfc58a49fc34b198e0285b31032ac9f06907def196f5748bd32ce22a5383a1bbdbd31f24
++Ctrl.hexxcghash = hexxcghash:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.hexsession_id = hexsession_id:e0dee80ccc162884393930ad2073d92120c804254162446b7d048f85a1a4dd7b636a09b69252b80952a0581e9490ee5a
++Ctrl.type = type:F
++Output = 85a9463cd653c7619d4dc85006406d6ed3364220419ca13810301be0f0389d932ddeaebb0e504a0849e2e73a7d087db2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:A
++Output = 93323451441b761f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:B
++Output = 3dbfdc2364807ecc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:C
++Output = c699e3488f825fb24c5e2adc699ec83a5d8fce339fa0e9b0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:D
++Output = a250b13da0716f2d4440cc4cac01a2d591002ebfaada9758
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:E
++Output = 76966a1b7d5f250eea3696077a373b9421e8294dd7cb0aedd172cf9c6879ef34c9deb9c208f11c5d4b6fd713b576894d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000080319534aabf1100b1ef3ec089ba6e5b25946bdf67cbc92493c29d0e63765ee38dc27e15720393d6aa5741b2129b24ee6a71c079190588232f4facadd034dd6e456bf45aedf72a059eca591ceb2d7c50f8ae918528872f40eaf62faa511d6bfbed4b8613163c42b99eb30c20ecce1c36a78b93fb0046467a0bcb41dfa1e609b61b
++Ctrl.hexxcghash = hexxcghash:0f831ff3e907b3f0922722bd8073b2c263c77c7f552c0b0b12be68f19520b1ae2bbf62a9dba0f582d5f0197c0d534f6e
++Ctrl.hexsession_id = hexsession_id:dede417f4b45d58d54cbe59e7d80bab3150ccd99583aa87f7ecde731462d074edf49907278819043341d1fe20e136563
++Ctrl.type = type:F
++Output = 28a66e21fe7f8a070fe40ecf68a64f2a35a46b84ac38810902639906611053832179d5c07a8422993496059af67f585f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:A
++Output = b0db344b1e2e98d3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:B
++Output = 29fcd6a7d317f527
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:C
++Output = 156f9d4c58d7783959e785af3fefb133662009b93891bff7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:D
++Output = c4bc4471e2c7f04dbef9100977e222f4156a7118a122f6cd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:E
++Output = 5878fdbf693638430e31b287ad8cfab560d952d7a828167bd0454e0c8aa14274c7c0c1921a31575f77fd80144e6d2999
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000803b4fd086d25a4bf0b5347a2e323d45525b12a3df508b9129ae7d51637b6fc76aba743d7ee254888ee6d49314ebd8b82e25d187e80770ff6365fbfe96029e23b92ccbb2bfb4cf27e175cd09154b0e68d75a84c490f936ee0366180f781049ddcfefcb4bf25409ba8a8a9a3296cf0619bc51363abfd58cea3d0480673d8ac8370a
++Ctrl.hexxcghash = hexxcghash:8fbe46474bf6ccdad0f706492c4b534cf5698b38afc4b21a6af4a00c3ccda689cf5382e5de34a48bd798f083570ad411
++Ctrl.hexsession_id = hexsession_id:a397aa78a58fcf619f1e8368018d6e40934d4befc96671a63aea4558d5e54c9f42bdca50f618ec84b2d19b539a1f10f1
++Ctrl.type = type:F
++Output = 1fdb34ae9d2f12363350dd5aeefe728066500a083668ac2d48af671d7651a67acdf9b7a0581b922e67278d53f0b2fb17
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:A
++Output = c828150149eb433a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:B
++Output = 45636e088875de58
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:C
++Output = 75da9408e65f61dac9dafa496675214b0d84b0e66feb68fe
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:D
++Output = cb7897fdeb2c235be5812d1959cb55907ff02a9cf6c76c17
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:E
++Output = 13a8062561c28c1bc678a019b22da95aa462f82cfff6268876ffe2fddc86536fa4d19bdc15d90c1cff4d37e69f1fc021
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801a3eab3e516f776ab0a282861a42fec52223859d5af2da778727bd0363ba5983b5d883cd75132c94351a7b5b23fba10aec35a78ab03ba183682b4d3e72c67bd1e6b83afc5178c97624f718243d9377694f085e15cef33040fca144e856c74ab0e70dbf4a7766aa916e5edf184ae7dbd3f19d2491e45828fe5969d61075695e39
++Ctrl.hexxcghash = hexxcghash:5e9be9089c8b952d8ffdb0cbdbe5bb6c1f336e6620292da1ab5eb92eef379655579e24cd6273bd4f552d46dfa87df917
++Ctrl.hexsession_id = hexsession_id:c54542e32ba1ae8c266781c6d14c8356d6f548cfdb8a303c4f1c947318610eed8ae3d6d4350ab4dddc7f9202a510d32e
++Ctrl.type = type:F
++Output = 69437ec44d764caeb89faebf7b8577b433677abcb0c58f166a5e5724a4eb293d335004d412c983d4c7aca4df1b8328fd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:A
++Output = b669e05aa9706468
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:B
++Output = 57f943111ca01b15
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:C
++Output = e9aa354b6b85f357d6f982fcc18a6ca797bd7a125e786f8a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:D
++Output = 199d2b244689bfc4f807f225a7130a069c8a181f5b20d32a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:E
++Output = 69b55cc82d0429979a3832a3be35483596ff1d26a0c1a62944695764f0eb85c3467528be225db2f516e79f23c0c7c23c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000810091473fb24a9fca3fd1639c029c0e6ae6390c83b3278336017068771569d0957bf7ff80a8f188b936f7e238502efc86e518ebafcc4ecdf1b44f01bb070b3cc88c1b23937dcd04c456987a3b75df3874ca54a10e7f4a3123a7fb47365a7552c9e3f7070ec19d1ebb9922dd10aa0280222db770a71ce9541b60b53d9e7783350100
++Ctrl.hexxcghash = hexxcghash:d0bbb1a81edca6ae7ac5c9e60bf447d198bf875b945fcba06b0074e640331b2205c2c055864c011913f6dad3e34ed44b
++Ctrl.hexsession_id = hexsession_id:58d7b77f0cc5480254c68e4e9cb06a1ea5389b39a3f9cba5c9ca03a091fb123aeb5934c519b60181d097b8cc9455b96a
++Ctrl.type = type:F
++Output = 6e06df643269751dfc9c8decefe466e1ab2ab99466661aa6f0dfab223c3b9bebcaed4c19cbc4109dfacda81cc8f902eb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:A
++Output = b2ada53484907db5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:B
++Output = 89224486fcb33030
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:C
++Output = 38ccc00303d5aaf748f3c11d986b99f9bf36049a6f7ea92f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:D
++Output = f8a7a4b2e1d28c6a38e120a2cb876ed49f454ea2aabc3a99
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:E
++Output = 9f42ab15d0b041019960ff6a5a12e209c427dc334434126399fb8850ec8feda957b74f1976b4c8a97906d7d64c5c2a83
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000000801b8e7d2292f95d97c99e9c93fcc681f2a446437d7595137f761eb9351f50cfb71988aad2d9611a5e3d32c58b1efef596b2b495c12355b6caa5c647237670c7cbeb7b7ef5d39b600b44ab1cecc7ff454981f70366f5dc95f790c9744e55b0b5cee770df10dc3f081b8774b4735c86917384ed7da0b597bd932e676b7ef6fe2cd3
++Ctrl.hexxcghash = hexxcghash:d1ecf201e213b656e7e002d26b263ead5ef6f265a2cfd05eb83985dbc1dd0620f729800a92f676e6c8219aadbea0a037
++Ctrl.hexsession_id = hexsession_id:fc6bb80f9116c6746603327d5338e853f37b06593402e31bf5a43abd5e6de8f26166bb572ce0c88360a7bbbe83d0377b
++Ctrl.type = type:F
++Output = d383bedd3b80ddc470db9b819893e85dfab9e359e40bc77576e23ed8c5e73beecefb511ccdf1eb66416c271be5f90199
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:A
++Output = bac9e6c9553bba95
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:B
++Output = f29bdc017028a9ca
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:C
++Output = 840f7e966d633f57bf6cfb3e6aa6bb1435bbea5822c9db0c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:D
++Output = f78b485e49bf72584e45de78fbd75392e3e0b1ce2a57e7a3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:E
++Output = 9dcadff513667aee5e2fda86c4a198db4252a9311635d3659db957570e448f3689444dd3e10d6097a07dba923db349ba
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000081008efe3279e8fc51acceea0ad5958364c2a36315d92ce4d68f6f8486b3160293e4eff79998474b954431a6981864a34445b4bd68e5b598dbaba4de5661ef0b09d5dae9b1633da886f1540d1df601c1acaa139de540d3d8d0b01602559a833aab87730de5c6875b78f5ec6d19145db46e2a77cbb9ec39b1bdbd5ca3be193dcfd622
++Ctrl.hexxcghash = hexxcghash:5f6f8bd8d664b1f31c615cf457a5c7eaa8733bba6557f15f300cfb364b0ea927bcfe406ea5fb7e03ac648fd18cd93372
++Ctrl.hexsession_id = hexsession_id:a89ecfd6636423e8d5ba8da3aa8367092b1a662df5693c55cbc5bfabb97320d90692e6c9305af47c25e6617200648752
++Ctrl.type = type:F
++Output = 5e7915ea90a0d81e3c2ada00c85890b6defbb64f45ac4f0e75b22cf6187978e630f356207c97362862389a1ef99fb51a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:A
++Output = 11811427eaa92d61
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:B
++Output = c13f22e0bd66a551
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:C
++Output = 2b9c9c8ecae95d75472495363ca2d46dc79babdb2e0fda40
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:D
++Output = f466d9b9871c1482c699a5d9f8636a041adb60920c6af855
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:E
++Output = 1ecda0252461bd08960c54ba7c570e80715780e5e99ca0f754a3d451409ed2df928daab91ed6b4044fcc68bd5f907c96
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100a89b3f9628a4f984336377edc37d3bed4aa748fa0b0a6bc80c366e8ffdf0ccbbe07229c5f02394b230759d5255e3a7d7f63a2395e2f07e2d31bf885abaea150e1f97808f26f8fe8c5113c12e4d137844160a433f8451faaf432bd7c0469dbe713304c8bed29c03cb7629cdffebc253d0a01362052f55576fdaf89702fa33cedd
++Ctrl.hexxcghash = hexxcghash:8467d0335e6e254eb02253f97cd14c0221f1b21431a4ffe1c20675039d0ac26fa70a0c4bad639834d88d01f6c1ea878e
++Ctrl.hexsession_id = hexsession_id:9a100a5b0ad81f1c603e05c5d24415f2aa7031c0d92f16de15cab350bb1a2cf3639c6906f4e220e057deb966813bbb35
++Ctrl.type = type:F
++Output = 202e4e3dda18306c7fa518ea849cf3a4788dbc5305f71267ba69fe8920d3b18d9fc59853a4d03b18480269698e24c190
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:A
++Output = 86183fd862bf42af
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:B
++Output = 04e146b085c71253
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:C
++Output = c4364d4e0e38fe4c5fc2b2a3ad42e49a57106ffa962f4c5e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:D
++Output = b9d1549032bf336c8708f13d8f5d281d696b8bddc296e709
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:E
++Output = c7ee72c40b26fce673ff23edea3265dfeb7b7f6fd66362bbc91548fac1819a08682c65c7d69d5e54e1c48b05e7233adc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008100f6e899f2b7542fd95e88e06ff0a68e43df6f3d913f1295922bd01b98f7078b67311e002cafcb41a65262585a78b22ec97c81278f3f329d726f08fff23f4ce5b90abc694c92195fe7bc140579f54c6b89d81b836a8d3998446aab9055904ef1e0bb7553739d2351c8cfae0fbf50d8ced4bbd3975450569d0f9e441a3ed3aac776
++Ctrl.hexxcghash = hexxcghash:1853bb0d312eb00d1c700d25ddaed9680ecf28eeefe9323566dc91ef42a85b2e3049286621f43b928e2b821e5605bf60
++Ctrl.hexsession_id = hexsession_id:da7d22e3c7815b6a6089f381ddd957df3ed78e97902133d62d3ff6119d8c174b69cd26e627d6ccd98f847521aa0e3896
++Ctrl.type = type:F
++Output = 8b52078a6d45dfaa051193da8f9c8a18bfd0c058e7be145d0c4b5b677eec54a01f9e2a20c997e9c0a1ede9576800cfe5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:A
++Output = 54f4be4a33dfa102
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:B
++Output = bbb084483803aab4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:C
++Output = 466a038b3a5c0d72cf19cf33e5a551437933dad54bfed655
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:D
++Output = 44e09698e473edc642256e99bfbfbeab1db3e254d64a3ab7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:E
++Output = 8e35d767e738c4282ec1925ba5d59dad723b7220c10ae8b69c9eb3da124ac1bea8195f5ecc1c3b03953938cd1e0e190b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000008008483322bb2efee6320ba1fe14f296e0b170f9a0c6f76a49d0b23abb74251da468b53fb86ddbbc55a5c4881686d1aaa9b309b65907d92352c83597126cf7e3d367f543c8887105403d9b2ba86cf2bbafd4a984dfe8ebb7b8155c51d6416c89b4efb91ef5953b0e54dbcdbe76443a80e5cd011d7d6c9bc69ec81a19749b95f6c0
++Ctrl.hexxcghash = hexxcghash:ed7b1464334bb8a04d128b791cd860c1546faaf860aff394872373f5ccac0835b47cfeb8c3d049b211cb7b570bcc1f83
++Ctrl.hexsession_id = hexsession_id:cac7b46b66372be67b4ce198311faed9ddc8f8b95f6c61d8c71a1788724ab6b8d159e2ba61f937e6d87bbb9cb24a9fe7
++Ctrl.type = type:F
++Output = 63e5c62c4e6f2700bfa5927ca2e730101c12a684808ddd6cf5f9da2bad3b49ba3d05d4f88a3a91f341ad2b63952e7db0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:A
++Output = e46fdb8c912658c34b7d509f6acc1111
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:B
++Output = 959c339aaff2e2ed46da46c5286ddf3b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:C
++Output = a1cb0f9c7349d6443494df14b4bd9aad
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:D
++Output = cdcd2c2ccbda238e184058b76757ed5d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:E
++Output = 026ae927b4a5b63a513c02faac55534dae5c219779f08e239f67df78c52be743aab628607e5a103127450ea51833eb84
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:00000101008174aa2fab9372c253f3b993d723b55a2484430fb338095852b7a5099f9d609ca6afa6bff9d64a55f7ef0963c684f0d17ec6045ce57ce3382870d55fcac0e1341fb47a7f76f0d5d53b67fd5e0658ecb88ae2e2e42aa4b83b8cfcce9faae941450ace059a7f223623d1c8a9924638de7eebad35be9c9f1bf38aea041114351d585a1988ba53cccc6949150f367fd790fc427916afa2cccd1d2f1aa8583b948dfe56cf488b38ec2d2570a0e0441c07ccec8b5b4db5f60250741b1aeb0bf49a85cc779ad7465f0c197735698842be2a39af8591ab91c84b704e67e50cbcdb75c2799aaeba0184341dd520f6db8477f13d5815d37f191ccb20545e4a1eaca316370a
++Ctrl.hexxcghash = hexxcghash:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.hexsession_id = hexsession_id:09d74bd79b47ceb3ada0d8df640595ba861ccfa3cc0d6c640eaac21d2d5f3f9fe61fb2e585fb6cc90bde11967a563c4e
++Ctrl.type = type:F
++Output = 759fd6bd386f4825e644521edfce4187a7104ea7380f2c6c5e283f205c7c025be46c5ee73bc54a956f268c2031026bf6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:A
++Output = a433ac21ceda36a9d98abec722b2a5e7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:B
++Output = ed580c2c7890d5f3da87870d71d96300
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:C
++Output = b310304108476a31154febce2bfcf44e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:D
++Output = 63d729b0e32d9d7efe7efdc6111489b7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:E
++Output = 7443a278e0c47e4004ba1c534dfa5c460670d2dd4459a6dc7251664da187f633208f6c06470f6aed6148820187f35a25
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c10fff0a20858c36e41082abaa65b96c5424ab67563882a42237258e736b5cfbdb2867df55f8c40f81b34e8c4c55d39c4629dc2d833257dc68070a61d10417487ef0840b76169145402327ae81f35cbddae6c2a45d52f52f48a0c94acdb20db076393b5b1e3d1a7acee3f371bdaccfee696262eecd20238cc54322e6ca72e58708aeb19bf761054d9f7426e4ea0059bd252beee03dcad1a7d6d034b4d9d307218bb3d7bee3a57572ded304df1dd8f97ed9550ebb0f5c25ee3f8c6df3dfc2aac92f364ec91040d001c5cb1eee33c1d43112e5a289b46706c7f12a327620cd98fbce2e7fe7b7bd0e05ee0005182c35ded65ee1d86aefe816e5894e07536697a7db
++Ctrl.hexxcghash = hexxcghash:62b3155ba0c160f838a6949d0a99b144868a7b247c583a53f431129e39aebd40e2feb4dbac7527f993ccf1646d559134
++Ctrl.hexsession_id = hexsession_id:7e4674330fb6987b64ef7f30335d171676c705a6b9ed958adc6b6fd16949830d3f586eec44812d0518cc3ebd4292b422
++Ctrl.type = type:F
++Output = 37500b699935ab38b9185018d3676f221dcd6643ba4cf3dccf8ede7ba2f0513c27ad2324158ae98df4e7fb52ffb96526
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:A
++Output = 8ad38b03467ef0cac638f93b156e1c05
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:B
++Output = c9a867164cad7619621c2390039db88f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:C
++Output = 28d6e6a69e686b3b2ca02c7595b6a565
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:D
++Output = a3486f9014731b15530dba7498d4b2ff
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:E
++Output = 9640b7d6c1351a44dcd430f9728083949adbd8f3c47f1c7358b41d99730f0eeef9f8634cc99207b8d998c8aeb0085e4c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c9d019aa8ab57cdbd1600def08b92f4a90b8ddb1c3fd329475e28ad9388525d5a813756472458bed674332a649c56eecb6cbba726b9afcfd9ce1f490bf327de49978b34fb106ae1ab4ece2f241e0b67ddf03bf835aa2dcc5cde5aca913d2a5ed74d1ad0e945169f10772d830fa5c33c7f7d543e2d2ac09fa03ff1509b94977cc0dcb8a464104a3e8d9f99cbefac4361b92517f14eda2558d572ae7410a78962e596c542a20d3aeb49cf41b48b54b387dea7c24c72edfd656bcb64c605b741c7b03892020ca2ff34e0b13534228bd83c9c3ffbfa219602041ac4238904bd782da7e3c653f518891f7ac1e7b05b7e37baab18eb54e8de76dfa8c803a0df843a28e
++Ctrl.hexxcghash = hexxcghash:a970acc5597f7965dcc540dac7cefde594c0232180187a32364b42dbb8d0307f8c3f52678e303e2f315b2ba1cf62863a
++Ctrl.hexsession_id = hexsession_id:bad9943e089550d17b90f2a34409660c07a39be5d48a77d8e1ad25726c93096081831c24e876060cb96def95df9a7fcd
++Ctrl.type = type:F
++Output = cef923f7cbc47534d9a6da613eea02117b19800995f66df9e49291203ad15e5d29cc08df86200bf09ca091b37cc45432
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:A
++Output = 1e2fd838058e4569de0699e57eb9bb30
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:B
++Output = d338052b2288e99bfdd16b5df26e3d3c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:C
++Output = 020c58037db045fc2a20a9b12e34205d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:D
++Output = b1e7b4361aaea7f9656151723c21b9a2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:E
++Output = 67d80666ba420d07153530859fed5a3a2f4b6decd37575714d4826f41a96a1638b89399cdd752af7f6ffd3db0214f0c1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100ba6b819aa094b3b9a2e93d37eda5df776720cce40858790532b8ab0de613b8e20efcef330eaa9e4ab290fd670b8f8ab1e2fc217d575655a7c39740ce223675a4376bd039f24165d83268a3e3a5b6e05f1b077dc752c90781d0cd6877c91c1fc865586bf661f28cbded4266f1b9364ae7233e6003b47088cb50f81a631d4b1d200f8c38455ad2217eaf03b6e0a0861aeebe28ef0fcbac5526bd06ebcc44f67de9b908f0359076527f6ff7bb959b3adfc9ac82728d7627bf506ffb2f8742ae28ce3ca7402c25b1cd3dac6781776a35549480ff537c33f63796dd5de4c64e1ff5546689d8f398be911707e0b5d347b8456e89eb2262270ee1de85902b7deb60b02b
++Ctrl.hexxcghash = hexxcghash:e94db0c0969c8f09c1c0d63fcca9f316ae85a0c034f118958c714fa165ac71a86bbcc7a4c017c11b9558bda897455f99
++Ctrl.hexsession_id = hexsession_id:a01426386ce69a9a9f101394e831dc9d17a6dc901349f3c3f4269788f5c5e20316c233d7632005b1771e5bc2f5ddf4c2
++Ctrl.type = type:F
++Output = c3fb2ab670e39885cbb98a4609d69a90afd37d383512ad222d63c9c6f1009e2a42065a232ab5b39f55247f8bf9e6ab2c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:A
++Output = 6e9bb7681d56457fd93aea6d40860dd9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:B
++Output = 5d19ce6c6b16c5f2179753a7abdff3e4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:C
++Output = c550416e8ea0608a09051cfffe0494e7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:D
++Output = 33c9f3f03de395cef067684cb5b95200
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:E
++Output = 99071b0615bdec08d040e731828028fac9a16d367b86d2d1302b607cd39ac9678ae7f9f87eb619fe2ba75d54da3b07d1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001b9f110b05461796db3a0b751638b552e62a062d7b891591ac75e237d47f5f12d97a5d19be0718c8a2fbdd9100249c2d9ca59bf491b10afef75f61c53ae92455e8cb016e230408c869ea1c5f5d62e853ae84727e3d1f1bb0a0faa9ff575eede461f502b90ca38e8effae09478efedd16090202bf03530d03d0a2aa70825fb28c606b7545bdde26d606c059215a9f947e60c4b5de9b35a3704f73a5c8bc8811387431b7e90f1ddc71cf0696497fd640cb9b1b8866bff5d85e879e0a7848722d34cc62844afcc6318fe73ea80e484c3e62feb0cde9269c07edc0679683bc5427a163a4b4ac463802293f7c968e4188e7966b559c2581582c67ecda0c9b3b8eac94
++Ctrl.hexxcghash = hexxcghash:8886115c2324dede13be6895605a439c6ec48ca46f3d82170b863dcf1acc26176769626df893ebb7ce8c9432058633d8
++Ctrl.hexsession_id = hexsession_id:331f7e0103de46d90dbd885dadaf67c589bc6b3caf25e45e329d864c85b7c9ae17b27cb92a81c9b4421f431014cb0e03
++Ctrl.type = type:F
++Output = a11fc539c46d9314645e1f7517e19794a6ba4bf7d7d5a6f71bcb4621bfdedeae3bbcaa62fb638d994d1f21d14f5777d7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:A
++Output = 876692595fbf1239e03b1eb28890cedf
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:B
++Output = 438afd7eae8454675ed5964122fcbb9e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:C
++Output = b9cc0e2718c5853e0aebb43409fcaaef
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:D
++Output = 8def9f93e633ac2d28a7c5b76567a4cb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:E
++Output = 3d80ed20f0703857154bda8531b12b96cf73aedfc662df6faf277321be6e38c904bfbd5f9206607684ac331dfc92bbbb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004db530516876fb9937bc2da16117f9675c721da6b80cd49e6b6eb0df6fe4af90ae755378e77e28dbc376e000903b1365a7b3cddfaf19410b31ae44e3e6641c5d47002ac5b261b1c4f7f301c8d16a917135c23bf7f84f15a6143e7e3466c52e1e3c30026f15d5254da11ced1b817739768de9913aca2d808acaa31e933763eb438238b347a6bd07834d4f661690cdb2372b4205aa9ad80df40340c1d0b1db320df1d1b13fa2ff4b9ee4500c9d03f45e75fb15a97b833ab9827708e4bca8fea562d69fea573ca7b5905c71e51dc9f24a74bd0c596051066acdeb66eb39c76fab66b10bdc88e1b72bba8aafa342088cd4a739a18e61c75be6b5df0904dc5094f0df
++Ctrl.hexxcghash = hexxcghash:12ce3e6a5407943831d65608c9fd59c972689136289af06071c015f8a41c9d1536d0afdad084322f832415fbf199d044
++Ctrl.hexsession_id = hexsession_id:939c41734aa3db9d9dfac7a7db54c889da38d8bbe00326f559a3b0f92a96b5ac3a454d8355ccd0f31099021d0ee43063
++Ctrl.type = type:F
++Output = 736e77ad5a8fac835795ab08522d834e34a4cbc48439db2845cb1d8636a4dcfd49a7ac5413713a8177c277eead96a0ff
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:A
++Output = c84a4fcd4ade28805b032174428a6f27
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:B
++Output = 27b0de69f3bc7d79d2f6b54101f3e10f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:C
++Output = 3200c39e6ed260f4f345cbd0c88cac1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:D
++Output = 7b9e506a1baede9b80dff09253a9ab88
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:E
++Output = 3c860ae21a5dab865eb560ed9ddf51775d3b6603e4e06285cf5e9273115a77d8d5ddfb977fd21c0a70c35798a5ef596e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001004d7ba3e909e1e2886e00db333430d7cebe5107e9701672a2a1bc0bb5461c620c56fc8a8aa95a577cf48ac2e5b35d948e468bbc6232527f6a4e3bf5ea0b2f68b161ee3aadeef596c683e511bec1ff70df312d988eddd557952720f82f69882107f67880e38efcca68429374d85831eea3ac133a6a89b68a9ec27c71a67c87addfddb7040a7416ead43e29612dcdc5b7e6a82ad5cd243e8a6dd2997c44ad76a2a20145f89d7e6b2a26c2c0f2ce7d60b1f45410f9ebb79b52dde560f8c7c99b7a11d645f6ad6f94727cd2ea9d48ceb27467ee60371e6919a3ae044c8941a65182c94e8efd7b5c7eb45935baea722628d89d89de995d82b620059fe1054927864a91
++Ctrl.hexxcghash = hexxcghash:f3cc38427adf01b9483d1f9e4e9acef554a8c7d0d8dc088d3865f05bc06a4ff11efbbdbca7ab0e0c0e2df55a93f0b4b9
++Ctrl.hexsession_id = hexsession_id:aae879d8c0c6762d28c30fdc707b169a2155f8b8a943ced399a56419be89cc9f66ba9282d85ac4e53e0d5ae27adcf393
++Ctrl.type = type:F
++Output = c53cfa0836ac21bb13c58ed15ddf593e8e01c7437587112ba013058d411d262d87a5e56c098b69146d9019803206ef91
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:A
++Output = e34b595f755ff42a33126d8efabe1ec0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:B
++Output = a873f52aa3b91a8dd019be8358c04de6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:C
++Output = fce5c490a769fbd4aa31b0f5c7aad86b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:D
++Output = d36a9b7d2c63675d2b250d5a97b0e628
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:E
++Output = 92c8f89f84575cebb9c37be3a488d0b0312a12d9253dbada7db1318f5a193d4f8f75a212a75c1123bca89d5de43cbf08
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:000001001cbe25a738580c94ae733a5d4e9e61860bf1a68dfac365edc5818814166cfaecf269d07293d656c8e99973934b5f14eb4bcd1ac3c388596221f65f66e1193463bd41fcff389e458ef7f1ef858439b600bca422cd29c84d2cbc684c7a85d8b44f6a43a5fc53bbaa4ad1a6b0f2b841278efb1fbdd2513e6603984027efb81c72d8c4cbadc8dec51089dcd43ed3109ddbc6db29534186a237c5d8c3a66dedbb51b09937b1c7d4cf6cac682ba2dd1c9cf901d66f1a995f945d5ad12bd7bfdd3fcc5b0852376b9834f0bee3f7a666f587bd2a3b562ccf129b6132c902738fd0dfea3ff9538961bf5f59ac1779dd4ed68986059881f5e08be5ecd1a59380392e81f0a6
++Ctrl.hexxcghash = hexxcghash:b32d4e6b47772e651b867558a03f488fc00c715c196c7abb1abf3ebc24a638edd058e77aeadd9aade5ce34f43e19f1fc
++Ctrl.hexsession_id = hexsession_id:5d2a819b135d8d985643ceab3461ede24ed192c60471676031b4b1f8ae71dec657547fdb3a43f75112855ffce72b60f4
++Ctrl.type = type:F
++Output = 16dcf1bd1aa4d5d6edc2d2b23792872f53767d6b2589e4700469a9bbbbb659c1c8716393fe1ed717833f491cd32d874b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:A
++Output = bbdc47242c877cc70585a5d9f0b8067d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:B
++Output = 6dcc6458af049a81a6d3139c2725f67d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:C
++Output = f788d0b9ea5373031d44972fad39d8e6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:D
++Output = e939b1367ea35c67ea990988c3c0c474
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:E
++Output = 069629f693b4d291ea6f16355eb4c57eef7824217d22651af095aadac27a789314fee4e86efa9bc63085a8ebfc606548
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100c7f8bcaf17cb17db3d5c2c9e8db37fa77685463d604e6b577ace9ada1b5a7fb54a299684a5405973352262ed66a7e47e4cf9ba7981f76a0aa6bf407be5fc48f70869b6913f7d9b2395f73eda2f08ad5469df982bd82242c19bba0dbcc28fa5869bab99b84015a313cebcc3e86ec3fd15513e329a236487e909a6b37134bc75b03dbda7f9196738ae5f04ac3cae6a3c93150271eeed62f8c019f433df888acec09e947dee6537c4fee5e0dc37d3b4ae4ff77309382148f0127cd01b882f128ee844046c9f3052ff7fff81876c261ad6cdad0a9ebfc769a4308f124d2422f03c1b171ac3404d4d690e9c1d94fc3de479bda663c207120a18f1947a68179d19ecaa
++Ctrl.hexxcghash = hexxcghash:ce996d2b1198f069c24193526be1dd0d08a95d0b0a144da5a1303e84de4eb864d49ca71fa5a59f51c10b9d4257787626
++Ctrl.hexsession_id = hexsession_id:ed906230bdcff56bd239a8c52f3cb1e4e16d1249284162ca85b320e543f62a82d7270131231cf49e1b0c0b1e87643719
++Ctrl.type = type:F
++Output = 731107905e3b9b36ba3dca504b35f1a51e75e2a3ee2595ade882c21410d439ec1ec31fbc62e64362a5fddc0f39e76da0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:A
++Output = 8e1af4ce3b9aa9f1e7493775f8846ac0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:B
++Output = 1796cee0aeb39eb1fbbaeaf15d600832
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:C
++Output = 7a7485045a2f8cc86f82c8486f8e9f59
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:D
++Output = 00a9d893e8c14aa3a316163d50d83378
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:E
++Output = 46133b1cbab3e04043a1b336db99575183d5be76f9d56556493a8d4a8da37a020ae379ff2d470a99ca7e9d2b1cf85cb4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA384
++Ctrl.hexkey = hexkey:0000010100b41b41585296e85cce723619b40609b21799fb244d72fd87afa3088073819b232de7d9ab45ceaab3014099475e9314cff74149b5e4558962f31d3d2a84f24500558af928ff785dc32627f5062ea2d5bf6ff085edf6d200daca91037abda71b5c9c1660cbf60cfc3ec1fe590c3d6300aa279e42383f98f4000031bf57a2bb612c7a212bc0ec5057817b0843e01c14a9b353c26699670873db05de7049ac44951094c8b231713dab09ca641d3cea65c5e3b01d41d93351635b08a767afadfd7865388ebbe29e8f47033d1fe530d7d45fa1c266705b26d67282872da9551256d88708e1ec69ce9b94db6c7f3e6b7ae06418b36537b7839454c539b2bdd758af9c19
++Ctrl.hexxcghash = hexxcghash:5b168cac1113de12bac95aac34501866abd610c6ce0d51520f83c865db8d0c688b27af11e08deb4a2673c160edd1da93
++Ctrl.hexsession_id = hexsession_id:32dc32821483ed98f696813e712d229b6ff5a9e0f7f8e582a26f0a5204fa7655040ddbc791e00e7a979dded9354ea2dc
++Ctrl.type = type:F
++Output = 9221abcc3db5a557cca60408e65528e937cc3673b548c350924cd9e6387de526f5cb35a0bbe4020c47318b59d1a0527d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:A
++Output = 0e2693ade0524af8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:B
++Output = b13144de02295bb8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:C
++Output = 7e4a721fb7379ebb423306464d57db46afa3cca10a1d7feb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:D
++Output = bb84123b1fac400e0df4767d78d011427e1edd4d4c934b95
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:E
++Output = 00fb0a45c650dd9c95666b0c7fcea8c98f0562f61b862054ee400aec875dbbc2bdef4806c09217709a5050569312efe3af513e7aa733c72457abe1607ac01c13
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000080575308ca395798bb21ec5438c46a88ffa3f7f7671c06f924abf7c3cfb46c78c025596e4aba50c3271089184a447a571abb7f4a1b1c41f5d5ca8062940d4369778589fde81a71b2228f018c4c836cf389f854f86de71a68b1693fe8ffa1c59ce7e9f9223debada2566d2b0e5678a48bfb530e7bee42bd2ac7304a0a5ae339a2cd
++Ctrl.hexxcghash = hexxcghash:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.hexsession_id = hexsession_id:a4125aa9898092ca50c3c1631c03dcbc9df95cebb409881e580108b6cc4704b76cc77b8795fd5940561e3224cc75848518992bd8d9b70fe0fc977a476063c8bf
++Ctrl.type = type:F
++Output = 70a8005e711fb96dea5991cb68831b9e86005821b45ceaf958c13d5c87cbd2953d0877c267796edf8c7fb3d768bb26b74e542f40bf9ac9f6a9d217077e85f511
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:A
++Output = c75c77791f7b67c2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:B
++Output = dae1e8bfab1b4b7e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:C
++Output = 0e79f5b685ebe77ae6d62c344a5dd0f53502523a28e2b408
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:D
++Output = c5ec1aae5d26c2c5fe769576eb1b75c53d3dc67d452dca1c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:E
++Output = 6bc4e5d6049c69a8ffbf93c7617b6a168bd0f14d71471d199b81729250117272ad102772761a8c0b5d5240e589e48a4f85ab8c3e1bd030327e7c87428ee44d13
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000802b2e6f7545fa66e1078c67c5457dbf5ee03801edef4421d4f0e797b947b79e293ef724253ec4adb53977f027a2d577d7779e96be4e093b0c36be62778c5bd48dbb0bff1335470e10cdec4df88e8feb00d322426baf3035e9fda1aaf819be48dacc640d52eb8750cc6fd8031d0cba0ef0a11973d43138dd2d11d2eef1fc926327
++Ctrl.hexxcghash = hexxcghash:4dc005dc6ad5075cf6abbedb53a0407104659cd168b58d014fb2465d6f1d1140d5fef634f345c6c38ac2a8db3771e4b0c71c51faf85a297bbdf7ddf8228c3159
++Ctrl.hexsession_id = hexsession_id:a674aaced8345324221bbd8356ab8355fd3d3e410ae974c0da196f4cd58cc0236a85900626da696dab8be23aaa529458ac6ccf64058fd2fd140ca1a1a0c57988
++Ctrl.type = type:F
++Output = ce109babe86778542856e3934be12decd239120a4dcb948a0154c4cb7b8ac0a4a3cbd682698086123e6c0481ee351bd9fedfba58d37f7814ba9c2b584f6cfedf
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:A
++Output = 6a71fc98f044591d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:B
++Output = 9f1a35a5c79014c0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:C
++Output = 377901cc72e4c06e30e27b03902f65c4a58b9d3f5cf43431
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:D
++Output = 82a9db94ea5c15dff736c3074a34951e828c8dfa3fef8596
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:E
++Output = b3ce0202c966df307a0729a4bb3fcd0ee55d4c521a144ecd285a470830f60685b2d751883d85ccd29fcc2481f3f442fdedd58d17528e8c4fb28473ee5e539706
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810085874b95394d5ca3096b0a7e6444e129544e4acd8dd7078c46dc74633df1737986e7dc6f58ac09c7d734fd68378f1ee6df60c48bde343e55ab2a5796ca3ec295f15a75500f476a8a6f1725fdade3339cd7da0a2528449652d7ea21a834e42961ede8477f63bac84ccdba933c276512d3670477d2696402175208526276712541
++Ctrl.hexxcghash = hexxcghash:8540955867f6580e9c1e7e3dfaef9c4f810dbf3364e54f66c471b51d11686598fabff6c3f78a7ac1c90710ab991aa00980f9d5948d462662f6c439fa7b80483f
++Ctrl.hexsession_id = hexsession_id:f2ebb7479c714402275075725c4712994f04485c048fad37d1505f1ce2cd6e32051782848afbea4399231fea5b8d39ec596e118dcc95ea35ffddd8c5611f5298
++Ctrl.type = type:F
++Output = c1ab7227f919cbda46cd6ac2bd4bb2ee5bd586cc55c7c1cb067df4c9a23209f716ff5e97ed76ebbc0354d683c5369937ca8db4cecf9e6c40886a186d9c4e2366
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:A
++Output = 3832bf21b907daa3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:B
++Output = 4e04d7787ba7fa68
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:C
++Output = d7be949edcfe4e4b877de1cc6a861fa721e137bf3dd1bb27
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:D
++Output = 5361fc87e24ec3031d97f0099766ac9ff7b8f91ea87666de
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:E
++Output = 40a6897606035ebb04907fa15e1545a8973b9b09423f3786be4bcb8db9e4561e0385bcf1e3c0cece5a788e9852ed1da56963f36bad78fede21405ce3ea92a3b8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100e1436b5ef714092a6a0c8cc1593682a7ca4c05de423fb5f57c1d225943d8e4a5b526288a46a9a0fdb10b59c0beb8c1dc5b4d2bdf34eec2525df84bca2f8b769897183a45c7e61171ecea6e2be80d3becec8355ac3853bd8d077697af6e774133143265bdd538b4fb64786aaaa33e45138fd8697ff1c77b50f63dd8e9476a74c0
++Ctrl.hexxcghash = hexxcghash:367c80484d7e01e0915959e9fcb5124fa674489cf0ec4b0fee6a62dd77f677db901d9fb417cecf2a98f0b24bc24edbb1f34ab19f8d4d2976958f7d99ae2c78b3
++Ctrl.hexsession_id = hexsession_id:0a1bbfb890087ef260a88fafb92f16765444adc4dcb00efd4750d59f1d8f4b6662edd379d812ddc822cea79675731a5e5791f29ebd17f3f83e675e9e9f6af3e3
++Ctrl.type = type:F
++Output = 727f9bade9334f97486f479c88614ce96b8cbc803a544fbfaf5fcaf0499a1b8edeb59daa1a824ca9b165879c63d9f0b6464bcd3121fb1ad29b38864fbaac7741
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:A
++Output = 3f077a02dc957eb1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:B
++Output = 3cc158e348e64a0a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:C
++Output = 8770fb6792c2fc16a60c9f45c8d40db684fe52de7c60b482
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:D
++Output = d417a07f1070a2e628424fa990ef436f137725a7cde43f1b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:E
++Output = 20b810e4f6a540724f269194e37969a10e340d45c557eabe72c41f08a9fad85ab44a9c362e7fc5eea9ed5dd9b84cc837d2aaa46ee71b355cb1dfefa8dc544d1e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100f8cf4795508e2aba0d9c007ee0afb38a7d570e26d4ebe97d3b9cb46dfc05b9b18396054fa91f856758b036195a9b360ee48b65dcec1f2fcb901d5faa308125b30b804e53ac15b2f43c2a12fdbc987707af58c36ecdcd89376117f9655e14da7f1808baeaab020a47ac35166a4868dab970ce79de592c69164045fce4eb55872f
++Ctrl.hexxcghash = hexxcghash:40d59c8836500e523e6404ac03d9895b105c7feceaac52dc3c5e4113e256c0057fbc770b805f7a2f18bf0be13357eb99db906efc5fb772f96e5fe76088e2e6f2
++Ctrl.hexsession_id = hexsession_id:a619290ad553a2b0924f3ea6152883685e3f2cf6063487616f083fadae950451df5f6e8a144cd951b2d853c7ec2d1aece9c438a89850788edc6bd5e2a7a98a47
++Ctrl.type = type:F
++Output = acd292ab652b49c7c2a5a35b93c31a71eeef8a629cbc6b1c782994ebc7566f7b0ae536cc0ccfe881bfd8cbfaff391fe23568fa5692198f188deff0c6d0808160
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:A
++Output = 7cf213cec41701ff
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:B
++Output = 81a44f6f95fff954
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:C
++Output = e1610d85ea2c24b4af18076c2d7dc0c3f3b3bf1c8df232a4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:D
++Output = db146cbf4923693449b857fa927d112f3c8bd1bac73f618a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:E
++Output = fac257f4544a0aa77659642c33a421cf27b2216a57399ff8ff48baab37519ce9c27f93bf447a02b3c10d9f9c6201745ed6ae28a13ff85e949e0e8048bf31e0c8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000803105020875f56db2960579efb7509964f256c2b81009e5be554bcc8ebe84c492f0cd0990e78ef4e8582a45457712be71d6f6c0b33315668984f0a41cf45fb9a459193c710919b752be3b80b2c8c7de3be570f76df6fe1cbb9dc81085fff2ad1bbfb307c6fb21f434cf7c0b96ee9eb6bc0f9677136a6db91f5d953f8b104b3497
++Ctrl.hexxcghash = hexxcghash:5f45d483ef27aeb00ec7baef96f4b4d1b254260bf60671dbd00e35a32fdcb7ae06215d59e742158782e0626bd5e2e8bada1fd7ec5056679f4a1412eaa2ef10e5
++Ctrl.hexsession_id = hexsession_id:8ddcd28d02f2cb50661cf2111953c697c0e578e43a77dfeb593b2bf05189bb429f306bcb0bcb41219d5428c1795c84665bb1f0db33e55f52edbff2b781c7eb79
++Ctrl.type = type:F
++Output = 8532a1014a5a2feba5730823b0fb1781a7782a73f95a97697aedf60997e6cdf5107387be820b74c0e43e8caf42e83bbc703c6cd9d37b0e720aeacc115ce4633e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:A
++Output = c5dffc4eb99a1c36
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:B
++Output = 13cb7467ddf8ea7d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:C
++Output = 4d77a9a1a36500d9ea0389e3813a201fb9b30751d1fcf0b3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:D
++Output = a0e4ec099492c752b98013d2176af6e601eeef3cdc2029a9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:E
++Output = b4035effa78e6da307f4c096226150e5cab92794192bba492ff8576da3fdbbfdc87fbf79721de0e8f38647261dcad096fd536c4f724f09782a4b684902a4b979
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008045cafef6acb29ea351ad025a32cb0fb88fe52f138ac3cd7718140c883cffbc10778c2e6c573bdbfaf32eceaa2fc1e106170dadcdf1cb0e1653f2361c76f5153262295b16371daf9ae2015dfb407f4920240eb10293c48971d2086723507d2eb7e1481f2b737df223628ee602a49bb7f1ac52068f5c1a24b445786e35042fc6c0
++Ctrl.hexxcghash = hexxcghash:b1ce6e766a7340f40cec52585087c60e456cc390d0ee294bbc460d50b93c2170344cca3dd2e3067ebefe3efbd002ec4ed7f0fc1a8771eaffbc1fd4d5800aec21
++Ctrl.hexsession_id = hexsession_id:85ae5c53a8286dfddf295dd0b31237bc8c54e9858647e222db29a4f60ffb74a175e5de22c132a1a06826c6e0122e63aa657fc670ca44943159560ce1c48b6906
++Ctrl.type = type:F
++Output = eae8776eddb75cd4d14d2db129172bab92f0c8d2c8a439d4b63824c23e7481af502a45d2ebee77f3a801d658b59f6cbbdb797f479787ae4d5839b7ddf49ff908
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:A
++Output = 31ef8e737ec154c0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:B
++Output = c0bb41f2c51a0503
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:C
++Output = 3f9058812f36f302dc5ada7de8f4271c435dfe4589f22a00
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:D
++Output = b342a447abcb67f6819a19b8b300946c89739fabd049a6e0
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:E
++Output = a5d70cb0a3e351be09b9600c9b97f2781236bf549209a1fbf3304af145af0941c6cd9923f1f30cec946e8dea96332d284e01a4d8bcc90721fe2e515504073cb8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000081008b735b1cc9a88529c0d0faea307f79142abc920248b3495e56b7987605b5a7a93354c638752ae7ce47b2869600dc2ab8f240c0ce4e35147e00f8e69fbe940d6236daf01b38f3e74d7bff07d01111569e213cd8475e77de026c81dac6e40242cfc2df5af9d37e520c2d7aee165de9cc314750e856d7514b0b80c568e2292c733f
++Ctrl.hexxcghash = hexxcghash:c226bd264f49cba006b4806afa4edaf42c2c48992ec66c78ce3a982cb5b1d923344107eb77884b0d996af71997611fdffba499da38d5206db0d0a17c438d4d8a
++Ctrl.hexsession_id = hexsession_id:ae0f9a407aae7a964a900b1f5b7060a2e7d4c9de4e422fec063829a9ea1fcb74a6ae83b9eb08f8663e171bdf036bf0c263b23f8eff3053d617484cc3efd99990
++Ctrl.type = type:F
++Output = dbc3ea086a49e220306cbe57b942d9409cbd205dec20c7b79fd6998906d173bcb2bc2eb5b7eea4c1d84f3926836bd15e0565a17af735596050d6161d9682f2e7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:A
++Output = 19d6bc79713a4622
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:B
++Output = 7de9caf89d325dcd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:C
++Output = 1d5391d658abb9ec1b8df32cbf1db9a302a1301984ab06d4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:D
++Output = 5d37dab50814543d8d8674f4f491d73d21973f20844c96a7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:E
++Output = 3e882ae390a64c34f509bc9845df581987ae2524b2ff92d9243580168f32fa68750f3f732c8c5544c98fc585582fe743efbf55dd6c487fb5f9ffac1a156fa31c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000008100c41430e9dfce9301082a4d034e0e1ffe73133e4c97afbd325d6bbe1f3a4f5a9103f57a05f66b1ac63a5f1724b3315daf7171f334e77eff356366daf4e23e55751422734d4d22e6dcac783bba0edc1be8fcc4c7c0d5a69d047291e33167057c774e46362dfb6f8432b427cf21c01304b23e2b49b664fd50dc463c17efffa146a0
++Ctrl.hexxcghash = hexxcghash:04aeff766f08c065092fdd7be43531f83d73682601069477ee10407821a0f0e8bf614e775dfab6f889a8d5120c2e39d96e38de4cda6f673fb7cb343de1e17b9c
++Ctrl.hexsession_id = hexsession_id:15f5653a107aee694bd1680d423c8da2dab8c1ec8e23c5208100ce3d8d4821b52bbb1d14791476253db4b07ebb715ae095b8b49e1545be3c92a3adcf39970be5
++Ctrl.type = type:F
++Output = ce4bcf9cabe7ee7c0e216e64e5427ebd38cb41ba9e9a6d9ae441ca47d9278347a59afdf758ae7f7fd667ed3830bf9a33d7badfd40e2112580af514da9464a6d1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:A
++Output = 93fbb01815b63533
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:B
++Output = aea76dfe77a87471
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:C
++Output = 73a55e25a0a8ec0899c1074bf0845fefd84e42f741897a3f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:D
++Output = fead3a851502aa3c58734065eeaf3e63ed4c59c8f450bb1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:E
++Output = 55bde99a692820ad809eb0a62311f8f3e9469ba2ee4d782d5432628ca52d829b9c5bffc41b58232363f97c5dab603268b1997fbe9b9b34ab2aca3da27467b0c8
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000000810088181aaaa6b17924ced0033b1e4a3d007a464d4d53871f4da4689d477437b42f873d4b7d5f5c52909b6cca8be7a01d1a7a806f745500bb00b4fd6e6f8d0e1c9ad08d934c7d680a57ac5a4ed77f73182065f9295d745e1d50b8da0626f3e9ccb6651aad3b0c5c2cecd90c521318778f570333c011f02d5e2a406eb8b3d6036537
++Ctrl.hexxcghash = hexxcghash:3c4ecb173c39cedecbcd19ba0fc38454176b81b6451911b4422907b1b670dcedaabebaaa261fbac23b3b5738264c5eee3dccfd9e050a1cef17ac997527dd7095
++Ctrl.hexsession_id = hexsession_id:3b05253d9e5ab2f7f4ba2998bea5ed7d05afdf02b7499ac2dd554833b886b73d92e929316a366147e9af50201dbb4e54c123418d1a623bc2dc52766211dbe614
++Ctrl.type = type:F
++Output = 756f65746c861f0985f3dd7d2f08004897ccb22be2f1d3b4791ca0c51d5ee0da776dd03d7dfb7f4db6c6cd37899871e63d75f7f60dff8348c313e99409ad2db5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:A
++Output = a626c34c0a74b56262110185a34cd810
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:B
++Output = 223d6fc57263da9ad61dad9759454e0f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:C
++Output = 7c803e07506969666f446400b2372eee
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:D
++Output = 4ad705fbc9e89c03c15f9dbbf34981df
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:E
++Output = 36cac32cab8b943cd9d2142559c467593bfaf30d0be71560245c8b38a5671901a858ccc637b0ef6966a2bbfb1a7f51f2cf6d52c4165ca000d52bd908405c305f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100e8d52da494d198252b87189223bffb0bc1b68335ae987df15bf7cf95bd74a951b5eaa87b1739f91efc97f28f5a7f0a206fdbcf33e39003e154b334009563abd62a4169462865ba931ca3f8f4d70611e8bcb46228ee74983d2ec79c690d86329c2daac8dbdafe4573f114313f29c7507bd4aa50d87bb83b1cebb628e37b2501ffc9b1200d8d360e1b46bf6fdecd486fae790352eb79aa3f37e4964963a84dbd80fb3b80491210565d9449599bc9306ee76a932a764070702cd09c87e1f26095b1b78042bcc37d5f097e3f7b2db6cb6f7b3e2a332021f756fe1784edd2a82802c1274b9944dff99fb1c181f41d6d2f4eac5aa33c619c48167dce1eb47ddafbe5eb
++Ctrl.hexxcghash = hexxcghash:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.hexsession_id = hexsession_id:3e81bd3b4b609955df0deaab293876592122e2d7fdc719ecd503b572c5e98cfaaac1f7e085d4097c76515f5b70413944a464ce346ada6d85d7c39a8009d4b121
++Ctrl.type = type:F
++Output = 67d42301ce629c0f2a34b9dfb24ec60c138b4edc71f7123bb0db9447b3c915ebd8c54d3b20af04e30b484be3a2d4136f5d5c46f9c56de189b91fec78ecd53e1c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:A
++Output = 8ebbf0e9afd9f108498f1543104ba8e2
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:B
++Output = 38bfe6bed75f77675fa36d76b63816a4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:C
++Output = f759f0ad2d72980f6b12f0fb317222f3
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:D
++Output = 39f294ec25afb520f5d7f1064b7078c9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:E
++Output = ff2ad139997ff26e7f4393e49d57d5fc973ddb6225d8f4b5fe990e46b9943772f0d33aa98d01089ff0aeb5740bd388ada35dc44240180c99e522c817dedfc2cd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010034a5d2784c99976fb3b615c5b1bfacc9a749330d22bcf5a7c404c10f886e2a3115660a399d7c721d5dd141f458b0d27e0e6709a8290f9ef6f61681a11d876eb7bd52b930f79fb9516f5d2137c5bfa95a893890d26d7712fc9ecc4dc82a5171341b41a9f2c4a8f0c14efe82ef2a4db60a8a0b8e43d3f92992f8dcc2d6bae3759aea86a4f14f809fe648021fc4aa79936bd687450e801916d7d267dfab66bd86f9424b3460fa75b16af37151918cb2f8ba8ac33df5b0ccf7fb21c3ea9fb0ed2917a4eb9d6ed345c42a5a67a66fca7b7e69c1ad5c45c51866692f058ad537c0f59c83a2788ef9b9610cc06aa155aa1115f23fa36d7734152a0da209244c32d37e3a
++Ctrl.hexxcghash = hexxcghash:ab6f9c04514ae3f6591039c9cc6a9919279282d7c95971b4c27957e31cced5ef5b1c59a4418402203ab50a46df7dc03bd67d42a62592708b0581617a42ea6d71
++Ctrl.hexsession_id = hexsession_id:4e226639facaccf9894367cb1008663e989eb31757b912bd1cb3bd51058c7adf56e9a54eef87b63299a5cc092c047991dc9a380e749c7c5657bb99424bcce6d6
++Ctrl.type = type:F
++Output = a670c9583c71f403207a192700d5e4fd7a007b60a4617b7f93708399a0cb771af08b9e5f4237e6975f055d6f0a4d91523fa0805013df6ae4a19f077646f1cd4b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:A
++Output = f68353f802d39a43c728641e44087cc5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:B
++Output = 23c2377f826f77519871941b62cb9fdd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:C
++Output = c92b86a099e2605037d531746a6af7cb
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:D
++Output = 1517de253a5b9f7d9c4c3f234b27392e
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:E
++Output = be48a82cd246cf4d6ddb397a39f1ed62d98b5265e75190624a523033796d05046d63e0810b4b7a6efe9b834cb043871203638557063968910ad1cfa0abe62bb1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:00000100192471d29d9fbc8b61570e4efa053a5f17b2efc0aa5415b3309f7dc3971c64d9f1093f6114941d4912f7bfb771db41d1f166d4bdaec8dde214aeb058e2227277393e3c0b12adc1b6a445870bc26e753e05e27b90b97d781e3e8493eb5e717c243213de4dcdd5a11d467b8d26759118692b10357c28b0efb0228cbe257b9ee0cb77bb7bc8b072edf418768c977e485635b4ab61078587128e9a8b3c6deca2a4e64cf9fd6eca880aebd1043deaf94447ea50b0c11b574259cdcafd208d9657c7177cf394de26dd8364b615786198c38e63c568e22b5263be41d6dd8843ad5254f61cf01b7162948652568c2b42833a95619fa5072adb0bfbf38e3eace7e1596066
++Ctrl.hexxcghash = hexxcghash:a0a53cb8bcc48ffe44fd9e50e0f7532d3e326f93d7ecb10135d4385dab550cd7be03a7374dfc2a92794be13e40c794811a9916c3d1c4e7ea31ed5269537c1c22
++Ctrl.hexsession_id = hexsession_id:9bcf3f3397ff464126cb2a99c04908721871354b842ffd3d873d49407db0382f98cc54d66665d950ec8277c374f19e9f0dd2e727f8759017c49b5b80baa87c63
++Ctrl.type = type:F
++Output = 0c9af3775d5dc49a1b9b85fa18420ce1ca10d5159f83f9e078c217289688639dbce5f85665f866d8f93b2c6823bc7b2655830d8bb51fba945ce6eac2b0e6ce8a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:A
++Output = 7b802a74d216a41f7708c597b9053223
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:B
++Output = 355223971bed70b804d191b64cde39e6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:C
++Output = 925f2b036ac2682e20f022377499c3e1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:D
++Output = 37ae2bbbb1603c07d5274fc8f57126dc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:E
++Output = 8b36c7e175797bf7bbb079ac5d06e6f7f62fc5a957e0fefab7df565eb72ae0586dbebad978975aaa35846de667b44b7174315b2b932f0be538fba76b92531019
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010015b3157b538e31a14797d981a6ef62814cd55fbea25ea88a16a5839484c7624d7befccc82d91e2ff2b6f402daba861b77c1016bab9e3d58bab985563f32d663407f9f3582856ee0aa3a56680c221ecddc48af6de71fd34626b716d9efe530df470c0b7b1e4131861bc4f12e44de7f1d1910047465c0eb95f7232d6e71d639d75ac58e6848e560210a5dc2e6996c1d96f9f688fb86558ba96422d1a69cf795ea67e66d534bef2160f4e9d4351c9c2faaad7c2ad2476ace5556c9b3c4c2d3bdac82bfb54d2e54eb6ed398b813c5928aa560b442c585a038571c4db98a44d8c8cdb02fa731b400adb859b591c1846900791d791927363d745042a38597ef883cbda
++Ctrl.hexxcghash = hexxcghash:651bdee255eef5fb47c7733df03d4346bc335cf1de2bfbd453f4ff18c775de475719a6ec4c5c55badadda4822e3fbf5ae3c0e6e9608a893fea68bfcc0af86d73
++Ctrl.hexsession_id = hexsession_id:ee603130d0bdec24952cd3392272dbd7a536c2e76c794cc2f678ca9dd789670453e6bcd330dbf4e93930ec0b3e506e4c629b3d156ab1171d247d0ba44217d292
++Ctrl.type = type:F
++Output = 388ef310bce13188df3fd6285576041754a281548fcc6a212e0de564db661640320130e4df4a6ff31162edaa7ced5b7f05f3456f674ee8be0b03424142058795
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:A
++Output = efeb5305eda69b0bd6999b4a27479667
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:B
++Output = 806fca9189c02e7ec2a6459387b03506
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:C
++Output = 9e542282d0db345a6ba20eba7c5de531
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:D
++Output = 41e7962b57a67f75072f15a5ba405d15
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:E
++Output = 7bf8f25fd155e41d1dc85cc814704dd8732275b3a53dc1b8c6b330c08f307b5c0da31606cb7eaa1b37b2721f4a1bf70a6885c30d17d7acd32fcc894768fe4106
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100b41c0bdf180d02ff459079925b32e54299128298da864be28b4c02532244b057219e3fa5fea09841351604ab713021622e6a6d0748f354fc3f29a9ac8bb64fdd984b725f00f56df3cf16d3bac786524a29105096f96f387422361bcc24774fd4d5b71bd6f757a8193fd691411b8e0aa14307e6ed1e97907925d93cee9ed266f387af66cd3da3e99d543e4baaf8a7fdb36c10869267767d80509717b5666e3fcdf8cca6486a1c18e3d3c15ba0c6773dcbe374d83de1c108a400998b25afa4d3b60917594a1120e449a57db1f3b2e048c3c64a408ed41bb32145364932f105788cd0b198522f0c59b1d774b1ac80cd76d18e06b53c3d599f625c72f38b15745478
++Ctrl.hexxcghash = hexxcghash:94ce7876dd7d98475ff8dd634b9b48e0e3416d1afd633637b49a49c525ee905ad8a17c12194746e210207c54628c453287a77515575a79ad40b270b5115030b8
++Ctrl.hexsession_id = hexsession_id:d2e7ea215f35381164a1382533f752eb21e6fa9f25d399b7914c0317998f2b7820f893557459f0773eca3dbafd8375021b955a8dfe7ad659dfe480e3107724f8
++Ctrl.type = type:F
++Output = 66b8f8c1a38120c73cc55950455a69c426fda44b9c66c3becaf259dd57a620e5ed3a749a486d05eab52c289f489581cb655865d4388a81e79b06bd105e3ae858
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:A
++Output = 8f6ac18ff5300849be34602630bb4102
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:B
++Output = f2b45df2508656758529a1f4679839fd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:C
++Output = 3356d58f61bcca506058e0990c9821f5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:D
++Output = 78495438a5326cca5351a239545941c1
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:E
++Output = dcfc5d099f5040513f76b012ab62ee45d5d8271aec9cbbdd1e1f7e0806f363d21c2eca730f9489ee70fbc7490a1901587b1d418c0e4f429c8098cd793c6d285c
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:000001003ba71746e4622911dbcd76359dbd01a3958175cac500fac87146f4a2616782ac0328ea32046762f62080df8fe76ff112acbf4e4c7a36fa648ec60c50d4a0f7b27b67cdcd725ed2d51c3b5c438c45c8f46d953845a899e89378e981aa270bd6cc190a5ab53e9516f5c194f9b61ef782573b417702337b32776765e75d6efb371a3af98c1b0eaa90ee43a99e58d803bc645a65100371cda8316d51618e4ada4d9a46cd049673cbfcf6ce3ec66c964902eb9bd28514d1fce32ebf8ee2ae3c8e46f4bf18f153a6f1031cefc7e736d82105dbeb60db422b79f4c4f3f4838fee891341cc982e79917aefb82529d134648847de15cf3ba1d7b5000e74b78198d6a3efce
++Ctrl.hexxcghash = hexxcghash:327a1cfc89837c90fb7141ad3a7df293af5c9e2fd482fb77f6769db8e91417377fe0a0a30c072f8276e824975afdc0f73e1a1cbeda86d5c70c2799912602ee78
++Ctrl.hexsession_id = hexsession_id:46282b8a6dea1654de89199972c414ee512f33ab832e7284547cfc345af6eea9fbafb75f4646789755078a174c98c5aa1d740af1cf40844ae680cdd80466086b
++Ctrl.type = type:F
++Output = a75817465c73517bd7884dcd230464583ae491ae5e39330873cd7a967188022cad63e712c7ec261abdb34c01bddd8989dfce8f5d8a8cdbdcc305429b3fd93c76
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:A
++Output = 4fa1b8c53d25f7c1adb4810c46b48ae7
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:B
++Output = 3c453d0f50b7f41826e74e5cce5b5996
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:C
++Output = 22f47a00a5de0f56b3e586357eeebe57
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:D
++Output = 8d32d1945e93c4982bd106567f8e481f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:E
++Output = 9eefe581b1514160f81c94193d374d8f85879136e9ae494c487119b1974aac3e143948f656c1c1e837ff1368ef0d997cd3ca9f46c71056269eb8a1da8daf5678
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100f3a28f9574691777f2a9e05a882295e5ae272a6af486e53a8574e0ce7633a5c6871a39e6ba3176a41ce3fe6c80aa8469df71401583987e34374586ec56268b37d42bc047cc898750379aa7ddc5549cc069fa10d29fca303e6063a2cb800322a84a63480d91606db0244d2dd456005bb4a4b33f91ddf33335ec4d4d519e430542e087d5b1e952b183a32b3f7b118c410c46dc44b7ad669e7d98b934e48830e61ddd2e6094e0d1fa39b9041b9ca9dc768af4da702f912b2e82738cf506479c68fa9a5f2a9153189cf83bd11a05a92428d7c7124094f684f7c848114dc272d8a308d7b65e47b1d3c2c70d5a63efbc191ff5f0359356f706ac703445778b2b43a8d6
++Ctrl.hexxcghash = hexxcghash:4f3aaea9ade34a07f46c11a4480461e2c523a740492b23b0bfa2a9e2e2c2ce542a09644154a4b3ab0e8b71ea950444a9954a156c0530a1436aa98951af7e1972
++Ctrl.hexsession_id = hexsession_id:c778cdc03ecc941ff7d37c41fe67dc84df375117abd62d099129f38d37375f3cde4e75a0160fb05edf392d1eac509d5a6796f635623794d81df9b4cf81021738
++Ctrl.type = type:F
++Output = 8dd76f59e6692ff642894ee1bb147f3e1490cac944af29de6b2b5abcc4ab9eb41d236e9cd2f40cf83935097f307a246d7b35005dd302bacfe7e4fed37d2f46e9
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:A
++Output = f335b3ab270d7e686c5e023b3a2da75b
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:B
++Output = 857c9245c67bad84b7377c424c5e7e7a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:C
++Output = 1c44ef56440f5856bdfd951305fd81e4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:D
++Output = 8d3496ac631bb3588abbb13d4ae2dc2d
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:E
++Output = ac7899494cfcebbdaa8ee7c343a0a458228a0a5e59730c928e9c8775487e57c3a5f34fdb72c1b3b57cc35e0356e4b7c6a56368e74c68a017538a5b484886ec81
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010012c99d1e0542b3b71e287b1ea15e54a3197f95cfbf7f6a209ada41fce3a6faad9bc4d569b690223e5d668019c11204716bb96a858c36c853bd41b28c1505ddce9df22b31dbdaa014b07ec53a79cfeb5b540902669c7a283f3647c1a9f685b5027bfb18e827818a76c23fa6ad20760f228a4239a4d558240130b5cc389d2be41b806cafd24d1d425c26a61508c974d62aae6f6830459c79e7a9ff5610291661bf03528fbafe47cf4c2e51f4856749ef543eb7cd8f72e84a4075fa7df9ad12565e5b3810c6d6292ff878ee8499611688989f0a04f4dc7275e01c0444a0321f0a0327fbe8a55689307b1bfd66d5d27ade78df5c1dfcef8868ebbe339d7efdae1973
++Ctrl.hexxcghash = hexxcghash:7317f576ce95d5bed93d08c65eb814d037ecd42f09b2d514fad58335e8e8bec807b9cf74b9044f449581c792ebb08843f2b80da87d91625e20f25de91b4d5d23
++Ctrl.hexsession_id = hexsession_id:7d153fda85bd3488962bdf03b8d0f26cf61f737173587ac6ee3d6f601a00f6474f5401370ef04720c620ea2b9668ab72cb6c40dc96057fc4537e7a6b0e79e9c5
++Ctrl.type = type:F
++Output = d32d849b488594d0b8efce91604296393b2240121f2ed51fb7c0bb5b371c33775d184ffaf3028306bc8040b21887f6885e5916ae158ef74a3ba09a1f30654f1a
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:A
++Output = 5aa8ed531557a1dc934ed667029e062f
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:B
++Output = 11a810c69785949d5a0ef6eeff960fb4
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:C
++Output = 54e9402e4f85b08c271b2a9f15d56c75
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:D
++Output = 838209e0ebe7626cf6482f25c7774bfd
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:E
++Output = bc62048ddb762ac50336ae0e91a402cc78e73472fe180756a4686299967d2904318b8ad1b8dc622edd75e9ff0e74f7fcb8a1f8acb86e2567a5167084c648c7ef
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100c6c401e7a417025fce8ca5d5e654de6cac8eb1bf24fffa1eefaba828f425b5df93323ad62565d9e74c0b45619c3e97a8e006a9b28a42e96e13ea2f3807319ac587850731f64c86a3a9acd4aaa04e8a586833faeb902f95177d27e89ce25307365b22b7bf444c8e72ef2bb0fce86fe326a90b787948085fd101f04a7311ed6cf65d5073a6a29c7d99fe9fa0b915fac1d9bb6b95143ca8936e10e6e319201112ba52823dbaad935972842361394999e5a67356076e9f0b528d62325181f80d66e9b3288ba7482458c737806f474867036a234201253a91a6246c8c2876d210d2579951dd12cbc153dcec403156739be9c7d291e4904f079a5a71c01b9a84481800
++Ctrl.hexxcghash = hexxcghash:b060195095692352bde81e90c1b648ec46d57476892e79489d42cb8e0da2027ec41fd2e62da8e8e2a9e1ebcb8eecfaadef75e6714008ed6a2cbdef6c321bbaaa
++Ctrl.hexsession_id = hexsession_id:5c910a53cafca6f8c0d97c4748f67aecd9a54c8ba96bf33327565f6f68ae0a2e7a62733a9051364ff9f68bdb416176522a0e5a2f28fe27a3f5ec402b3d99da13
++Ctrl.type = type:F
++Output = 4e9644a01a3fe6c3f4f5aceddb00e2584e277354aee6392a1a5aef05024d37fcf25ff46fdd8fe52e7d1dd9a96e77328aadf44b8fc92ac22a14f63d64ad0db621
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:A
++Output = 77cb432c67bf0ae658aa4e34376d01b5
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:B
++Output = f55c74d112746001d8908edd347d7e69
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:C
++Output = 34a48ab90890b385198ea6bf8c50c3f6
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:D
++Output = f2b6046d3439c50a9000a63909146abc
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:E
++Output = 70357486ca57c93418c6705b731b054bc41be03289c25a5ed29a937732807ae10a3604486c53d1f2431411808d87bfbaa6b25971fa2e4ec3719b5d2622aed2ff
++
++KDF = SSHKDF
++Ctrl.md = md:SHA512
++Ctrl.hexkey = hexkey:0000010100a82ae4062baef678d20dd9cf1704cdc69e9e78eea5faa435e4dffec06976ff73bd1e2ebd206658a26fb85a0911e2034eede31e7df2d7b87aa9700cf301b6b38502ba4db2b9723505455a7da0c6e0cf374b063921179d1bc69508f660bbb26d05ab16a2325716dbd0a733809cac36660d9a73ff0f61e09f55d1ff0652474130be7fcd2d37ebd1203960d788a1307fae48ec4e1042ab85f037a01bfd17f15725ee929d6e6246bbda00fe7105461ee873b0190c2f44692845e464949f909df46309a8eb72037278f792c87249897a0564d290bec1e09b2c9d3ad3011710fc4dcfabfa435611794dc7d1507b657229a2aab65ce2e789305d5d24ed955e89d8eb4f7e
++Ctrl.hexxcghash = hexxcghash:a6ef8e3102b16ce51b2a2fe17e8dc711a964c195ca4d597aabecce595187344ccb2ea37dc4cac0a77a47e7ea1b9055b1c9948e6e09793a9121f120b3bd07c5f2
++Ctrl.hexsession_id = hexsession_id:cc85cf95e29a5991306b21c1738de9a6612b8cb09f12b1738a4873c29f971e8d204aeb98bb7a7502cdab952eaaa6ec1e3a9655db3e5217afbff63ad588fbbf85
++Ctrl.type = type:F
++Output = 4e6428f7a87455bdef6026cdf68a2f6d93d6cda5145d6bca60ee4eb2d6248b399f6568c65ec92cee8d9b0c7fd83053c91c5be72bf96b5904080624a348243899
++
++Title = SSHKDF test error conditions
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:A
++Output = FF
++Result = KDF_DERIVE_ERROR
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:A
++Output = FF
++Result = KDF_DERIVE_ERROR
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:A
++Output = FF
++Result = KDF_DERIVE_ERROR
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Output = FF
++Result = KDF_DERIVE_ERROR
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:X
++Output = FF
++Result = KDF_CTRL_ERROR
++
++KDF = SSHKDF
++Ctrl.md = md:SHA1
++Ctrl.hexkey = hexkey:0000008055bae931c07fd824bf10add1902b6fbc7c665347383498a686929ff5a25f8e40cb6645ea814fb1a5e0a11f852f86255641e5ed986e83a78bc8269480eac0b0dfd770cab92e7a28dd87ff452466d6ae867cead63b366b1c286e6c4811a9f14c27aea14c5171d49b78c06e3735d36e6a3be321dd5fc82308f34ee1cb17fba94a59
++Ctrl.hexxcghash = hexxcghash:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.hexsession_id = hexsession_id:a4ebd45934f56792b5112dcd75a1075fdc889245
++Ctrl.type = type:A
++Output = FF
++Result = KDF_MISMATCH
+From 148cc5ee246e108b1e7332035037bab53574b0a9 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 18 Apr 2019 08:26:29 -0400
+Subject: [PATCH] Change the digest string from "md" to "digest"
+
+Conform to other modules which were changed at the last minute and this
+discrepancy was not noticed.
+Retain "md" as an alias so not to break 3rd party backports/tests scripts.
+
+Signed-off-by: Simo Sorce <simo@redhat.com>
+---
+ crypto/kdf/sshkdf.c        | 3 +++
+ test/recipes/20-test_kdf.t | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+ mode change 100644 => 100755 test/recipes/20-test_kdf.t
+
+diff --git a/crypto/kdf/sshkdf.c b/crypto/kdf/sshkdf.c
+index 300e1adbb23..f585e8a0d6d 100644
+--- a/crypto/kdf/sshkdf.c
++++ b/crypto/kdf/sshkdf.c
+@@ -125,6 +125,9 @@ static int kdf_sshkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type,
+         return 0;
+     }
+ 
++    if (strcmp(type, "digest") == 0)
++        return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
++    /* alias, for historical reasons */
+     if (strcmp(type, "md") == 0)
+         return kdf_md2ctrl(impl, kdf_sshkdf_ctrl, EVP_KDF_CTRL_SET_MD, value);
+ 
diff --git a/openssl-1.1.1-system-cipherlist.patch b/openssl-1.1.1-system-cipherlist.patch
new file mode 100644
index 0000000..a70f20b
--- /dev/null
+++ b/openssl-1.1.1-system-cipherlist.patch
@@ -0,0 +1,310 @@
+diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl
+--- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist	2019-05-29 15:42:27.951329271 +0200
++++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl	2019-05-29 15:42:27.974328867 +0200
+@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man
+ DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
+ HTMLDIR=$(DOCDIR)/html
+ 
++{- output_off() if $config{system_ciphers_file} eq ""; "" -}
++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\""
++{- output_on() if $config{system_ciphers_file} eq ""; "" -}
++
+ # MANSUFFIX is for the benefit of anyone who may want to have a suffix
+ # appended after the manpage file section number.  "ssl" is popular,
+ # resulting in files such as config.5ssl rather than config.5.
+@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -}
+ CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -}
+ CPPFLAGS={- our $cppflags1 = join(" ",
+                                   (map { "-D".$_} @{$config{CPPDEFINES}}),
++                                  "\$(SYSTEM_CIPHERS_FILE_DEFINE)",
+                                   (map { "-I".$_} @{$config{CPPINCLUDES}}),
+                                   @{$config{CPPFLAGS}}) -}
+ CFLAGS={- join(' ', @{$config{CFLAGS}}) -}
+diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure
+--- openssl-1.1.1c/Configure.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/Configure	2019-05-29 15:45:10.465469533 +0200
+@@ -24,7 +24,7 @@ use OpenSSL::Glob;
+ my $orig_death_handler = $SIG{__DIE__};
+ $SIG{__DIE__} = \&death_handler;
+ 
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
++my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
+ 
+ # Options:
+ #
+@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no-<cipher>
+ #               This becomes the value of OPENSSLDIR in Makefile and in C.
+ #               (Default: PREFIX/ssl)
+ #
++# --system-ciphers-file  A file to read cipher string from when the PROFILE=SYSTEM
++#		cipher is specified (default).
++#
+ # --cross-compile-prefix Add specified prefix to binutils components.
+ #
+ # --api         One of 0.9.8, 1.0.0 or 1.1.0.  Do not compile support for
+@@ -295,6 +298,7 @@ $config{prefix}="";
+ $config{openssldir}="";
+ $config{processor}="";
+ $config{libdir}="";
++$config{system_ciphers_file}="";
+ my $auto_threads=1;    # enable threads automatically? true by default
+ my $default_ranlib;
+ 
+@@ -824,6 +828,10 @@ while (@argvcopy)
+                             push @seed_sources, $x;
+                             }
+                         }
++		elsif (/^--system-ciphers-file=(.*)$/)
++			{
++			$config{system_ciphers_file}=$1;
++			}
+                 elsif (/^--cross-compile-prefix=(.*)$/)
+                         {
+                         $user{CROSS_COMPILE}=$1;
+@@ -1016,6 +1024,8 @@ if ($target eq "HASH") {
+     exit 0;
+ }
+ 
++chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;
++
+ print "Configuring OpenSSL version $config{version} ($config{version_num}) ";
+ print "for $target\n";
+ 
+diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod
+--- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/doc/man1/ciphers.pod	2019-05-29 15:42:27.975328849 +0200
+@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B<ALL> cipher s
+ 
+ The cipher suites not enabled by B<ALL>, currently B<eNULL>.
+ 
++=item B<PROFILE=SYSTEM>
++
++The list of enabled cipher suites will be loaded from the system crypto policy
++configuration file B</etc/crypto-policies/back-ends/openssl.config>.
++See also L<update-crypto-policies(8)>.
++This is the default behavior unless an application explicitly sets a cipher
++list. If used in a cipher list configuration value this string must be at the
++beginning of the cipher list, otherwise it will not be recognized.
++
+ =item B<HIGH>
+ 
+ "High" encryption cipher suites. This currently means those with key lengths
+diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h
+--- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/include/openssl/ssl.h	2019-05-29 15:42:27.975328849 +0200
+@@ -186,6 +186,11 @@ extern "C" {
+  * throwing out anonymous and unencrypted ciphersuites! (The latter are not
+  * actually enabled by ALL, but "ALL:RSA" would enable some of them.)
+  */
++# ifdef SYSTEM_CIPHERS_FILE
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM"
++# else
++#  define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST
++# endif
+ 
+ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
+ # define SSL_SENT_SHUTDOWN       1
+diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c
+--- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/ssl/ssl_ciph.c	2019-05-29 15:42:27.976328831 +0200
+@@ -9,6 +9,8 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++/* for secure_getenv */
++#define _GNU_SOURCE
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <openssl/objects.h>
+@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c
+     return ret;
+ }
+ 
++#ifdef SYSTEM_CIPHERS_FILE
++static char *load_system_str(const char *suffix)
++{
++    FILE *fp;
++    char buf[1024];
++    char *new_rules;
++    const char *ciphers_path;
++    unsigned len, slen;
++
++    if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL)
++        ciphers_path = SYSTEM_CIPHERS_FILE;
++    fp = fopen(ciphers_path, "r");
++    if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
++        /* cannot open or file is empty */
++        snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST);
++    }
++
++    if (fp)
++        fclose(fp);
++
++    slen = strlen(suffix);
++    len = strlen(buf);
++
++    if (buf[len - 1] == '\n') {
++        len--;
++        buf[len] = 0;
++    }
++    if (buf[len - 1] == '\r') {
++        len--;
++        buf[len] = 0;
++    }
++
++    new_rules = OPENSSL_malloc(len + slen + 1);
++    if (new_rules == 0)
++        return NULL;
++
++    memcpy(new_rules, buf, len);
++    if (slen > 0) {
++        memcpy(&new_rules[len], suffix, slen);
++        len += slen;
++    }
++    new_rules[len] = 0;
++
++    return new_rules;
++}
++#endif
++
+ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method,
+                                              STACK_OF(SSL_CIPHER) *tls13_ciphersuites,
+                                              STACK_OF(SSL_CIPHER) **cipher_list,
+@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     const char *rule_p;
+     CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
+     const SSL_CIPHER **ca_list = NULL;
++#ifdef SYSTEM_CIPHERS_FILE
++    char *new_rules = NULL;
++
++    if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) {
++        char *p = rule_str + 14;
++    
++        new_rules = load_system_str(p);
++        rule_str = new_rules;
++    }
++#endif
+ 
+     /*
+      * Return with error if nothing to do.
+      */
+     if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL)
+-        return NULL;
++        goto err;
+ #ifndef OPENSSL_NO_EC
+     if (!check_suiteb_cipher_list(ssl_method, c, &rule_str))
+-        return NULL;
++        goto err;
+ #endif
+ 
+     /*
+@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers);
+     if (co_list == NULL) {
+         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+-        return NULL;          /* Failure */
++        goto err;
+     }
+ 
+     ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers,
+@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * in force within each class
+      */
+     if (!ssl_cipher_strength_sort(&head, &tail)) {
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
+     /*
+@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1;
+     ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max);
+     if (ca_list == NULL) {
+-        OPENSSL_free(co_list);
+         SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE);
+-        return NULL;          /* Failure */
++        goto err;
+     }
+     ssl_cipher_collect_aliases(ca_list, num_of_group_aliases,
+                                disabled_mkey, disabled_auth, disabled_enc,
+@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     OPENSSL_free(ca_list);      /* Not needed anymore */
+ 
+     if (!ok) {                  /* Rule processing failure */
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
+     /*
+@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      * if we cannot get one.
+      */
+     if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) {
+-        OPENSSL_free(co_list);
+-        return NULL;
++        goto err;
+     }
+ 
++#ifdef SYSTEM_CIPHERS_FILE
++    OPENSSL_free(new_rules);    /* Not needed anymore */
++#endif
++
+     /* Add TLSv1.3 ciphers first - we always prefer those if possible */
+     for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) {
+         if (!sk_SSL_CIPHER_push(cipherstack,
+                                 sk_SSL_CIPHER_value(tls13_ciphersuites, i))) {
++            OPENSSL_free(co_list);
+             sk_SSL_CIPHER_free(cipherstack);
+             return NULL;
+         }
+@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+     *cipher_list = cipherstack;
+ 
+     return cipherstack;
++
++err:
++    OPENSSL_free(co_list);
++#ifdef SYSTEM_CIPHERS_FILE
++    OPENSSL_free(new_rules);
++#endif
++    return NULL;
++  
+ }
+ 
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c
+--- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist	2019-05-29 15:42:27.970328937 +0200
++++ openssl-1.1.1c/ssl/ssl_lib.c	2019-05-29 15:42:27.977328814 +0200
+@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx
+                                 ctx->tls13_ciphersuites,
+                                 &(ctx->cipher_list),
+                                 &(ctx->cipher_list_by_id),
+-                                SSL_DEFAULT_CIPHER_LIST, ctx->cert);
++                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert);
+     if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) {
+         SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS);
+         return 0;
+@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
+     if (!ssl_create_cipher_list(ret->method,
+                                 ret->tls13_ciphersuites,
+                                 &ret->cipher_list, &ret->cipher_list_by_id,
+-                                SSL_DEFAULT_CIPHER_LIST, ret->cert)
++                                SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert)
+         || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) {
+         SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS);
+         goto err2;
+diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c
+--- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist	2019-05-28 15:12:21.000000000 +0200
++++ openssl-1.1.1c/test/cipherlist_test.c	2019-05-29 15:42:27.977328814 +0200
+@@ -251,7 +251,9 @@ end:
+ 
+ int setup_tests(void)
+ {
++#ifndef SYSTEM_CIPHERS_FILE
+     ADD_TEST(test_default_cipherlist_implicit);
++#endif
+     ADD_TEST(test_default_cipherlist_explicit);
+     ADD_TEST(test_default_cipherlist_clear);
+     return 1;
diff --git a/openssl-1.1.1l.tar.gz.asc b/openssl-1.1.1l.tar.gz.asc
new file mode 100644
index 0000000..78fc75d
--- /dev/null
+++ b/openssl-1.1.1l.tar.gz.asc
@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAmEk9nQACgkQ2cTSbQ5g
+RJEWYAgAwRaW4k2SavaEeqwYzoZ7YN91Yax/pKpgKaRdg0Ypb/e+NSZ/xRMOnoHg
+sxr/UqrhUVtmhHrBeMd7JgjkYmO2SsG3tX8M9ap1uxeImUMXtyxUYoIRHb0fLuHO
+edklhU7ZP6NRxRdIw/huLoQwv3JEJ5PdhmK7QpX3kbSpybvSJr8+mE7ihrxI2Khc
+58tsT+BEuYqduTZTD6MfXdspKdz/sPyjNV0T+6eOkUnDihwfS1j3BcT1HR9+gJbJ
+qVXjQ/FZow9r3x+3shIHWXKQ0Iqytor5E/jnEIpG4O1WIhIqkjsZn8lJjoZtH0fP
+i57jU1U6DrYl7Mtj3slmkUuCCmszVw==
+=gSLl
+-----END PGP SIGNATURE-----
diff --git a/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch b/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
new file mode 100644
index 0000000..89dc38c
--- /dev/null
+++ b/openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
@@ -0,0 +1,1588 @@
+From 44a563dde1584cd9284e80b6e45ee5019be8d36c Mon Sep 17 00:00:00 2001
+From: Danny Tsen <dtsen@us.ibm.com>
+Date: Mon, 18 Oct 2021 10:51:42 -0400
+Subject: [PATCH] AES-GCM performance optimzation with stitched method for p9+
+ ppc64le
+
+Assembly code reviewed by Shricharan Srivatsan <ssrivat@us.ibm.com>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/16854)
+---
+ Configurations/00-base-templates.conf |    2 
+ crypto/evp/e_aes.c                    |   33 
+ crypto/modes/asm/aes-gcm-ppc.pl       | 1439 ++++++++++++++++++++++++++++++++++
+ crypto/modes/build.info               |    1 
+ 4 files changed, 1466 insertions(+), 9 deletions(-)
+ create mode 100644 crypto/modes/asm/aes-gcm-ppc.pl
+ create mode 100644 providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc
+
+--- a/Configurations/00-base-templates.conf
++++ b/Configurations/00-base-templates.conf
+@@ -344,7 +344,7 @@ my %targets=(
+ 	bn_asm_src      => "bn-ppc.s ppc-mont.s",
+ 	aes_asm_src     => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s",
+ 	sha1_asm_src    => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s",
+-	modes_asm_src   => "ghashp8-ppc.s",
++	modes_asm_src   => "ghashp8-ppc.s aes-gcm-ppc.s",
+ 	chacha_asm_src	=> "chacha-ppc.s",
+ 	poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s",
+     },
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -178,6 +178,20 @@ static void ctr64_inc(unsigned char *cou
+ # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+ # define HWAES_xts_encrypt aes_p8_xts_encrypt
+ # define HWAES_xts_decrypt aes_p8_xts_decrypt
++# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
++# define AES_GCM_ENC_BYTES 128
++# define AES_GCM_DEC_BYTES 128
++size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
++                         const void *key, unsigned char ivec[16], u64 *Xi);
++size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
++                         const void *key, unsigned char ivec[16], u64 *Xi);
++void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
++# if PPC_AES_GCM_CAPABLE
++#  define AES_gcm_encrypt ppc_aes_gcm_encrypt
++#  define AES_gcm_decrypt ppc_aes_gcm_decrypt
++#  define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
++                             (gctx)->gcm.ghash==gcm_ghash_p8)
++# endif
+ #endif
+ 
+ #if     defined(OPENSSL_CPUID_OBJ) &&                   (  \
+@@ -199,6 +213,9 @@ extern unsigned int OPENSSL_ia32cap_P[];
+  */
+ # define AESNI_CAPABLE   (OPENSSL_ia32cap_P[1]&(1<<(57-32)))
+ 
++# define AES_GCM_ENC_BYTES 32
++# define AES_GCM_DEC_BYTES 16
++
+ int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+                           AES_KEY *key);
+ int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+@@ -3101,7 +3118,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER
+         if (gctx->ctr) {
+             size_t bulk = 0;
+ #if defined(AES_GCM_ASM)
+-            if (len >= 32 && AES_GCM_ASM(gctx)) {
++            if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM(gctx)) {
+                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
+                     return -1;
+ 
+@@ -3119,7 +3136,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER
+         } else {
+             size_t bulk = 0;
+ #if defined(AES_GCM_ASM2)
+-            if (len >= 32 && AES_GCM_ASM2(gctx)) {
++            if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM2(gctx)) {
+                 if (CRYPTO_gcm128_encrypt(&gctx->gcm, NULL, NULL, 0))
+                     return -1;
+ 
+@@ -3142,7 +3159,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER
+         if (gctx->ctr) {
+             size_t bulk = 0;
+ #if defined(AES_GCM_ASM)
+-            if (len >= 16 && AES_GCM_ASM(gctx)) {
++            if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM(gctx)) {
+                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
+                     return -1;
+ 
+@@ -3160,7 +3177,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER
+         } else {
+             size_t bulk = 0;
+ #if defined(AES_GCM_ASM2)
+-            if (len >= 16 && AES_GCM_ASM2(gctx)) {
++            if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM2(gctx)) {
+                 if (CRYPTO_gcm128_decrypt(&gctx->gcm, NULL, NULL, 0))
+                     return -1;
+ 
+@@ -3211,7 +3228,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+             if (gctx->ctr) {
+                 size_t bulk = 0;
+ #if defined(AES_GCM_ASM)
+-                if (len >= 32 && AES_GCM_ASM(gctx)) {
++                if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM(gctx)) {
+                     size_t res = (16 - gctx->gcm.mres) % 16;
+ 
+                     if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
+@@ -3233,7 +3250,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+             } else {
+                 size_t bulk = 0;
+ #if defined(AES_GCM_ASM2)
+-                if (len >= 32 && AES_GCM_ASM2(gctx)) {
++                if (len >= AES_GCM_ENC_BYTES && AES_GCM_ASM2(gctx)) {
+                     size_t res = (16 - gctx->gcm.mres) % 16;
+ 
+                     if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
+@@ -3255,7 +3272,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+             if (gctx->ctr) {
+                 size_t bulk = 0;
+ #if defined(AES_GCM_ASM)
+-                if (len >= 16 && AES_GCM_ASM(gctx)) {
++                if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM(gctx)) {
+                     size_t res = (16 - gctx->gcm.mres) % 16;
+ 
+                     if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
+@@ -3277,7 +3294,7 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+             } else {
+                 size_t bulk = 0;
+ #if defined(AES_GCM_ASM2)
+-                if (len >= 16 && AES_GCM_ASM2(gctx)) {
++                if (len >= AES_GCM_DEC_BYTES && AES_GCM_ASM2(gctx)) {
+                     size_t res = (16 - gctx->gcm.mres) % 16;
+ 
+                     if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
+--- /dev/null
++++ b/crypto/modes/asm/aes-gcm-ppc.pl
+@@ -0,0 +1,1439 @@
++#! /usr/bin/env perl
++# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 2021- IBM Inc. All rights reserved
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++#
++#===================================================================================
++# Written by Danny Tsen <dtsen@us.ibm.com> for OpenSSL Project,
++#
++# GHASH is based on the Karatsuba multiplication method.
++#
++#    Xi xor X1
++#
++#    X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H =
++#      (X1.h * H4.h + xX.l * H4.l + X1 * H4) +
++#      (X2.h * H3.h + X2.l * H3.l + X2 * H3) +
++#      (X3.h * H2.h + X3.l * H2.l + X3 * H2) +
++#      (X4.h * H.h + X4.l * H.l + X4 * H)
++#
++# Xi = v0
++# H Poly = v2
++# Hash keys = v3 - v14
++#     ( H.l, H, H.h)
++#     ( H^2.l, H^2, H^2.h)
++#     ( H^3.l, H^3, H^3.h)
++#     ( H^4.l, H^4, H^4.h)
++#
++# v30 is IV
++# v31 - counter 1
++#
++# AES used,
++#     vs0 - vs14 for round keys
++#     v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted)
++#
++# This implementation uses stitched AES-GCM approach to improve overall performance.
++# AES is implemented with 8x blocks and GHASH is using 2 4x blocks.
++#
++# Current large block (16384 bytes) performance per second with 128 bit key --
++#
++#                        Encrypt  Decrypt
++# Power10[le] (3.5GHz)   5.32G    5.26G
++#
++# ===================================================================================
++#
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
++
++if ($flavour =~ /64/) {
++	$SIZE_T=8;
++	$LRSAVE=2*$SIZE_T;
++	$STU="stdu";
++	$POP="ld";
++	$PUSH="std";
++	$UCMP="cmpld";
++	$SHRI="srdi";
++} elsif ($flavour =~ /32/) {
++	$SIZE_T=4;
++	$LRSAVE=$SIZE_T;
++	$STU="stwu";
++	$POP="lwz";
++	$PUSH="stw";
++	$UCMP="cmplw";
++	$SHRI="srwi";
++} else { die "nonsense $flavour"; }
++
++$sp="r1";
++$FRAME=6*$SIZE_T+13*16;	# 13*16 is for v20-v31 offload
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
++die "can't locate ppc-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour \"$output\""
++    or die "can't call $xlate: $!";
++
++$code=<<___;
++.machine        "any"
++.abiversion     2
++.text
++
++# 4x loops
++# v15 - v18 - input states
++# vs1 - vs9 - round keys
++#
++.macro Loop_aes_middle4x
++	xxlor	19+32, 1, 1
++	xxlor	20+32, 2, 2
++	xxlor	21+32, 3, 3
++	xxlor	22+32, 4, 4
++
++	vcipher	15, 15, 19
++	vcipher	16, 16, 19
++	vcipher	17, 17, 19
++	vcipher	18, 18, 19
++
++	vcipher	15, 15, 20
++	vcipher	16, 16, 20
++	vcipher	17, 17, 20
++	vcipher	18, 18, 20
++
++	vcipher	15, 15, 21
++	vcipher	16, 16, 21
++	vcipher	17, 17, 21
++	vcipher	18, 18, 21
++
++	vcipher	15, 15, 22
++	vcipher	16, 16, 22
++	vcipher	17, 17, 22
++	vcipher	18, 18, 22
++
++	xxlor	19+32, 5, 5
++	xxlor	20+32, 6, 6
++	xxlor	21+32, 7, 7
++	xxlor	22+32, 8, 8
++
++	vcipher	15, 15, 19
++	vcipher	16, 16, 19
++	vcipher	17, 17, 19
++	vcipher	18, 18, 19
++
++	vcipher	15, 15, 20
++	vcipher	16, 16, 20
++	vcipher	17, 17, 20
++	vcipher	18, 18, 20
++
++	vcipher	15, 15, 21
++	vcipher	16, 16, 21
++	vcipher	17, 17, 21
++	vcipher	18, 18, 21
++
++	vcipher	15, 15, 22
++	vcipher	16, 16, 22
++	vcipher	17, 17, 22
++	vcipher	18, 18, 22
++
++	xxlor	23+32, 9, 9
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++.endm
++
++# 8x loops
++# v15 - v22 - input states
++# vs1 - vs9 - round keys
++#
++.macro Loop_aes_middle8x
++	xxlor	23+32, 1, 1
++	xxlor	24+32, 2, 2
++	xxlor	25+32, 3, 3
++	xxlor	26+32, 4, 4
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	vcipher	15, 15, 25
++	vcipher	16, 16, 25
++	vcipher	17, 17, 25
++	vcipher	18, 18, 25
++	vcipher	19, 19, 25
++	vcipher	20, 20, 25
++	vcipher	21, 21, 25
++	vcipher	22, 22, 25
++
++	vcipher	15, 15, 26
++	vcipher	16, 16, 26
++	vcipher	17, 17, 26
++	vcipher	18, 18, 26
++	vcipher	19, 19, 26
++	vcipher	20, 20, 26
++	vcipher	21, 21, 26
++	vcipher	22, 22, 26
++
++	xxlor	23+32, 5, 5
++	xxlor	24+32, 6, 6
++	xxlor	25+32, 7, 7
++	xxlor	26+32, 8, 8
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	vcipher	15, 15, 25
++	vcipher	16, 16, 25
++	vcipher	17, 17, 25
++	vcipher	18, 18, 25
++	vcipher	19, 19, 25
++	vcipher	20, 20, 25
++	vcipher	21, 21, 25
++	vcipher	22, 22, 25
++
++	vcipher	15, 15, 26
++	vcipher	16, 16, 26
++	vcipher	17, 17, 26
++	vcipher	18, 18, 26
++	vcipher	19, 19, 26
++	vcipher	20, 20, 26
++	vcipher	21, 21, 26
++	vcipher	22, 22, 26
++
++	xxlor	23+32, 9, 9
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++.endm
++
++#
++# Compute 4x hash values based on Karatsuba method.
++#
++ppc_aes_gcm_ghash:
++	vxor		15, 15, 0
++
++	xxlxor		29, 29, 29
++
++	vpmsumd		23, 12, 15		# H4.L * X.L
++	vpmsumd		24, 9, 16
++	vpmsumd		25, 6, 17
++	vpmsumd		26, 3, 18
++
++	vxor		23, 23, 24
++	vxor		23, 23, 25
++	vxor		23, 23, 26		# L
++
++	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
++	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
++	vpmsumd		26, 7, 17
++	vpmsumd		27, 4, 18
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++	vxor		24, 24, 27		# M
++
++	# sum hash and reduction with H Poly
++	vpmsumd		28, 23, 2		# reduction
++
++	xxlor		29+32, 29, 29
++	vsldoi		26, 24, 29, 8		# mL
++	vsldoi		29, 29, 24, 8		# mH
++	vxor		23, 23, 26		# mL + L
++
++	vsldoi		23, 23, 23, 8		# swap
++	vxor		23, 23, 28
++
++	vpmsumd		24, 14, 15		# H4.H * X.H
++	vpmsumd		25, 11, 16
++	vpmsumd		26, 8, 17
++	vpmsumd		27, 5, 18
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++	vxor		24, 24, 27
++
++	vxor		24, 24, 29
++
++	# sum hash and reduction with H Poly
++	vsldoi		27, 23, 23, 8		# swap
++	vpmsumd		23, 23, 2
++	vxor		27, 27, 24
++	vxor		23, 23, 27
++
++	xxlor		32, 23+32, 23+32		# update hash
++
++	blr
++
++#
++# Combine two 4x ghash
++# v15 - v22 - input blocks
++#
++.macro ppc_aes_gcm_ghash2_4x
++	# first 4x hash
++	vxor		15, 15, 0		# Xi + X
++
++	xxlxor		29, 29, 29
++
++	vpmsumd		23, 12, 15		# H4.L * X.L
++	vpmsumd		24, 9, 16
++	vpmsumd		25, 6, 17
++	vpmsumd		26, 3, 18
++
++	vxor		23, 23, 24
++	vxor		23, 23, 25
++	vxor		23, 23, 26		# L
++
++	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
++	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
++	vpmsumd		26, 7, 17
++	vpmsumd		27, 4, 18
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++
++	# sum hash and reduction with H Poly
++	vpmsumd		28, 23, 2		# reduction
++
++	xxlor		29+32, 29, 29
++
++	vxor		24, 24, 27		# M
++	vsldoi		26, 24, 29, 8		# mL
++	vsldoi		29, 29, 24, 8		# mH
++	vxor		23, 23, 26		# mL + L
++
++	vsldoi		23, 23, 23, 8		# swap
++	vxor		23, 23, 28
++
++	vpmsumd		24, 14, 15		# H4.H * X.H
++	vpmsumd		25, 11, 16
++	vpmsumd		26, 8, 17
++	vpmsumd		27, 5, 18
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++	vxor		24, 24, 27		# H
++
++	vxor		24, 24, 29		# H + mH
++
++	# sum hash and reduction with H Poly
++	vsldoi		27, 23, 23, 8		# swap
++	vpmsumd		23, 23, 2
++	vxor		27, 27, 24
++	vxor		27, 23, 27		# 1st Xi
++
++	# 2nd 4x hash
++	vpmsumd		24, 9, 20
++	vpmsumd		25, 6, 21
++	vpmsumd		26, 3, 22
++	vxor		19, 19, 27		# Xi + X
++	vpmsumd		23, 12, 19		# H4.L * X.L
++
++	vxor		23, 23, 24
++	vxor		23, 23, 25
++	vxor		23, 23, 26		# L
++
++	vpmsumd		24, 13, 19		# H4.L * X.H + H4.H * X.L
++	vpmsumd		25, 10, 20		# H3.L * X1.H + H3.H * X1.L
++	vpmsumd		26, 7, 21
++	vpmsumd		27, 4, 22
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++
++	# sum hash and reduction with H Poly
++	vpmsumd		28, 23, 2		# reduction
++
++	xxlor		29+32, 29, 29
++
++	vxor		24, 24, 27		# M
++	vsldoi		26, 24, 29, 8		# mL
++	vsldoi		29, 29, 24, 8		# mH
++	vxor		23, 23, 26		# mL + L
++
++	vsldoi		23, 23, 23, 8		# swap
++	vxor		23, 23, 28
++
++	vpmsumd		24, 14, 19		# H4.H * X.H
++	vpmsumd		25, 11, 20
++	vpmsumd		26, 8, 21
++	vpmsumd		27, 5, 22
++
++	vxor		24, 24, 25
++	vxor		24, 24, 26
++	vxor		24, 24, 27		# H
++
++	vxor		24, 24, 29		# H + mH
++
++	# sum hash and reduction with H Poly
++	vsldoi		27, 23, 23, 8		# swap
++	vpmsumd		23, 23, 2
++	vxor		27, 27, 24
++	vxor		23, 23, 27
++
++	xxlor		32, 23+32, 23+32		# update hash
++
++.endm
++
++#
++# Compute update single hash
++#
++.macro ppc_update_hash_1x
++	vxor		28, 28, 0
++
++	vxor		19, 19, 19
++
++	vpmsumd		22, 3, 28		# L
++	vpmsumd		23, 4, 28		# M
++	vpmsumd		24, 5, 28		# H
++
++	vpmsumd		27, 22, 2		# reduction
++
++	vsldoi		25, 23, 19, 8		# mL
++	vsldoi		26, 19, 23, 8		# mH
++	vxor		22, 22, 25		# LL + LL
++	vxor		24, 24, 26		# HH + HH
++
++	vsldoi		22, 22, 22, 8		# swap
++	vxor		22, 22, 27
++
++	vsldoi		20, 22, 22, 8		# swap
++	vpmsumd		22, 22, 2		# reduction
++	vxor		20, 20, 24
++	vxor		22, 22, 20
++
++	vmr		0, 22			# update hash
++
++.endm
++
++#
++# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len,
++#               const AES_KEY *key, unsigned char iv[16],
++#               void *Xip);
++#
++#    r3 - inp
++#    r4 - out
++#    r5 - len
++#    r6 - AES round keys
++#    r7 - iv
++#    r8 - Xi, HPoli, hash keys
++#
++.global ppc_aes_gcm_encrypt
++.align 5
++ppc_aes_gcm_encrypt:
++_ppc_aes_gcm_encrypt:
++
++	stdu 1,-512(1)
++	mflr 0
++
++	std	14,112(1)
++	std	15,120(1)
++	std	16,128(1)
++	std	17,136(1)
++	std	18,144(1)
++	std	19,152(1)
++	std	20,160(1)
++	std	21,168(1)
++	li	9, 256
++	stvx	20, 9, 1
++	addi	9, 9, 16
++	stvx	21, 9, 1
++	addi	9, 9, 16
++	stvx	22, 9, 1
++	addi	9, 9, 16
++	stvx	23, 9, 1
++	addi	9, 9, 16
++	stvx	24, 9, 1
++	addi	9, 9, 16
++	stvx	25, 9, 1
++	addi	9, 9, 16
++	stvx	26, 9, 1
++	addi	9, 9, 16
++	stvx	27, 9, 1
++	addi	9, 9, 16
++	stvx	28, 9, 1
++	addi	9, 9, 16
++	stvx	29, 9, 1
++	addi	9, 9, 16
++	stvx	30, 9, 1
++	addi	9, 9, 16
++	stvx	31, 9, 1
++	std	0, 528(1)
++
++	# Load Xi
++	lxvb16x	32, 0, 8	# load Xi
++
++	# load Hash - h^4, h^3, h^2, h
++	li	10, 32
++	lxvd2x	2+32, 10, 8	# H Poli
++	li	10, 48
++	lxvd2x	3+32, 10, 8	# Hl
++	li	10, 64
++	lxvd2x	4+32, 10, 8	# H
++	li	10, 80
++	lxvd2x	5+32, 10, 8	# Hh
++
++	li	10, 96
++	lxvd2x	6+32, 10, 8	# H^2l
++	li	10, 112
++	lxvd2x	7+32, 10, 8	# H^2
++	li	10, 128
++	lxvd2x	8+32, 10, 8	# H^2h
++
++	li	10, 144
++	lxvd2x	9+32, 10, 8	# H^3l
++	li	10, 160
++	lxvd2x	10+32, 10, 8	# H^3
++	li	10, 176
++	lxvd2x	11+32, 10, 8	# H^3h
++
++	li	10, 192
++	lxvd2x	12+32, 10, 8	# H^4l
++	li	10, 208
++	lxvd2x	13+32, 10, 8	# H^4
++	li	10, 224
++	lxvd2x	14+32, 10, 8	# H^4h
++
++	# initialize ICB: GHASH( IV ), IV - r7
++	lxvb16x	30+32, 0, 7	# load IV  - v30
++
++	mr	12, 5		# length
++	li	11, 0		# block index
++
++	# counter 1
++	vxor	31, 31, 31
++	vspltisb 22, 1
++	vsldoi	31, 31, 22,1	# counter 1
++
++	# load round key to VSR
++	lxv	0, 0(6)
++	lxv	1, 0x10(6)
++	lxv	2, 0x20(6)
++	lxv	3, 0x30(6)
++	lxv	4, 0x40(6)
++	lxv	5, 0x50(6)
++	lxv	6, 0x60(6)
++	lxv	7, 0x70(6)
++	lxv	8, 0x80(6)
++	lxv	9, 0x90(6)
++	lxv	10, 0xa0(6)
++
++	# load rounds - 10 (128), 12 (192), 14 (256)
++	lwz	9,240(6)
++
++	#
++	# vxor	state, state, w # addroundkey
++	xxlor	32+29, 0, 0
++	vxor	15, 30, 29	# IV + round key - add round key 0
++
++	cmpdi	9, 10
++	beq	Loop_aes_gcm_8x
++
++	# load 2 more round keys (v11, v12)
++	lxv	11, 0xb0(6)
++	lxv	12, 0xc0(6)
++
++	cmpdi	9, 12
++	beq	Loop_aes_gcm_8x
++
++	# load 2 more round keys (v11, v12, v13, v14)
++	lxv	13, 0xd0(6)
++	lxv	14, 0xe0(6)
++	cmpdi	9, 14
++	beq	Loop_aes_gcm_8x
++
++	b	aes_gcm_out
++
++.align 5
++Loop_aes_gcm_8x:
++	mr	14, 3
++	mr	9, 4
++
++	# n blcoks
++	li	10, 128
++	divdu	10, 5, 10	# n 128 bytes-blocks
++	cmpdi	10, 0
++	beq	Loop_last_block
++
++	vaddudm	30, 30, 31	# IV + counter
++	vxor	16, 30, 29
++	vaddudm	30, 30, 31
++	vxor	17, 30, 29
++	vaddudm	30, 30, 31
++	vxor	18, 30, 29
++	vaddudm	30, 30, 31
++	vxor	19, 30, 29
++	vaddudm	30, 30, 31
++	vxor	20, 30, 29
++	vaddudm	30, 30, 31
++	vxor	21, 30, 29
++	vaddudm	30, 30, 31
++	vxor	22, 30, 29
++
++	mtctr	10
++
++	li	15, 16
++	li	16, 32
++	li	17, 48
++	li	18, 64
++	li	19, 80
++	li	20, 96
++	li	21, 112
++
++	lwz	10, 240(6)
++
++Loop_8x_block:
++
++	lxvb16x		15, 0, 14	# load block
++	lxvb16x		16, 15, 14	# load block
++	lxvb16x		17, 16, 14	# load block
++	lxvb16x		18, 17, 14	# load block
++	lxvb16x		19, 18, 14	# load block
++	lxvb16x		20, 19, 14	# load block
++	lxvb16x		21, 20, 14	# load block
++	lxvb16x		22, 21, 14	# load block
++	addi		14, 14, 128
++
++	Loop_aes_middle8x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_next_ghash
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_next_ghash
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_next_ghash
++	b	aes_gcm_out
++
++Do_next_ghash:
++
++	#
++	# last round
++	vcipherlast     15, 15, 23
++	vcipherlast     16, 16, 23
++
++	xxlxor		47, 47, 15
++	stxvb16x        47, 0, 9	# store output
++	xxlxor		48, 48, 16
++	stxvb16x        48, 15, 9	# store output
++
++	vcipherlast     17, 17, 23
++	vcipherlast     18, 18, 23
++
++	xxlxor		49, 49, 17
++	stxvb16x        49, 16, 9	# store output
++	xxlxor		50, 50, 18
++	stxvb16x        50, 17, 9	# store output
++
++	vcipherlast     19, 19, 23
++	vcipherlast     20, 20, 23
++
++	xxlxor		51, 51, 19
++	stxvb16x        51, 18, 9	# store output
++	xxlxor		52, 52, 20
++	stxvb16x        52, 19, 9	# store output
++
++	vcipherlast     21, 21, 23
++	vcipherlast     22, 22, 23
++
++	xxlxor		53, 53, 21
++	stxvb16x        53, 20, 9	# store output
++	xxlxor		54, 54, 22
++	stxvb16x        54, 21, 9	# store output
++
++	addi		9, 9, 128
++
++	# ghash here
++	ppc_aes_gcm_ghash2_4x
++
++	xxlor	27+32, 0, 0
++	vaddudm 30, 30, 31		# IV + counter
++	vmr	29, 30
++	vxor    15, 30, 27		# add round key
++	vaddudm 30, 30, 31
++	vxor    16, 30, 27
++	vaddudm 30, 30, 31
++	vxor    17, 30, 27
++	vaddudm 30, 30, 31
++	vxor    18, 30, 27
++	vaddudm 30, 30, 31
++	vxor    19, 30, 27
++	vaddudm 30, 30, 31
++	vxor    20, 30, 27
++	vaddudm 30, 30, 31
++	vxor    21, 30, 27
++	vaddudm 30, 30, 31
++	vxor    22, 30, 27
++
++	addi    12, 12, -128
++	addi    11, 11, 128
++
++	bdnz	Loop_8x_block
++
++	vmr	30, 29
++
++Loop_last_block:
++	cmpdi   12, 0
++	beq     aes_gcm_out
++
++	# loop last few blocks
++	li      10, 16
++	divdu   10, 12, 10
++
++	mtctr   10
++
++	lwz	10, 240(6)
++
++	cmpdi   12, 16
++	blt     Final_block
++
++.macro Loop_aes_middle_1x
++	xxlor	19+32, 1, 1
++	xxlor	20+32, 2, 2
++	xxlor	21+32, 3, 3
++	xxlor	22+32, 4, 4
++
++	vcipher 15, 15, 19
++	vcipher 15, 15, 20
++	vcipher 15, 15, 21
++	vcipher 15, 15, 22
++
++	xxlor	19+32, 5, 5
++	xxlor	20+32, 6, 6
++	xxlor	21+32, 7, 7
++	xxlor	22+32, 8, 8
++
++	vcipher 15, 15, 19
++	vcipher 15, 15, 20
++	vcipher 15, 15, 21
++	vcipher 15, 15, 22
++
++	xxlor	19+32, 9, 9
++	vcipher 15, 15, 19
++.endm
++
++Next_rem_block:
++	lxvb16x 15, 0, 14		# load block
++
++	Loop_aes_middle_1x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_next_1x
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_next_1x
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_next_1x
++
++Do_next_1x:
++	vcipherlast     15, 15, 23
++
++	xxlxor		47, 47, 15
++	stxvb16x	47, 0, 9	# store output
++	addi		14, 14, 16
++	addi		9, 9, 16
++
++	vmr		28, 15
++	ppc_update_hash_1x
++
++	addi		12, 12, -16
++	addi		11, 11, 16
++	xxlor		19+32, 0, 0
++	vaddudm		30, 30, 31		# IV + counter
++	vxor		15, 30, 19		# add round key
++
++	bdnz	Next_rem_block
++
++	cmpdi	12, 0
++	beq	aes_gcm_out
++
++Final_block:
++	Loop_aes_middle_1x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_final_1x
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_final_1x
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_final_1x
++
++Do_final_1x:
++	vcipherlast     15, 15, 23
++
++	lxvb16x	15, 0, 14		# load last block
++	xxlxor	47, 47, 15
++
++	# create partial block mask
++	li	15, 16
++	sub	15, 15, 12		# index to the mask
++
++	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
++	vspltisb	17, 0		# second 16 bytes - 0x0000...00
++	li	10, 192
++	stvx	16, 10, 1
++	addi	10, 10, 16
++	stvx	17, 10, 1
++
++	addi	10, 1, 192
++	lxvb16x	16, 15, 10		# load partial block mask
++	xxland	47, 47, 16
++
++	vmr	28, 15
++	ppc_update_hash_1x
++
++	# * should store only the remaining bytes.
++	bl	Write_partial_block
++
++	b aes_gcm_out
++
++#
++# Write partial block
++# r9 - output
++# r12 - remaining bytes
++# v15 - partial input data
++#
++Write_partial_block:
++	li		10, 192
++	stxvb16x	15+32, 10, 1		# last block
++
++	#add		10, 9, 11		# Output
++	addi		10, 9, -1
++	addi		16, 1, 191
++
++        mtctr		12			# remaining bytes
++	li		15, 0
++
++Write_last_byte:
++        lbzu		14, 1(16)
++	stbu		14, 1(10)
++        bdnz		Write_last_byte
++	blr
++
++aes_gcm_out:
++	# out = state
++	stxvb16x	32, 0, 8		# write out Xi
++	add	3, 11, 12		# return count
++
++	li	9, 256
++	lvx	20, 9, 1
++	addi	9, 9, 16
++	lvx	21, 9, 1
++	addi	9, 9, 16
++	lvx	22, 9, 1
++	addi	9, 9, 16
++	lvx	23, 9, 1
++	addi	9, 9, 16
++	lvx	24, 9, 1
++	addi	9, 9, 16
++	lvx	25, 9, 1
++	addi	9, 9, 16
++	lvx	26, 9, 1
++	addi	9, 9, 16
++	lvx	27, 9, 1
++	addi	9, 9, 16
++	lvx	28, 9, 1
++	addi	9, 9, 16
++	lvx	29, 9, 1
++	addi	9, 9, 16
++	lvx	30, 9, 1
++	addi	9, 9, 16
++	lvx	31, 9, 1
++
++	ld	0, 528(1)
++	ld      14,112(1)
++	ld      15,120(1)
++	ld      16,128(1)
++	ld      17,136(1)
++	ld      18,144(1)
++	ld      19,152(1)
++	ld      20,160(1)
++	ld	21,168(1)
++
++	mtlr	0
++	addi	1, 1, 512
++	blr
++
++#
++# 8x Decrypt
++#
++.global ppc_aes_gcm_decrypt
++.align 5
++ppc_aes_gcm_decrypt:
++_ppc_aes_gcm_decrypt:
++
++	stdu 1,-512(1)
++	mflr 0
++
++	std	14,112(1)
++	std	15,120(1)
++	std	16,128(1)
++	std	17,136(1)
++	std	18,144(1)
++	std	19,152(1)
++	std	20,160(1)
++	std	21,168(1)
++	li	9, 256
++	stvx	20, 9, 1
++	addi	9, 9, 16
++	stvx	21, 9, 1
++	addi	9, 9, 16
++	stvx	22, 9, 1
++	addi	9, 9, 16
++	stvx	23, 9, 1
++	addi	9, 9, 16
++	stvx	24, 9, 1
++	addi	9, 9, 16
++	stvx	25, 9, 1
++	addi	9, 9, 16
++	stvx	26, 9, 1
++	addi	9, 9, 16
++	stvx	27, 9, 1
++	addi	9, 9, 16
++	stvx	28, 9, 1
++	addi	9, 9, 16
++	stvx	29, 9, 1
++	addi	9, 9, 16
++	stvx	30, 9, 1
++	addi	9, 9, 16
++	stvx	31, 9, 1
++	std	0, 528(1)
++
++	# Load Xi
++	lxvb16x	32, 0, 8	# load Xi
++
++	# load Hash - h^4, h^3, h^2, h
++	li	10, 32
++	lxvd2x	2+32, 10, 8	# H Poli
++	li	10, 48
++	lxvd2x	3+32, 10, 8	# Hl
++	li	10, 64
++	lxvd2x	4+32, 10, 8	# H
++	li	10, 80
++	lxvd2x	5+32, 10, 8	# Hh
++
++	li	10, 96
++	lxvd2x	6+32, 10, 8	# H^2l
++	li	10, 112
++	lxvd2x	7+32, 10, 8	# H^2
++	li	10, 128
++	lxvd2x	8+32, 10, 8	# H^2h
++
++	li	10, 144
++	lxvd2x	9+32, 10, 8	# H^3l
++	li	10, 160
++	lxvd2x	10+32, 10, 8	# H^3
++	li	10, 176
++	lxvd2x	11+32, 10, 8	# H^3h
++
++	li	10, 192
++	lxvd2x	12+32, 10, 8	# H^4l
++	li	10, 208
++	lxvd2x	13+32, 10, 8	# H^4
++	li	10, 224
++	lxvd2x	14+32, 10, 8	# H^4h
++
++	# initialize ICB: GHASH( IV ), IV - r7
++	lxvb16x	30+32, 0, 7	# load IV  - v30
++
++	mr	12, 5		# length
++	li	11, 0		# block index
++
++	# counter 1
++	vxor	31, 31, 31
++	vspltisb 22, 1
++	vsldoi	31, 31, 22,1	# counter 1
++
++	# load round key to VSR
++	lxv	0, 0(6)
++	lxv	1, 0x10(6)
++	lxv	2, 0x20(6)
++	lxv	3, 0x30(6)
++	lxv	4, 0x40(6)
++	lxv	5, 0x50(6)
++	lxv	6, 0x60(6)
++	lxv	7, 0x70(6)
++	lxv	8, 0x80(6)
++	lxv	9, 0x90(6)
++	lxv	10, 0xa0(6)
++
++	# load rounds - 10 (128), 12 (192), 14 (256)
++	lwz	9,240(6)
++
++	#
++	# vxor	state, state, w # addroundkey
++	xxlor	32+29, 0, 0
++	vxor	15, 30, 29	# IV + round key - add round key 0
++
++	cmpdi	9, 10
++	beq	Loop_aes_gcm_8x_dec
++
++	# load 2 more round keys (v11, v12)
++	lxv	11, 0xb0(6)
++	lxv	12, 0xc0(6)
++
++	cmpdi	9, 12
++	beq	Loop_aes_gcm_8x_dec
++
++	# load 2 more round keys (v11, v12, v13, v14)
++	lxv	13, 0xd0(6)
++	lxv	14, 0xe0(6)
++	cmpdi	9, 14
++	beq	Loop_aes_gcm_8x_dec
++
++	b	aes_gcm_out
++
++.align 5
++Loop_aes_gcm_8x_dec:
++	mr	14, 3
++	mr	9, 4
++
++	# n blcoks
++	li	10, 128
++	divdu	10, 5, 10	# n 128 bytes-blocks
++	cmpdi	10, 0
++	beq	Loop_last_block_dec
++
++	vaddudm	30, 30, 31	# IV + counter
++	vxor	16, 30, 29
++	vaddudm	30, 30, 31
++	vxor	17, 30, 29
++	vaddudm	30, 30, 31
++	vxor	18, 30, 29
++	vaddudm	30, 30, 31
++	vxor	19, 30, 29
++	vaddudm	30, 30, 31
++	vxor	20, 30, 29
++	vaddudm	30, 30, 31
++	vxor	21, 30, 29
++	vaddudm	30, 30, 31
++	vxor	22, 30, 29
++
++	mtctr	10
++
++	li	15, 16
++	li	16, 32
++	li	17, 48
++	li	18, 64
++	li	19, 80
++	li	20, 96
++	li	21, 112
++
++	lwz	10, 240(6)
++
++Loop_8x_block_dec:
++
++	lxvb16x		15, 0, 14	# load block
++	lxvb16x		16, 15, 14	# load block
++	lxvb16x		17, 16, 14	# load block
++	lxvb16x		18, 17, 14	# load block
++	lxvb16x		19, 18, 14	# load block
++	lxvb16x		20, 19, 14	# load block
++	lxvb16x		21, 20, 14	# load block
++	lxvb16x		22, 21, 14	# load block
++	addi		14, 14, 128
++
++	Loop_aes_middle8x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_last_aes_dec
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_last_aes_dec
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	16, 16, 23
++	vcipher	17, 17, 23
++	vcipher	18, 18, 23
++	vcipher	19, 19, 23
++	vcipher	20, 20, 23
++	vcipher	21, 21, 23
++	vcipher	22, 22, 23
++
++	vcipher	15, 15, 24
++	vcipher	16, 16, 24
++	vcipher	17, 17, 24
++	vcipher	18, 18, 24
++	vcipher	19, 19, 24
++	vcipher	20, 20, 24
++	vcipher	21, 21, 24
++	vcipher	22, 22, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_last_aes_dec
++	b	aes_gcm_out
++
++Do_last_aes_dec:
++
++	#
++	# last round
++	vcipherlast     15, 15, 23
++	vcipherlast     16, 16, 23
++
++	xxlxor		47, 47, 15
++	stxvb16x        47, 0, 9	# store output
++	xxlxor		48, 48, 16
++	stxvb16x        48, 15, 9	# store output
++
++	vcipherlast     17, 17, 23
++	vcipherlast     18, 18, 23
++
++	xxlxor		49, 49, 17
++	stxvb16x        49, 16, 9	# store output
++	xxlxor		50, 50, 18
++	stxvb16x        50, 17, 9	# store output
++
++	vcipherlast     19, 19, 23
++	vcipherlast     20, 20, 23
++
++	xxlxor		51, 51, 19
++	stxvb16x        51, 18, 9	# store output
++	xxlxor		52, 52, 20
++	stxvb16x        52, 19, 9	# store output
++
++	vcipherlast     21, 21, 23
++	vcipherlast     22, 22, 23
++
++	xxlxor		53, 53, 21
++	stxvb16x        53, 20, 9	# store output
++	xxlxor		54, 54, 22
++	stxvb16x        54, 21, 9	# store output
++
++	addi		9, 9, 128
++
++	xxlor		15+32, 15, 15
++	xxlor		16+32, 16, 16
++	xxlor		17+32, 17, 17
++	xxlor		18+32, 18, 18
++	xxlor		19+32, 19, 19
++	xxlor		20+32, 20, 20
++	xxlor		21+32, 21, 21
++	xxlor		22+32, 22, 22
++
++	# ghash here
++	ppc_aes_gcm_ghash2_4x
++
++	xxlor	27+32, 0, 0
++	vaddudm 30, 30, 31		# IV + counter
++	vmr	29, 30
++	vxor    15, 30, 27		# add round key
++	vaddudm 30, 30, 31
++	vxor    16, 30, 27
++	vaddudm 30, 30, 31
++	vxor    17, 30, 27
++	vaddudm 30, 30, 31
++	vxor    18, 30, 27
++	vaddudm 30, 30, 31
++	vxor    19, 30, 27
++	vaddudm 30, 30, 31
++	vxor    20, 30, 27
++	vaddudm 30, 30, 31
++	vxor    21, 30, 27
++	vaddudm 30, 30, 31
++	vxor    22, 30, 27
++	addi    12, 12, -128
++	addi    11, 11, 128
++
++	bdnz	Loop_8x_block_dec
++
++	vmr	30, 29
++
++Loop_last_block_dec:
++	cmpdi   12, 0
++	beq     aes_gcm_out
++
++	# loop last few blocks
++	li      10, 16
++	divdu   10, 12, 10
++
++	mtctr   10
++
++	lwz	10,240(6)
++
++	cmpdi   12, 16
++	blt     Final_block_dec
++
++Next_rem_block_dec:
++	lxvb16x 15, 0, 14		# load block
++
++	Loop_aes_middle_1x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_next_1x_dec
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_next_1x_dec
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_next_1x_dec
++
++Do_next_1x_dec:
++	vcipherlast     15, 15, 23
++
++	xxlxor  47, 47, 15
++	stxvb16x        47, 0, 9	# store output
++	addi	14, 14, 16
++	addi	9, 9, 16
++
++	xxlor	28+32, 15, 15
++	ppc_update_hash_1x
++
++	addi    12, 12, -16
++	addi    11, 11, 16
++	xxlor	19+32, 0, 0
++	vaddudm 30, 30, 31		# IV + counter
++	vxor	15, 30, 19		# add round key
++
++	bdnz	Next_rem_block_dec
++
++	cmpdi	12, 0
++	beq	aes_gcm_out
++
++Final_block_dec:
++	Loop_aes_middle_1x
++
++	xxlor	23+32, 10, 10
++
++	cmpdi	10, 10
++	beq	Do_final_1x_dec
++
++	# 192 bits
++	xxlor	24+32, 11, 11
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 12, 12
++
++	cmpdi	10, 12
++	beq	Do_final_1x_dec
++
++	# 256 bits
++	xxlor	24+32, 13, 13
++
++	vcipher	15, 15, 23
++	vcipher	15, 15, 24
++
++	xxlor	23+32, 14, 14
++
++	cmpdi	10, 14
++	beq	Do_final_1x_dec
++
++Do_final_1x_dec:
++	vcipherlast     15, 15, 23
++
++	lxvb16x	15, 0, 14		# load block
++	xxlxor	47, 47, 15
++
++	# create partial block mask
++	li	15, 16
++	sub	15, 15, 12		# index to the mask
++
++	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
++	vspltisb	17, 0		# second 16 bytes - 0x0000...00
++	li	10, 192
++	stvx	16, 10, 1
++	addi	10, 10, 16
++	stvx	17, 10, 1
++
++	addi	10, 1, 192
++	lxvb16x	16, 15, 10		# load block mask
++	xxland	47, 47, 16
++
++	xxlor	28+32, 15, 15
++	ppc_update_hash_1x
++
++	# * should store only the remaining bytes.
++	bl	Write_partial_block
++
++	b aes_gcm_out
++
++
++___
++
++foreach (split("\n",$code)) {
++	s/\`([^\`]*)\`/eval $1/geo;
++
++	if ($flavour =~ /le$/o) {	# little-endian
++	    s/le\?//o		or
++	    s/be\?/#be#/o;
++	} else {
++	    s/le\?/#le#/o	or
++	    s/be\?//o;
++	}
++	print $_,"\n";
++}
++
++close STDOUT or die "error closing STDOUT: $!"; # enforce flush
+--- a/crypto/modes/build.info
++++ b/crypto/modes/build.info
+@@ -16,6 +16,7 @@ INCLUDE[ghash-sparcv9.o]=..
+ GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl $(PERLASM_SCHEME)
+ GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl $(PERLASM_SCHEME)
+ GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl $(PERLASM_SCHEME)
++GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl $(PERLASM_SCHEME)
+ GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl $(PERLASM_SCHEME)
+ INCLUDE[ghash-armv4.o]=..
+ GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl $(PERLASM_SCHEME)
diff --git a/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
new file mode 100644
index 0000000..5d331d1
--- /dev/null
+++ b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
@@ -0,0 +1,45 @@
+Index: openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_kdf_selftest.c
++++ openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c
+@@ -63,18 +63,20 @@ int FIPS_selftest_pbkdf2(void)
+ {
+     int ret = 0;
+     EVP_KDF_CTX *kctx;
+-    unsigned char out[32];
++    unsigned char out[40];
+ 
+     if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
+         goto err;
+     }
+-    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS,
++		     "passwordPASSWORDpassword", (size_t)24) <= 0) {
+         goto err;
+     }
+-    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
++		     "saltSALTsaltSALTsaltSALTsaltSALTsalt", (size_t)36) <= 0) {
+         goto err;
+     }
+-    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096) <= 0) {
+         goto err;
+     }
+     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
+@@ -86,10 +88,11 @@ int FIPS_selftest_pbkdf2(void)
+ 
+     {
+         const unsigned char expected[sizeof(out)] = {
+-            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
+-            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
+-            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
+-            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
++            0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f,
++            0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf,
++            0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
++            0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1,
++            0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9
+         };
+         if (memcmp(out, expected, sizeof(expected))) {
+             goto err;
diff --git a/openssl-1_1-FIPS-default-RFC7919.patch b/openssl-1_1-FIPS-default-RFC7919.patch
new file mode 100644
index 0000000..270e58b
--- /dev/null
+++ b/openssl-1_1-FIPS-default-RFC7919.patch
@@ -0,0 +1,91 @@
+Index: openssl-1.1.1l/apps/dhparam.c
+===================================================================
+--- openssl-1.1.1l.orig/apps/dhparam.c
++++ openssl-1.1.1l/apps/dhparam.c
+@@ -194,15 +194,42 @@ int dhparam_main(int argc, char **argv)
+         } else
+ #endif
+         {
+-            dh = DH_new();
+-            BIO_printf(bio_err,
+-                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
+-                       num, g);
+-            BIO_printf(bio_err, "This is going to take a long time\n");
+-            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
+-                BN_GENCB_free(cb);
+-                ERR_print_errors(bio_err);
+-                goto end;
++#ifdef OPENSSL_FIPS
++            if (FIPS_mode()) {
++                /* In FIPS mode, instead of generating DH parameters, we use parameters
++                 * from an approved group, in this case, RFC-7919. */
++                int param_nid;
++                switch (num) {
++                case 8192:
++                  param_nid = NID_ffdhe8192;
++                  break;
++                case 6144:
++                  param_nid = NID_ffdhe6144;
++                  break;
++                case 4096:
++                  param_nid = NID_ffdhe4096;
++                  break;
++                case 3072:
++                  param_nid = NID_ffdhe3072;
++                  break;
++                default:
++                  param_nid = NID_ffdhe2048;
++                  break;
++                }
++                dh = DH_new_by_nid(param_nid);
++            } else
++#endif /* OPENSSL_FIPS */
++            {
++                dh = DH_new();
++                BIO_printf(bio_err,
++                           "Generating DH parameters, %d bit long safe prime, generator %d\n",
++                           num, g);
++                BIO_printf(bio_err, "This is going to take a long time\n");
++                if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
++                    BN_GENCB_free(cb);
++                    ERR_print_errors(bio_err);
++                    goto end;
++                }
+             }
+         }
+ 
+Index: openssl-1.1.1l/crypto/dh/dh_pmeth.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/dh/dh_pmeth.c
++++ openssl-1.1.1l/crypto/dh/dh_pmeth.c
+@@ -330,6 +330,30 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX
+     DH_PKEY_CTX *dctx = ctx->data;
+     BN_GENCB *pcb;
+     int ret;
++
++#ifdef OPENSSL_FIPS
++    /* In FIPS mode we default to an appropriate group. */
++    if (FIPS_mode() && (!(dctx->rfc5114_param)) && (dctx->param_nid == 0)) {
++        switch (dctx->prime_len) {
++        case 8192:
++            dctx->param_nid = NID_ffdhe8192;
++            break;
++        case 6144:
++            dctx->param_nid = NID_ffdhe6144;
++            break;
++        case 4096:
++            dctx->param_nid = NID_ffdhe4096;
++            break;
++        case 3072:
++            dctx->param_nid = NID_ffdhe3072;
++            break;
++        default:
++            dctx->param_nid = NID_ffdhe2048;
++            break;
++        }
++    }
++#endif /* OPENSSL_FIPS */
++
+     if (dctx->rfc5114_param) {
+         switch (dctx->rfc5114_param) {
+         case 1:
diff --git a/openssl-1_1-FIPS-fix-error-reason-codes.patch b/openssl-1_1-FIPS-fix-error-reason-codes.patch
new file mode 100644
index 0000000..bdb2d59
--- /dev/null
+++ b/openssl-1_1-FIPS-fix-error-reason-codes.patch
@@ -0,0 +1,38 @@
+Index: openssl-1.1.1l/crypto/err/err_all.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/err/err_all.c
++++ openssl-1.1.1l/crypto/err/err_all.c
+@@ -38,6 +38,7 @@
+ #include <openssl/asyncerr.h>
+ #include <openssl/kdferr.h>
+ #include <openssl/storeerr.h>
++#include <openssl/fips.h>
+ 
+ int err_load_crypto_strings_int(void)
+ {
+@@ -92,10 +93,11 @@ int err_load_crypto_strings_int(void)
+         ERR_load_CT_strings() == 0 ||
+ # endif
+         ERR_load_ASYNC_strings() == 0 ||
+-#endif
+         ERR_load_KDF_strings() == 0 ||
+-        ERR_load_OSSL_STORE_strings() == 0)
++        ERR_load_OSSL_STORE_strings() == 0 ||
++        ERR_load_FIPS_strings() == 0)
+         return 0;
++#endif
+ 
+     return 1;
+ }
+Index: openssl-1.1.1l/crypto/err/openssl.ec
+===================================================================
+--- openssl-1.1.1l.orig/crypto/err/openssl.ec
++++ openssl-1.1.1l/crypto/err/openssl.ec
+@@ -34,6 +34,7 @@ L ASYNC         include/openssl/async.h
+ L KDF           include/openssl/kdf.h           crypto/kdf/kdf_err.c
+ L SM2           include/crypto/sm2.h            crypto/sm2/sm2_err.c
+ L OSSL_STORE    include/openssl/store.h         crypto/store/store_err.c
++L FIPS          include/crypto/fips.h           crypto/fips/fips_ers.c
+ 
+ # additional header files to be scanned for function names
+ L NONE          include/openssl/x509_vfy.h      NONE
diff --git a/openssl-1_1-FIPS_drbg-rewire.patch b/openssl-1_1-FIPS_drbg-rewire.patch
new file mode 100644
index 0000000..48c3ff6
--- /dev/null
+++ b/openssl-1_1-FIPS_drbg-rewire.patch
@@ -0,0 +1,182 @@
+Index: openssl-1.1.1l/crypto/fips/fips_drbg_lib.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_lib.c
++++ openssl-1.1.1l/crypto/fips/fips_drbg_lib.c
+@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx,
+ int FIPS_drbg_reseed(DRBG_CTX *dctx,
+                      const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)adinlen;
++
++    if (len < 0 || (size_t)len != adinlen) {
++        FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG);
++        return 0;
++    }
++    RAND_seed(adin, len);
++    return 1;
++}
++
++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx,
++                     const unsigned char *adin, size_t adinlen)
++{
+     return drbg_reseed(dctx, adin, adinlen, 1);
+ }
+ 
+@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u
+                        int prediction_resistance,
+                        const unsigned char *adin, size_t adinlen)
+ {
++    int len = (int)outlen;
++
++    if (len < 0 || (size_t)len != outlen) {
++        FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG);
++        return 0;
++    }
++    return RAND_bytes(out, len);
++}
++
++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
++                       int prediction_resistance,
++                       const unsigned char *adin, size_t adinlen)
++{
+     int r = 0;
+ 
+     if (FIPS_selftest_failed()) {
+Index: openssl-1.1.1l/crypto/fips/fips_drbg_rand.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_rand.c
++++ openssl-1.1.1l/crypto/fips/fips_drbg_rand.c
+@@ -57,6 +57,8 @@
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ 
+Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c
++++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c
+@@ -55,6 +55,8 @@
+ #include <openssl/crypto.h>
+ #include <openssl/err.h>
+ #include <openssl/fips.h>
++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal
++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal
+ #include <openssl/fips_rand.h>
+ #include "fips_rand_lcl.h"
+ #include "fips_locl.h"
+Index: openssl-1.1.1l/crypto/fips/fips_rand_lib.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_rand_lib.c
++++ openssl-1.1.1l/crypto/fips/fips_rand_lib.c
+@@ -120,6 +120,7 @@ void FIPS_rand_reset(void)
+ 
+ int FIPS_rand_seed(const void *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int
+     if (fips_rand_meth && fips_rand_meth->seed)
+         fips_rand_meth->seed(buf, num);
+     return 1;
++#else
++    RAND_seed(buf, num);
++    return 1;
++#endif
+ }
+ 
+ int FIPS_rand_bytes(unsigned char *buf, int num)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf,
+     if (fips_rand_meth && fips_rand_meth->bytes)
+         return fips_rand_meth->bytes(buf, num);
+     return 0;
++#else
++    return RAND_bytes(buf, num);
++#endif
+ }
+ 
+ int FIPS_rand_status(void)
+ {
++#if 0
+     if (!fips_approved_rand_meth && FIPS_module_mode()) {
+         FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
+         return 0;
+@@ -149,6 +159,9 @@ int FIPS_rand_status(void)
+     if (fips_rand_meth && fips_rand_meth->status)
+         return fips_rand_meth->status();
+     return 0;
++#else
++    return RAND_status();
++#endif
+ }
+ 
+ /* Return instantiated strength of PRNG. For DRBG this is an internal
+Index: openssl-1.1.1l/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1l.orig/include/openssl/fips.h
++++ openssl-1.1.1l/include/openssl/fips.h
+@@ -64,6 +64,11 @@ extern "C" {
+ 
+     int FIPS_selftest(void);
+     int FIPS_selftest_failed(void);
++
++    /*
++     * This function is deprecated as it performs selftest of the old FIPS drbg
++     * implementation that is not validated.
++     */
+     int FIPS_selftest_drbg_all(void);
+     void NONFIPS_selftest_check(void);
+ 
+Index: openssl-1.1.1l/include/openssl/fips_rand.h
+===================================================================
+--- openssl-1.1.1l.orig/include/openssl/fips_rand.h
++++ openssl-1.1.1l/include/openssl/fips_rand.h
+@@ -60,6 +60,20 @@
+ #  ifdef  __cplusplus
+ extern "C" {
+ #  endif
++
++/*
++ * IMPORTANT NOTE:
++ * All functions in this header file are deprecated and should not be used
++ * as they use the old FIPS_drbg implementation that is not FIPS validated
++ * anymore.
++ * To provide backwards compatibility for applications that need FIPS compliant
++ * RNG number generation and use FIPS_drbg_generate, this function was
++ * re-wired to call the FIPS validated DRBG instance instead through
++ * the RAND_bytes() call.
++ *
++ * All these functions will be removed in future.
++ */
++
+     typedef struct drbg_ctx_st DRBG_CTX;
+ /* DRBG external flags */
+ /* Flag for CTR mode only: use derivation function ctr_df */
+Index: openssl-1.1.1l/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1l/crypto/fips/fips_post.c
+@@ -72,8 +72,13 @@
+ int FIPS_selftest(void)
+ {
+     int rv = 1;
++#if 0
++    /* This selftest is deprecated as it uses the old FIPS_drbg
++     * implementation that is not FIPS validated.
++     */
+     if (!FIPS_selftest_drbg_all())
+         rv = 0;
++#endif
+     if (!FIPS_selftest_sha1())
+         rv = 0;
+     if (!FIPS_selftest_sha2())
diff --git a/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch b/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
new file mode 100644
index 0000000..8f67f62
--- /dev/null
+++ b/openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
@@ -0,0 +1,208 @@
+From 9ab6b64ac856157a31a54c0d12207c2338bfa8e2 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 9 Sep 2022 14:46:24 +0200
+Subject: [PATCH] Fix AES-GCM on Power 8 CPUs
+
+Properly fallback to the default implementation on CPUs
+missing necessary instructions.
+
+Fixes #19163
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19182)
+---
+ crypto/evp/e_aes.c |  146 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 74 insertions(+), 72 deletions(-)
+
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -181,30 +181,16 @@ static void ctr64_inc(unsigned char *cou
+ # define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
+ # define AES_GCM_ENC_BYTES 128
+ # define AES_GCM_DEC_BYTES 128
+-# if PPC_AES_GCM_CAPABLE
+ size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const void *key, unsigned char ivec[16],
+                            u64 *Xi);
+ size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out,
+                            size_t len, const void *key, unsigned char ivec[16],
+                            u64 *Xi);
+-size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out,
+-                                size_t len, const void *key,
+-                                unsigned char ivec[16], u64 *Xi);
+-size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out,
+-                                size_t len, const void *key,
+-                                unsigned char ivec[16], u64 *Xi);
+-#  define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap
+-#  define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap
+-#  define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
+-                             (gctx)->gcm.ghash==gcm_ghash_p8)
++# define AES_GCM_ASM_PPC(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
++                                (gctx)->gcm.ghash==gcm_ghash_p8)
+ void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
+ 
+-extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
+-                                  const void *key, unsigned char ivec[16], u64 *Xi);
+-extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
+-                                  const void *key, unsigned char ivec[16], u64 *Xi);
+-
+ static inline u32 UTO32(unsigned char *buf)
+ {
+     return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]);
+@@ -223,62 +209,6 @@ static inline u32 add32TOU(unsigned char
+     return r;
+ }
+ 
+-static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len,
+-                                const void *key, unsigned char ivec[16], u64 *Xi, int encrypt)
+-{
+-    int s = 0;
+-    int ndone = 0;
+-    int ctr_reset = 0;
+-    u64 blocks_unused;
+-    u64 nb = len / 16;
+-    u64 next_ctr = 0;
+-    unsigned char ctr_saved[12];
+-
+-    memcpy(ctr_saved, ivec, 12);
+-
+-    while (nb) {
+-        blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12);
+-        if (nb > blocks_unused) {
+-            len = blocks_unused * 16;
+-            nb -= blocks_unused;
+-            next_ctr = blocks_unused;
+-            ctr_reset = 1;
+-        } else {
+-            len = nb * 16;
+-            next_ctr = nb;
+-            nb = 0;
+-        }
+-
+-        s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi)
+-                    : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi);
+-
+-        /* add counter to ivec */
+-        add32TOU(ivec + 12, (u32) next_ctr);
+-        if (ctr_reset) {
+-            ctr_reset = 0;
+-            in += len;
+-            out += len;
+-        }
+-        memcpy(ivec, ctr_saved, 12);
+-        ndone += s;
+-    }
+-
+-    return ndone;
+-}
+-
+-size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
+-                                const void *key, unsigned char ivec[16], u64 *Xi)
+-{
+-    return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1);
+-}
+-
+-size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
+-                                const void *key, unsigned char ivec[16], u64 *Xi)
+-{
+-    return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0);
+-}
+-
+-# endif
+ #endif
+ 
+ #if     defined(OPENSSL_CPUID_OBJ) &&                   (  \
+@@ -3294,6 +3224,51 @@ static int aes_gcm_tls_cipher(EVP_CIPHER
+     return rv;
+ }
+ 
++#if defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
++static size_t ppc_aes_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len,
++                                const void *key, unsigned char ivec[16], u64 *Xi, int encrypt)
++{
++    int s = 0;
++    int ndone = 0;
++    int ctr_reset = 0;
++    u64 blocks_unused;
++    u64 nb = len / 16;
++    u64 next_ctr = 0;
++    unsigned char ctr_saved[12];
++
++    memcpy(ctr_saved, ivec, 12);
++
++    while (nb) {
++        blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12);
++        if (nb > blocks_unused) {
++            len = blocks_unused * 16;
++            nb -= blocks_unused;
++            next_ctr = blocks_unused;
++            ctr_reset = 1;
++        } else {
++            len = nb * 16;
++            next_ctr = nb;
++            nb = 0;
++        }
++
++        s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi)
++                    : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi);
++
++        /* add counter to ivec */
++        add32TOU(ivec + 12, (u32) next_ctr);
++        if (ctr_reset) {
++            ctr_reset = 0;
++            in += len;
++            out += len;
++        }
++        memcpy(ivec, ctr_saved, 12);
++        ndone += s;
++    }
++
++    return ndone;
++}
++#endif
++
+ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+                           const unsigned char *in, size_t len)
+ {
+@@ -3325,6 +3300,20 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+                                            out + res, len - res,
+                                            gctx->gcm.key, gctx->gcm.Yi.c,
+                                            gctx->gcm.Xi.u);
++
++                    gctx->gcm.len.u[1] += bulk;
++                    bulk += res;
++                }
++#elif defined(AES_GCM_ASM_PPC) && defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
++                if (PPC_AES_GCM_CAPABLE && len >= AES_GCM_ENC_BYTES && AES_GCM_ASM_PPC(gctx)) {
++                    size_t res = (16 - gctx->gcm.mres) % 16;
++
++                    if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, res))
++                        return -1;
++
++                    bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res,
++                                             gctx->gcm.key,
++                                             gctx->gcm.Yi.c, gctx->gcm.Xi.u, 1);
+                     gctx->gcm.len.u[1] += bulk;
+                     bulk += res;
+                 }
+@@ -3372,6 +3361,19 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX
+                     gctx->gcm.len.u[1] += bulk;
+                     bulk += res;
+                 }
++#elif defined(AES_GCM_ASM_PPC) && defined(OPENSSL_CPUID_OBJ) && (defined(__powerpc__) || defined(__ppc__) || defined(_ARCH_PPC))
++                if (PPC_AES_GCM_CAPABLE && len >= AES_GCM_DEC_BYTES && AES_GCM_ASM_PPC(gctx)) {
++                    size_t res = (16 - gctx->gcm.mres) % 16;
++
++                    if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, res))
++                        return -1;
++
++                    bulk = ppc_aes_gcm_crypt(in + res, out + res, len - res,
++                                             gctx->gcm.key,
++                                             gctx->gcm.Yi.c, gctx->gcm.Xi.u, 0);
++                    gctx->gcm.len.u[1] += bulk;
++                    bulk += res;
++                }
+ #endif
+                 if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
+                                                 in + bulk,
diff --git a/openssl-1_1-Fix-file-operations-in-c_rehash.patch b/openssl-1_1-Fix-file-operations-in-c_rehash.patch
new file mode 100644
index 0000000..e582a80
--- /dev/null
+++ b/openssl-1_1-Fix-file-operations-in-c_rehash.patch
@@ -0,0 +1,242 @@
+@@ -, +, @@ 
+---
+ tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
+ 1 file changed, 107 insertions(+), 109 deletions(-)
+--- a/tools/c_rehash.in	
++++ a/tools/c_rehash.in	
+@@ -104,52 +104,76 @@ foreach (@dirlist) {
+ }
+ exit($errorcount);
+ 
++sub copy_file {
++    my ($src_fname, $dst_fname) = @_;
++
++    if (open(my $in, "<", $src_fname)) {
++        if (open(my $out, ">", $dst_fname)) {
++            print $out $_ while (<$in>);
++            close $out;
++        } else {
++            warn "Cannot open $dst_fname for write, $!";
++        }
++        close $in;
++    } else {
++        warn "Cannot open $src_fname for read, $!";
++    }
++}
++
+ sub hash_dir {
+-	my %hashlist;
+-	print "Doing $_[0]\n";
+-	chdir $_[0];
+-	opendir(DIR, ".");
+-	my @flist = sort readdir(DIR);
+-	closedir DIR;
+-	if ( $removelinks ) {
+-		# Delete any existing symbolic links
+-		foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
+-			if (-l $_) {
+-				print "unlink $_" if $verbose;
+-				unlink $_ || warn "Can't unlink $_, $!\n";
+-			}
+-		}
+-	}
+-	FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
+-		# Check to see if certificates and/or CRLs present.
+-		my ($cert, $crl) = check_file($fname);
+-		if (!$cert && !$crl) {
+-			print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
+-			next;
+-		}
+-		link_hash_cert($fname) if ($cert);
+-		link_hash_crl($fname) if ($crl);
+-	}
++    my $dir = shift;
++    my %hashlist;
++
++    print "Doing $dir\n";
++
++    if (!chdir $dir) {
++        print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
++        return;
++    }
++
++    opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
++    my @flist = sort readdir(DIR);
++    closedir DIR;
++    if ( $removelinks ) {
++        # Delete any existing symbolic links
++        foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
++            if (-l $_) {
++                print "unlink $_\n" if $verbose;
++                unlink $_ || warn "Can't unlink $_, $!\n";
++            }
++        }
++    }
++    FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
++        # Check to see if certificates and/or CRLs present.
++        my ($cert, $crl) = check_file($fname);
++        if (!$cert && !$crl) {
++            print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
++            next;
++        }
++        link_hash_cert($fname) if ($cert);
++        link_hash_crl($fname) if ($crl);
++    }
+ }
+ 
+ sub check_file {
+-	my ($is_cert, $is_crl) = (0,0);
+-	my $fname = $_[0];
+-	open IN, $fname;
+-	while(<IN>) {
+-		if (/^-----BEGIN (.*)-----/) {
+-			my $hdr = $1;
+-			if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
+-				$is_cert = 1;
+-				last if ($is_crl);
+-			} elsif ($hdr eq "X509 CRL") {
+-				$is_crl = 1;
+-				last if ($is_cert);
+-			}
+-		}
+-	}
+-	close IN;
+-	return ($is_cert, $is_crl);
++    my ($is_cert, $is_crl) = (0,0);
++    my $fname = $_[0];
++
++    open(my $in, "<", $fname);
++    while(<$in>) {
++        if (/^-----BEGIN (.*)-----/) {
++            my $hdr = $1;
++            if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
++                $is_cert = 1;
++                last if ($is_crl);
++            } elsif ($hdr eq "X509 CRL") {
++                $is_crl = 1;
++                last if ($is_cert);
++            }
++        }
++    }
++    close $in;
++    return ($is_cert, $is_crl);
+ }
+ 
+ sub compute_hash {
+@@ -177,76 +203,48 @@ sub compute_hash {
+ # certificate fingerprints
+ 
+ sub link_hash_cert {
+-		my $fname = $_[0];
+-		my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+-						   "-fingerprint", "-noout",
+-						   "-in", $fname);
+-		chomp $hash;
+-		chomp $fprint;
+-		return if !$hash;
+-		$fprint =~ s/^.*=//;
+-		$fprint =~ tr/://d;
+-		my $suffix = 0;
+-		# Search for an unused hash filename
+-		while(exists $hashlist{"$hash.$suffix"}) {
+-			# Hash matches: if fingerprint matches its a duplicate cert
+-			if ($hashlist{"$hash.$suffix"} eq $fprint) {
+-				print STDERR "WARNING: Skipping duplicate certificate $fname\n";
+-				return;
+-			}
+-			$suffix++;
+-		}
+-		$hash .= ".$suffix";
+-		if ($symlink_exists) {
+-			print "link $fname -> $hash\n" if $verbose;
+-			symlink $fname, $hash || warn "Can't symlink, $!";
+-		} else {
+-			print "copy $fname -> $hash\n" if $verbose;
+-                        if (open($in, "<", $fname)) {
+-                            if (open($out,">", $hash)) {
+-                                print $out $_ while (<$in>);
+-                                close $out;
+-                            } else {
+-                                warn "can't open $hash for write, $!";
+-                            }
+-                            close $in;
+-                        } else {
+-                            warn "can't open $fname for read, $!";
+-                        }
+-		}
+-		$hashlist{$hash} = $fprint;
++    link_hash($_[0], 'cert');
+ }
+ 
+ # Same as above except for a CRL. CRL links are of the form <hash>.r<n>
+ 
+ sub link_hash_crl {
+-		my $fname = $_[0];
+-		my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+-						   "-fingerprint", "-noout",
+-						   "-in", $fname);
+-		chomp $hash;
+-		chomp $fprint;
+-		return if !$hash;
+-		$fprint =~ s/^.*=//;
+-		$fprint =~ tr/://d;
+-		my $suffix = 0;
+-		# Search for an unused hash filename
+-		while(exists $hashlist{"$hash.r$suffix"}) {
+-			# Hash matches: if fingerprint matches its a duplicate cert
+-			if ($hashlist{"$hash.r$suffix"} eq $fprint) {
+-				print STDERR "WARNING: Skipping duplicate CRL $fname\n";
+-				return;
+-			}
+-			$suffix++;
+-		}
+-		$hash .= ".r$suffix";
+-		if ($symlink_exists) {
+-			print "link $fname -> $hash\n" if $verbose;
+-			symlink $fname, $hash || warn "Can't symlink, $!";
+-		} else {
+-			print "cp $fname -> $hash\n" if $verbose;
+-			system ("cp", $fname, $hash);
+-                        warn "Can't copy, $!" if ($? >> 8) != 0;
+-		}
+-		$hashlist{$hash} = $fprint;
++    link_hash($_[0], 'crl');
++}
++
++sub link_hash {
++    my ($fname, $type) = @_;
++    my $is_cert = $type eq 'cert';
++
++    my ($hash, $fprint) = compute_hash($openssl,
++                                       $is_cert ? "x509" : "crl",
++                                       $is_cert ? $x509hash : $crlhash,
++                                       "-fingerprint", "-noout",
++                                       "-in", $fname);
++    chomp $hash;
++    chomp $fprint;
++    return if !$hash;
++    $fprint =~ s/^.*=//;
++    $fprint =~ tr/://d;
++    my $suffix = 0;
++    # Search for an unused hash filename
++    my $crlmark = $is_cert ? "" : "r";
++    while(exists $hashlist{"$hash.$crlmark$suffix"}) {
++        # Hash matches: if fingerprint matches its a duplicate cert
++        if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
++            my $what = $is_cert ? 'certificate' : 'CRL';
++            print STDERR "WARNING: Skipping duplicate $what $fname\n";
++            return;
++        }
++        $suffix++;
++    }
++    $hash .= ".$crlmark$suffix";
++    if ($symlink_exists) {
++        print "link $fname -> $hash\n" if $verbose;
++        symlink $fname, $hash || warn "Can't symlink, $!";
++    } else {
++        print "copy $fname -> $hash\n" if $verbose;
++        copy_file($fname, $hash);
++    }
++    $hashlist{$hash} = $fprint;
+ }
+--
diff --git a/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch b/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
new file mode 100644
index 0000000..e6fe83e
--- /dev/null
+++ b/openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
@@ -0,0 +1,103 @@
+From 7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa Mon Sep 17 00:00:00 2001
+From: Danny Tsen <dtsen@us.ibm.com>
+Date: Wed, 23 Feb 2022 13:18:35 -0600
+Subject: [PATCH] Fixed conditional statement testing 64 and 256 bytes
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17760)
+---
+ crypto/chacha/asm/chachap10-ppc.pl |   68 -------------------------------------
+ 1 file changed, 1 insertion(+), 67 deletions(-)
+
+--- a/crypto/chacha/asm/chachap10-ppc.pl
++++ b/crypto/chacha/asm/chachap10-ppc.pl
+@@ -101,29 +101,6 @@ my ($x00,$x10,$x20,$x30) = (0, map("r$_"
+ 
+ my $FRAME=$LOCALS+64+7*16;	# 7*16 is for v26-v31 offload
+ 
+-sub VSX_lane_ROUND_1x {
+-my $a=@_[0];
+-my $b=@_[1];
+-my $c=@_[2];
+-my $d=@_[3];
+-my $odd=@_[4];
+-	vadduwm		($a,$a,$b);
+-	vxor		($d,$d,$a);
+-	vrlw		($d,$d,$sixteen);
+-	vadduwm		($c,$c,$d);
+-	vxor		($b,$b,$c);
+-	vrlw		($b,$b,$twelve);
+-	vadduwm		($a,$a,$b);
+-	vxor		($d,$d,$a);
+-	vrlw		($d,$d,$eight);
+-	vadduwm		($c,$c,$d);
+-	vxor		($b,$b,$c);
+-	vrlw		($b,$b,$seven);
+-	xxsldwi		($c,$c,$c,2);
+-	xxsldwi		($b,$b,$b,$odd?3:1);
+-	xxsldwi		($d,$d,$d,$odd?1:3);
+-}
+-
+ 
+ sub VSX_lane_ROUND_4x {
+ my ($a0,$b0,$c0,$d0)=@_;
+@@ -192,7 +169,7 @@ $code.=<<___;
+ .globl	.ChaCha20_ctr32_vsx_p10
+ .align	5
+ .ChaCha20_ctr32_vsx_p10:
+-	${UCMP}i $len,256
++	${UCMP}i $len,255
+ 	bgt 	ChaCha20_ctr32_vsx_8x
+ 	$STU	$sp,-$FRAME($sp)
+ 	mflr	r0
+@@ -268,49 +245,6 @@ Loop_outer_vsx:
+ 	vspltisw $eight,8
+ 	vspltisw $seven,7
+ 
+-	${UCMP}i $len,64
+-	bgt 	Loop_vsx_4x
+-
+-	vmr	$xa0,@K[0]
+-	vmr	$xb0,@K[1]
+-	vmr	$xc0,@K[2]
+-	vmr 	$xd0,@K[3]
+-
+-Loop_vsx_1x:
+-___
+-	VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,0);
+-	VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,1);
+-
+-$code.=<<___;
+-
+-	bdnz	Loop_vsx_1x
+-
+-	vadduwm $xa0, $xa0, @K[0]
+-	vadduwm $xb0, $xb0, @K[1]
+-	vadduwm $xc0, $xc0, @K[2]
+-	vadduwm $xd0, $xd0, @K[3]
+-	${UCMP}i $len,0x40
+-	blt	Ltail_vsx
+-
+-	lvx_4w  $xt0,$x00, $inp
+-	lvx_4w  $xt1,$x10, $inp
+-	lvx_4w  $xt2,$x20, $inp
+-	lvx_4w  $xt3,$x30, $inp
+-
+-	vxor	$xa0,$xa0,$xt0
+-	vxor	$xb0,$xb0,$xt1
+-	vxor	$xc0,$xc0,$xt2
+-	vxor	$xd0,$xd0,$xt3
+-
+-	stvx_4w	$xa0,$x00,$out
+-	stvx_4w	$xb0,$x10,$out
+-	addi	$inp,$inp,0x40
+-	stvx_4w	$xc0,$x20,$out
+-	subi	$len,$len,0x40
+-	stvx_4w	$xd0,$x30,$out
+-	addi	$out,$out,0x40
+-	beq	Ldone_vsx
+-
+ Loop_vsx_4x:
+ ___
+ 	foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; }
diff --git a/openssl-1_1-Fixed-counter-overflow.patch b/openssl-1_1-Fixed-counter-overflow.patch
new file mode 100644
index 0000000..082de5a
--- /dev/null
+++ b/openssl-1_1-Fixed-counter-overflow.patch
@@ -0,0 +1,136 @@
+From 345c99b6654b8313c792d54f829943068911ddbd Mon Sep 17 00:00:00 2001
+From: Danny Tsen <dtsen@us.ibm.com>
+Date: Thu, 27 Jan 2022 18:49:59 -0600
+Subject: [PATCH] Fixed counter overflow
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/17607)
+---
+ crypto/evp/e_aes.c              |  101 +++++++++++++++++++++++++++++++++++++---
+ crypto/modes/asm/aes-gcm-ppc.pl |    1 
+ 2 files changed, 94 insertions(+), 8 deletions(-)
+
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -181,16 +181,103 @@ static void ctr64_inc(unsigned char *cou
+ # define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
+ # define AES_GCM_ENC_BYTES 128
+ # define AES_GCM_DEC_BYTES 128
+-size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
+-                         const void *key, unsigned char ivec[16], u64 *Xi);
+-size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
+-                         const void *key, unsigned char ivec[16], u64 *Xi);
+-void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
+ # if PPC_AES_GCM_CAPABLE
+-#  define AES_gcm_encrypt ppc_aes_gcm_encrypt
+-#  define AES_gcm_decrypt ppc_aes_gcm_decrypt
++size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out,
++                           size_t len, const void *key, unsigned char ivec[16],
++                           u64 *Xi);
++size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out,
++                           size_t len, const void *key, unsigned char ivec[16],
++                           u64 *Xi);
++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out,
++                                size_t len, const void *key,
++                                unsigned char ivec[16], u64 *Xi);
++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out,
++                                size_t len, const void *key,
++                                unsigned char ivec[16], u64 *Xi);
++#  define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap
++#  define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap
+ #  define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
+                              (gctx)->gcm.ghash==gcm_ghash_p8)
++void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
++
++extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
++                                  const void *key, unsigned char ivec[16], u64 *Xi);
++extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
++                                  const void *key, unsigned char ivec[16], u64 *Xi);
++
++static inline u32 UTO32(unsigned char *buf)
++{
++    return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]);
++}
++
++static inline u32 add32TOU(unsigned char buf[4], u32 n)
++{
++    u32 r;
++
++    r = UTO32(buf);
++    r += n;
++    buf[0] = (unsigned char) (r >> 24) & 0xFF;
++    buf[1] = (unsigned char) (r >> 16) & 0xFF;
++    buf[2] = (unsigned char) (r >> 8) & 0xFF;
++    buf[3] = (unsigned char) r & 0xFF;
++    return r;
++}
++
++static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len,
++                                const void *key, unsigned char ivec[16], u64 *Xi, int encrypt)
++{
++    int s = 0;
++    int ndone = 0;
++    int ctr_reset = 0;
++    u64 blocks_unused;
++    u64 nb = len / 16;
++    u64 next_ctr = 0;
++    unsigned char ctr_saved[12];
++
++    memcpy(ctr_saved, ivec, 12);
++
++    while (nb) {
++        blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12);
++        if (nb > blocks_unused) {
++            len = blocks_unused * 16;
++            nb -= blocks_unused;
++            next_ctr = blocks_unused;
++            ctr_reset = 1;
++        } else {
++            len = nb * 16;
++            next_ctr = nb;
++            nb = 0;
++        }
++
++        s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi)
++                    : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi);
++
++        /* add counter to ivec */
++        add32TOU(ivec + 12, (u32) next_ctr);
++        if (ctr_reset) {
++            ctr_reset = 0;
++            in += len;
++            out += len;
++        }
++        memcpy(ivec, ctr_saved, 12);
++        ndone += s;
++    }
++
++    return ndone;
++}
++
++size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
++                                const void *key, unsigned char ivec[16], u64 *Xi)
++{
++    return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1);
++}
++
++size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
++                                const void *key, unsigned char ivec[16], u64 *Xi)
++{
++    return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0);
++}
++
+ # endif
+ #endif
+ 
+--- a/crypto/modes/asm/aes-gcm-ppc.pl
++++ b/crypto/modes/asm/aes-gcm-ppc.pl
+@@ -81,7 +81,6 @@ open STDOUT,"| $^X $xlate $flavour \"$ou
+ 
+ $code=<<___;
+ .machine        "any"
+-.abiversion     2
+ .text
+ 
+ # 4x loops
diff --git a/openssl-1_1-Optimize-AES-GCM-uarchs.patch b/openssl-1_1-Optimize-AES-GCM-uarchs.patch
new file mode 100644
index 0000000..a1e3ba5
--- /dev/null
+++ b/openssl-1_1-Optimize-AES-GCM-uarchs.patch
@@ -0,0 +1,7739 @@
+From 954f45ba4c504570206ff5bed811e512cf92dc8e Mon Sep 17 00:00:00 2001
+From: XiaokangQian <xiaokang.qian@arm.com>
+Date: Wed, 9 Jun 2021 06:35:46 +0000
+Subject: [PATCH] Optimize AES-GCM for uarchs with unroll and new instructions
+
+Increase the block numbers to 8 for every iteration.  Increase the hash
+table capacity.  Make use of EOR3 instruction to improve the performance.
+
+This can improve performance 25-40% on out-of-order microarchitectures
+with a large number of fast execution units, such as Neoverse V1.  We also
+see 20-30% performance improvements on other architectures such as the M1.
+
+Assembly code reviewd by Tom Cosgrove (ARM).
+
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/15916)
+---
+ crypto/arm64cpuid.pl                          |    8 +
+ crypto/arm_arch.h                             |    6 +
+ crypto/armcap.c                               |   24 +-
+ crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl  | 7369 +++++++++++++++++
+ crypto/modes/asm/ghashv8-armx.pl              |  105 +-
+ crypto/modes/build.info                       |    4 +-
+ include/crypto/aes_platform.h                 |   12 +
+ .../ciphers/cipher_aes_gcm_hw_armv8.inc       |   36 +-
+ 8 files changed, 7546 insertions(+), 18 deletions(-)
+ create mode 100644 crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
+
+Index: openssl-1.1.1l/crypto/arm64cpuid.pl
+===================================================================
+--- openssl-1.1.1l.orig/crypto/arm64cpuid.pl
++++ openssl-1.1.1l/crypto/arm64cpuid.pl
+@@ -78,6 +78,14 @@ _armv8_sha512_probe:
+ 	ret
+ .size	_armv8_sha512_probe,.-_armv8_sha512_probe
+ 
++.globl	_armv8_eor3_probe
++.type	_armv8_eor3_probe,%function
++_armv8_eor3_probe:
++	AARCH64_VALID_CALL_TARGET
++	.long	0xce010800	// eor3	v0.16b, v0.16b, v1.16b, v2.16b
++	ret
++.size	_armv8_eor3_probe,.-_armv8_eor3_probe
++
+ .globl	_armv8_cpuid_probe
+ .type	_armv8_cpuid_probe,%function
+ _armv8_cpuid_probe:
+Index: openssl-1.1.1l/crypto/arm_arch.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/arm_arch.h
++++ openssl-1.1.1l/crypto/arm_arch.h
+@@ -83,6 +83,9 @@ extern unsigned int OPENSSL_arm_midr;
+ # define ARMV8_SHA512    (1<<6)
+ # define ARMV8_CPUID     (1<<7)
+ 
++# define ARMV8_SHA3      (1<<11)
++# define ARMV8_UNROLL8_EOR3      (1<<12)
++
+ /*
+  * MIDR_EL1 system register
+  *
+@@ -97,6 +100,7 @@ extern unsigned int OPENSSL_arm_midr;
+ 
+ # define ARM_CPU_PART_CORTEX_A72   0xD08
+ # define ARM_CPU_PART_N1           0xD0C
++# define ARM_CPU_PART_V1           0xD40
+ 
+ # define MIDR_PARTNUM_SHIFT       4
+ # define MIDR_PARTNUM_MASK        (0xfff << MIDR_PARTNUM_SHIFT)
+@@ -125,4 +129,29 @@ extern unsigned int OPENSSL_arm_midr;
+ 
+ # define MIDR_IS_CPU_MODEL(midr, imp, partnum) \
+            (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum))
++
++# define IS_CPU_SUPPORT_UNROLL8_EOR3() \
++           (OPENSSL_armcap_P & ARMV8_UNROLL8_EOR3)
++
++#if defined(__ASSEMBLER__)
++
++   /*
++    * Support macros for
++    *   - Armv8.3-A Pointer Authentication and
++    *   - Armv8.5-A Branch Target Identification
++    * features which require emitting a .note.gnu.property section with the
++    * appropriate architecture-dependent feature bits set.
++    * Read more: "ELF for the Arm® 64-bit Architecture"
++    */
++
++#  if defined(__ARM_FEATURE_BTI_DEFAULT) && __ARM_FEATURE_BTI_DEFAULT == 1
++#   define GNU_PROPERTY_AARCH64_BTI (1 << 0)   /* Has Branch Target Identification */
++#   define AARCH64_VALID_CALL_TARGET hint #34  /* BTI 'c' */
++#  else
++#   define GNU_PROPERTY_AARCH64_BTI 0  /* No Branch Target Identification */
++#   define AARCH64_VALID_CALL_TARGET
++#  endif
++
++# endif  /* defined __ASSEMBLER__ */
++
+ #endif
+Index: openssl-1.1.1l/crypto/armcap.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/armcap.c
++++ openssl-1.1.1l/crypto/armcap.c
+@@ -13,6 +13,9 @@
+ #include <setjmp.h>
+ #include <signal.h>
+ #include <openssl/crypto.h>
++#ifdef __APPLE__
++#include <sys/sysctl.h>
++#endif
+ #include "internal/cryptlib.h"
+ 
+ #include "arm_arch.h"
+@@ -109,20 +112,23 @@ static unsigned long getauxval(unsigned
+  * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas
+  * AArch64 used AT_HWCAP.
+  */
++# ifndef AT_HWCAP
++#  define AT_HWCAP               16
++# endif
++# ifndef AT_HWCAP2
++#  define AT_HWCAP2              26
++# endif
+ # if defined(__arm__) || defined (__arm)
+-#  define HWCAP                  16
+-                                  /* AT_HWCAP */
++#  define HWCAP                  AT_HWCAP
+ #  define HWCAP_NEON             (1 << 12)
+ 
+-#  define HWCAP_CE               26
+-                                  /* AT_HWCAP2 */
++#  define HWCAP_CE               AT_HWCAP2
+ #  define HWCAP_CE_AES           (1 << 0)
+ #  define HWCAP_CE_PMULL         (1 << 1)
+ #  define HWCAP_CE_SHA1          (1 << 2)
+ #  define HWCAP_CE_SHA256        (1 << 3)
+ # elif defined(__aarch64__)
+-#  define HWCAP                  16
+-                                  /* AT_HWCAP */
++#  define HWCAP                  AT_HWCAP
+ #  define HWCAP_NEON             (1 << 1)
+ 
+ #  define HWCAP_CE               HWCAP
+@@ -131,6 +137,7 @@ static unsigned long getauxval(unsigned
+ #  define HWCAP_CE_SHA1          (1 << 5)
+ #  define HWCAP_CE_SHA256        (1 << 6)
+ #  define HWCAP_CPUID            (1 << 11)
++#  define HWCAP_SHA3             (1 << 17)
+ #  define HWCAP_CE_SHA512        (1 << 21)
+ # endif
+ 
+@@ -145,12 +152,15 @@ void OPENSSL_cpuid_setup(void)
+         return;
+     trigger = 1;
+ 
++    OPENSSL_armcap_P = 0;
++
+     if ((e = getenv("OPENSSL_armcap"))) {
+         OPENSSL_armcap_P = (unsigned int)strtoul(e, NULL, 0);
+         return;
+     }
+ 
+-# if defined(__APPLE__) && !defined(__aarch64__)
++# if defined(__APPLE__)
++#   if !defined(__aarch64__)
+     /*
+      * Capability probing by catching SIGILL appears to be problematic
+      * on iOS. But since Apple universe is "monocultural", it's actually
+@@ -166,9 +176,25 @@ void OPENSSL_cpuid_setup(void)
+      * Unified code works because it never triggers SIGILL on Apple
+      * devices...
+      */
+-# endif
++#   else
++    {
++        unsigned int feature;
++        size_t len = sizeof(feature);
++        char uarch[64];
+ 
+-    OPENSSL_armcap_P = 0;
++        if (sysctlbyname("hw.optional.armv8_2_sha512", &feature, &len, NULL, 0) == 0 && feature == 1)
++            OPENSSL_armcap_P |= ARMV8_SHA512;
++	feature = 0;
++        if (sysctlbyname("hw.optional.armv8_2_sha3", &feature, &len, NULL, 0) == 0 && feature == 1) {
++            OPENSSL_armcap_P |= ARMV8_SHA3;
++            len = sizeof(uarch);
++            if ((sysctlbyname("machdep.cpu.brand_string", uarch, &len, NULL, 0) == 0) &&
++                (strncmp(uarch, "Apple M1", 8) == 0))
++                OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3;
++        }
++    }
++#   endif
++# endif
+ 
+ # ifdef OSSL_IMPLEMENT_GETAUXVAL
+     if (getauxval(HWCAP) & HWCAP_NEON) {
+@@ -194,6 +220,9 @@ void OPENSSL_cpuid_setup(void)
+ 
+         if (hwcap & HWCAP_CPUID)
+             OPENSSL_armcap_P |= ARMV8_CPUID;
++
++	if (hwcap & HWCAP_SHA3)
++            OPENSSL_armcap_P |= ARMV8_SHA3;
+ #  endif
+     }
+ # endif
+@@ -237,6 +266,10 @@ void OPENSSL_cpuid_setup(void)
+             _armv8_sha512_probe();
+             OPENSSL_armcap_P |= ARMV8_SHA512;
+         }
++        if (sigsetjmp(ill_jmp, 1) == 0) {
++            _armv8_eor3_probe();
++            OPENSSL_armcap_P |= ARMV8_SHA3;
++        }
+ #  endif
+     }
+ # endif
+@@ -259,6 +292,9 @@ void OPENSSL_cpuid_setup(void)
+         (OPENSSL_armcap_P & ARMV7_NEON)) {
+             OPENSSL_armv8_rsa_neonized = 1;
+     }
++    if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_V1)) &&
++        (OPENSSL_armcap_P & ARMV8_SHA3))
++        OPENSSL_armcap_P |= ARMV8_UNROLL8_EOR3;
+ # endif
+ }
+ #endif
+Index: openssl-1.1.1l/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/modes/asm/aes-gcm-armv8-unroll8_64.pl
+@@ -0,0 +1,7369 @@
++#! /usr/bin/env perl
++# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++#
++#========================================================================
++# Written by Xiaokang Qian <xiaokang.qian@arm.com> for the OpenSSL project,
++# derived from https://github.com/ARM-software/AArch64cryptolib, original
++# author Samuel Lee <Samuel.Lee@arm.com>. The module is, however, dual
++# licensed under OpenSSL and SPDX BSD-3-Clause licenses depending on where you
++# obtain it.
++#========================================================================
++#
++# Approach - We want to reload constants as we have plenty of spare ASIMD slots around crypto units for loading
++# Unroll x8 in main loop, main loop to act on 8 16B blocks per iteration, and then do modulo of the accumulated
++# intermediate hashesfrom the 8 blocks.
++#
++#  ____________________________________________________
++# |                                                    |
++# | PRE                                                |
++# |____________________________________________________|
++# |                |                |                  |
++# | CTR block 8k+13| AES block 8k+8 | GHASH block 8k+0 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+14| AES block 8k+9 | GHASH block 8k+1 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+15| AES block 8k+10| GHASH block 8k+2 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+16| AES block 8k+11| GHASH block 8k+3 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+17| AES block 8k+12| GHASH block 8k+4 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+18| AES block 8k+13| GHASH block 8k+5 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+19| AES block 8k+14| GHASH block 8k+6 |
++# |________________|________________|__________________|
++# |                |                |                  |
++# | CTR block 8k+20| AES block 8k+15| GHASH block 8k+7 |
++# |________________|____(mostly)____|__________________|
++# |                                                    |
++# | MODULO                                             |
++# |____________________________________________________|
++#
++# PRE:
++#     Ensure previous generated intermediate hash is aligned and merged with result for GHASH 4k+0
++# EXT low_acc, low_acc, low_acc, #8
++# EOR res_curr (8k+0), res_curr (4k+0), low_acc
++#
++# CTR block:
++#     Increment and byte reverse counter in scalar registers and transfer to SIMD registers
++# REV     ctr32, rev_ctr32
++# ORR     ctr64, constctr96_top32, ctr32, LSL #32
++# INS     ctr_next.d[0], constctr96_bottom64      // Keeping this in scalar registers to free up space in SIMD RF
++# INS     ctr_next.d[1], ctr64X
++# ADD     rev_ctr32, #1
++#
++# AES block:
++#      Do AES encryption/decryption on CTR block X and EOR it with input block X. Take 256 bytes key below for example.
++#      Doing small trick here of loading input in scalar registers, EORing with last key and then transferring
++#      Given we are very constrained in our ASIMD registers this is quite important
++#
++#      Encrypt:
++# LDR     input_low, [ input_ptr  ], #8
++# LDR     input_high, [ input_ptr  ], #8
++# EOR     input_low, k14_low
++# EOR     input_high, k14_high
++# INS     res_curr.d[0], input_low
++# INS     res_curr.d[1], input_high
++# AESE    ctr_curr, k0; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k1; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k2; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k3; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k4; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k5; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k6; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k7; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k8; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k9; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k10; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k11; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k12; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k13
++# EOR     res_curr, res_curr, ctr_curr
++# ST1     { res_curr.16b  }, [ output_ptr  ], #16
++#
++#     Decrypt:
++# AESE    ctr_curr, k0; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k1; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k2; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k3; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k4; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k5; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k6; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k7; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k8; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k9; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k10; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k11; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k12; AESMC ctr_curr, ctr_curr
++# AESE    ctr_curr, k13
++# LDR     res_curr, [ input_ptr  ], #16
++# EOR     res_curr, res_curr, ctr_curr
++# MOV     output_low, res_curr.d[0]
++# MOV     output_high, res_curr.d[1]
++# EOR     output_low, k14_low
++# EOR     output_high, k14_high
++# STP     output_low, output_high, [ output_ptr  ], #16
++
++# GHASH block X:
++#     Do 128b karatsuba polynomial multiplication on block
++#     We only have 64b->128b polynomial multipliers, naively that means we need to do 4 64b multiplies to generate a 128b
++#
++# multiplication:
++#     Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah,Bl) ^ Pmull(Al,Bh))<<64
++#
++#     The idea behind Karatsuba multiplication is that we can do just 3 64b multiplies:
++#     Pmull(A,B) == (Pmull(Ah,Bh)<<128 | Pmull(Al,Bl)) ^ (Pmull(Ah^Al,Bh^Bl) ^ Pmull(Ah,Bh) ^ Pmull(Al,Bl))<<64
++#
++#     There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are
++#     multiplying with "twisted" powers of H
++#
++# Note: We can PMULL directly into the acc_x in first GHASH of the loop
++# Note: For scheduling big cores we want to split the processing to happen over two loop iterations - otherwise the critical
++#       path latency dominates the performance
++#
++#       This has a knock on effect on register pressure, so we have to be a bit more clever with our temporary registers
++#       than indicated here
++# REV64   res_curr, res_curr
++# INS     t_m.d[0], res_curr.d[1]
++# EOR     t_m.8B, t_m.8B, res_curr.8B
++# PMULL2  t_h, res_curr, HX
++# PMULL   t_l, res_curr, HX
++# PMULL   t_m, t_m, HX_k
++# EOR     acc_h, acc_h, t_h
++# EOR     acc_l, acc_l, t_l
++# EOR     acc_m, acc_m, t_m
++#
++# MODULO: take the partial accumulators (~representing sum of 256b multiplication results), from GHASH and do modulo reduction on them
++#         There is some complication here because the bit order of GHASH's PMULL is reversed compared to elsewhere, so we are doing modulo
++#         with a reversed constant
++# EOR3    acc_m, acc_m, acc_l, acc_h                     // Finish off karatsuba processing
++# PMULL   t_mod, acc_h, mod_constant
++# EXT     acc_h, acc_h, acc_h, #8
++# EOR3     acc_m, acc_m, t_mod, acc_h
++# PMULL   acc_h, acc_m, mod_constant
++# EXT     acc_m, acc_m, acc_m, #8
++# EOR3    acc_l, acc_l, acc_m, acc_h
++
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}arm-xlate.pl" and -f $xlate  ) or
++( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate ) or
++die "can't locate arm-xlate.pl";
++
++die "only for 64 bit" if $flavour !~ /64/;
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++$code=<<___;
++#include "arm_arch.h"
++
++#if __ARM_MAX_ARCH__>=8
++___
++$code.=".arch   armv8.2-a+crypto\n.arch_extension sha3\n.text\n";
++
++$input_ptr="x0";  #argument block
++$bit_length="x1";
++$output_ptr="x2";
++$current_tag="x3";
++$counter="x16";
++$constant_temp="x15";
++$modulo_constant="x10";
++$cc="x8";
++{
++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7));
++my ($temp2_x,$temp3_x)=map("x$_",(13..14));
++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15));
++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15));
++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7));
++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7));
++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15));
++
++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15));
++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15));
++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15));
++
++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19));
++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19));
++
++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25));
++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25));
++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25));
++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25));
++
++my $t0="v16";
++my $t0d="d16";
++
++my $t1="v29";
++my $t2=$res1;
++my $t3=$t1;
++
++my $t4=$res0;
++my $t5=$res2;
++my $t6=$t0;
++
++my $t7=$res3;
++my $t8=$res4;
++my $t9=$res5;
++
++my $t10=$res6;
++my $t11="v21";
++my $t12=$t1;
++
++my $rtmp_ctr="v30";
++my $rtmp_ctrq="q30";
++my $rctr_inc="v31";
++my $rctr_incd="d31";
++
++my $mod_constantd=$t0d;
++my $mod_constant=$t0;
++
++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28));
++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28));
++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28));
++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28));
++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28));
++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28));
++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28));
++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28));
++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28));
++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28));
++my $rk2q1="v28.1q";
++my $rk3q1="v26.1q";
++my $rk4v="v27";
++
++
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_enc_128_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               const void *key,
++#                               unsigned char ivec[16],
++#                               u64 *Xi);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_enc_128_kernel
++.type   unroll8_eor3_aes_gcm_enc_128_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_enc_128_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L128_enc_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++	mov	x5, #0xc200000000000000
++	stp	x5, xzr, [sp, #64]
++	add	$modulo_constant, sp, #64
++
++	mov	$constant_temp, #0x100000000				@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++	lsr	$main_end_input_ptr, $bit_length, #3		  	@ byte_len
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1	 	@ byte_len - 1
++
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80		@ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++	ldp	$rk0q, $rk1q, [$cc, #0]				  	@ load rk0, rk1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 7
++
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 1
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++
++	ld1	{ $acc_lb}, [$current_tag]
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++
++	aese	$ctr3b, $rk9						@ AES block 8k+11 - round 9
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	aese	$ctr2b, $rk9						@ AES block 8k+10 - round 9
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr6b, $rk9						@ AES block 8k+14 - round 9
++
++	aese	$ctr4b, $rk9						@ AES block 8k+12 - round 9
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++	aese	$ctr0b, $rk9						@ AES block 8k+8 - round 9
++
++	aese	$ctr7b, $rk9						@ AES block 8k+15 - round 9
++	aese	$ctr5b, $rk9						@ AES block 8k+13 - round 9
++	aese	$ctr1b, $rk9						@ AES block 8k+9 - round 9
++
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3		@ end_input_ptr
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	b.ge	.L128_enc_tail						@ handle tail
++
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 0, 1 - load plaintext
++
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 2, 3 - load plaintext
++
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 4, 5 - load plaintext
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 6, 7 - load plaintext
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk10				@ AES block 0 - result
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk10				@ AES block 1 - result
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk10				@ AES block 5 - result
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk10				@ AES block 2 - result
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk10				@ AES block 6 - result
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk10				@ AES block 4 - result
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk10				@ AES block 3 - result
++	eor3	$res7b, $ctr_t7b, $ctr7b,$rk10				@ AES block 7 - result
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++	b.ge	.L128_enc_prepretail					@ do prepretail
++
++.L128_enc_main_loop:							@ main loop start
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++	rev64	$res5b, $res5b						@ GHASH block 8k+5 (t0, t1, t2 and t3 free)
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++
++	rev64	$res7b, $res7b						@ GHASH block 8k+7 (t0, t1, t2 and t3 free)
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h3l | h3h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	eor3	$acc_hb, $acc_hb, $t1.16b,$t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6 (t0, t1, and t2 free)
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	rev64	$res4b, $res4b						@ GHASH block 8k+4 (t0, t1, and t2 free)
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load plaintext
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load plaintext
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 8k+12, 8k+13 - load plaintext
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++
++	ext	$t12.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++
++	aese	$ctr2b, $rk9						@ AES block 8k+10 - round 9
++	aese	$ctr4b, $rk9						@ AES block 8k+12 - round 9
++	aese	$ctr1b, $rk9						@ AES block 8k+9 - round 9
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 8k+14, 8k+15 - load plaintext
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk10				@ AES block 4 - result
++	aese	$ctr7b, $rk9						@ AES block 8k+15 - round 9
++
++	aese	$ctr6b, $rk9						@ AES block 8k+14 - round 9
++	aese	$ctr3b, $rk9						@ AES block 8k+11 - round 9
++
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk10				@ AES block 8k+10 - result
++
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++	aese	$ctr0b, $rk9						@ AES block 8k+8 - round 9
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++
++	eor3	$res7b, $ctr_t7b, $ctr7b, $rk10				@ AES block 7 - result
++	aese	$ctr5b, $rk9						@ AES block 8k+13 - round 9
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk10				@ AES block 8k+9 - result
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk10				@ AES block 8k+11 - result
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk10				@ AES block 5 - result
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk10				@ AES block 8k+8 - result
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk10				@ AES block 6 - result
++
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 8k+12, 8k+13 - store result
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 8k+14, 8k+15 - store result
++	b.lt	.L128_enc_main_loop
++
++.L128_enc_prepretail:							@ PREPRETAIL
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h6k | h5k
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	rev64	$res5b, $res5b						@ GHASH block 8k+5 (t0, t1, t2 and t3 free)
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++
++	rev64	$res4b, $res4b						@ GHASH block 8k+4 (t0, t1, and t2 free)
++	rev64	$res7b, $res7b						@ GHASH block 8k+7 (t0, t1, t2 and t3 free)
++
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6 (t0, t1, and t2 free)
++
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	ext	$t12.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	ext	$acc_mb, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	eor3	$acc_lb, $acc_lb, $acc_hb, $acc_mb		 	@ MODULO - fold into low
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++	aese	$ctr6b, $rk9						@ AES block 8k+14 - round 9
++	aese	$ctr2b, $rk9						@ AES block 8k+10 - round 9
++
++	aese	$ctr0b, $rk9						@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk9						@ AES block 8k+9 - round 9
++
++	aese	$ctr3b, $rk9						@ AES block 8k+11 - round 9
++	aese	$ctr5b, $rk9						@ AES block 8k+13 - round 9
++
++	aese	$ctr4b, $rk9						@ AES block 8k+12 - round 9
++	aese	$ctr7b, $rk9						@ AES block 8k+15 - round 9
++.L128_enc_tail:								@ TAIL
++
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr 	@ main_end_input_ptr is number of bytes left to process
++	ldr	$ctr_t0q, [$input_ptr], #16				@ AES block 8k+8 - load plaintext
++
++	mov	$t1.16b, $rk10
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++
++	eor3	$res1b, $ctr_t0b, $ctr0b, $t1.16b			@ AES block 8k+8 - result
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6k | h5k
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h7l | h7h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	cmp	$main_end_input_ptr, #112
++	b.gt	.L128_enc_blocks_more_than_7
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	movi	$acc_h.8b, #0
++
++	cmp	$main_end_input_ptr, #96
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr2b
++	mov	$ctr2b, $ctr1b
++
++	movi	$acc_l.8b, #0
++	movi	$acc_m.8b, #0
++	b.gt	.L128_enc_blocks_more_than_6
++
++	mov	$ctr7b, $ctr6b
++	cmp	$main_end_input_ptr, #80
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr1b
++	b.gt	.L128_enc_blocks_more_than_5
++
++	cmp	$main_end_input_ptr, #64
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr1b
++	b.gt	.L128_enc_blocks_more_than_4
++
++	mov	$ctr7b, $ctr6b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr1b
++	cmp	$main_end_input_ptr, #48
++	b.gt	.L128_enc_blocks_more_than_3
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr1b
++
++	cmp	$main_end_input_ptr, #32
++	ldr	$h34kq, [$current_tag, #96]					@ load h4k | h3k
++	b.gt	.L128_enc_blocks_more_than_2
++
++	cmp	$main_end_input_ptr, #16
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr1b
++	b.gt	.L128_enc_blocks_more_than_1
++
++	ldr	$h12kq, [$current_tag, #48]					@ load h2k | h1k
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b	 .L128_enc_blocks_less_than_1
++.L128_enc_blocks_more_than_7:						@ blocks left >  7
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-7 block  - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-6 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor3	$res1b, $ctr_t1b, $ctr1b, $t1.16b			@ AES final-6 block - result
++
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d				@ GHASH final-7 block - mid
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++.L128_enc_blocks_more_than_6:						@ blocks left >  6
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-6 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-5 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++
++	eor3	$res1b, $ctr_t1b, $ctr2b, $t1.16b			@ AES final-5 block - result
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++.L128_enc_blocks_more_than_5:						@ blocks left >  5
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-5 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-4 block - load plaintext
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++
++	eor3	$res1b, $ctr_t1b, $ctr3b, $t1.16b			@ AES final-4 block - result
++	pmull	$rk3q1, $res0.1d, $h6.1d				@ GHASH final-5 block - low
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++.L128_enc_blocks_more_than_4:						@ blocks left >  4
++
++	st1	{ $res1b}, [$output_ptr], #16			  	@ AES final-4 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-3 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++
++	eor3	$res1b, $ctr_t1b, $ctr4b, $t1.16b			@ AES final-3 block - result
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++.L128_enc_blocks_more_than_3:						@ blocks left >  3
++
++	st1	{ $res1b}, [$output_ptr], #16			  	@ AES final-3 block - store result
++
++	ldr	$h4q, [$current_tag, #112]					@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++	ldr	$h34kq, [$current_tag, #96]					@ load h4k | h3k
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-2 block - load plaintext
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++
++	eor3	$res1b, $ctr_t1b, $ctr5b, $t1.16b			@ AES final-2 block - result
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++.L128_enc_blocks_more_than_2:						@ blocks left >  2
++
++	st1	{ $res1b}, [$output_ptr], #16			  	@ AES final-2 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-1 block - load plaintext
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++	ldr	$h3q, [$current_tag, #80]					@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr6b, $t1.16b			@ AES final-1 block - result
++
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++.L128_enc_blocks_more_than_1:						@ blocks left >  1
++
++	st1	{ $res1b}, [$output_ptr], #16			  	@ AES final-1 block - store result
++
++	ldr	$h2q, [$current_tag, #64]					@ load h2l | h2h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr7b, $t1.16b			@ AES final block - result
++
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++
++	ldr	$h12kq, [$current_tag, #48]					@ load h2k | h1k
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++.L128_enc_blocks_less_than_1:						@ blocks left <= 1
++
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++	and	$bit_length, $bit_length, #127			 	@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128			 	@ bit_length -= 128
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++	and	$bit_length, $bit_length, #127			 	@ bit_length %= 128
++
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++	cmp	$bit_length, #64
++
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++	csel	$temp3_x, $temp0_x, xzr, lt
++
++	mov	$ctr0.d[1], $temp3_x
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++
++	rev64	$res0b, $res1b						@ GHASH final block
++
++	bif	$res1b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++	st1	{ $res1b}, [$output_ptr]				@ store all 16B
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++	ldr	$h1q, [$current_tag, #32]					@ load h1l | h1h
++	ext	$h1.16b, $h1.16b, $h1.16b, #8
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++
++	pmull2  $rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		  	@ MODULO - top 64b align with mid
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		  	@ MODULO - karatsuba tidy up
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b		 	@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			  	@ MODULO - other mid alignment
++
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		  	@ MODULO - fold into low
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++	lsr	x0, $bit_length, #3					@ return sizes
++
++	ldp	d10, d11, [sp, #16]
++	ldp	d12, d13, [sp, #32]
++	ldp	d14, d15, [sp, #48]
++	ldp	d8, d9, [sp], #80
++	ret
++
++.L128_enc_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_enc_128_kernel,.-unroll8_eor3_aes_gcm_enc_128_kernel
++___
++
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_dec_128_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               u64 *Xi,
++#                               unsigned char ivec[16],
++#                               const void *key);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_dec_128_kernel
++.type   unroll8_eor3_aes_gcm_dec_128_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_dec_128_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L128_dec_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++	mov	x5, #0xc200000000000000
++	stp	x5, xzr, [sp, #64]
++	add	$modulo_constant, sp, #64
++
++	lsr	$main_end_input_ptr, $bit_length, #3		 	@ byte_len
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1		@ byte_len - 1
++
++	mov	$constant_temp, #0x100000000			@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++	ld1	{ $acc_lb}, [$current_tag]
++	  ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80	@ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 0
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 0
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 7
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 8
++
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 8
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 8
++
++	aese	$ctr0b, $rk9						@ AES block 0 - round 9
++	aese	$ctr1b, $rk9						@ AES block 1 - round 9
++	aese	$ctr6b, $rk9						@ AES block 6 - round 9
++
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++	aese	$ctr4b, $rk9						@ AES block 4 - round 9
++	aese	$ctr3b, $rk9						@ AES block 3 - round 9
++
++	aese	$ctr2b, $rk9						@ AES block 2 - round 9
++	aese	$ctr5b, $rk9						@ AES block 5 - round 9
++	aese	$ctr7b, $rk9						@ AES block 7 - round 9
++
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3		@ end_input_ptr
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	b.ge	.L128_dec_tail						@ handle tail
++
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 0, 1 - load ciphertext
++
++	eor3	$ctr0b, $res0b, $ctr0b, $rk10				@ AES block 0 - result
++	eor3	$ctr1b, $res1b, $ctr1b, $rk10				@ AES block 1 - result
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 2, 3 - load ciphertext
++
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 4, 5 - load ciphertext
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 6, 7 - load ciphertext
++
++	eor3	$ctr3b, $res3b, $ctr3b, $rk10				@ AES block 3 - result
++	eor3	$ctr2b, $res2b, $ctr2b, $rk10				@ AES block 2 - result
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++
++	eor3	$ctr6b, $res6b, $ctr6b, $rk10				@ AES block 6 - result
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++
++	eor3	$ctr4b, $res4b, $ctr4b, $rk10				@ AES block 4 - result
++	eor3	$ctr5b, $res5b, $ctr5b, $rk10				@ AES block 5 - result
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++
++	eor3	$ctr7b, $res7b, $ctr7b, $rk10				@ AES block 7 - result
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++	b.ge	.L128_dec_prepretail					@ do prepretail
++
++.L128_dec_main_loop:							@ main loop start
++	ldr	$h7q, [$current_tag, #176]				 	@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				 	@ load h7l | h7h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h6k | h5k
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				 	@ GHASH block 8k+2 - low
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b 			@ GHASH block 8k+4, 8k+5 - mid
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load ciphertext
++
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load ciphertext
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 8k+12, 8k+13 - load ciphertext
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 8k+14, 8k+15 - load ciphertext
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++
++	aese	$ctr0b, $rk9						@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk9						@ AES block 8k+9 - round 9
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++
++	aese	$ctr6b, $rk9						@ AES block 8k+14 - round 9
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr2b, $rk9						@ AES block 8k+10 - round 9
++
++	aese	$ctr7b, $rk9						@ AES block 8k+15 - round 9
++	aese	$ctr4b, $rk9						@ AES block 8k+12 - round 9
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++
++	aese	$ctr3b, $rk9						@ AES block 8k+11 - round 9
++	aese	$ctr5b, $rk9						@ AES block 8k+13 - round 9
++	eor3	$ctr1b, $res1b, $ctr1b, $rk10				@ AES block 8k+9 - result
++
++	eor3	$ctr0b, $res0b, $ctr0b, $rk10				@ AES block 8k+8 - result
++	eor3	$ctr7b, $res7b, $ctr7b, $rk10				@ AES block 8k+15 - result
++	eor3	$ctr6b, $res6b, $ctr6b, $rk10				@ AES block 8k+14 - result
++
++	eor3	$ctr2b, $res2b, $ctr2b, $rk10				@ AES block 8k+10 - result
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++
++	eor3	$ctr4b, $res4b, $ctr4b, $rk10				@ AES block 8k+12 - result
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++
++	eor3	$ctr3b, $res3b, $ctr3b, $rk10				@ AES block 8k+11 - result
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++
++	eor3	$ctr5b, $res5b, $ctr5b, $rk10				@ AES block 8k+13 - result
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 8k+12, 8k+13 - store result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 8k+14, 8k+15 - store result
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++	b.lt	.L128_dec_main_loop
++
++.L128_dec_prepretail:							@ PREPRETAIL
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	rev64	$res0b, $res0b						@ GHASH block 8k
++
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	rev32	$ctr5.16b, $rtmp_ctr.16b					@ CTR block 8k+13
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h6k | h5k
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	ldr	$rk10q, [$cc, #160]					@ load rk10
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++
++	aese	$ctr6b, $rk9						@ AES block 8k+14 - round 9
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++	aese	$ctr2b, $rk9						@ AES block 8k+10 - round 9
++
++	aese	$ctr3b, $rk9						@ AES block 8k+11 - round 9
++	aese	$ctr5b, $rk9						@ AES block 8k+13 - round 9
++	aese	$ctr0b, $rk9						@ AES block 8k+8 - round 9
++
++	aese	$ctr4b, $rk9						@ AES block 8k+12 - round 9
++	aese	$ctr1b, $rk9						@ AES block 8k+9 - round 9
++	aese	$ctr7b, $rk9						@ AES block 8k+15 - round 9
++
++.L128_dec_tail:								@ TAIL
++
++	mov	$t1.16b, $rk10
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr 	@ main_end_input_ptr is number of bytes left to process
++
++	cmp	$main_end_input_ptr, #112
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h7l | h7h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	ldr	$res1q, [$input_ptr], #16				@ AES block 8k+8 - load ciphertext
++
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6k | h5k
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++
++	eor3	$res4b, $res1b, $ctr0b, $t1.16b				@ AES block 8k+8 - result
++	b.gt	.L128_dec_blocks_more_than_7
++
++	cmp	$main_end_input_ptr, #96
++	mov	$ctr7b, $ctr6b
++	movi	$acc_l.8b, #0
++
++	movi	$acc_h.8b, #0
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr2b
++	mov	$ctr2b, $ctr1b
++
++	movi	$acc_m.8b, #0
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L128_dec_blocks_more_than_6
++
++	cmp	$main_end_input_ptr, #80
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr1b
++	b.gt	.L128_dec_blocks_more_than_5
++
++	cmp	$main_end_input_ptr, #64
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L128_dec_blocks_more_than_4
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr1b
++	cmp	$main_end_input_ptr, #48
++	b.gt	.L128_dec_blocks_more_than_3
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	cmp	$main_end_input_ptr, #32
++
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	mov	$ctr6b, $ctr1b
++	b.gt	.L128_dec_blocks_more_than_2
++
++	cmp	$main_end_input_ptr, #16
++
++	mov	$ctr7b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	L128_dec_blocks_more_than_1
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	b	 .L128_dec_blocks_less_than_1
++.L128_dec_blocks_more_than_7:						@ blocks left >  7
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	ldr	$res1q, [$input_ptr], #16				@ AES final-6 block - load ciphertext
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-7 block  - store result
++	eor3	$res4b, $res1b, $ctr1b, $t1.16b				@ AES final-6 block - result
++
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d			 	@ GHASH final-7 block - mid
++.L128_dec_blocks_more_than_6:						@ blocks left >  6
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++	ldr	$res1q, [$input_ptr], #16				@ AES final-5 block - load ciphertext
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-6 block - store result
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++	eor3	$res4b, $res1b, $ctr2b, $t1.16b				@ AES final-5 block - result
++.L128_dec_blocks_more_than_5:						@ blocks left >  5
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-4 block - load ciphertext
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-5 block - store result
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++
++	eor3	$res4b, $res1b, $ctr3b, $t1.16b				@ AES final-4 block - result
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++	pmull	$rk3q1, $res0.1d, $h6.1d				@ GHASH final-5 block - low
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++.L128_dec_blocks_more_than_4:						@ blocks left >  4
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	ldr	$res1q, [$input_ptr], #16				@ AES final-3 block - load ciphertext
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-4 block - store result
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++
++	eor3	$res4b, $res1b, $ctr4b, $t1.16b				@ AES final-3 block - result
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++.L128_dec_blocks_more_than_3:						@ blocks left >  3
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-3 block - store result
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-2 block - load ciphertext
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	eor3	$res4b, $res1b, $ctr5b, $t1.16b				@ AES final-2 block - result
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++.L128_dec_blocks_more_than_2:						@ blocks left >  2
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-2 block - store result
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++	ldr	$res1q, [$input_ptr], #16				@ AES final-1 block - load ciphertext
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++
++	eor3	$res4b, $res1b, $ctr6b, $t1.16b				@ AES final-1 block - result
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++.L128_dec_blocks_more_than_1:						@ blocks left >  1
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-1 block - store result
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final block - load ciphertext
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++	eor3	$res4b, $res1b, $ctr7b, $t1.16b				@ AES final block - result
++
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++.L128_dec_blocks_less_than_1:						@ blocks left <= 1
++
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128				@ bit_length -= 128
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	cmp	$bit_length, #64
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++	csel	$temp3_x, $temp0_x, xzr, lt
++
++	mov	$ctr0.d[1], $temp3_x
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++
++	rev64	$res0b, $res1b						@ GHASH final block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	pmull2  $rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++
++	bif	$res4b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++	st1	{ $res4b}, [$output_ptr]				@ store all 16B
++
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++
++	eor	$t10.16b, $acc_hb, $acc_lb				@ MODULO - karatsuba tidy up
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	ext	$acc_hb, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	eor	$acc_mb, $acc_mb, $t10.16b				@ MODULO - karatsuba tidy up
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $t11.16b			@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ext	$acc_mb, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++
++	eor3	$acc_lb, $acc_lb, $acc_mb, $acc_hb			@ MODULO - fold into low
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++
++	lsr	x0, $bit_length, #3
++
++	ldp	d10, d11, [sp, #16]
++	ldp	d12, d13, [sp, #32]
++	ldp	d14, d15, [sp, #48]
++	ldp	d8, d9, [sp], #80
++	ret
++.L128_dec_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_dec_128_kernel,.-unroll8_eor3_aes_gcm_dec_128_kernel
++___
++}
++
++{
++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7));
++my ($temp2_x,$temp3_x)=map("x$_",(13..14));
++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15));
++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15));
++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7));
++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7));
++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15));
++
++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15));
++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15));
++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15));
++
++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19));
++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19));
++
++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25));
++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25));
++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25));
++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25));
++
++my $t0="v16";
++my $t0d="d16";
++
++my $t1="v29";
++my $t2=$res1;
++my $t3=$t1;
++
++my $t4=$res0;
++my $t5=$res2;
++my $t6=$t0;
++
++my $t7=$res3;
++my $t8=$res4;
++my $t9=$res5;
++
++my $t10=$res6;
++my $t11="v21";
++my $t12=$t1;
++
++my $rtmp_ctr="v30";
++my $rtmp_ctrq="q30";
++my $rctr_inc="v31";
++my $rctr_incd="d31";
++
++my $mod_constantd=$t0d;
++my $mod_constant=$t0;
++
++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28));
++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28));
++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28));
++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28));
++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28));
++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28));
++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28));
++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28));
++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28));
++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28));
++my $rk2q1="v28.1q";
++my $rk3q1="v26.1q";
++my $rk4v="v27";
++
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_enc_192_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               const void *key,
++#                               unsigned char ivec[16],
++#                               u64 *Xi);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_enc_192_kernel
++.type   unroll8_eor3_aes_gcm_enc_192_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_enc_192_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L192_enc_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++	mov	x5, #0xc200000000000000
++	stp	x5, xzr, [sp, #64]
++	add	$modulo_constant, sp, #64
++
++	lsr	$main_end_input_ptr, $bit_length, #3		 	@ byte_len
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++
++	mov	$constant_temp, #0x100000000				@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1		@ byte_len - 1
++
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80	@ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 0
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 1
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 1
++
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]						@ load rk6, rk7
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 7
++
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 8
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 8
++
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 8
++
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3		@ end_input_ptr
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 9
++
++        ld1     { $acc_lb}, [$current_tag]
++	ext     $acc_lb, $acc_lb, $acc_lb, #8
++	rev64   $acc_lb, $acc_lb
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 9
++
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 9
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 9
++
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 9
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 9
++
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 14 - round 10
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 9
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 11 - round 10
++
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 9 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 13 - round 10
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 12 - round 10
++
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 10 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 15 - round 10
++
++	aese	$ctr6b, $rk11						@ AES block 14 - round 11
++	aese	$ctr3b, $rk11						@ AES block 11 - round 11
++
++	aese	$ctr4b, $rk11						@ AES block 12 - round 11
++	aese	$ctr7b, $rk11						@ AES block 15 - round 11
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++
++	aese	$ctr1b, $rk11						@ AES block 9 - round 11
++	aese	$ctr5b, $rk11						@ AES block 13 - round 11
++
++	aese	$ctr2b, $rk11						@ AES block 10 - round 11
++	aese	$ctr0b, $rk11						@ AES block 8 - round 11
++	b.ge	.L192_enc_tail						@ handle tail
++
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 0, 1 - load plaintext
++
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 2, 3 - load plaintext
++
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 4, 5 - load plaintext
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 6, 7 - load plaintext
++
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk12				@ AES block 0 - result
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk12				@ AES block 3 - result
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk12				@ AES block 1 - result
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk12				@ AES block 4 - result
++
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk12				@ AES block 5 - result
++	eor3	$res7b, $ctr_t7b, $ctr7b, $rk12				@ AES block 7 - result
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk12				@ AES block 2 - result
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk12				@ AES block 6 - result
++
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++
++	b.ge	.L192_enc_prepretail					@ do prepretail
++
++.L192_enc_main_loop:							@ main loop start
++	rev64	$res4b, $res4b						@ GHASH block 8k+4 (t0, t1, and t2 free)
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	rev64	$res5b, $res5b						@ GHASH block 8k+5 (t0, t1, t2 and t3 free)
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7 (t0, t1, t2 and t3 free)
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6 (t0, t1, and t2 free)
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load plaintext
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++	ext	$t12.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load plaintext
++
++	aese	$ctr4b, $rk11						@ AES block 8k+12 - round 11
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 8k+12, 8k+13 - load plaintext
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 8k+14, 8k+15 - load plaintext
++	aese	$ctr2b, $rk11						@ AES block 8k+10 - round 11
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++	aese	$ctr5b, $rk11						@ AES block 8k+13 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++
++	aese	$ctr7b, $rk11						@ AES block 8k+15 - round 11
++	aese	$ctr0b, $rk11						@ AES block 8k+8 - round 11
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk12				@ AES block 4 - result
++
++	aese	$ctr6b, $rk11						@ AES block 8k+14 - round 11
++	aese	$ctr3b, $rk11						@ AES block 8k+11 - round 11
++	aese	$ctr1b, $rk11						@ AES block 8k+9 - round 11
++
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++	eor3	$res7b, $ctr_t7b, $ctr7b, $rk12				@ AES block 7 - result
++
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk12				@ AES block 8k+10 - result
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk12				@ AES block 8k+8 - result
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk12				@ AES block 8k+9 - result
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk12				@ AES block 6 - result
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk12				@ AES block 5 - result
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk12				@ AES block 8k+11 - result
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 8k+12, 8k+13 - store result
++
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 8k+14, 8k+15 - store result
++	b.lt	.L192_enc_main_loop
++
++.L192_enc_prepretail:							@ PREPRETAIL
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++	rev64	$res5b, $res5b						@ GHASH block 8k+5 (t0, t1, t2 and t3 free)
++	rev64	$res6b, $res6b						@ GHASH block 8k+6 (t0, t1, and t2 free)
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	rev64	$res4b, $res4b						@ GHASH block 8k+4 (t0, t1, and t2 free)
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7 (t0, t1, t2 and t3 free)
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ext	$t12.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++
++	aese	$ctr1b, $rk11						@ AES block 8k+9 - round 11
++	aese	$ctr7b, $rk11						@ AES block 8k+15 - round 11
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr3b, $rk11						@ AES block 8k+11 - round 11
++
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++	aese	$ctr2b, $rk11						@ AES block 8k+10 - round 11
++	aese	$ctr0b, $rk11						@ AES block 8k+8 - round 11
++
++	aese	$ctr6b, $rk11						@ AES block 8k+14 - round 11
++	aese	$ctr4b, $rk11						@ AES block 8k+12 - round 11
++	aese	$ctr5b, $rk11						@ AES block 8k+13 - round 11
++
++.L192_enc_tail:								@ TAIL
++
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++        ext     $h5.16b, $h5.16b, $h5.16b, #8
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr 	@ main_end_input_ptr is number of bytes left to process
++
++	ldr	$ctr_t0q, [$input_ptr], #16				@ AES block 8k+8 - l3ad plaintext
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h8l | h8h
++        ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	mov	$t1.16b, $rk12
++
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6l | h6h
++        ext     $h6.16b, $h6.16b, $h6.16b, #8
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	cmp	$main_end_input_ptr, #112
++
++	eor3	$res1b, $ctr_t0b, $ctr0b, $t1.16b			@ AES block 8k+8 - result
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++	b.gt	.L192_enc_blocks_more_than_7
++
++	cmp	$main_end_input_ptr, #96
++	mov	$ctr7b, $ctr6b
++	movi	$acc_h.8b, #0
++
++	mov	$ctr6b, $ctr5b
++	movi	$acc_l.8b, #0
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr2b
++
++	mov	$ctr2b, $ctr1b
++	movi	$acc_m.8b, #0
++	b.gt	.L192_enc_blocks_more_than_6
++
++	mov	$ctr7b, $ctr6b
++	cmp	$main_end_input_ptr, #80
++
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++
++	mov	$ctr3b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L192_enc_blocks_more_than_5
++
++	cmp	$main_end_input_ptr, #64
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr1b
++	b.gt	.L192_enc_blocks_more_than_4
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr1b
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	cmp	$main_end_input_ptr, #48
++	b.gt	.L192_enc_blocks_more_than_3
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	cmp	$main_end_input_ptr, #32
++	b.gt	.L192_enc_blocks_more_than_2
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	cmp	$main_end_input_ptr, #16
++	mov	$ctr7b, $ctr1b
++	b.gt	.L192_enc_blocks_more_than_1
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	b	 .L192_enc_blocks_less_than_1
++.L192_enc_blocks_more_than_7:						@ blocks left >  7
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-7 block  - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-6 block - load plaintext
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d			 	@ GHASH final-7 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr1b, $t1.16b			@ AES final-6 block - result
++.L192_enc_blocks_more_than_6:						@ blocks left >  6
++
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-6 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-5 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++	eor3	$res1b, $ctr_t1b, $ctr2b, $t1.16b			@ AES final-5 block - result
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++.L192_enc_blocks_more_than_5:						@ blocks left >  5
++
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-5 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-4 block - load plaintext
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++	pmull	$rk3q1, $res0.1d, $h6.1d				@ GHASH final-5 block - low
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++
++	eor3	$res1b, $ctr_t1b, $ctr3b, $t1.16b			@ AES final-4 block - result
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++.L192_enc_blocks_more_than_4:						@ blocks left >  4
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-4 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-3 block - load plaintext
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr4b, $t1.16b			@ AES final-3 block - result
++.L192_enc_blocks_more_than_3:						@ blocks left >  3
++
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-3 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-2 block - load plaintext
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++
++	eor3	$res1b, $ctr_t1b, $ctr5b, $t1.16b			@ AES final-2 block - result
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++.L192_enc_blocks_more_than_2:						@ blocks left >  2
++
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-2 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-1 block - load plaintext
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr6b, $t1.16b			@ AES final-1 block - result
++.L192_enc_blocks_more_than_1:						@ blocks left >  1
++
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-1 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final block - load plaintext
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++
++	eor3	$res1b, $ctr_t1b, $ctr7b, $t1.16b			@ AES final block - result
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++.L192_enc_blocks_less_than_1:						@ blocks left <= 1
++
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128				@ bit_length -= 128
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	cmp	$bit_length, #64
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++	csel	$temp3_x, $temp0_x, xzr, lt
++
++	mov	$ctr0.d[1], $temp3_x
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++
++	rev64	$res0b, $res1b						@ GHASH final block
++	bif	$res1b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++
++	st1	{ $res1b}, [$output_ptr]				@ store all 16B
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++	pmull2  $rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++		ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++
++	lsr	x0, $bit_length, #3					@ return sizes
++
++	ldp	d10, d11, [sp, #16]
++	ldp	d12, d13, [sp, #32]
++	ldp	d14, d15, [sp, #48]
++	ldp	d8, d9, [sp], #80
++	ret
++
++.L192_enc_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_enc_192_kernel,.-unroll8_eor3_aes_gcm_enc_192_kernel
++___
++
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_dec_192_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               const void *key,
++#                               unsigned char ivec[16],
++#                               u64 *Xi);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_dec_192_kernel
++.type   unroll8_eor3_aes_gcm_dec_192_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_dec_192_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L192_dec_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++        mov     x5, #0xc200000000000000
++	stp     x5, xzr, [sp, #64]
++	add     $modulo_constant, sp, #64
++
++	lsr	$main_end_input_ptr, $bit_length, #3		 	@ byte_len
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++	ld1	{ $acc_lb}, [$current_tag]
++
++		mov	$constant_temp, #0x100000000			@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 0
++
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 1
++
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 1
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1		@ byte_len - 1
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 7
++
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 8
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80	@ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 8
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 8
++
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3		@ end_input_ptr
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 9
++
++	ld1	{ $acc_lb}, [$current_tag]
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 9
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 9
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 9
++
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 9
++
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 9
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 9
++
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 10
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 10
++
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 10
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++
++	aese	$ctr0b, $rk11						@ AES block 0 - round 11
++	aese	$ctr1b, $rk11						@ AES block 1 - round 11
++	aese	$ctr4b, $rk11						@ AES block 4 - round 11
++
++	aese	$ctr6b, $rk11						@ AES block 6 - round 11
++	aese	$ctr5b, $rk11						@ AES block 5 - round 11
++	aese	$ctr7b, $rk11						@ AES block 7 - round 11
++
++	aese	$ctr2b, $rk11						@ AES block 2 - round 11
++	aese	$ctr3b, $rk11						@ AES block 3 - round 11
++	b.ge	.L192_dec_tail						@ handle tail
++
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 0, 1 - load ciphertext
++
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 2, 3 - load ciphertext
++
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 4, 5 - load ciphertext
++
++	eor3	$ctr1b, $res1b, $ctr1b, $rk12				@ AES block 1 - result
++	eor3	$ctr0b, $res0b, $ctr0b, $rk12				@ AES block 0 - result
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++	eor3	$ctr3b, $res3b, $ctr3b, $rk12				@ AES block 3 - result
++
++	eor3	$ctr2b, $res2b, $ctr2b, $rk12				@ AES block 2 - result
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 6, 7 - load ciphertext
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++
++	eor3	$ctr4b, $res4b, $ctr4b, $rk12				@ AES block 4 - result
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++
++	eor3	$ctr5b, $res5b, $ctr5b, $rk12				@ AES block 5 - result
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++
++	eor3	$ctr6b, $res6b, $ctr6b, $rk12				@ AES block 6 - result
++	eor3	$ctr7b, $res7b, $ctr7b, $rk12				@ AES block 7 - result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++	b.ge	.L192_dec_prepretail					@ do prepretail
++
++.L192_dec_main_loop:							@ main loop start
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load ciphertext
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load ciphertext
++
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 8k+12, 8k+13 - load ciphertext
++
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 8k+14, 8k+15 - load ciphertext
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++
++	aese	$ctr0b, $rk11						@ AES block 8k+8 - round 11
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++	aese	$ctr1b, $rk11						@ AES block 8k+9 - round 11
++
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	aese	$ctr6b, $rk11						@ AES block 8k+14 - round 11
++	aese	$ctr3b, $rk11						@ AES block 8k+11 - round 11
++
++	eor3	$ctr0b, $res0b, $ctr0b, $rk12				@ AES block 8k+8 - result
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++
++	aese	$ctr4b, $rk11						@ AES block 8k+12 - round 11
++	aese	$ctr2b, $rk11						@ AES block 8k+10 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++
++	aese	$ctr7b, $rk11						@ AES block 8k+15 - round 11
++	aese	$ctr5b, $rk11						@ AES block 8k+13 - round 11
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++
++	eor3	$ctr1b, $res1b, $ctr1b, $rk12				@ AES block 8k+9 - result
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++	eor3	$ctr3b, $res3b, $ctr3b, $rk12				@ AES block 8k+11 - result
++
++	eor3	$ctr2b, $res2b, $ctr2b, $rk12				@ AES block 8k+10 - result
++	eor3	$ctr7b, $res7b, $ctr7b, $rk12				@ AES block 8k+15 - result
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++
++	eor3	$ctr5b, $res5b, $ctr5b, $rk12				@ AES block 8k+13 - result
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++
++	eor3	$ctr4b, $res4b, $ctr4b, $rk12				@ AES block 8k+12 - result
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 8k+12, 8k+13 - store result
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++
++	eor3	$ctr6b, $res6b, $ctr6b, $rk12				@ AES block 8k+14 - result
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 8k+14, 8k+15 - store result
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++	b.lt	.L192_dec_main_loop
++
++.L192_dec_prepretail:							@ PREPRETAIL
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ldr	$rk12q, [$cc, #192]					@ load rk12
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++
++	aese	$ctr0b, $rk11						@ AES block 8k+8 - round 11
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++	aese	$ctr5b, $rk11						@ AES block 8k+13 - round 11
++
++	aese	$ctr2b, $rk11						@ AES block 8k+10 - round 11
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++
++	aese	$ctr6b, $rk11						@ AES block 8k+14 - round 11
++	aese	$ctr4b, $rk11						@ AES block 8k+12 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	aese	$ctr3b, $rk11						@ AES block 8k+11 - round 11
++	aese	$ctr1b, $rk11						@ AES block 8k+9 - round 11
++	aese	$ctr7b, $rk11						@ AES block 8k+15 - round 11
++
++.L192_dec_tail:								@ TAIL
++
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr 	@ main_end_input_ptr is number of bytes left to process
++
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++        ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$res1q, [$input_ptr], #16				@ AES block 8k+8 - load ciphertext
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h8l | h8h
++        ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	mov	$t1.16b, $rk12
++
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6l | h6h
++        ext     $h6.16b, $h6.16b, $h6.16b, #8
++        ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++
++	eor3	$res4b, $res1b, $ctr0b, $t1.16b				@ AES block 8k+8 - result
++	cmp	$main_end_input_ptr, #112
++	b.gt	.L192_dec_blocks_more_than_7
++
++	mov	$ctr7b, $ctr6b
++	movi	$acc_h.8b, #0
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++
++	cmp	$main_end_input_ptr, #96
++	movi	$acc_l.8b, #0
++	mov	$ctr3b, $ctr2b
++
++	mov	$ctr2b, $ctr1b
++	movi	$acc_m.8b, #0
++	b.gt	.L192_dec_blocks_more_than_6
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr1b
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	cmp	$main_end_input_ptr, #80
++	b.gt	.L192_dec_blocks_more_than_5
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr1b
++	cmp	$main_end_input_ptr, #64
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L192_dec_blocks_more_than_4
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr1b
++	cmp	$main_end_input_ptr, #48
++	b.gt	.L192_dec_blocks_more_than_3
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	cmp	$main_end_input_ptr, #32
++
++	mov	$ctr6b, $ctr1b
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	b.gt	.L192_dec_blocks_more_than_2
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr7b, $ctr1b
++	cmp	$main_end_input_ptr, #16
++	b.gt	.L192_dec_blocks_more_than_1
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	b	 .L192_dec_blocks_less_than_1
++.L192_dec_blocks_more_than_7:						@ blocks left >  7
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++	ldr	$res1q, [$input_ptr], #16				@ AES final-6 block - load ciphertext
++
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-7 block  - store result
++
++	eor3	$res4b, $res1b, $ctr1b, $t1.16b				@ AES final-6 block - result
++
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d			 	@ GHASH final-7 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++.L192_dec_blocks_more_than_6:						@ blocks left >  6
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-5 block - load ciphertext
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-6 block - store result
++	eor3	$res4b, $res1b, $ctr2b, $t1.16b				@ AES final-5 block - result
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++.L192_dec_blocks_more_than_5:						@ blocks left >  5
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-4 block - load ciphertext
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++	pmull	$rk3q1, $res0.1d, $h6.1d				@ GHASH final-5 block - low
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-5 block - store result
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++	eor3	$res4b, $res1b, $ctr3b, $t1.16b				@ AES final-4 block - result
++.L192_dec_blocks_more_than_4:						@ blocks left >  4
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-3 block - load ciphertext
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-4 block - store result
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++
++	eor3	$res4b, $res1b, $ctr4b, $t1.16b				@ AES final-3 block - result
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++.L192_dec_blocks_more_than_3:						@ blocks left >  3
++
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++	ldr	$res1q, [$input_ptr], #16				@ AES final-2 block - load ciphertext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-3 block - store result
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++	eor3	$res4b, $res1b, $ctr5b, $t1.16b				@ AES final-2 block - result
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++.L192_dec_blocks_more_than_2:						@ blocks left >  2
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++	ldr	$res1q, [$input_ptr], #16				@ AES final-1 block - load ciphertext
++
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-2 block - store result
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++	eor3	$res4b, $res1b, $ctr6b, $t1.16b				@ AES final-1 block - result
++.L192_dec_blocks_more_than_1:						@ blocks left >  1
++
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++	ldr	$res1q, [$input_ptr], #16				@ AES final block - load ciphertext
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-1 block - store result
++
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++
++	eor3	$res4b, $res1b, $ctr7b, $t1.16b				@ AES final block - result
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++.L192_dec_blocks_less_than_1:						@ blocks left <= 1
++
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128				@ bit_length -= 128
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	cmp	$bit_length, #64
++
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++	csel	$temp3_x, $temp0_x, xzr, lt
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++
++	mov	$ctr0.d[1], $temp3_x
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++	bif	$res4b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++
++	rev64	$res0b, $res1b						@ GHASH final block
++
++	st1	{ $res4b}, [$output_ptr]				@ store all 16B
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++	pmull2  $rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++
++	eor	$t10.16b, $acc_hb, $acc_lb				@ MODULO - karatsuba tidy up
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d			@ MODULO - top 64b align with mid
++	ext	$acc_hb, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	eor	$acc_mb, $acc_mb, $t10.16b				@ MODULO - karatsuba tidy up
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $t11.16b			@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ext	$acc_mb, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++
++	eor3	$acc_lb, $acc_lb, $acc_mb, $acc_hb			@ MODULO - fold into low
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++
++	ldp	d10, d11, [sp, #16]
++	ldp	d12, d13, [sp, #32]
++	ldp	d14, d15, [sp, #48]
++	ldp	d8, d9, [sp], #80
++	ret
++
++.L192_dec_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_dec_192_kernel,.-unroll8_eor3_aes_gcm_dec_192_kernel
++___
++}
++
++{
++
++my ($end_input_ptr,$main_end_input_ptr,$temp0_x,$temp1_x)=map("x$_",(4..7));
++my ($temp2_x,$temp3_x)=map("x$_",(13..14));
++my ($ctr0b,$ctr1b,$ctr2b,$ctr3b,$ctr4b,$ctr5b,$ctr6b,$ctr7b,$res0b,$res1b,$res2b,$res3b,$res4b,$res5b,$res6b,$res7b)=map("v$_.16b",(0..15));
++my ($ctr0,$ctr1,$ctr2,$ctr3,$ctr4,$ctr5,$ctr6,$ctr7,$res0,$res1,$res2,$res3,$res4,$res5,$res6,$res7)=map("v$_",(0..15));
++my ($ctr0d,$ctr1d,$ctr2d,$ctr3d,$ctr4d,$ctr5d,$ctr6d,$ctr7d)=map("d$_",(0..7));
++my ($ctr0q,$ctr1q,$ctr2q,$ctr3q,$ctr4q,$ctr5q,$ctr6q,$ctr7q)=map("q$_",(0..7));
++my ($res0q,$res1q,$res2q,$res3q,$res4q,$res5q,$res6q,$res7q)=map("q$_",(8..15));
++
++my ($ctr_t0,$ctr_t1,$ctr_t2,$ctr_t3,$ctr_t4,$ctr_t5,$ctr_t6,$ctr_t7)=map("v$_",(8..15));
++my ($ctr_t0b,$ctr_t1b,$ctr_t2b,$ctr_t3b,$ctr_t4b,$ctr_t5b,$ctr_t6b,$ctr_t7b)=map("v$_.16b",(8..15));
++my ($ctr_t0q,$ctr_t1q,$ctr_t2q,$ctr_t3q,$ctr_t4q,$ctr_t5q,$ctr_t6q,$ctr_t7q)=map("q$_",(8..15));
++
++my ($acc_hb,$acc_mb,$acc_lb)=map("v$_.16b",(17..19));
++my ($acc_h,$acc_m,$acc_l)=map("v$_",(17..19));
++
++my ($h1,$h12k,$h2,$h3,$h34k,$h4)=map("v$_",(20..25));
++my ($h5,$h56k,$h6,$h7,$h78k,$h8)=map("v$_",(20..25));
++my ($h1q,$h12kq,$h2q,$h3q,$h34kq,$h4q)=map("q$_",(20..25));
++my ($h5q,$h56kq,$h6q,$h7q,$h78kq,$h8q)=map("q$_",(20..25));
++
++my $t0="v16";
++my $t0d="d16";
++
++my $t1="v29";
++my $t2=$res1;
++my $t3=$t1;
++
++my $t4=$res0;
++my $t5=$res2;
++my $t6=$t0;
++
++my $t7=$res3;
++my $t8=$res4;
++my $t9=$res5;
++
++my $t10=$res6;
++my $t11="v21";
++my $t12=$t1;
++
++my $rtmp_ctr="v30";
++my $rtmp_ctrq="q30";
++my $rctr_inc="v31";
++my $rctr_incd="d31";
++
++my $mod_constantd=$t0d;
++my $mod_constant=$t0;
++
++my ($rk0,$rk1,$rk2)=map("v$_.16b",(26..28));
++my ($rk3,$rk4,$rk5)=map("v$_.16b",(26..28));
++my ($rk6,$rk7,$rk8)=map("v$_.16b",(26..28));
++my ($rk9,$rk10,$rk11)=map("v$_.16b",(26..28));
++my ($rk12,$rk13,$rk14)=map("v$_.16b",(26..28));
++my ($rk0q,$rk1q,$rk2q)=map("q$_",(26..28));
++my ($rk3q,$rk4q,$rk5q)=map("q$_",(26..28));
++my ($rk6q,$rk7q,$rk8q)=map("q$_",(26..28));
++my ($rk9q,$rk10q,$rk11q)=map("q$_",(26..28));
++my ($rk12q,$rk13q,$rk14q)=map("q$_",(26..28));
++my $rk2q1="v28.1q";
++my $rk3q1="v26.1q";
++my $rk4v="v27";
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_enc_256_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               const void *key,
++#                               unsigned char ivec[16],
++#                               u64 *Xi);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_enc_256_kernel
++.type   unroll8_eor3_aes_gcm_enc_256_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_enc_256_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L256_enc_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++	mov	x5, #0xc200000000000000
++	stp	x5, xzr, [sp, #64]
++	add	$modulo_constant, sp, #64
++
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++
++	lsr	$main_end_input_ptr, $bit_length, #3		 	@ byte_len
++
++	mov	$constant_temp, #0x100000000			@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1		@ byte_len - 1
++
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80	@ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++	ldp	$rk0q, $rk1q, [$cc, #0]				 	@ load rk0, rk1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 0
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 1
++
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 8
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 8
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 8
++
++	ld1	{ $acc_lb}, [$current_tag]
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 9
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 9
++
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 9
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 9
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 9
++
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 9
++
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 10
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 10
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 9
++
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 10
++
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 10
++
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 11
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 11
++
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 11
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 11
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 11
++
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 11
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 11
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 11
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 7
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 12
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 12
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 12
++
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 12
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 12
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 12
++
++	aese	$ctr2b, $rk13						@ AES block 2 - round 13
++	aese	$ctr1b, $rk13						@ AES block 1 - round 13
++	aese	$ctr4b, $rk13						@ AES block 4 - round 13
++
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 12
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 12
++
++	aese	$ctr0b, $rk13						@ AES block 0 - round 13
++	aese	$ctr5b, $rk13						@ AES block 5 - round 13
++
++	aese	$ctr6b, $rk13						@ AES block 6 - round 13
++	aese	$ctr7b, $rk13						@ AES block 7 - round 13
++	aese	$ctr3b, $rk13						@ AES block 3 - round 13
++
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3		@ end_input_ptr
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	b.ge	.L256_enc_tail						@ handle tail
++
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 0, 1 - load plaintext
++
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 2, 3 - load plaintext
++
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk14				@ AES block 0 - result
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk14				@ AES block 1 - result
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk14				@ AES block 3 - result
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 4, 5 - load plaintext
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 6, 7 - load plaintext
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk14				@ AES block 2 - result
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk14				@ AES block 4 - result
++
++	eor3	$res7b, $ctr_t7b, $ctr7b, $rk14				@ AES block 7 - result
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk14				@ AES block 6 - result
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk14				@ AES block 5 - result
++
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++	b.ge	.L256_enc_prepretail					@ do prepretail
++
++.L256_enc_main_loop:							@ main loop start
++	ldp	$rk0q, $rk1q, [$cc, #0]					@ load rk0, rk1
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++	rev64	$res0b, $res0b						@ GHASH block 8k
++
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	eor	$res0b, $res0b, $acc_lb				 	@ PRE 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++	ldp	$ctr_t0q, $ctr_t1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load plaintext
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 11
++
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 11
++
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 11
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 11
++
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 11
++
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 12
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 11
++
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 12
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 12
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 11
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 12
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++	aese	$ctr7b, $rk13						@ AES block 8k+15 - round 13
++
++	ldp	$ctr_t2q, $ctr_t3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load plaintext
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 12
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 12
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 12
++	ldp	$ctr_t4q, $ctr_t5q, [$input_ptr], #32			@ AES block 4, 5 - load plaintext
++
++	ldp	$ctr_t6q, $ctr_t7q, [$input_ptr], #32			@ AES block 6, 7 - load plaintext
++	aese	$ctr2b, $rk13						@ AES block 8k+10 - round 13
++	aese	$ctr4b, $rk13						@ AES block 8k+12 - round 13
++
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++	aese	$ctr5b, $rk13						@ AES block 8k+13 - round 13
++
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 12
++	aese	$ctr3b, $rk13						@ AES block 8k+11 - round 13
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++
++	eor3	$res2b, $ctr_t2b, $ctr2b, $rk14				@ AES block 8k+10 - result
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++
++	aese	$ctr0b, $rk13						@ AES block 8k+8 - round 13
++	aese	$ctr6b, $rk13						@ AES block 8k+14 - round 13
++	eor3	$res5b, $ctr_t5b, $ctr5b, $rk14				@ AES block 5 - result
++
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr1b, $rk13						@ AES block 8k+9 - round 13
++
++	eor3	$res4b, $ctr_t4b, $ctr4b, $rk14				@ AES block 4 - result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++	eor3	$res3b, $ctr_t3b, $ctr3b, $rk14				@ AES block 8k+11 - result
++
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++	eor3	$res1b, $ctr_t1b, $ctr1b, $rk14				@ AES block 8k+9 - result
++	eor3	$res0b, $ctr_t0b, $ctr0b, $rk14				@ AES block 8k+8 - result
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++	stp	$res0q, $res1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++
++	eor3	$res7b, $ctr_t7b, $ctr7b, $rk14				@ AES block 7 - result
++	eor3	$acc_lb, $acc_lb, $t11.16b, $acc_hb		 	@ MODULO - fold into low
++	stp	$res2q, $res3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++
++	eor3	$res6b, $ctr_t6b, $ctr6b, $rk14				@ AES block 6 - result
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++	stp	$res4q, $res5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++
++	stp	$res6q, $res7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++	b.lt	.L256_enc_main_loop
++
++.L256_enc_prepretail:							@ PREPRETAIL
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	ldp	$rk0q, $rk1q, [$cc, #0]					@ load rk0, rk1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	eor	$res0b, $res0b, $acc_lb					@ PRE 1
++
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 11
++
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++	ext	$t11.16b, $acc_hb, $acc_hb, #8			 	@ MODULO - other top alignment
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 11
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 11
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 11
++
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 11
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 11
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 11
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 11
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 12
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 12
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 12
++
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 12
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 12
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 12
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 12
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 12
++	aese	$ctr0b, $rk13						@ AES block 8k+8 - round 13
++
++	eor3	$acc_lb, $acc_lb, $t11.16b, $acc_hb		 	@ MODULO - fold into low
++	aese	$ctr5b, $rk13						@ AES block 8k+13 - round 13
++	aese	$ctr1b, $rk13						@ AES block 8k+9 - round 13
++
++	aese	$ctr3b, $rk13						@ AES block 8k+11 - round 13
++	aese	$ctr4b, $rk13						@ AES block 8k+12 - round 13
++	aese	$ctr7b, $rk13						@ AES block 8k+15 - round 13
++
++	aese	$ctr2b, $rk13						@ AES block 8k+10 - round 13
++	aese	$ctr6b, $rk13						@ AES block 8k+14 - round 13
++.L256_enc_tail:								@ TAIL
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h8l | h8h
++        ext     $h8.16b, $h8.16b, $h8.16b, #8
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr		@ main_end_input_ptr is number of bytes left to process
++
++	ldr	$ctr_t0q, [$input_ptr], #16				@ AES block 8k+8 - load plaintext
++
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++        ext     $h5.16b, $h5.16b, $h5.16b, #8
++
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6l | h6h
++        ext     $h6.16b, $h6.16b, $h6.16b, #8
++        ext     $h7.16b, $h7.16b, $h7.16b, #8
++	mov	$t1.16b, $rk14
++
++	cmp	$main_end_input_ptr, #112
++	eor3	$res1b, $ctr_t0b, $ctr0b, $t1.16b				@ AES block 8k+8 - result
++	b.gt	.L256_enc_blocks_more_than_7
++
++	movi	$acc_l.8b, #0
++	mov	$ctr7b, $ctr6b
++	movi	$acc_h.8b, #0
++
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++
++	mov	$ctr3b, $ctr2b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr2b, $ctr1b
++
++	movi	$acc_m.8b, #0
++	cmp	$main_end_input_ptr, #96
++	b.gt	.L256_enc_blocks_more_than_6
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++	cmp	$main_end_input_ptr, #80
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr1b
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L256_enc_blocks_more_than_5
++
++	mov	$ctr7b, $ctr6b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr4b
++
++	cmp	$main_end_input_ptr, #64
++	mov	$ctr4b, $ctr1b
++	b.gt	.L256_enc_blocks_more_than_4
++
++	cmp	$main_end_input_ptr, #48
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L256_enc_blocks_more_than_3
++
++	cmp	$main_end_input_ptr, #32
++	mov	$ctr7b, $ctr6b
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	mov	$ctr6b, $ctr1b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	b.gt	.L256_enc_blocks_more_than_2
++
++	mov	$ctr7b, $ctr1b
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	cmp	$main_end_input_ptr, #16
++	b.gt	.L256_enc_blocks_more_than_1
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	b	 .L256_enc_blocks_less_than_1
++.L256_enc_blocks_more_than_7:						@ blocks left >  7
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-7 block  - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-6 block - load plaintext
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr1b, $t1.16b			@ AES final-6 block - result
++
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d				@ GHASH final-7 block - mid
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++.L256_enc_blocks_more_than_6:						@ blocks left >  6
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-6 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-5 block - load plaintext
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr2b, $t1.16b			@ AES final-5 block - result
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++.L256_enc_blocks_more_than_5:						@ blocks left >  5
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-5 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-4 block - load plaintext
++	pmull	$rk3q1, $res0.1d, $h6.1d				  @ GHASH final-5 block - low
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++	eor3	$res1b, $ctr_t1b, $ctr3b, $t1.16b			@ AES final-4 block - result
++.L256_enc_blocks_more_than_4:						@ blocks left >  4
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-4 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-3 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++
++	eor3	$res1b, $ctr_t1b, $ctr4b, $t1.16b			@ AES final-3 block - result
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++.L256_enc_blocks_more_than_3:						@ blocks left >  3
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-3 block - store result
++
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-2 block - load plaintext
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++
++	eor3	$res1b, $ctr_t1b, $ctr5b, $t1.16b			@ AES final-2 block - result
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++.L256_enc_blocks_more_than_2:						@ blocks left >  2
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++
++	st1	{ $res1b}, [$output_ptr], #16			 	@ AES final-2 block - store result
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final-1 block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++	eor3	$res1b, $ctr_t1b, $ctr6b, $t1.16b			@ AES final-1 block - result
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++.L256_enc_blocks_more_than_1:						@ blocks left >  1
++
++	st1	{ $res1b}, [$output_ptr], #16				@ AES final-1 block - store result
++
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++	ldr	$ctr_t1q, [$input_ptr], #16				@ AES final block - load plaintext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++
++	eor3	$res1b, $ctr_t1b, $ctr7b, $t1.16b			@ AES final block - result
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++.L256_enc_blocks_less_than_1:						@ blocks left <= 1
++
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128				@ bit_length -= 128
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	cmp	$bit_length, #64
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++
++	csel	$temp3_x, $temp0_x, xzr, lt
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++	mov	$ctr0.d[1], $temp3_x
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++
++	rev64	$res0b, $res1b						@ GHASH final block
++
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++	bif	$res1b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	st1	{ $res1b}, [$output_ptr]				@ store all 16B
++
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++	pmull2	$rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	ext	$t11.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d			@ MODULO - top 64b align with mid
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++
++	eor3	$acc_lb, $acc_lb, $acc_hb, $t11.16b		 	@ MODULO - fold into low
++		ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++	lsr	x0, $bit_length, #3					@ return sizes
++
++        ldp     d10, d11, [sp, #16]
++	ldp     d12, d13, [sp, #32]
++	ldp     d14, d15, [sp, #48]
++	ldp     d8, d9, [sp], #80
++	ret
++
++.L256_enc_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_enc_256_kernel,.-unroll8_eor3_aes_gcm_enc_256_kernel
++___
++
++{
++#########################################################################################
++# size_t unroll8_eor3_aes_gcm_dec_256_kernel(const unsigned char *in,
++#                               size_t len,
++#                               unsigned char *out,
++#                               const void *key,
++#                               unsigned char ivec[16],
++#                               u64 *Xi);
++#
++$code.=<<___;
++.global unroll8_eor3_aes_gcm_dec_256_kernel
++.type   unroll8_eor3_aes_gcm_dec_256_kernel,%function
++.align  4
++unroll8_eor3_aes_gcm_dec_256_kernel:
++	AARCH64_VALID_CALL_TARGET
++	cbz	x1, .L256_dec_ret
++	stp	d8, d9, [sp, #-80]!
++	mov	$counter, x4
++	mov	$cc, x5
++	stp	d10, d11, [sp, #16]
++	stp	d12, d13, [sp, #32]
++	stp	d14, d15, [sp, #48]
++	mov	x5, #0xc200000000000000
++	stp	x5, xzr, [sp, #64]
++	add	$modulo_constant, sp, #64
++
++	ld1	{ $ctr0b}, [$counter]					@ CTR block 0
++
++	mov	$constant_temp, #0x100000000			@ set up counter increment
++	movi	$rctr_inc.16b, #0x0
++	mov	$rctr_inc.d[1], $constant_temp
++	lsr	$main_end_input_ptr, $bit_length, #3		  	@ byte_len
++
++	sub	$main_end_input_ptr, $main_end_input_ptr, #1		@ byte_len - 1
++
++	rev32	$rtmp_ctr.16b, $ctr0.16b				@ set up reversed counter
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 0
++
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 1
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 2
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 2
++	ldp	$rk0q, $rk1q, [$cc, #0]				  	@ load rk0, rk1
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 3
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 3
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 4
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 4
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 0
++
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 5
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 5
++
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 0
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 6
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 6
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 7
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 0
++
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b		        @ AES block 6 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 0
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b		        @ AES block 7 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b		        @ AES block 6 - round 1
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b		        @ AES block 4 - round 1
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b		        @ AES block 0 - round 1
++
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 1
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 1
++
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 1
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 1
++
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 2
++
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 2
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 2
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 2
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 2
++	ldp	$rk4q, $rk5q, [$cc, #64]						@ load rk4, rk5
++
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 3
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 3
++
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 3
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 3
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 3
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 3
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 3
++
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 3
++
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 4
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 4
++
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 4
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 4
++
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 4
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 4
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 5
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 5
++
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 5
++
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 5
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 5
++
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 6
++
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 6
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 6
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 7
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 7
++
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 7
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 7
++
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 7
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 7
++
++	and	$main_end_input_ptr, $main_end_input_ptr, #0xffffffffffffff80 @ number of bytes to be processed in main loop (at least 1 byte must be handled by tail)
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 8
++
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 8
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 8
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 8
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 8
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 8
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 9
++
++	ld1	{ $acc_lb}, [$current_tag]
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	add	$end_input_ptr, $input_ptr, $bit_length, lsr #3 @ end_input_ptr
++	add	$main_end_input_ptr, $main_end_input_ptr, $input_ptr
++
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 9
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 9
++
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 9
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 9
++
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 9
++
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 9
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 10
++
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 10
++
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 10
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s @ CTR block 7
++
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 11
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 11
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 11
++
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 11
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 11
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 11
++
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 11
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b			@ AES block 1 - round 12
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 4 - round 12
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 5 - round 12
++
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 3 - round 12
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 2 - round 12
++
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 6 - round 12
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 0 - round 12
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 7 - round 12
++
++	aese	$ctr5b, $rk13						@ AES block 5 - round 13
++	aese	$ctr1b, $rk13						@ AES block 1 - round 13
++	aese	$ctr2b, $rk13						@ AES block 2 - round 13
++
++	aese	$ctr0b, $rk13						@ AES block 0 - round 13
++	aese	$ctr4b, $rk13						@ AES block 4 - round 13
++	aese	$ctr6b, $rk13						@ AES block 6 - round 13
++
++	aese	$ctr3b, $rk13						@ AES block 3 - round 13
++	aese	$ctr7b, $rk13						@ AES block 7 - round 13
++	b.ge	.L256_dec_tail						@ handle tail
++
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 0, 1 - load ciphertext
++
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 2, 3 - load ciphertext
++
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 4, 5 - load ciphertext
++
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 6, 7 - load ciphertext
++	cmp	$input_ptr, $main_end_input_ptr				@ check if we have <= 8 blocks
++
++	eor3	$ctr1b, $res1b, $ctr1b, $rk14				@ AES block 1 - result
++	eor3	$ctr0b, $res0b, $ctr0b, $rk14				@ AES block 0 - result
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 0, 1 - store result
++
++	rev32	$ctr0.16b, $rtmp_ctr.16b				@ CTR block 8
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8
++	eor3	$ctr3b, $res3b, $ctr3b, $rk14				@ AES block 3 - result
++
++	eor3	$ctr5b, $res5b, $ctr5b, $rk14				@ AES block 5 - result
++
++	eor3	$ctr4b, $res4b, $ctr4b, $rk14				@ AES block 4 - result
++	rev32	$ctr1.16b, $rtmp_ctr.16b				@ CTR block 9
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 9
++
++	eor3	$ctr2b, $res2b, $ctr2b, $rk14				@ AES block 2 - result
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 2, 3 - store result
++
++	rev32	$ctr2.16b, $rtmp_ctr.16b				@ CTR block 10
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 10
++
++	eor3	$ctr6b, $res6b, $ctr6b, $rk14				@ AES block 6 - result
++
++	rev32	$ctr3.16b, $rtmp_ctr.16b				@ CTR block 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 11
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 4, 5 - store result
++
++	eor3	$ctr7b, $res7b, $ctr7b, $rk14				@ AES block 7 - result
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 6, 7 - store result
++
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 12
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 12
++	b.ge	.L256_dec_prepretail					@ do prepretail
++
++.L256_dec_main_loop:							@ main loop start
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	ldp	$rk0q, $rk1q, [$cc, #0]					@ load rk0, rk1
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++	rev64	$res0b, $res0b						@ GHASH block 8k
++
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++
++	eor	$res0b, $res0b, $acc_lb					@ PRE 1
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++
++	ldp	$res0q, $res1q, [$input_ptr], #32			@ AES block 8k+8, 8k+9 - load ciphertext
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	rev32	$h1.16b, $rtmp_ctr.16b					@ CTR block 8k+16
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+16
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 11
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 11
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 11
++
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++	rev32	$h2.16b, $rtmp_ctr.16b					@ CTR block 8k+17
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 11
++
++	ldp	$res2q, $res3q, [$input_ptr], #32			@ AES block 8k+10, 8k+11 - load ciphertext
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 11
++	ext	$t11.16b, $acc_hb, $acc_hb, #8				 @ MODULO - other top alignment
++
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 11
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+17
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 11
++
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 12
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 12
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 12
++
++	rev32	$h3.16b, $rtmp_ctr.16b					@ CTR block 8k+18
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+18
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d			@ MODULO - top 64b align with mid
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 12
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 11
++
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 12
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 12
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 12
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 12
++
++	ldp	$res4q, $res5q, [$input_ptr], #32			@ AES block 8k+12, 8k+13 - load ciphertext
++	aese	$ctr1b, $rk13						@ AES block 8k+9 - round 13
++	aese	$ctr2b, $rk13						@ AES block 8k+10 - round 13
++
++	ldp	$res6q, $res7q, [$input_ptr], #32			@ AES block 8k+14, 8k+15 - load ciphertext
++	aese	$ctr0b, $rk13						@ AES block 8k+8 - round 13
++	aese	$ctr5b, $rk13						@ AES block 8k+13 - round 13
++
++	rev32	$h4.16b, $rtmp_ctr.16b					@ CTR block 8k+19
++	eor3	$ctr2b, $res2b, $ctr2b, $rk14				@ AES block 8k+10 - result
++	eor3	$ctr1b, $res1b, $ctr1b, $rk14				@ AES block 8k+9 - result
++
++	ext	$t11.16b, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++	aese	$ctr7b, $rk13						@ AES block 8k+15 - round 13
++
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+19
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr4b, $rk13						@ AES block 8k+12 - round 13
++
++	eor3	$ctr5b, $res5b, $ctr5b, $rk14				@ AES block 8k+13 - result
++	eor3	$ctr0b, $res0b, $ctr0b, $rk14				@ AES block 8k+8 - result
++	aese	$ctr3b, $rk13						@ AES block 8k+11 - round 13
++
++	stp	$ctr0q, $ctr1q, [$output_ptr], #32			@ AES block 8k+8, 8k+9 - store result
++	mov	$ctr0.16b, $h1.16b					@ CTR block 8k+16
++	eor3	$ctr4b, $res4b, $ctr4b, $rk14				@ AES block 8k+12 - result
++
++	eor3	$acc_lb, $acc_lb, $t11.16b, $acc_hb		 	@ MODULO - fold into low
++	eor3	$ctr3b, $res3b, $ctr3b, $rk14				@ AES block 8k+11 - result
++	stp	$ctr2q, $ctr3q, [$output_ptr], #32			@ AES block 8k+10, 8k+11 - store result
++
++	mov	$ctr3.16b, $h4.16b					@ CTR block 8k+19
++	mov	$ctr2.16b, $h3.16b					@ CTR block 8k+18
++	aese	$ctr6b, $rk13						@ AES block 8k+14 - round 13
++
++	mov	$ctr1.16b, $h2.16b					@ CTR block 8k+17
++	stp	$ctr4q, $ctr5q, [$output_ptr], #32			@ AES block 8k+12, 8k+13 - store result
++	eor3	$ctr7b, $res7b, $ctr7b, $rk14				@ AES block 8k+15 - result
++
++	eor3	$ctr6b, $res6b, $ctr6b, $rk14				@ AES block 8k+14 - result
++	rev32	$ctr4.16b, $rtmp_ctr.16b				@ CTR block 8k+20
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+20
++
++	cmp	$input_ptr, $main_end_input_ptr				@ LOOP CONTROL
++	stp	$ctr6q, $ctr7q, [$output_ptr], #32			@ AES block 8k+14, 8k+15 - store result
++	b.lt	.L256_dec_main_loop
++
++.L256_dec_prepretail:							@ PREPRETAIL
++	ldp	$rk0q, $rk1q, [$cc, #0]					@ load rk0, rk1
++	rev32	$ctr5.16b, $rtmp_ctr.16b				@ CTR block 8k+13
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+13
++
++	rev64	$res4b, $res4b						@ GHASH block 8k+4
++	ldr	$h56kq, [$current_tag, #144]				@ load h6k | h5k
++	ldr	$h78kq, [$current_tag, #192]				@ load h8k | h7k
++
++	rev32	$ctr6.16b, $rtmp_ctr.16b				@ CTR block 8k+14
++	rev64	$res0b, $res0b						@ GHASH block 8k
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+14
++
++	ext	$acc_lb, $acc_lb, $acc_lb, #8				@ PRE 0
++	ldr	$h7q, [$current_tag, #176]				@ load h7l | h7h
++	ext     $h7.16b, $h7.16b, $h7.16b, #8
++	ldr	$h8q, [$current_tag, #208]				@ load h8l | h8h
++	ext     $h8.16b, $h8.16b, $h8.16b, #8
++	rev64	$res1b, $res1b						@ GHASH block 8k+1
++
++	rev32	$ctr7.16b, $rtmp_ctr.16b				@ CTR block 8k+15
++	rev64	$res2b, $res2b						@ GHASH block 8k+2
++	ldr	$h5q, [$current_tag, #128]				@ load h5l | h5h
++	ext     $h5.16b, $h5.16b, $h5.16b, #8
++	ldr	$h6q, [$current_tag, #160]				@ load h6l | h6h
++	ext     $h6.16b, $h6.16b, $h6.16b, #8
++
++	aese	$ctr0b, $rk0  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 0
++	aese	$ctr1b, $rk0  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 0
++	aese	$ctr4b, $rk0  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 0
++
++	aese	$ctr3b, $rk0  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 0
++	aese	$ctr5b, $rk0  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 0
++	aese	$ctr6b, $rk0  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 0
++
++	aese	$ctr4b, $rk1  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 1
++	aese	$ctr7b, $rk0  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 0
++	aese	$ctr2b, $rk0  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 0
++
++	ldp	$rk2q, $rk3q, [$cc, #32]				@ load rk2, rk3
++	aese	$ctr0b, $rk1  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 1
++	eor	$res0b, $res0b, $acc_lb					@ PRE 1
++
++	aese	$ctr7b, $rk1  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 1
++	aese	$ctr6b, $rk1  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 1
++	aese	$ctr2b, $rk1  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 1
++
++	aese	$ctr3b, $rk1  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 1
++	aese	$ctr1b, $rk1  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 1
++	aese	$ctr5b, $rk1  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 1
++
++	pmull2  $t0.1q, $res1.2d, $h7.2d				@ GHASH block 8k+1 - high
++	trn1	$acc_m.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH block 8k - low
++
++	rev64	$res3b, $res3b						@ GHASH block 8k+3
++	pmull	$h7.1q, $res1.1d, $h7.1d				@ GHASH block 8k+1 - low
++
++	aese	$ctr5b, $rk2  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 2
++	aese	$ctr7b, $rk2  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 2
++	aese	$ctr1b, $rk2  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 2
++
++	aese	$ctr3b, $rk2  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 2
++	aese	$ctr6b, $rk2  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 2
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH block 8k - high
++
++	aese	$ctr0b, $rk2  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 2
++	aese	$ctr7b, $rk3  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 3
++
++	aese	$ctr5b, $rk3  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 3
++	rev64	$res6b, $res6b						@ GHASH block 8k+6
++
++	aese	$ctr0b, $rk3  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 3
++	aese	$ctr2b, $rk2  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 2
++	aese	$ctr6b, $rk3  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 3
++
++	pmull2  $t1.1q, $res2.2d, $h6.2d				@ GHASH block 8k+2 - high
++	trn2	$res0.2d, $res1.2d, $res0.2d				@ GHASH block 8k, 8k+1 - mid
++	aese	$ctr4b, $rk2  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 2
++
++	ldp	$rk4q, $rk5q, [$cc, #64]				@ load rk4, rk5
++	aese	$ctr1b, $rk3  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 3
++	pmull2  $t2.1q, $res3.2d, $h5.2d				@ GHASH block 8k+3 - high
++
++	aese	$ctr2b, $rk3  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 3
++	eor	$acc_hb, $acc_hb, $t0.16b				@ GHASH block 8k+1 - high
++	eor	$res0.16b, $res0.16b, $acc_m.16b			@ GHASH block 8k, 8k+1 - mid
++
++	aese	$ctr4b, $rk3  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 3
++	pmull	$h6.1q, $res2.1d, $h6.1d				@ GHASH block 8k+2 - low
++	aese	$ctr3b, $rk3  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 3
++
++	eor3	$acc_hb, $acc_hb, $t1.16b, $t2.16b			@ GHASH block 8k+2, 8k+3 - high
++	trn1	$t3.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++	trn2	$res2.2d, $res3.2d, $res2.2d				@ GHASH block 8k+2, 8k+3 - mid
++
++	pmull2  $acc_m.1q, $res0.2d, $h78k.2d				@ GHASH block 8k	- mid
++	pmull	$h5.1q, $res3.1d, $h5.1d				@ GHASH block 8k+3 - low
++	eor	$acc_lb, $acc_lb, $h7.16b				@ GHASH block 8k+1 - low
++
++	pmull	$h78k.1q, $res0.1d, $h78k.1d				@ GHASH block 8k+1 - mid
++	aese	$ctr5b, $rk4  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 4
++	aese	$ctr0b, $rk4  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 4
++
++	eor3	$acc_lb, $acc_lb, $h6.16b, $h5.16b			@ GHASH block 8k+2, 8k+3 - low
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++	aese	$ctr7b, $rk4  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 4
++
++	aese	$ctr2b, $rk4  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 4
++	aese	$ctr6b, $rk4  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 4
++	eor	$acc_mb, $acc_mb, $h78k.16b				@ GHASH block 8k+1 - mid
++
++	eor	$res2.16b, $res2.16b, $t3.16b				@ GHASH block 8k+2, 8k+3 - mid
++	aese	$ctr7b, $rk5  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 5
++	aese	$ctr1b, $rk4  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 4
++
++	aese	$ctr2b, $rk5  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 5
++	aese	$ctr3b, $rk4  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 4
++	aese	$ctr4b, $rk4  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 4
++
++	aese	$ctr1b, $rk5  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 5
++	pmull2  $t3.1q, $res2.2d, $h56k.2d				@ GHASH block 8k+2 - mid
++	aese	$ctr6b, $rk5  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 5
++
++	aese	$ctr4b, $rk5  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 5
++	aese	$ctr3b, $rk5  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 5
++	pmull	$h56k.1q, $res2.1d, $h56k.1d				@ GHASH block 8k+3 - mid
++
++	aese	$ctr0b, $rk5  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 5
++	aese	$ctr5b, $rk5  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 5
++	ldp	$rk6q, $rk7q, [$cc, #96]				@ load rk6, rk7
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	rev64	$res7b, $res7b						@ GHASH block 8k+7
++	rev64	$res5b, $res5b						@ GHASH block 8k+5
++
++	eor3	$acc_mb, $acc_mb, $h56k.16b, $t3.16b			@ GHASH block 8k+2, 8k+3 - mid
++
++	trn1	$t6.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr0b, $rk6  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 6
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	aese	$ctr6b, $rk6  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 6
++
++	aese	$ctr5b, $rk6  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 6
++	aese	$ctr7b, $rk6  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 6
++
++	pmull2  $t4.1q, $res4.2d, $h4.2d				@ GHASH block 8k+4 - high
++	pmull2  $t5.1q, $res5.2d, $h3.2d				@ GHASH block 8k+5 - high
++	pmull	$h4.1q, $res4.1d, $h4.1d				@ GHASH block 8k+4 - low
++
++	trn2	$res4.2d, $res5.2d, $res4.2d				@ GHASH block 8k+4, 8k+5 - mid
++	pmull	$h3.1q, $res5.1d, $h3.1d				@ GHASH block 8k+5 - low
++	trn1	$t9.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr7b, $rk7  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 7
++	pmull2  $t7.1q, $res6.2d, $h2.2d				@ GHASH block 8k+6 - high
++	aese	$ctr1b, $rk6  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 6
++
++	aese	$ctr2b, $rk6  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 6
++	aese	$ctr3b, $rk6  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 6
++	aese	$ctr4b, $rk6  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 6
++
++	ldp	$rk8q, $rk9q, [$cc, #128]				@ load rk8, rk9
++	pmull	$h2.1q, $res6.1d, $h2.1d				@ GHASH block 8k+6 - low
++	aese	$ctr5b, $rk7  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 7
++
++	aese	$ctr1b, $rk7  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 7
++	aese	$ctr4b, $rk7  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 7
++
++	aese	$ctr6b, $rk7  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 7
++	aese	$ctr2b, $rk7  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 7
++	eor3	$acc_hb, $acc_hb, $t4.16b, $t5.16b			@ GHASH block 8k+4, 8k+5 - high
++
++	aese	$ctr0b, $rk7  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 7
++	trn2	$res6.2d, $res7.2d, $res6.2d				@ GHASH block 8k+6, 8k+7 - mid
++	aese	$ctr3b, $rk7  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 7
++
++	aese	$ctr0b, $rk8  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 8
++	aese	$ctr7b, $rk8  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 8
++	aese	$ctr4b, $rk8  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 8
++
++	aese	$ctr1b, $rk8  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 8
++	aese	$ctr5b, $rk8  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 8
++	aese	$ctr6b, $rk8  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 8
++
++	aese	$ctr3b, $rk8  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 8
++	aese	$ctr4b, $rk9  \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 9
++	eor	$res4.16b, $res4.16b, $t6.16b				@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr0b, $rk9  \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 9
++	aese	$ctr1b, $rk9  \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 9
++	eor	$res6.16b, $res6.16b, $t9.16b				@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr6b, $rk9  \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 9
++	aese	$ctr7b, $rk9  \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 9
++	pmull2  $t6.1q, $res4.2d, $h34k.2d				@ GHASH block 8k+4 - mid
++
++	aese	$ctr2b, $rk8  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 8
++	pmull	$h34k.1q, $res4.1d, $h34k.1d				@ GHASH block 8k+5 - mid
++	pmull2  $t8.1q, $res7.2d, $h1.2d				@ GHASH block 8k+7 - high
++
++	pmull2  $t9.1q, $res6.2d, $h12k.2d				@ GHASH block 8k+6 - mid
++	pmull	$h12k.1q, $res6.1d, $h12k.1d				@ GHASH block 8k+7 - mid
++	pmull	$h1.1q, $res7.1d, $h1.1d				@ GHASH block 8k+7 - low
++
++	ldp	$rk10q, $rk11q, [$cc, #160]				@ load rk10, rk11
++	eor3	$acc_lb, $acc_lb, $h4.16b, $h3.16b			@ GHASH block 8k+4, 8k+5 - low
++	eor3	$acc_mb, $acc_mb, $h34k.16b, $t6.16b			@ GHASH block 8k+4, 8k+5 - mid
++
++	aese	$ctr2b, $rk9  \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 9
++	aese	$ctr3b, $rk9  \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 9
++	aese	$ctr5b, $rk9  \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 9
++
++	eor3	$acc_hb, $acc_hb, $t7.16b, $t8.16b			@ GHASH block 8k+6, 8k+7 - high
++	eor3	$acc_lb, $acc_lb, $h2.16b, $h1.16b			@ GHASH block 8k+6, 8k+7 - low
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++
++	eor3	$acc_mb, $acc_mb, $h12k.16b, $t9.16b			@ GHASH block 8k+6, 8k+7 - mid
++
++	aese	$ctr4b, $rk10 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 10
++	aese	$ctr6b, $rk10 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 10
++	aese	$ctr5b, $rk10 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 10
++
++	aese	$ctr0b, $rk10 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 10
++	aese	$ctr2b, $rk10 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 10
++	aese	$ctr3b, $rk10 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 10
++
++	eor3	$acc_mb, $acc_mb, $acc_hb, $acc_lb		 	@ MODULO - karatsuba tidy up
++
++	aese	$ctr7b, $rk10 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 10
++	aese	$ctr1b, $rk10 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 10
++	ldp	$rk12q, $rk13q, [$cc, #192]				@ load rk12, rk13
++
++	ext	$t11.16b, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++
++	aese	$ctr2b, $rk11 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 11
++	aese	$ctr1b, $rk11 \n  aesmc	$ctr1b, $ctr1b			@ AES block 8k+9 - round 11
++	aese	$ctr0b, $rk11 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 11
++
++	pmull	$t12.1q, $acc_h.1d, $mod_constant.1d			@ MODULO - top 64b align with mid
++	aese	$ctr3b, $rk11 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 11
++
++	aese	$ctr7b, $rk11 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 11
++	aese	$ctr6b, $rk11 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 11
++	aese	$ctr4b, $rk11 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 11
++
++	aese	$ctr5b, $rk11 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 11
++	aese	$ctr3b, $rk12 \n  aesmc	$ctr3b, $ctr3b			@ AES block 8k+11 - round 12
++
++	eor3	$acc_mb, $acc_mb, $t12.16b, $t11.16b			@ MODULO - fold into mid
++
++	aese	$ctr3b, $rk13						@ AES block 8k+11 - round 13
++	aese	$ctr2b, $rk12 \n  aesmc	$ctr2b, $ctr2b			@ AES block 8k+10 - round 12
++	aese	$ctr6b, $rk12 \n  aesmc	$ctr6b, $ctr6b			@ AES block 8k+14 - round 12
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++	aese	$ctr4b, $rk12 \n  aesmc	$ctr4b, $ctr4b			@ AES block 8k+12 - round 12
++	aese	$ctr7b, $rk12 \n  aesmc	$ctr7b, $ctr7b			@ AES block 8k+15 - round 12
++
++	aese	$ctr0b, $rk12 \n  aesmc	$ctr0b, $ctr0b			@ AES block 8k+8 - round 12
++	ldr	$rk14q, [$cc, #224]					@ load rk14
++	aese	$ctr1b, $rk12 \n  aesmc	$ctr1b, $ctr1b	        	@ AES block 8k+9 - round 12
++
++	aese	$ctr4b, $rk13						@ AES block 8k+12 - round 13
++	ext	$t11.16b, $acc_mb, $acc_mb, #8			 	@ MODULO - other mid alignment
++	aese	$ctr5b, $rk12 \n  aesmc	$ctr5b, $ctr5b			@ AES block 8k+13 - round 12
++
++	aese	$ctr6b, $rk13						@ AES block 8k+14 - round 13
++	aese	$ctr2b, $rk13						@ AES block 8k+10 - round 13
++	aese	$ctr1b, $rk13						@ AES block 8k+9 - round 13
++
++	aese	$ctr5b, $rk13						@ AES block 8k+13 - round 13
++	eor3	$acc_lb, $acc_lb, $t11.16b, $acc_hb		 	@ MODULO - fold into low
++	add	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s		@ CTR block 8k+15
++
++	aese	$ctr7b, $rk13						@ AES block 8k+15 - round 13
++	aese	$ctr0b, $rk13						@ AES block 8k+8 - round 13
++.L256_dec_tail:								@ TAIL
++
++	ext	$t0.16b, $acc_lb, $acc_lb, #8				@ prepare final partial tag
++	sub	$main_end_input_ptr, $end_input_ptr, $input_ptr		@ main_end_input_ptr is number of bytes left to process
++	cmp	$main_end_input_ptr, #112
++
++	ldr	$res1q, [$input_ptr], #16				@ AES block 8k+8 - load ciphertext
++
++	ldp	$h78kq, $h8q, [$current_tag, #192]			@ load h8l | h8h
++        ext     $h8.16b, $h8.16b, $h8.16b, #8
++	mov	$t1.16b, $rk14
++
++	ldp	$h5q, $h56kq, [$current_tag, #128]			@ load h5l | h5h
++        ext     $h5.16b, $h5.16b, $h5.16b, #8
++
++	eor3	$res4b, $res1b, $ctr0b, $t1.16b				@ AES block 8k+8 - result
++	ldp	$h6q, $h7q, [$current_tag, #160]			@ load h6l | h6h
++        ext     $h6.16b, $h6.16b, $h6.16b, #8
++        ext     $h7.16b, $h7.16b, $h7.16b, #8
++	b.gt	.L256_dec_blocks_more_than_7
++
++	mov	$ctr7b, $ctr6b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr3b
++	movi	$acc_l.8b, #0
++
++	movi	$acc_h.8b, #0
++	movi	$acc_m.8b, #0
++	mov	$ctr3b, $ctr2b
++
++	cmp	$main_end_input_ptr, #96
++	mov	$ctr2b, $ctr1b
++	b.gt	.L256_dec_blocks_more_than_6
++
++	mov	$ctr7b, $ctr6b
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr4b
++	cmp	$main_end_input_ptr, #80
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr4b, $ctr3b
++	mov	$ctr3b, $ctr1b
++	b.gt	.L256_dec_blocks_more_than_5
++
++	cmp	$main_end_input_ptr, #64
++	mov	$ctr7b, $ctr6b
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr6b, $ctr5b
++
++	mov	$ctr5b, $ctr4b
++	mov	$ctr4b, $ctr1b
++	b.gt	.L256_dec_blocks_more_than_4
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++	cmp	$main_end_input_ptr, #48
++
++	mov	$ctr6b, $ctr5b
++	mov	$ctr5b, $ctr1b
++	b.gt	.L256_dec_blocks_more_than_3
++
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	mov	$ctr7b, $ctr6b
++
++	cmp	$main_end_input_ptr, #32
++	mov	$ctr6b, $ctr1b
++	b.gt	.L256_dec_blocks_more_than_2
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++
++	mov	$ctr7b, $ctr1b
++	cmp	$main_end_input_ptr, #16
++	b.gt	.L256_dec_blocks_more_than_1
++
++	sub	$rtmp_ctr.4s, $rtmp_ctr.4s, $rctr_inc.4s
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	b	 .L256_dec_blocks_less_than_1
++.L256_dec_blocks_more_than_7:						@ blocks left >  7
++	rev64	$res0b, $res1b						@ GHASH final-7 block
++	ldr	$res1q, [$input_ptr], #16				@ AES final-6 block - load ciphertext
++	st1	{ $res4b}, [$output_ptr], #16				@ AES final-7 block  - store result
++
++	ins	$acc_m.d[0], $h78k.d[1]					@ GHASH final-7 block - mid
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-7 block - mid
++	eor3	$res4b, $res1b, $ctr1b, $t1.16b				@ AES final-6 block - result
++
++	pmull2  $acc_h.1q, $res0.2d, $h8.2d				@ GHASH final-7 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-7 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$acc_l.1q, $res0.1d, $h8.1d				@ GHASH final-7 block - low
++	pmull	$acc_m.1q, $rk4v.1d, $acc_m.1d			 	@ GHASH final-7 block - mid
++.L256_dec_blocks_more_than_6:						@ blocks left >  6
++
++	rev64	$res0b, $res1b						@ GHASH final-6 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	ldr	$res1q, [$input_ptr], #16				@ AES final-5 block - load ciphertext
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-6 block - mid
++	st1	{ $res4b}, [$output_ptr], #16				@ AES final-6 block - store result
++	pmull2  $rk2q1, $res0.2d, $h7.2d				@ GHASH final-6 block - high
++
++	pmull	$rk3q1, $res0.1d, $h7.1d				@ GHASH final-6 block - low
++
++	eor3	$res4b, $res1b, $ctr2b, $t1.16b				@ AES final-5 block - result
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-6 block - low
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-6 block - mid
++
++	pmull	$rk4v.1q, $rk4v.1d, $h78k.1d				@ GHASH final-6 block - mid
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-6 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-6 block - high
++.L256_dec_blocks_more_than_5:						@ blocks left >  5
++
++	rev64	$res0b, $res1b						@ GHASH final-5 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	pmull2  $rk2q1, $res0.2d, $h6.2d				@ GHASH final-5 block - high
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-5 block - mid
++
++	ldr	$res1q, [$input_ptr], #16				@ AES final-4 block - load ciphertext
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-5 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			  	@ AES final-5 block - store result
++
++	pmull	$rk3q1, $res0.1d, $h6.1d				@ GHASH final-5 block - low
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-5 block - mid
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h56k.2d				@ GHASH final-5 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-5 block - high
++	eor3	$res4b, $res1b, $ctr3b, $t1.16b				@ AES final-4 block - result
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-5 block - low
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-5 block - mid
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++.L256_dec_blocks_more_than_4:						@ blocks left >  4
++
++	rev64	$res0b, $res1b						@ GHASH final-4 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-4 block - mid
++	ldr	$res1q, [$input_ptr], #16				@ AES final-3 block - load ciphertext
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$rk3q1, $res0.1d, $h5.1d				@ GHASH final-4 block - low
++	pmull2  $rk2q1, $res0.2d, $h5.2d				@ GHASH final-4 block - high
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-4 block - mid
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-4 block - high
++
++	pmull	$rk4v.1q, $rk4v.1d, $h56k.1d				@ GHASH final-4 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-4 block - low
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-4 block - store result
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-4 block - mid
++	eor3	$res4b, $res1b, $ctr4b, $t1.16b				@ AES final-3 block - result
++.L256_dec_blocks_more_than_3:						@ blocks left >  3
++
++	ldr	$h4q, [$current_tag, #112]				@ load h4l | h4h
++	ext     $h4.16b, $h4.16b, $h4.16b, #8
++	rev64	$res0b, $res1b						@ GHASH final-3 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++	ldr	$res1q, [$input_ptr], #16				@ AES final-2 block - load ciphertext
++	ldr	$h34kq, [$current_tag, #96]				@ load h4k | h3k
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-3 block - mid
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-3 block - store result
++
++	eor3	$res4b, $res1b, $ctr5b, $t1.16b				@ AES final-2 block - result
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-3 block - mid
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-3 block - mid
++	pmull	$rk3q1, $res0.1d, $h4.1d				@ GHASH final-3 block - low
++	pmull2  $rk2q1, $res0.2d, $h4.2d				@ GHASH final-3 block - high
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	pmull2  $rk4v.1q, $rk4v.2d, $h34k.2d				@ GHASH final-3 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-3 block - low
++
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-3 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-3 block - mid
++.L256_dec_blocks_more_than_2:						@ blocks left >  2
++
++	rev64	$res0b, $res1b						@ GHASH final-2 block
++
++	ldr	$h3q, [$current_tag, #80]				@ load h3l | h3h
++	ext     $h3.16b, $h3.16b, $h3.16b, #8
++	ldr	$res1q, [$input_ptr], #16				@ AES final-1 block - load ciphertext
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-2 block - mid
++
++	pmull	$rk3q1, $res0.1d, $h3.1d				@ GHASH final-2 block - low
++	st1	{ $res4b}, [$output_ptr], #16			  	@ AES final-2 block - store result
++	eor3	$res4b, $res1b, $ctr6b, $t1.16b				@ AES final-1 block - result
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-2 block - mid
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-2 block - low
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++
++	pmull	$rk4v.1q, $rk4v.1d, $h34k.1d				@ GHASH final-2 block - mid
++	pmull2  $rk2q1, $res0.2d, $h3.2d				@ GHASH final-2 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-2 block - mid
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-2 block - high
++.L256_dec_blocks_more_than_1:						@ blocks left >  1
++
++	rev64	$res0b, $res1b						@ GHASH final-1 block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$rk4v.d[0], $res0.d[1]					@ GHASH final-1 block - mid
++	ldr	$h2q, [$current_tag, #64]				@ load h1l | h1h
++	ext     $h2.16b, $h2.16b, $h2.16b, #8
++
++	eor	$rk4v.8b, $rk4v.8b, $res0.8b				@ GHASH final-1 block - mid
++	ldr	$res1q, [$input_ptr], #16				@ AES final block - load ciphertext
++	st1	{ $res4b}, [$output_ptr], #16			 	@ AES final-1 block - store result
++
++	ldr	$h12kq, [$current_tag, #48]				@ load h2k | h1k
++	pmull	$rk3q1, $res0.1d, $h2.1d				@ GHASH final-1 block - low
++
++	ins	$rk4v.d[1], $rk4v.d[0]					@ GHASH final-1 block - mid
++
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final-1 block - low
++
++	eor3	$res4b, $res1b, $ctr7b, $t1.16b				@ AES final block - result
++	pmull2  $rk2q1, $res0.2d, $h2.2d				@ GHASH final-1 block - high
++
++	pmull2  $rk4v.1q, $rk4v.2d, $h12k.2d				@ GHASH final-1 block - mid
++
++	movi	$t0.8b, #0						@ surpress further partial tag feed in
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final-1 block - high
++
++	eor	$acc_mb, $acc_mb, $rk4v.16b				@ GHASH final-1 block - mid
++.L256_dec_blocks_less_than_1:						@ blocks left <= 1
++
++	ld1	{ $rk0}, [$output_ptr]					@ load existing bytes where the possibly partial last block is to be stored
++	mvn	$temp0_x, xzr						@ temp0_x = 0xffffffffffffffff
++	and	$bit_length, $bit_length, #127				@ bit_length %= 128
++
++	sub	$bit_length, $bit_length, #128				@ bit_length -= 128
++	rev32	$rtmp_ctr.16b, $rtmp_ctr.16b
++	str	$rtmp_ctrq, [$counter]					@ store the updated counter
++
++	neg	$bit_length, $bit_length				@ bit_length = 128 - #bits in input (in range [1,128])
++
++	and	$bit_length, $bit_length, #127			 	@ bit_length %= 128
++
++	lsr	$temp0_x, $temp0_x, $bit_length				@ temp0_x is mask for top 64b of last block
++	cmp	$bit_length, #64
++	mvn	$temp1_x, xzr						@ temp1_x = 0xffffffffffffffff
++
++	csel	$temp3_x, $temp0_x, xzr, lt
++	csel	$temp2_x, $temp1_x, $temp0_x, lt
++
++	mov	$ctr0.d[0], $temp2_x					@ ctr0b is mask for last block
++	mov	$ctr0.d[1], $temp3_x
++
++	and	$res1b, $res1b, $ctr0b					@ possibly partial last block has zeroes in highest bits
++	ldr	$h1q, [$current_tag, #32]				@ load h1l | h1h
++	ext     $h1.16b, $h1.16b, $h1.16b, #8
++	bif	$res4b, $rk0, $ctr0b					@ insert existing bytes in top end of result before storing
++
++	rev64	$res0b, $res1b						@ GHASH final block
++
++	eor	$res0b, $res0b, $t0.16b					@ feed in partial tag
++
++	ins	$t0.d[0], $res0.d[1]					@ GHASH final block - mid
++	pmull2  $rk2q1, $res0.2d, $h1.2d				@ GHASH final block - high
++
++	eor	$t0.8b, $t0.8b, $res0.8b				@ GHASH final block - mid
++
++	pmull	$rk3q1, $res0.1d, $h1.1d				@ GHASH final block - low
++	eor	$acc_hb, $acc_hb, $rk2					@ GHASH final block - high
++
++	pmull	$t0.1q, $t0.1d, $h12k.1d				@ GHASH final block - mid
++
++	eor	$acc_mb, $acc_mb, $t0.16b				@ GHASH final block - mid
++	ldr	$mod_constantd, [$modulo_constant]			@ MODULO - load modulo constant
++	eor	$acc_lb, $acc_lb, $rk3					@ GHASH final block - low
++
++	pmull	$t11.1q, $acc_h.1d, $mod_constant.1d		 	@ MODULO - top 64b align with mid
++	eor	$t10.16b, $acc_hb, $acc_lb				@ MODULO - karatsuba tidy up
++
++	ext	$acc_hb, $acc_hb, $acc_hb, #8				@ MODULO - other top alignment
++	st1	{ $res4b}, [$output_ptr]				@ store all 16B
++
++	eor	$acc_mb, $acc_mb, $t10.16b				@ MODULO - karatsuba tidy up
++
++	eor	$t11.16b, $acc_hb, $t11.16b				@ MODULO - fold into mid
++	eor	$acc_mb, $acc_mb, $t11.16b				@ MODULO - fold into mid
++
++	pmull	$acc_h.1q, $acc_m.1d, $mod_constant.1d			@ MODULO - mid 64b align with low
++
++	ext	$acc_mb, $acc_mb, $acc_mb, #8				@ MODULO - other mid alignment
++	eor	$acc_lb, $acc_lb, $acc_hb				@ MODULO - fold into low
++
++	eor	$acc_lb, $acc_lb, $acc_mb				@ MODULO - fold into low
++	ext	$acc_lb, $acc_lb, $acc_lb, #8
++	rev64	$acc_lb, $acc_lb
++	st1	{ $acc_l.16b }, [$current_tag]
++	lsr	x0, $bit_length, #3					@ return sizes
++
++        ldp     d10, d11, [sp, #16]
++	ldp     d12, d13, [sp, #32]
++	ldp     d14, d15, [sp, #48]
++	ldp     d8, d9, [sp], #80
++	ret
++
++.L256_dec_ret:
++	mov w0, #0x0
++	ret
++.size unroll8_eor3_aes_gcm_dec_256_kernel,.-unroll8_eor3_aes_gcm_dec_256_kernel
++___
++}
++}
++
++$code.=<<___;
++.asciz  "AES GCM module for ARMv8, SPDX BSD-3-Clause by <xiaokang.qian\@arm.com>"
++.align  2
++#endif
++___
++
++{
++    my  %opcode = (
++    "rax1"    => 0xce608c00,    "eor3"    => 0xce000000,
++    "bcax"    => 0xce200000,    "xar"    => 0xce800000    );
++
++    sub unsha3 {
++         my ($mnemonic,$arg)=@_;
++
++         $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv]([0-9]+)[^,]*(?:,\s*[qv#]([0-9\-]+))?)?/
++         &&
++         sprintf ".inst\t0x%08x\t//%s %s",
++            $opcode{$mnemonic}|$1|($2<<5)|($3<<16)|(eval($4)<<10),
++            $mnemonic,$arg;
++    }
++    sub unvmov {
++        my $arg=shift;
++
++        $arg =~ m/q([0-9]+)#(lo|hi),\s*q([0-9]+)#(lo|hi)/o &&
++        sprintf "ins    v%d.d[%d],v%d.d[%d]",$1<8?$1:$1+8,($2 eq "lo")?0:1,
++                             $3<8?$3:$3+8,($4 eq "lo")?0:1;
++    }
++
++     foreach(split("\n",$code)) {
++        s/@\s/\/\//o;               # old->new style commentary
++        s/\`([^\`]*)\`/eval($1)/ge;
++
++        m/\bld1r\b/ and s/\.16b/.2d/g    or
++        s/\b(eor3|rax1|xar|bcax)\s+(v.*)/unsha3($1,$2)/ge;
++        print $_,"\n";
++     }
++}
++
++close STDOUT or die "error closing STDOUT: $!"; # enforce flush
+Index: openssl-1.1.1l/crypto/modes/asm/ghashv8-armx.pl
+===================================================================
+--- openssl-1.1.1l.orig/crypto/modes/asm/ghashv8-armx.pl
++++ openssl-1.1.1l/crypto/modes/asm/ghashv8-armx.pl
+@@ -141,6 +141,7 @@ gcm_init_v8:
+ ___
+ if ($flavour =~ /64/) {
+ my ($t3,$Yl,$Ym,$Yh) = map("q$_",(4..7));
++my ($H3,$H34k,$H4,$H5,$H56k,$H6,$H7,$H78k,$H8) = map("q$_",(15..23));
+ 
+ $code.=<<___;
+ 	@ calculate H^3 and H^4
+@@ -175,15 +176,103 @@ $code.=<<___;
+ 	 vpmull.p64	$Yl,$Yl,$xC2
+ 	veor		$t2,$t2,$Xh
+ 	 veor		$t3,$t3,$Yh
+-	veor		$H, $Xl,$t2		@ H^3
+-	 veor		$H2,$Yl,$t3		@ H^4
++	veor		$H3, $Xl,$t2		@ H^3
++	 veor		$H4,$Yl,$t3		@ H^4
+ 
+-	vext.8		$t0,$H, $H,#8		@ Karatsuba pre-processing
+-	 vext.8		$t1,$H2,$H2,#8
+-	veor		$t0,$t0,$H
+-	 veor		$t1,$t1,$H2
+-	vext.8		$Hhl,$t0,$t1,#8		@ pack Karatsuba pre-processed
+-	vst1.64		{$H-$H2},[x0]		@ store Htable[3..5]
++	vext.8		$t0,$H3, $H3,#8		@ Karatsuba pre-processing
++	 vext.8		$t1,$H4,$H4,#8
++	 vext.8		$t2,$H2,$H2,#8
++	veor		$t0,$t0,$H3
++	 veor		$t1,$t1,$H4
++	 veor		$t2,$t2,$H2
++	vext.8		$H34k,$t0,$t1,#8		@ pack Karatsuba pre-processed
++	vst1.64		{$H3-$H4},[x0],#48		@ store Htable[3..5]
++
++	@ calculate H^5 and H^6
++	vpmull.p64	$Xl,$H2, $H3
++	 vpmull.p64	$Yl,$H3,$H3
++	vpmull2.p64	$Xh,$H2, $H3
++	 vpmull2.p64	$Yh,$H3,$H3
++	vpmull.p64	$Xm,$t0,$t2
++	 vpmull.p64	$Ym,$t0,$t0
++
++	vext.8		$t0,$Xl,$Xh,#8		@ Karatsuba post-processing
++	 vext.8		$t1,$Yl,$Yh,#8
++	veor		$t2,$Xl,$Xh
++	veor		$Xm,$Xm,$t0
++	 veor		$t3,$Yl,$Yh
++	 veor		$Ym,$Ym,$t1
++	veor		$Xm,$Xm,$t2
++	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase
++	 veor		$Ym,$Ym,$t3
++	 vpmull.p64	$t3,$Yl,$xC2
++
++	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
++	 vmov		$Yh#lo,$Ym#hi
++	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
++	 vmov		$Ym#hi,$Yl#lo
++	veor		$Xl,$Xm,$t2
++	 veor		$Yl,$Ym,$t3
++
++	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase
++	 vext.8		$t3,$Yl,$Yl,#8
++	vpmull.p64	$Xl,$Xl,$xC2
++	 vpmull.p64	$Yl,$Yl,$xC2
++	veor		$t2,$t2,$Xh
++	 veor		$t3,$t3,$Yh
++	veor		$H5,$Xl,$t2		@ H^5
++	 veor		$H6,$Yl,$t3		@ H^6
++
++	vext.8		$t0,$H5, $H5,#8		@ Karatsuba pre-processing
++	 vext.8		$t1,$H6,$H6,#8
++	 vext.8		$t2,$H2,$H2,#8
++	veor		$t0,$t0,$H5
++	 veor		$t1,$t1,$H6
++	 veor		$t2,$t2,$H2
++	vext.8		$H56k,$t0,$t1,#8		@ pack Karatsuba pre-processed
++	vst1.64		{$H5-$H6},[x0],#48		@ store Htable[6..8]
++
++	@ calculate H^7 and H^8
++	vpmull.p64	$Xl,$H2,$H5
++	 vpmull.p64	$Yl,$H2,$H6
++	vpmull2.p64	$Xh,$H2,$H5
++	 vpmull2.p64	$Yh,$H2,$H6
++	vpmull.p64	$Xm,$t0,$t2
++	 vpmull.p64	$Ym,$t1,$t2
++
++	vext.8		$t0,$Xl,$Xh,#8		@ Karatsuba post-processing
++	 vext.8		$t1,$Yl,$Yh,#8
++	veor		$t2,$Xl,$Xh
++	veor		$Xm,$Xm,$t0
++	 veor		$t3,$Yl,$Yh
++	 veor		$Ym,$Ym,$t1
++	veor		$Xm,$Xm,$t2
++	vpmull.p64	$t2,$Xl,$xC2		@ 1st phase
++	 veor		$Ym,$Ym,$t3
++	 vpmull.p64	$t3,$Yl,$xC2
++
++	vmov		$Xh#lo,$Xm#hi		@ Xh|Xm - 256-bit result
++	 vmov		$Yh#lo,$Ym#hi
++	vmov		$Xm#hi,$Xl#lo		@ Xm is rotated Xl
++	 vmov		$Ym#hi,$Yl#lo
++	veor		$Xl,$Xm,$t2
++	 veor		$Yl,$Ym,$t3
++
++	vext.8		$t2,$Xl,$Xl,#8		@ 2nd phase
++	 vext.8		$t3,$Yl,$Yl,#8
++	vpmull.p64	$Xl,$Xl,$xC2
++	 vpmull.p64	$Yl,$Yl,$xC2
++	veor		$t2,$t2,$Xh
++	 veor		$t3,$t3,$Yh
++	veor		$H7,$Xl,$t2		@ H^7
++	 veor		$H8,$Yl,$t3		@ H^8
++
++	vext.8		$t0,$H7,$H7,#8		@ Karatsuba pre-processing
++	 vext.8		$t1,$H8,$H8,#8
++	veor		$t0,$t0,$H7
++	 veor		$t1,$t1,$H8
++	vext.8		$H78k,$t0,$t1,#8		@ pack Karatsuba pre-processed
++	vst1.64		{$H7-$H8},[x0]		@ store Htable[9..11]
+ ___
+ }
+ $code.=<<___;
+Index: openssl-1.1.1l/crypto/modes/build.info
+===================================================================
+--- openssl-1.1.1l.orig/crypto/modes/build.info
++++ openssl-1.1.1l/crypto/modes/build.info
+@@ -20,6 +20,8 @@ GENERATE[ghash-armv4.S]=asm/ghash-armv4.
+ INCLUDE[ghash-armv4.o]=..
+ GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl $(PERLASM_SCHEME)
+ INCLUDE[ghashv8-armx.o]=..
++GENERATE[aes-gcm-armv8-unroll8_64.S]=asm/aes-gcm-armv8-unroll8_64.pl $(PERLASM_SCHEME)
++INCLUDE[aes-gcm-armv8-unroll8_64.o]=..
+ GENERATE[ghash-s390x.S]=asm/ghash-s390x.pl $(PERLASM_SCHEME)
+ INCLUDE[ghash-s390x.o]=..
+ 
diff --git a/openssl-1_1-Optimize-AES-XTS-aarch64.patch b/openssl-1_1-Optimize-AES-XTS-aarch64.patch
new file mode 100644
index 0000000..2630902
--- /dev/null
+++ b/openssl-1_1-Optimize-AES-XTS-aarch64.patch
@@ -0,0 +1,1616 @@
+From 9ce8e0d17e608de4f85f7543c52b146e3c6a2291 Mon Sep 17 00:00:00 2001
+From: XiaokangQian <xiaokang.qian@arm.com>
+Date: Fri, 13 Mar 2020 03:27:34 +0000
+Subject: [PATCH] Optimize AES-XTS mode in OpenSSL for aarch64
+
+Aes-xts mode can be optimized by interleaving cipher operation on
+several blocks and loop unrolling. Interleaving needs one ideal
+unrolling factor, here we adopt the same factor with aes-cbc,
+which is described as below:
+	If blocks number > 5, select 5 blocks as one iteration,every
+	loop, decrease the blocks number by 5.
+	If left blocks < 5, treat them as tail blocks.
+Detailed implementation has a little adjustment for squeezing
+code space.
+With this way, for small size such as 16 bytes, the performance is
+similar as before, but for big size such as 16k bytes, the performance
+improves a lot, even reaches to 2x uplift, for some arches such as A57,
+the improvement even reaches more than 2x uplift. We collect many
+performance datas on different micro-archs such as thunderx2,
+ampere-emag, a72, a75, a57, a53 and N1, all of which reach 0.5-2x uplift.
+The following table lists the encryption performance data on aarch64,
+take a72, a75, a57, a53 and N1 as examples. Performance value takes the
+unit of cycles per byte, takes the format as comparision of values.
+List them as below:
+
+A72:
+                            Before optimization     After optimization  Improve
+evp-aes-128-xts@16          8.899913518             5.949087263         49.60%
+evp-aes-128-xts@64          4.525512668             3.389141845         33.53%
+evp-aes-128-xts@256         3.502906908             1.633573479         114.43%
+evp-aes-128-xts@1024        3.174210419             1.155952639         174.60%
+evp-aes-128-xts@8192        3.053019303             1.028134888         196.95%
+evp-aes-128-xts@16384       3.025292462             1.02021169          196.54%
+evp-aes-256-xts@16          9.971105023             6.754233758         47.63%
+evp-aes-256-xts@64          4.931479093             3.786527393         30.24%
+evp-aes-256-xts@256         3.746788153             1.943975947         92.74%
+evp-aes-256-xts@1024        3.401743802             1.477394648         130.25%
+evp-aes-256-xts@8192        3.278769327             1.32950421          146.62%
+evp-aes-256-xts@16384       3.27093296              1.325276257         146.81%
+
+A75:
+                            Before optimization     After optimization  Improve
+evp-aes-128-xts@16          8.397965173             5.126839098         63.80%
+evp-aes-128-xts@64          4.176860631             2.59817764          60.76%
+evp-aes-128-xts@256         3.069126585             1.284561028         138.92%
+evp-aes-128-xts@1024        2.805962699             0.932754655         200.83%
+evp-aes-128-xts@8192        2.725820131             0.829820397         228.48%
+evp-aes-128-xts@16384       2.71521905              0.823251591         229.82%
+evp-aes-256-xts@16          11.24790935             7.383914448         52.33%
+evp-aes-256-xts@64          5.294128847             3.048641998         73.66%
+evp-aes-256-xts@256         3.861649617             1.570359905         145.91%
+evp-aes-256-xts@1024        3.537646797             1.200493533         194.68%
+evp-aes-256-xts@8192        3.435353012             1.085345319         216.52%
+evp-aes-256-xts@16384       3.437952563             1.097963822         213.12%
+
+A57:
+                            Before optimization     After optimization  Improve
+evp-aes-128-xts@16          10.57455446             7.165438012         47.58%
+evp-aes-128-xts@64          5.418185447             3.721241202         45.60%
+evp-aes-128-xts@256         3.855184592             1.747145379         120.66%
+evp-aes-128-xts@1024        3.477199757             1.253049735         177.50%
+evp-aes-128-xts@8192        3.36768104              1.091943159         208.41%
+evp-aes-128-xts@16384       3.360373443             1.088942789         208.59%
+evp-aes-256-xts@16          12.54559459             8.745489036         43.45%
+evp-aes-256-xts@64          6.542808937             4.326387568         51.23%
+evp-aes-256-xts@256         4.62668822              2.119908754         118.25%
+evp-aes-256-xts@1024        4.161716505             1.557335554         167.23%
+evp-aes-256-xts@8192        4.032462227             1.377749511         192.68%
+evp-aes-256-xts@16384       4.023293877             1.371558933         193.34%
+
+A53:
+                            Before optimization     After optimization  Improve
+evp-aes-128-xts@16          18.07842135             13.96980808         29.40%
+evp-aes-128-xts@64          7.933818397             6.07159276          30.70%
+evp-aes-128-xts@256         5.264604704             2.611155744         101.60%
+evp-aes-128-xts@1024        4.606660117             1.722713454         167.40%
+evp-aes-128-xts@8192        4.405160115             1.454379201         202.90%
+evp-aes-128-xts@16384       4.401592028             1.442279392         205.20%
+evp-aes-256-xts@16          20.07084054             16.00803726         25.40%
+evp-aes-256-xts@64          9.192647294             6.883876732         33.50%
+evp-aes-256-xts@256         6.336143161             3.108140452         103.90%
+evp-aes-256-xts@1024        5.62502952              2.097960651         168.10%
+evp-aes-256-xts@8192        5.412085608             1.807294191         199.50%
+evp-aes-256-xts@16384       5.403062591             1.790135764         201.80%
+
+N1:
+                            Before optimization     After optimization  Improve
+evp-aes-128-xts@16          6.48147613              4.209415473         53.98%
+evp-aes-128-xts@64          2.847744115             1.950757468         45.98%
+evp-aes-128-xts@256         2.085711968             1.061903238         96.41%
+evp-aes-128-xts@1024        1.842014669             0.798486302         130.69%
+evp-aes-128-xts@8192        1.760449052             0.713853939         146.61%
+evp-aes-128-xts@16384       1.760763546             0.707702009         148.80%
+evp-aes-256-xts@16          7.264142817             5.265970454         37.94%
+evp-aes-256-xts@64          3.251356212             2.41176323          34.81%
+evp-aes-256-xts@256         2.380488469             1.342095742         77.37%
+evp-aes-256-xts@1024        2.08853022              1.041718215         100.49%
+evp-aes-256-xts@8192        2.027432668             0.944571334         114.64%
+evp-aes-256-xts@16384       2.00740782              0.941991415         113.10%
+
+Add more XTS test cases to cover the cipher stealing mode and cases of different
+number of blocks.
+
+CustomizedGitHooks: yes
+Change-Id: I93ee31b2575e1413764e27b599af62994deb4c96
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
+(Merged from https://github.com/openssl/openssl/pull/11399)
+---
+ crypto/aes/asm/aesv8-armx.pl                  | 1426 +++++++++++++++++
+ include/crypto/aes_platform.h                 |    4 +
+ .../30-test_evp_data/evpciph_aes_common.txt   |   38 +
+ 3 files changed, 1468 insertions(+)
+
+Index: openssl-1.1.1d/crypto/aes/asm/aesv8-armx.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/aes/asm/aesv8-armx.pl
++++ openssl-1.1.1d/crypto/aes/asm/aesv8-armx.pl
+@@ -897,6 +897,1432 @@ $code.=<<___;
+ .size	${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
+ ___
+ }}}
++# Performance in cycles per byte.
++# Processed with AES-XTS different key size.
++# It shows the value before and after optimization as below:
++# (before/after):
++#
++#		AES-128-XTS		AES-256-XTS
++# Cortex-A57	3.36/1.09		4.02/1.37
++# Cortex-A72	3.03/1.02		3.28/1.33
++
++# Optimization is implemented by loop unrolling and interleaving.
++# Commonly, we choose the unrolling factor as 5, if the input
++# data size smaller than 5 blocks, but not smaller than 3 blocks,
++# choose 3 as the unrolling factor.
++# If the input data size dsize >= 5*16 bytes, then take 5 blocks
++# as one iteration, every loop the left size lsize -= 5*16.
++# If lsize < 5*16 bytes, treat them as the tail. Note: left 4*16 bytes
++# will be processed specially, which be integrated into the 5*16 bytes
++# loop to improve the efficiency.
++# There is one special case, if the original input data size dsize
++# = 16 bytes, we will treat it seperately to improve the
++# performance: one independent code block without LR, FP load and
++# store.
++# Encryption will process the (length -tailcnt) bytes as mentioned
++# previously, then encrypt the composite block as last second
++# cipher block.
++# Decryption will process the (length -tailcnt -1) bytes as mentioned
++# previously, then decrypt the last second cipher block to get the
++# last plain block(tail), decrypt the composite block as last second
++# plain text block.
++
++{{{
++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5));
++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10");
++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20");
++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19");
++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11");
++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7));
++my ($iv0,$iv1,$iv2,$iv3,$iv4)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b");
++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]");
++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]");
++
++my ($tmpin)=("v26.16b");
++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
++
++# q7	last round key
++# q10-q15, q7	Last 7 round keys
++# q8-q9	preloaded round keys except last 7 keys for big size
++# q20, q21, q8-q9	preloaded round keys except last 7 keys for only 16 byte
++
++
++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
++
++my ($dat3,$in3,$tmp3);	# used only in 64-bit mode
++my ($dat4,$in4,$tmp4);
++if ($flavour =~ /64/) {
++    ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
++}
++
++$code.=<<___	if ($flavour =~ /64/);
++.globl	${prefix}_xts_encrypt
++.type	${prefix}_xts_encrypt,%function
++.align	5
++${prefix}_xts_encrypt:
++___
++$code.=<<___	if ($flavour =~ /64/);
++	cmp	$len,#16
++	// Original input data size bigger than 16, jump to big size processing.
++	b.ne	.Lxts_enc_big_size
++	// Encrypt the iv with key2, as the first XEX iv.
++	ldr	$rounds,[$key2,#240]
++	vld1.8	{$dat},[$key2],#16
++	vld1.8	{$iv0},[$ivp]
++	sub	$rounds,$rounds,#2
++	vld1.8	{$dat1},[$key2],#16
++
++.Loop_enc_iv_enc:
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2],#16
++	subs	$rounds,$rounds,#2
++	aese	$iv0,$dat1
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat1},[$key2],#16
++	b.gt	.Loop_enc_iv_enc
++
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2]
++	aese	$iv0,$dat1
++	veor	$iv0,$iv0,$dat
++
++	vld1.8	{$dat0},[$inp]
++	veor	$dat0,$iv0,$dat0
++
++	ldr	$rounds,[$key1,#240]
++	vld1.32	{q20-q21},[$key1],#32		// load key schedule...
++
++	aese	$dat0,q20
++	aesmc	$dat0,$dat0
++	vld1.32	{q8-q9},[$key1],#32		// load key schedule...
++	aese	$dat0,q21
++	aesmc	$dat0,$dat0
++	subs	$rounds,$rounds,#10		// if rounds==10, jump to aes-128-xts processing
++	b.eq	.Lxts_128_enc
++.Lxts_enc_round_loop:
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	vld1.32	{q8},[$key1],#16		// load key schedule...
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	vld1.32	{q9},[$key1],#16		// load key schedule...
++	subs	$rounds,$rounds,#2		// bias
++	b.gt	.Lxts_enc_round_loop
++.Lxts_128_enc:
++	vld1.32	{q10-q11},[$key1],#32		// load key schedule...
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	vld1.32	{q12-q13},[$key1],#32		// load key schedule...
++	aese	$dat0,q10
++	aesmc	$dat0,$dat0
++	aese	$dat0,q11
++	aesmc	$dat0,$dat0
++	vld1.32	{q14-q15},[$key1],#32		// load key schedule...
++	aese	$dat0,q12
++	aesmc	$dat0,$dat0
++	aese	$dat0,q13
++	aesmc	$dat0,$dat0
++	vld1.32	{$rndlast},[$key1]
++	aese	$dat0,q14
++	aesmc	$dat0,$dat0
++	aese	$dat0,q15
++	veor	$dat0,$dat0,$rndlast
++	veor	$dat0,$dat0,$iv0
++	vst1.8	{$dat0},[$out]
++	b	.Lxts_enc_final_abort
++
++.align	4
++.Lxts_enc_big_size:
++___
++$code.=<<___	if ($flavour =~ /64/);
++	stp	$constnumx,$tmpinp,[sp,#-64]!
++	stp	$tailcnt,$midnumx,[sp,#48]
++	stp	$ivd10,$ivd20,[sp,#32]
++	stp	$ivd30,$ivd40,[sp,#16]
++
++	// tailcnt store the tail value of length%16.
++	and	$tailcnt,$len,#0xf
++	and	$len,$len,#-16
++	subs	$len,$len,#16
++	mov	$step,#16
++	b.lo	.Lxts_abort
++	csel	$step,xzr,$step,eq
++
++	// Firstly, encrypt the iv with key2, as the first iv of XEX.
++	ldr	$rounds,[$key2,#240]
++	vld1.32	{$dat},[$key2],#16
++	vld1.8	{$iv0},[$ivp]
++	sub	$rounds,$rounds,#2
++	vld1.32	{$dat1},[$key2],#16
++
++.Loop_iv_enc:
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2],#16
++	subs	$rounds,$rounds,#2
++	aese	$iv0,$dat1
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat1},[$key2],#16
++	b.gt	.Loop_iv_enc
++
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2]
++	aese	$iv0,$dat1
++	veor	$iv0,$iv0,$dat
++
++	// The iv for second block
++	// $ivl- iv(low), $ivh - iv(high)
++	// the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4
++	fmov	$ivl,$ivd00
++	fmov	$ivh,$ivd01
++	mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd10,$ivl
++	fmov	$ivd11,$ivh
++
++	ldr	$rounds0,[$key1,#240]		// next starting point
++	vld1.8	{$dat},[$inp],$step
++
++	vld1.32	{q8-q9},[$key1]			// load key schedule...
++	sub	$rounds0,$rounds0,#6
++	add	$key_,$key1,$ivp,lsl#4		// pointer to last 7 round keys
++	sub	$rounds0,$rounds0,#2
++	vld1.32	{q10-q11},[$key_],#32
++	vld1.32	{q12-q13},[$key_],#32
++	vld1.32	{q14-q15},[$key_],#32
++	vld1.32	{$rndlast},[$key_]
++
++	add	$key_,$key1,#32
++	mov	$rounds,$rounds0
++
++	// Encryption
++.Lxts_enc:
++	vld1.8	{$dat2},[$inp],#16
++	subs	$len,$len,#32			// bias
++	add	$rounds,$rounds0,#2
++	vorr	$in1,$dat,$dat
++	vorr	$dat1,$dat,$dat
++	vorr	$in3,$dat,$dat
++	vorr	$in2,$dat2,$dat2
++	vorr	$in4,$dat2,$dat2
++	b.lo	.Lxts_inner_enc_tail
++	veor	$dat,$dat,$iv0			// before encryption, xor with iv
++	veor	$dat2,$dat2,$iv1
++
++	// The iv for third block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd20,$ivl
++	fmov	$ivd21,$ivh
++
++
++	vorr	$dat1,$dat2,$dat2
++	vld1.8	{$dat2},[$inp],#16
++	vorr	$in0,$dat,$dat
++	vorr	$in1,$dat1,$dat1
++	veor	$in2,$dat2,$iv2 		// the third block
++	veor	$dat2,$dat2,$iv2
++	cmp	$len,#32
++	b.lo	.Lxts_outer_enc_tail
++
++	// The iv for fourth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd30,$ivl
++	fmov	$ivd31,$ivh
++
++	vld1.8	{$dat3},[$inp],#16
++	// The iv for fifth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd40,$ivl
++	fmov	$ivd41,$ivh
++
++	vld1.8	{$dat4},[$inp],#16
++	veor	$dat3,$dat3,$iv3		// the fourth block
++	veor	$dat4,$dat4,$iv4
++	sub	$len,$len,#32			// bias
++	mov	$rounds,$rounds0
++	b	.Loop5x_xts_enc
++
++.align	4
++.Loop5x_xts_enc:
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	aese	$dat3,q8
++	aesmc	$dat3,$dat3
++	aese	$dat4,q8
++	aesmc	$dat4,$dat4
++	vld1.32	{q8},[$key_],#16
++	subs	$rounds,$rounds,#2
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	aese	$dat3,q9
++	aesmc	$dat3,$dat3
++	aese	$dat4,q9
++	aesmc	$dat4,$dat4
++	vld1.32	{q9},[$key_],#16
++	b.gt	.Loop5x_xts_enc
++
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	aese	$dat3,q8
++	aesmc	$dat3,$dat3
++	aese	$dat4,q8
++	aesmc	$dat4,$dat4
++	subs	$len,$len,#0x50			// because .Lxts_enc_tail4x
++
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	aese	$dat3,q9
++	aesmc	$dat3,$dat3
++	aese	$dat4,q9
++	aesmc	$dat4,$dat4
++	csel	$xoffset,xzr,$len,gt		// borrow x6, w6, "gt" is not typo
++	mov	$key_,$key1
++
++	aese	$dat0,q10
++	aesmc	$dat0,$dat0
++	aese	$dat1,q10
++	aesmc	$dat1,$dat1
++	aese	$dat2,q10
++	aesmc	$dat2,$dat2
++	aese	$dat3,q10
++	aesmc	$dat3,$dat3
++	aese	$dat4,q10
++	aesmc	$dat4,$dat4
++	add	$inp,$inp,$xoffset		// x0 is adjusted in such way that
++						// at exit from the loop v1.16b-v26.16b
++						// are loaded with last "words"
++	add	$xoffset,$len,#0x60		// because .Lxts_enc_tail4x
++
++	aese	$dat0,q11
++	aesmc	$dat0,$dat0
++	aese	$dat1,q11
++	aesmc	$dat1,$dat1
++	aese	$dat2,q11
++	aesmc	$dat2,$dat2
++	aese	$dat3,q11
++	aesmc	$dat3,$dat3
++	aese	$dat4,q11
++	aesmc	$dat4,$dat4
++
++	aese	$dat0,q12
++	aesmc	$dat0,$dat0
++	aese	$dat1,q12
++	aesmc	$dat1,$dat1
++	aese	$dat2,q12
++	aesmc	$dat2,$dat2
++	aese	$dat3,q12
++	aesmc	$dat3,$dat3
++	aese	$dat4,q12
++	aesmc	$dat4,$dat4
++
++	aese	$dat0,q13
++	aesmc	$dat0,$dat0
++	aese	$dat1,q13
++	aesmc	$dat1,$dat1
++	aese	$dat2,q13
++	aesmc	$dat2,$dat2
++	aese	$dat3,q13
++	aesmc	$dat3,$dat3
++	aese	$dat4,q13
++	aesmc	$dat4,$dat4
++
++	aese	$dat0,q14
++	aesmc	$dat0,$dat0
++	aese	$dat1,q14
++	aesmc	$dat1,$dat1
++	aese	$dat2,q14
++	aesmc	$dat2,$dat2
++	aese	$dat3,q14
++	aesmc	$dat3,$dat3
++	aese	$dat4,q14
++	aesmc	$dat4,$dat4
++
++	veor	$tmp0,$rndlast,$iv0
++	aese	$dat0,q15
++	// The iv for first block of one iteration
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	veor	$tmp1,$rndlast,$iv1
++	vld1.8	{$in0},[$inp],#16
++	aese	$dat1,q15
++	// The iv for second block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd10,$ivl
++	fmov	$ivd11,$ivh
++	veor	$tmp2,$rndlast,$iv2
++	vld1.8	{$in1},[$inp],#16
++	aese	$dat2,q15
++	// The iv for third block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd20,$ivl
++	fmov	$ivd21,$ivh
++	veor	$tmp3,$rndlast,$iv3
++	vld1.8	{$in2},[$inp],#16
++	aese	$dat3,q15
++	// The iv for fourth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd30,$ivl
++	fmov	$ivd31,$ivh
++	veor	$tmp4,$rndlast,$iv4
++	vld1.8	{$in3},[$inp],#16
++	aese	$dat4,q15
++
++	// The iv for fifth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd40,$ivl
++	fmov	$ivd41,$ivh
++
++	vld1.8	{$in4},[$inp],#16
++	cbz	$xoffset,.Lxts_enc_tail4x
++	vld1.32 {q8},[$key_],#16		// re-pre-load rndkey[0]
++	veor	$tmp0,$tmp0,$dat0
++	veor	$dat0,$in0,$iv0
++	veor	$tmp1,$tmp1,$dat1
++	veor	$dat1,$in1,$iv1
++	veor	$tmp2,$tmp2,$dat2
++	veor	$dat2,$in2,$iv2
++	veor	$tmp3,$tmp3,$dat3
++	veor	$dat3,$in3,$iv3
++	veor	$tmp4,$tmp4,$dat4
++	vst1.8	{$tmp0},[$out],#16
++	veor	$dat4,$in4,$iv4
++	vst1.8	{$tmp1},[$out],#16
++	mov	$rounds,$rounds0
++	vst1.8	{$tmp2},[$out],#16
++	vld1.32	{q9},[$key_],#16		// re-pre-load rndkey[1]
++	vst1.8	{$tmp3},[$out],#16
++	vst1.8	{$tmp4},[$out],#16
++	b.hs	.Loop5x_xts_enc
++
++
++	// If left 4 blocks, borrow the five block's processing.
++	cmn	$len,#0x10
++	b.ne	.Loop5x_enc_after
++	vorr	$iv4,$iv3,$iv3
++	vorr	$iv3,$iv2,$iv2
++	vorr	$iv2,$iv1,$iv1
++	vorr	$iv1,$iv0,$iv0
++	fmov	$ivl,$ivd40
++	fmov	$ivh,$ivd41
++	veor	$dat0,$iv0,$in0
++	veor	$dat1,$iv1,$in1
++	veor	$dat2,$in2,$iv2
++	veor	$dat3,$in3,$iv3
++	veor	$dat4,$in4,$iv4
++	b.eq	.Loop5x_xts_enc
++
++.Loop5x_enc_after:
++	add	$len,$len,#0x50
++	cbz	$len,.Lxts_enc_done
++
++	add	$rounds,$rounds0,#2
++	subs	$len,$len,#0x30
++	b.lo	.Lxts_inner_enc_tail
++
++	veor	$dat0,$iv0,$in2
++	veor	$dat1,$iv1,$in3
++	veor	$dat2,$in4,$iv2
++	b	.Lxts_outer_enc_tail
++
++.align	4
++.Lxts_enc_tail4x:
++	add	$inp,$inp,#16
++	veor	$tmp1,$dat1,$tmp1
++	vst1.8	{$tmp1},[$out],#16
++	veor	$tmp2,$dat2,$tmp2
++	vst1.8	{$tmp2},[$out],#16
++	veor	$tmp3,$dat3,$tmp3
++	veor	$tmp4,$dat4,$tmp4
++	vst1.8	{$tmp3-$tmp4},[$out],#32
++
++	b	.Lxts_enc_done
++.align	4
++.Lxts_outer_enc_tail:
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	vld1.32	{q8},[$key_],#16
++	subs	$rounds,$rounds,#2
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	vld1.32	{q9},[$key_],#16
++	b.gt	.Lxts_outer_enc_tail
++
++	aese	$dat0,q8
++	aesmc	$dat0,$dat0
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	veor	$tmp0,$iv0,$rndlast
++	subs	$len,$len,#0x30
++	// The iv for first block
++	fmov	$ivl,$ivd20
++	fmov	$ivh,$ivd21
++	//mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr#31
++	eor	$ivl,$tmpmx,$ivl,lsl#1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	veor	$tmp1,$iv1,$rndlast
++	csel	$xoffset,$len,$xoffset,lo       // x6, w6, is zero at this point
++	aese	$dat0,q9
++	aesmc	$dat0,$dat0
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	veor	$tmp2,$iv2,$rndlast
++
++	add	$xoffset,$xoffset,#0x20
++	add	$inp,$inp,$xoffset
++	mov	$key_,$key1
++
++	aese	$dat0,q12
++	aesmc	$dat0,$dat0
++	aese	$dat1,q12
++	aesmc	$dat1,$dat1
++	aese	$dat2,q12
++	aesmc	$dat2,$dat2
++	aese	$dat0,q13
++	aesmc	$dat0,$dat0
++	aese	$dat1,q13
++	aesmc	$dat1,$dat1
++	aese	$dat2,q13
++	aesmc	$dat2,$dat2
++	aese	$dat0,q14
++	aesmc	$dat0,$dat0
++	aese	$dat1,q14
++	aesmc	$dat1,$dat1
++	aese	$dat2,q14
++	aesmc	$dat2,$dat2
++	aese	$dat0,q15
++	aese	$dat1,q15
++	aese	$dat2,q15
++	vld1.8	{$in2},[$inp],#16
++	add	$rounds,$rounds0,#2
++	vld1.32	{q8},[$key_],#16                // re-pre-load rndkey[0]
++	veor	$tmp0,$tmp0,$dat0
++	veor	$tmp1,$tmp1,$dat1
++	veor	$dat2,$dat2,$tmp2
++	vld1.32	{q9},[$key_],#16                // re-pre-load rndkey[1]
++	vst1.8	{$tmp0},[$out],#16
++	vst1.8	{$tmp1},[$out],#16
++	vst1.8	{$dat2},[$out],#16
++	cmn	$len,#0x30
++	b.eq	.Lxts_enc_done
++.Lxts_encxor_one:
++	vorr	$in3,$in1,$in1
++	vorr	$in4,$in2,$in2
++	nop
++
++.Lxts_inner_enc_tail:
++	cmn	$len,#0x10
++	veor	$dat1,$in3,$iv0
++	veor	$dat2,$in4,$iv1
++	b.eq	.Lxts_enc_tail_loop
++	veor	$dat2,$in4,$iv0
++.Lxts_enc_tail_loop:
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	vld1.32	{q8},[$key_],#16
++	subs	$rounds,$rounds,#2
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	vld1.32	{q9},[$key_],#16
++	b.gt	.Lxts_enc_tail_loop
++
++	aese	$dat1,q8
++	aesmc	$dat1,$dat1
++	aese	$dat2,q8
++	aesmc	$dat2,$dat2
++	aese	$dat1,q9
++	aesmc	$dat1,$dat1
++	aese	$dat2,q9
++	aesmc	$dat2,$dat2
++	aese	$dat1,q12
++	aesmc	$dat1,$dat1
++	aese	$dat2,q12
++	aesmc	$dat2,$dat2
++	cmn	$len,#0x20
++	aese	$dat1,q13
++	aesmc	$dat1,$dat1
++	aese	$dat2,q13
++	aesmc	$dat2,$dat2
++	veor	$tmp1,$iv0,$rndlast
++	aese	$dat1,q14
++	aesmc	$dat1,$dat1
++	aese	$dat2,q14
++	aesmc	$dat2,$dat2
++	veor	$tmp2,$iv1,$rndlast
++	aese	$dat1,q15
++	aese	$dat2,q15
++	b.eq	.Lxts_enc_one
++	veor	$tmp1,$tmp1,$dat1
++	vst1.8	{$tmp1},[$out],#16
++	veor	$tmp2,$tmp2,$dat2
++	vorr	$iv0,$iv1,$iv1
++	vst1.8	{$tmp2},[$out],#16
++	fmov	$ivl,$ivd10
++	fmov	$ivh,$ivd11
++	mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	b	.Lxts_enc_done
++
++.Lxts_enc_one:
++	veor	$tmp1,$tmp1,$dat2
++	vorr	$iv0,$iv0,$iv0
++	vst1.8	{$tmp1},[$out],#16
++	fmov	$ivl,$ivd00
++	fmov	$ivh,$ivd01
++	mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	b	.Lxts_enc_done
++.align	5
++.Lxts_enc_done:
++	// Process the tail block with cipher stealing.
++	tst	$tailcnt,#0xf
++	b.eq	.Lxts_abort
++
++	mov	$tmpinp,$inp
++	mov	$tmpoutp,$out
++	sub	$out,$out,#16
++.composite_enc_loop:
++	subs	$tailcnt,$tailcnt,#1
++	ldrb	$l2outp,[$out,$tailcnt]
++	ldrb	$loutp,[$tmpinp,$tailcnt]
++	strb	$l2outp,[$tmpoutp,$tailcnt]
++	strb	$loutp,[$out,$tailcnt]
++	b.gt	.composite_enc_loop
++.Lxts_enc_load_done:
++	vld1.8	{$tmpin},[$out]
++	veor	$tmpin,$tmpin,$iv0
++
++	// Encrypt the composite block to get the last second encrypted text block
++	ldr	$rounds,[$key1,#240]		// load key schedule...
++	vld1.8	{$dat},[$key1],#16
++	sub	$rounds,$rounds,#2
++	vld1.8	{$dat1},[$key1],#16		// load key schedule...
++.Loop_final_enc:
++	aese	$tmpin,$dat0
++	aesmc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key1],#16
++	subs	$rounds,$rounds,#2
++	aese	$tmpin,$dat1
++	aesmc	$tmpin,$tmpin
++	vld1.32	{$dat1},[$key1],#16
++	b.gt	.Loop_final_enc
++
++	aese	$tmpin,$dat0
++	aesmc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key1]
++	aese	$tmpin,$dat1
++	veor	$tmpin,$tmpin,$dat0
++	veor	$tmpin,$tmpin,$iv0
++	vst1.8	{$tmpin},[$out]
++
++.Lxts_abort:
++	ldp	$tailcnt,$midnumx,[sp,#48]
++	ldp	$ivd10,$ivd20,[sp,#32]
++	ldp	$ivd30,$ivd40,[sp,#16]
++	ldp	$constnumx,$tmpinp,[sp],#64
++.Lxts_enc_final_abort:
++	ret
++.size	${prefix}_xts_encrypt,.-${prefix}_xts_encrypt
++___
++
++}}}
++{{{
++my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5));
++my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10");
++my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20");
++my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19");
++my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11");
++my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7));
++my ($iv0,$iv1,$iv2,$iv3,$iv4,$tmpin)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b","v26.16b");
++my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]");
++my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]");
++
++my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
++
++# q7	last round key
++# q10-q15, q7	Last 7 round keys
++# q8-q9	preloaded round keys except last 7 keys for big size
++# q20, q21, q8-q9	preloaded round keys except last 7 keys for only 16 byte
++
++{
++my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
++
++my ($dat3,$in3,$tmp3);	# used only in 64-bit mode
++my ($dat4,$in4,$tmp4);
++if ($flavour =~ /64/) {
++    ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
++}
++
++$code.=<<___	if ($flavour =~ /64/);
++.globl	${prefix}_xts_decrypt
++.type	${prefix}_xts_decrypt,%function
++.align	5
++${prefix}_xts_decrypt:
++___
++$code.=<<___	if ($flavour =~ /64/);
++	cmp	$len,#16
++	// Original input data size bigger than 16, jump to big size processing.
++	b.ne	.Lxts_dec_big_size
++	// Encrypt the iv with key2, as the first XEX iv.
++	ldr	$rounds,[$key2,#240]
++	vld1.8	{$dat},[$key2],#16
++	vld1.8	{$iv0},[$ivp]
++	sub	$rounds,$rounds,#2
++	vld1.8	{$dat1},[$key2],#16
++
++.Loop_dec_small_iv_enc:
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2],#16
++	subs	$rounds,$rounds,#2
++	aese	$iv0,$dat1
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat1},[$key2],#16
++	b.gt	.Loop_dec_small_iv_enc
++
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2]
++	aese	$iv0,$dat1
++	veor	$iv0,$iv0,$dat
++
++	vld1.8	{$dat0},[$inp]
++	veor	$dat0,$iv0,$dat0
++
++	ldr	$rounds,[$key1,#240]
++	vld1.32	{q20-q21},[$key1],#32			// load key schedule...
++
++	aesd	$dat0,q20
++	aesimc	$dat0,$dat0
++	vld1.32	{q8-q9},[$key1],#32			// load key schedule...
++	aesd	$dat0,q21
++	aesimc	$dat0,$dat0
++	subs	$rounds,$rounds,#10			// bias
++	b.eq	.Lxts_128_dec
++.Lxts_dec_round_loop:
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	vld1.32	{q8},[$key1],#16			// load key schedule...
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat0
++	vld1.32	{q9},[$key1],#16			// load key schedule...
++	subs	$rounds,$rounds,#2			// bias
++	b.gt	.Lxts_dec_round_loop
++.Lxts_128_dec:
++	vld1.32	{q10-q11},[$key1],#32			// load key schedule...
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat0
++	vld1.32	{q12-q13},[$key1],#32			// load key schedule...
++	aesd	$dat0,q10
++	aesimc	$dat0,$dat0
++	aesd	$dat0,q11
++	aesimc	$dat0,$dat0
++	vld1.32	{q14-q15},[$key1],#32			// load key schedule...
++	aesd	$dat0,q12
++	aesimc	$dat0,$dat0
++	aesd	$dat0,q13
++	aesimc	$dat0,$dat0
++	vld1.32	{$rndlast},[$key1]
++	aesd	$dat0,q14
++	aesimc	$dat0,$dat0
++	aesd	$dat0,q15
++	veor	$dat0,$dat0,$rndlast
++	veor	$dat0,$iv0,$dat0
++	vst1.8	{$dat0},[$out]
++	b	.Lxts_dec_final_abort
++.Lxts_dec_big_size:
++___
++$code.=<<___	if ($flavour =~ /64/);
++	stp	$constnumx,$tmpinp,[sp,#-64]!
++	stp	$tailcnt,$midnumx,[sp,#48]
++	stp	$ivd10,$ivd20,[sp,#32]
++	stp	$ivd30,$ivd40,[sp,#16]
++
++	and	$tailcnt,$len,#0xf
++	and	$len,$len,#-16
++	subs	$len,$len,#16
++	mov	$step,#16
++	b.lo	.Lxts_dec_abort
++
++	// Encrypt the iv with key2, as the first XEX iv
++	ldr	$rounds,[$key2,#240]
++	vld1.8	{$dat},[$key2],#16
++	vld1.8	{$iv0},[$ivp]
++	sub	$rounds,$rounds,#2
++	vld1.8	{$dat1},[$key2],#16
++
++.Loop_dec_iv_enc:
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2],#16
++	subs	$rounds,$rounds,#2
++	aese	$iv0,$dat1
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat1},[$key2],#16
++	b.gt	.Loop_dec_iv_enc
++
++	aese	$iv0,$dat
++	aesmc	$iv0,$iv0
++	vld1.32	{$dat},[$key2]
++	aese	$iv0,$dat1
++	veor	$iv0,$iv0,$dat
++
++	// The iv for second block
++	// $ivl- iv(low), $ivh - iv(high)
++	// the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4
++	fmov	$ivl,$ivd00
++	fmov	$ivh,$ivd01
++	mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd10,$ivl
++	fmov	$ivd11,$ivh
++
++	ldr	$rounds0,[$key1,#240]		// load rounds number
++
++	// The iv for third block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd20,$ivl
++	fmov	$ivd21,$ivh
++
++	vld1.32	{q8-q9},[$key1]			// load key schedule...
++	sub	$rounds0,$rounds0,#6
++	add	$key_,$key1,$ivp,lsl#4		// pointer to last 7 round keys
++	sub	$rounds0,$rounds0,#2
++	vld1.32	{q10-q11},[$key_],#32		// load key schedule...
++	vld1.32	{q12-q13},[$key_],#32
++	vld1.32	{q14-q15},[$key_],#32
++	vld1.32	{$rndlast},[$key_]
++
++	// The iv for fourth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd30,$ivl
++	fmov	$ivd31,$ivh
++
++	add	$key_,$key1,#32
++	mov	$rounds,$rounds0
++	b	.Lxts_dec
++
++	// Decryption
++.align	5
++.Lxts_dec:
++	tst	$tailcnt,#0xf
++	b.eq	.Lxts_dec_begin
++	subs	$len,$len,#16
++	csel	$step,xzr,$step,eq
++	vld1.8	{$dat},[$inp],#16
++	b.lo	.Lxts_done
++	sub	$inp,$inp,#16
++.Lxts_dec_begin:
++	vld1.8	{$dat},[$inp],$step
++	subs	$len,$len,#32			// bias
++	add	$rounds,$rounds0,#2
++	vorr	$in1,$dat,$dat
++	vorr	$dat1,$dat,$dat
++	vorr	$in3,$dat,$dat
++	vld1.8	{$dat2},[$inp],#16
++	vorr	$in2,$dat2,$dat2
++	vorr	$in4,$dat2,$dat2
++	b.lo	.Lxts_inner_dec_tail
++	veor	$dat,$dat,$iv0			// before decryt, xor with iv
++	veor	$dat2,$dat2,$iv1
++
++	vorr	$dat1,$dat2,$dat2
++	vld1.8	{$dat2},[$inp],#16
++	vorr	$in0,$dat,$dat
++	vorr	$in1,$dat1,$dat1
++	veor	$in2,$dat2,$iv2			// third block xox with third iv
++	veor	$dat2,$dat2,$iv2
++	cmp	$len,#32
++	b.lo	.Lxts_outer_dec_tail
++
++	vld1.8	{$dat3},[$inp],#16
++
++	// The iv for fifth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd40,$ivl
++	fmov	$ivd41,$ivh
++
++	vld1.8	{$dat4},[$inp],#16
++	veor	$dat3,$dat3,$iv3		// the fourth block
++	veor	$dat4,$dat4,$iv4
++	sub $len,$len,#32			// bias
++	mov	$rounds,$rounds0
++	b	.Loop5x_xts_dec
++
++.align	4
++.Loop5x_xts_dec:
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q8
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q8
++	aesimc	$dat4,$dat4
++	vld1.32	{q8},[$key_],#16		// load key schedule...
++	subs	$rounds,$rounds,#2
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q9
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q9
++	aesimc	$dat4,$dat4
++	vld1.32	{q9},[$key_],#16		// load key schedule...
++	b.gt	.Loop5x_xts_dec
++
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q8
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q8
++	aesimc	$dat4,$dat4
++	subs	$len,$len,#0x50			// because .Lxts_dec_tail4x
++
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q9
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q9
++	aesimc	$dat4,$dat4
++	csel	$xoffset,xzr,$len,gt		// borrow x6, w6, "gt" is not typo
++	mov	$key_,$key1
++
++	aesd	$dat0,q10
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q10
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q10
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q10
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q10
++	aesimc	$dat4,$dat4
++	add	$inp,$inp,$xoffset		// x0 is adjusted in such way that
++						// at exit from the loop v1.16b-v26.16b
++						// are loaded with last "words"
++	add	$xoffset,$len,#0x60		// because .Lxts_dec_tail4x
++
++	aesd	$dat0,q11
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q11
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q11
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q11
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q11
++	aesimc	$dat4,$dat4
++
++	aesd	$dat0,q12
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q12
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q12
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q12
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q12
++	aesimc	$dat4,$dat4
++
++	aesd	$dat0,q13
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q13
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q13
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q13
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q13
++	aesimc	$dat4,$dat4
++
++	aesd	$dat0,q14
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q14
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q14
++	aesimc	$dat2,$dat2
++	aesd	$dat3,q14
++	aesimc	$dat3,$dat3
++	aesd	$dat4,q14
++	aesimc	$dat4,$dat4
++
++	veor	$tmp0,$rndlast,$iv0
++	aesd	$dat0,q15
++	// The iv for first block of next iteration.
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	veor	$tmp1,$rndlast,$iv1
++	vld1.8	{$in0},[$inp],#16
++	aesd	$dat1,q15
++	// The iv for second block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd10,$ivl
++	fmov	$ivd11,$ivh
++	veor	$tmp2,$rndlast,$iv2
++	vld1.8	{$in1},[$inp],#16
++	aesd	$dat2,q15
++	// The iv for third block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd20,$ivl
++	fmov	$ivd21,$ivh
++	veor	$tmp3,$rndlast,$iv3
++	vld1.8	{$in2},[$inp],#16
++	aesd	$dat3,q15
++	// The iv for fourth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd30,$ivl
++	fmov	$ivd31,$ivh
++	veor	$tmp4,$rndlast,$iv4
++	vld1.8	{$in3},[$inp],#16
++	aesd	$dat4,q15
++
++	// The iv for fifth block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd40,$ivl
++	fmov	$ivd41,$ivh
++
++	vld1.8	{$in4},[$inp],#16
++	cbz	$xoffset,.Lxts_dec_tail4x
++	vld1.32	{q8},[$key_],#16		// re-pre-load rndkey[0]
++	veor	$tmp0,$tmp0,$dat0
++	veor	$dat0,$in0,$iv0
++	veor	$tmp1,$tmp1,$dat1
++	veor	$dat1,$in1,$iv1
++	veor	$tmp2,$tmp2,$dat2
++	veor	$dat2,$in2,$iv2
++	veor	$tmp3,$tmp3,$dat3
++	veor	$dat3,$in3,$iv3
++	veor	$tmp4,$tmp4,$dat4
++	vst1.8	{$tmp0},[$out],#16
++	veor	$dat4,$in4,$iv4
++	vst1.8	{$tmp1},[$out],#16
++	mov	$rounds,$rounds0
++	vst1.8	{$tmp2},[$out],#16
++	vld1.32	{q9},[$key_],#16		// re-pre-load rndkey[1]
++	vst1.8	{$tmp3},[$out],#16
++	vst1.8	{$tmp4},[$out],#16
++	b.hs	.Loop5x_xts_dec
++
++	cmn	$len,#0x10
++	b.ne	.Loop5x_dec_after
++	// If x2($len) equal to -0x10, the left blocks is 4.
++	// After specially processing, utilize the five blocks processing again.
++	// It will use the following IVs: $iv0,$iv0,$iv1,$iv2,$iv3.
++	vorr	$iv4,$iv3,$iv3
++	vorr	$iv3,$iv2,$iv2
++	vorr	$iv2,$iv1,$iv1
++	vorr	$iv1,$iv0,$iv0
++	fmov	$ivl,$ivd40
++	fmov	$ivh,$ivd41
++	veor	$dat0,$iv0,$in0
++	veor	$dat1,$iv1,$in1
++	veor	$dat2,$in2,$iv2
++	veor	$dat3,$in3,$iv3
++	veor	$dat4,$in4,$iv4
++	b.eq	.Loop5x_xts_dec
++
++.Loop5x_dec_after:
++	add	$len,$len,#0x50
++	cbz	$len,.Lxts_done
++
++	add	$rounds,$rounds0,#2
++	subs	$len,$len,#0x30
++	b.lo	.Lxts_inner_dec_tail
++
++	veor	$dat0,$iv0,$in2
++	veor	$dat1,$iv1,$in3
++	veor	$dat2,$in4,$iv2
++	b	.Lxts_outer_dec_tail
++
++.align	4
++.Lxts_dec_tail4x:
++	add	$inp,$inp,#16
++	vld1.32	{$dat0},[$inp],#16
++	veor	$tmp1,$dat1,$tmp0
++	vst1.8	{$tmp1},[$out],#16
++	veor	$tmp2,$dat2,$tmp2
++	vst1.8	{$tmp2},[$out],#16
++	veor	$tmp3,$dat3,$tmp3
++	veor	$tmp4,$dat4,$tmp4
++	vst1.8	{$tmp3-$tmp4},[$out],#32
++
++	b	.Lxts_done
++.align	4
++.Lxts_outer_dec_tail:
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	vld1.32	{q8},[$key_],#16
++	subs	$rounds,$rounds,#2
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	vld1.32	{q9},[$key_],#16
++	b.gt	.Lxts_outer_dec_tail
++
++	aesd	$dat0,q8
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	veor	$tmp0,$iv0,$rndlast
++	subs	$len,$len,#0x30
++	// The iv for first block
++	fmov	$ivl,$ivd20
++	fmov	$ivh,$ivd21
++	mov	$constnum,#0x87
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd00,$ivl
++	fmov	$ivd01,$ivh
++	veor	$tmp1,$iv1,$rndlast
++	csel	$xoffset,$len,$xoffset,lo	// x6, w6, is zero at this point
++	aesd	$dat0,q9
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	veor	$tmp2,$iv2,$rndlast
++	// The iv for second block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd10,$ivl
++	fmov	$ivd11,$ivh
++
++	add	$xoffset,$xoffset,#0x20
++	add	$inp,$inp,$xoffset		// $inp is adjusted to the last data
++
++	mov	$key_,$key1
++
++	// The iv for third block
++	extr	$midnumx,$ivh,$ivh,#32
++	extr	$ivh,$ivh,$ivl,#63
++	and	$tmpmw,$constnum,$midnum,asr #31
++	eor	$ivl,$tmpmx,$ivl,lsl #1
++	fmov	$ivd20,$ivl
++	fmov	$ivd21,$ivh
++
++	aesd	$dat0,q12
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q12
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q12
++	aesimc	$dat2,$dat2
++	aesd	$dat0,q13
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q13
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q13
++	aesimc	$dat2,$dat2
++	aesd	$dat0,q14
++	aesimc	$dat0,$dat0
++	aesd	$dat1,q14
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q14
++	aesimc	$dat2,$dat2
++	vld1.8	{$in2},[$inp],#16
++	aesd	$dat0,q15
++	aesd	$dat1,q15
++	aesd	$dat2,q15
++	vld1.32	{q8},[$key_],#16		// re-pre-load rndkey[0]
++	add	$rounds,$rounds0,#2
++	veor	$tmp0,$tmp0,$dat0
++	veor	$tmp1,$tmp1,$dat1
++	veor	$dat2,$dat2,$tmp2
++	vld1.32	{q9},[$key_],#16		// re-pre-load rndkey[1]
++	vst1.8	{$tmp0},[$out],#16
++	vst1.8	{$tmp1},[$out],#16
++	vst1.8	{$dat2},[$out],#16
++
++	cmn	$len,#0x30
++	add	$len,$len,#0x30
++	b.eq	.Lxts_done
++	sub	$len,$len,#0x30
++	vorr	$in3,$in1,$in1
++	vorr	$in4,$in2,$in2
++	nop
++
++.Lxts_inner_dec_tail:
++	// $len == -0x10 means two blocks left.
++	cmn	$len,#0x10
++	veor	$dat1,$in3,$iv0
++	veor	$dat2,$in4,$iv1
++	b.eq	.Lxts_dec_tail_loop
++	veor	$dat2,$in4,$iv0
++.Lxts_dec_tail_loop:
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	vld1.32	{q8},[$key_],#16
++	subs	$rounds,$rounds,#2
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	vld1.32	{q9},[$key_],#16
++	b.gt	.Lxts_dec_tail_loop
++
++	aesd	$dat1,q8
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q8
++	aesimc	$dat2,$dat2
++	aesd	$dat1,q9
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q9
++	aesimc	$dat2,$dat2
++	aesd	$dat1,q12
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q12
++	aesimc	$dat2,$dat2
++	cmn	$len,#0x20
++	aesd	$dat1,q13
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q13
++	aesimc	$dat2,$dat2
++	veor	$tmp1,$iv0,$rndlast
++	aesd	$dat1,q14
++	aesimc	$dat1,$dat1
++	aesd	$dat2,q14
++	aesimc	$dat2,$dat2
++	veor	$tmp2,$iv1,$rndlast
++	aesd	$dat1,q15
++	aesd	$dat2,q15
++	b.eq	.Lxts_dec_one
++	veor	$tmp1,$tmp1,$dat1
++	veor	$tmp2,$tmp2,$dat2
++	vorr	$iv0,$iv2,$iv2
++	vorr	$iv1,$iv3,$iv3
++	vst1.8	{$tmp1},[$out],#16
++	vst1.8	{$tmp2},[$out],#16
++	add	$len,$len,#16
++	b	.Lxts_done
++
++.Lxts_dec_one:
++	veor	$tmp1,$tmp1,$dat2
++	vorr	$iv0,$iv1,$iv1
++	vorr	$iv1,$iv2,$iv2
++	vst1.8	{$tmp1},[$out],#16
++	add	$len,$len,#32
++
++.Lxts_done:
++	tst	$tailcnt,#0xf
++	b.eq	.Lxts_dec_abort
++	// Processing the last two blocks with cipher stealing.
++	mov	x7,x3
++	cbnz	x2,.Lxts_dec_1st_done
++	vld1.32	{$dat0},[$inp],#16
++
++	// Decrypt the last secod block to get the last plain text block
++.Lxts_dec_1st_done:
++	eor	$tmpin,$dat0,$iv1
++	ldr	$rounds,[$key1,#240]
++	vld1.32	{$dat0},[$key1],#16
++	sub	$rounds,$rounds,#2
++	vld1.32	{$dat1},[$key1],#16
++.Loop_final_2nd_dec:
++	aesd	$tmpin,$dat0
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key1],#16		// load key schedule...
++	subs	$rounds,$rounds,#2
++	aesd	$tmpin,$dat1
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat1},[$key1],#16		// load key schedule...
++	b.gt	.Loop_final_2nd_dec
++
++	aesd	$tmpin,$dat0
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key1]
++	aesd	$tmpin,$dat1
++	veor	$tmpin,$tmpin,$dat0
++	veor	$tmpin,$tmpin,$iv1
++	vst1.8	{$tmpin},[$out]
++
++	mov	$tmpinp,$inp
++	add	$tmpoutp,$out,#16
++
++	// Composite the tailcnt "16 byte not aligned block" into the last second plain blocks
++	// to get the last encrypted block.
++.composite_dec_loop:
++	subs	$tailcnt,$tailcnt,#1
++	ldrb	$l2outp,[$out,$tailcnt]
++	ldrb	$loutp,[$tmpinp,$tailcnt]
++	strb	$l2outp,[$tmpoutp,$tailcnt]
++	strb	$loutp,[$out,$tailcnt]
++	b.gt	.composite_dec_loop
++.Lxts_dec_load_done:
++	vld1.8	{$tmpin},[$out]
++	veor	$tmpin,$tmpin,$iv0
++
++	// Decrypt the composite block to get the last second plain text block
++	ldr	$rounds,[$key_,#240]
++	vld1.8	{$dat},[$key_],#16
++	sub	$rounds,$rounds,#2
++	vld1.8	{$dat1},[$key_],#16
++.Loop_final_dec:
++	aesd	$tmpin,$dat0
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key_],#16		// load key schedule...
++	subs	$rounds,$rounds,#2
++	aesd	$tmpin,$dat1
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat1},[$key_],#16		// load key schedule...
++	b.gt	.Loop_final_dec
++
++	aesd	$tmpin,$dat0
++	aesimc	$tmpin,$tmpin
++	vld1.32	{$dat0},[$key_]
++	aesd	$tmpin,$dat1
++	veor	$tmpin,$tmpin,$dat0
++	veor	$tmpin,$tmpin,$iv0
++	vst1.8	{$tmpin},[$out]
++
++.Lxts_dec_abort:
++	ldp	$tailcnt,$midnumx,[sp,#48]
++	ldp	$ivd10,$ivd20,[sp,#32]
++	ldp	$ivd30,$ivd40,[sp,#16]
++	ldp	$constnumx,$tmpinp,[sp],#64
++
++.Lxts_dec_final_abort:
++	ret
++.size	${prefix}_xts_decrypt,.-${prefix}_xts_decrypt
++___
++}
++}}}
+ $code.=<<___;
+ #endif
+ ___
+Index: openssl-1.1.1d/crypto/evp/e_aes.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/evp/e_aes.c
++++ openssl-1.1.1d/crypto/evp/e_aes.c
+@@ -170,6 +170,10 @@ static void ctr64_inc(unsigned char *cou
+ # define HWAES_set_decrypt_key aes_p8_set_decrypt_key
+ # define HWAES_encrypt aes_p8_encrypt
+ # define HWAES_decrypt aes_p8_decrypt
++# if __ARM_MAX_ARCH__>=8
++#   define HWAES_xts_encrypt aes_v8_xts_encrypt
++#   define HWAES_xts_decrypt aes_v8_xts_decrypt
++# endif
+ # define HWAES_cbc_encrypt aes_p8_cbc_encrypt
+ # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
+ # define HWAES_xts_encrypt aes_p8_xts_encrypt
+Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evpcase.txt
+===================================================================
+--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evpcase.txt
++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpcase.txt
+@@ -15,6 +15,44 @@
+ # These tests exercise the case insensitive handling of object names.
+ # They are contrived
+ 
++Title = AES XTS Non standard test vectors - generated from reference implementation
++
++Cipher = aes-128-xts
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0
++IV = 9a785634120000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f2021
++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b9dc31efeb418c373ce073b66755529982538
++
++Cipher = aes-128-xts
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0
++IV = 9a785634120000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031
++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39237a709959673bd8747d58690f8c762a353ad6
++
++Cipher = aes-128-xts
++Key = 2718281828459045235360287471352631415926535897932384626433832795
++IV = 00000000000000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f
++Ciphertext = 27a7479befa1d476489f308cd4cfa6e2a96e4bbe3208ff25287dd3819616e89cc78cf7f5e543445f8333d8fa7f56000005279fa5d8b5e4ad40e736ddb4d35412
++
++Cipher = aes-128-xts
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0
++IV = 9a785634120000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f40
++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccde9ffb48286ec211619e02decc7ca0883c6
++
++Cipher = aes-128-xts
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0
++IV = 9a785634120000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f
++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccdc6bc657cb3aeb87ba2c5f58ffafacd76d0a098b687c0b6536d560ca007051b0b
++
++Cipher = aes-128-xts
++Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0
++IV = 9a785634120000000000000000000000
++Plaintext = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f5051
++Ciphertext = edbf9dace45d6f6a7306e64be5dd824b2538f5724fcf24249ac111ab45ad39233ad6183c66fa548a3cdf3e36d2b21ccdc6bc657cb3aeb87ba2c5f58ffafacd765ecc4c85c0a01bf317b823fbd6111956d0a0
++
+ Title = Case insensitive AES tests
+ 
+ Cipher = Aes-128-eCb
diff --git a/openssl-1_1-Optimize-RSA-armv8.patch b/openssl-1_1-Optimize-RSA-armv8.patch
new file mode 100644
index 0000000..4aeeba0
--- /dev/null
+++ b/openssl-1_1-Optimize-RSA-armv8.patch
@@ -0,0 +1,575 @@
+From 5ea64b456b1a27ae046f23d632a968a7583bb9eb Mon Sep 17 00:00:00 2001
+From: "Fangming.Fang" <fangming.fang@arm.com>
+Date: Tue, 28 Apr 2020 02:33:50 +0000
+Subject: [PATCH] Read MIDR_EL1 system register on aarch64
+
+MIDR_EL1 system register exposes microarchitecture information so that
+people can make micro-arch related optimization such as exposing as
+much instruction level parallelism as possible.
+
+MIDR_EL1 register can be read only if HWCAP_CPUID feature is supported.
+
+Change-Id: Iabb8a36c5d31b184dba6399f378598058d394d4e
+
+Reviewed-by: Paul Dale <paul.dale@oracle.com>
+Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
+(Merged from https://github.com/openssl/openssl/pull/11744)
+---
+ crypto/arm64cpuid.pl |  7 +++++++
+ crypto/arm_arch.h    | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ crypto/armcap.c      | 11 +++++++++++
+ 3 files changed, 62 insertions(+)
+
+Index: openssl-1.1.1d/crypto/arm64cpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/arm64cpuid.pl
++++ openssl-1.1.1d/crypto/arm64cpuid.pl
+@@ -78,6 +78,13 @@ _armv8_sha512_probe:
+ 	ret
+ .size	_armv8_sha512_probe,.-_armv8_sha512_probe
+ 
++.globl	_armv8_cpuid_probe
++.type	_armv8_cpuid_probe,%function
++_armv8_cpuid_probe:
++	mrs	x0, midr_el1
++	ret
++.size	_armv8_cpuid_probe,.-_armv8_cpuid_probe
++
+ .globl	OPENSSL_cleanse
+ .type	OPENSSL_cleanse,%function
+ .align	5
+Index: openssl-1.1.1d/crypto/arm_arch.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/arm_arch.h
++++ openssl-1.1.1d/crypto/arm_arch.h
+@@ -71,6 +71,7 @@
+ 
+ # ifndef __ASSEMBLER__
+ extern unsigned int OPENSSL_armcap_P;
++extern unsigned int OPENSSL_arm_midr;
+ # endif
+ 
+ # define ARMV7_NEON      (1<<0)
+@@ -80,5 +81,48 @@ extern unsigned int OPENSSL_armcap_P;
+ # define ARMV8_SHA256    (1<<4)
+ # define ARMV8_PMULL     (1<<5)
+ # define ARMV8_SHA512    (1<<6)
++# define ARMV8_CPUID     (1<<7)
+ 
++/*
++ * MIDR_EL1 system register
++ *
++ * 63___ _ ___32_31___ _ ___24_23_____20_19_____16_15__ _ __4_3_______0
++ * |            |             |         |         |          |        |
++ * |RES0        | Implementer | Variant | Arch    | PartNum  |Revision|
++ * |____ _ _____|_____ _ _____|_________|_______ _|____ _ ___|________|
++ *
++ */
++
++# define ARM_CPU_IMP_ARM           0x41
++
++# define ARM_CPU_PART_CORTEX_A72   0xD08
++# define ARM_CPU_PART_N1           0xD0C
++
++# define MIDR_PARTNUM_SHIFT       4
++# define MIDR_PARTNUM_MASK        (0xfff << MIDR_PARTNUM_SHIFT)
++# define MIDR_PARTNUM(midr)       \
++           (((midr) & MIDR_PARTNUM_MASK) >> MIDR_PARTNUM_SHIFT)
++
++# define MIDR_IMPLEMENTER_SHIFT   24
++# define MIDR_IMPLEMENTER_MASK    (0xff << MIDR_IMPLEMENTER_SHIFT)
++# define MIDR_IMPLEMENTER(midr)   \
++           (((midr) & MIDR_IMPLEMENTER_MASK) >> MIDR_IMPLEMENTER_SHIFT)
++
++# define MIDR_ARCHITECTURE_SHIFT  16
++# define MIDR_ARCHITECTURE_MASK   (0xf << MIDR_ARCHITECTURE_SHIFT)
++# define MIDR_ARCHITECTURE(midr)  \
++           (((midr) & MIDR_ARCHITECTURE_MASK) >> MIDR_ARCHITECTURE_SHIFT)
++
++# define MIDR_CPU_MODEL_MASK \
++           (MIDR_IMPLEMENTER_MASK | \
++            MIDR_PARTNUM_MASK     | \
++            MIDR_ARCHITECTURE_MASK)
++
++# define MIDR_CPU_MODEL(imp, partnum) \
++           (((imp)     << MIDR_IMPLEMENTER_SHIFT)  | \
++            (0xf       << MIDR_ARCHITECTURE_SHIFT) | \
++            ((partnum) << MIDR_PARTNUM_SHIFT))
++
++# define MIDR_IS_CPU_MODEL(midr, imp, partnum) \
++           (((midr) & MIDR_CPU_MODEL_MASK) == MIDR_CPU_MODEL(imp, partnum))
+ #endif
+Index: openssl-1.1.1d/crypto/armcap.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/armcap.c
++++ openssl-1.1.1d/crypto/armcap.c
+@@ -18,6 +18,8 @@
+ #include "arm_arch.h"
+ 
+ unsigned int OPENSSL_armcap_P = 0;
++unsigned int OPENSSL_arm_midr = 0;
++unsigned int OPENSSL_armv8_rsa_neonized = 0;
+ 
+ #if __ARM_MAX_ARCH__<7
+ void OPENSSL_cpuid_setup(void)
+@@ -48,6 +50,7 @@ void _armv8_sha256_probe(void);
+ void _armv8_pmull_probe(void);
+ # ifdef __aarch64__
+ void _armv8_sha512_probe(void);
++unsigned int _armv8_cpuid_probe(void);
+ # endif
+ uint32_t _armv7_tick(void);
+ 
+@@ -95,6 +98,7 @@ void OPENSSL_cpuid_setup(void) __attribu
+ #  define HWCAP_CE_PMULL         (1 << 4)
+ #  define HWCAP_CE_SHA1          (1 << 5)
+ #  define HWCAP_CE_SHA256        (1 << 6)
++#  define HWCAP_CPUID            (1 << 11)
+ #  define HWCAP_CE_SHA512        (1 << 21)
+ # endif
+ 
+@@ -155,6 +159,9 @@ void OPENSSL_cpuid_setup(void)
+ #  ifdef __aarch64__
+         if (hwcap & HWCAP_CE_SHA512)
+             OPENSSL_armcap_P |= ARMV8_SHA512;
++
++        if (hwcap & HWCAP_CPUID)
++            OPENSSL_armcap_P |= ARMV8_CPUID;
+ #  endif
+     }
+ # endif
+@@ -210,5 +217,16 @@ void OPENSSL_cpuid_setup(void)
+ 
+     sigaction(SIGILL, &ill_oact, NULL);
+     sigprocmask(SIG_SETMASK, &oset, NULL);
++
++# ifdef __aarch64__
++    if (OPENSSL_armcap_P & ARMV8_CPUID)
++        OPENSSL_arm_midr = _armv8_cpuid_probe();
++
++    if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) ||
++         MIDR_IS_CPU_MODEL(OPENSSL_arm_midr, ARM_CPU_IMP_ARM, ARM_CPU_PART_N1)) &&
++        (OPENSSL_armcap_P & ARMV7_NEON)) {
++            OPENSSL_armv8_rsa_neonized = 1;
++    }
++# endif
+ }
+ #endif
+Index: openssl-1.1.1d/crypto/bn/asm/armv8-mont.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/bn/asm/armv8-mont.pl
++++ openssl-1.1.1d/crypto/bn/asm/armv8-mont.pl
+@@ -64,16 +64,34 @@ $n0="x4";	# const BN_ULONG *n0,
+ $num="x5";	# int num);
+ 
+ $code.=<<___;
++#ifndef	__KERNEL__
++# include "arm_arch.h"
++.extern OPENSSL_armv8_rsa_neonized
++.hidden OPENSSL_armv8_rsa_neonized
++#endif
+ .text
+ 
+ .globl	bn_mul_mont
+ .type	bn_mul_mont,%function
+ .align	5
+ bn_mul_mont:
++.Lbn_mul_mont:
++	tst	$num,#3
++	b.ne	.Lmul_mont
++	cmp	$num,#32
++	b.le	.Lscalar_impl
++#ifndef	__KERNEL__
++	adrp	x17,OPENSSL_armv8_rsa_neonized
++	ldr	w17,[x17,#:lo12:OPENSSL_armv8_rsa_neonized]
++	cbnz	w17, bn_mul8x_mont_neon
++#endif
++
++.Lscalar_impl:
+ 	tst	$num,#7
+ 	b.eq	__bn_sqr8x_mont
+ 	tst	$num,#3
+ 	b.eq	__bn_mul4x_mont
++
+ .Lmul_mont:
+ 	stp	x29,x30,[sp,#-64]!
+ 	add	x29,sp,#0
+@@ -271,6 +289,369 @@ bn_mul_mont:
+ .size	bn_mul_mont,.-bn_mul_mont
+ ___
+ {
++my ($A0,$A1,$N0,$N1)=map("v$_",(0..3));
++my ($Z,$Temp)=("v4.16b","v5");
++my @ACC=map("v$_",(6..13));
++my ($Bi,$Ni,$M0)=map("v$_",(28..30));
++my $sBi="s28";
++my $sM0="s30";
++my $zero="v14";
++my $temp="v15";
++my $ACCTemp="v16";
++
++my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("x$_",(0..5));
++my ($tinptr,$toutptr,$inner,$outer,$bnptr)=map("x$_",(6..11));
++
++$code.=<<___;
++.type	bn_mul8x_mont_neon,%function
++.align	5
++bn_mul8x_mont_neon:
++	stp	x29,x30,[sp,#-80]!
++	mov	x16,sp
++	stp	d8,d9,[sp,#16]
++	stp	d10,d11,[sp,#32]
++	stp	d12,d13,[sp,#48]
++	stp	d14,d15,[sp,#64]
++	lsl	$num,$num,#1
++	eor	$zero.16b,$zero.16b,$zero.16b
++
++.align	4
++.LNEON_8n:
++	eor	@ACC[0].16b,@ACC[0].16b,@ACC[0].16b
++	sub	$toutptr,sp,#128
++	eor	@ACC[1].16b,@ACC[1].16b,@ACC[1].16b
++	sub	$toutptr,$toutptr,$num,lsl#4
++	eor	@ACC[2].16b,@ACC[2].16b,@ACC[2].16b
++	and	$toutptr,$toutptr,#-64
++	eor	@ACC[3].16b,@ACC[3].16b,@ACC[3].16b
++	mov	sp,$toutptr		// alloca
++	eor	@ACC[4].16b,@ACC[4].16b,@ACC[4].16b
++	add	$toutptr,$toutptr,#256
++	eor	@ACC[5].16b,@ACC[5].16b,@ACC[5].16b
++	sub	$inner,$num,#8
++	eor	@ACC[6].16b,@ACC[6].16b,@ACC[6].16b
++	eor	@ACC[7].16b,@ACC[7].16b,@ACC[7].16b
++
++.LNEON_8n_init:
++	st1	{@ACC[0].2d,@ACC[1].2d},[$toutptr],#32
++	subs	$inner,$inner,#8
++	st1	{@ACC[2].2d,@ACC[3].2d},[$toutptr],#32
++	st1	{@ACC[4].2d,@ACC[5].2d},[$toutptr],#32
++	st1	{@ACC[6].2d,@ACC[7].2d},[$toutptr],#32
++	bne	.LNEON_8n_init
++
++	add	$tinptr,sp,#256
++	ld1	{$A0.4s,$A1.4s},[$aptr],#32
++	add	$bnptr,sp,#8
++	ldr	$sM0,[$n0],#4
++	mov	$outer,$num
++	b	.LNEON_8n_outer
++
++.align	4
++.LNEON_8n_outer:
++	ldr	$sBi,[$bptr],#4   // *b++
++	uxtl	$Bi.4s,$Bi.4h
++	add	$toutptr,sp,#128
++	ld1	{$N0.4s,$N1.4s},[$nptr],#32
++
++	umlal	@ACC[0].2d,$Bi.2s,$A0.s[0]
++	umlal	@ACC[1].2d,$Bi.2s,$A0.s[1]
++	umlal	@ACC[2].2d,$Bi.2s,$A0.s[2]
++	shl	$Ni.2d,@ACC[0].2d,#16
++	ext	$Ni.16b,$Ni.16b,$Ni.16b,#8
++	umlal	@ACC[3].2d,$Bi.2s,$A0.s[3]
++	add	$Ni.2d,$Ni.2d,@ACC[0].2d
++	umlal	@ACC[4].2d,$Bi.2s,$A1.s[0]
++	mul	$Ni.2s,$Ni.2s,$M0.2s
++	umlal	@ACC[5].2d,$Bi.2s,$A1.s[1]
++	st1	{$Bi.2s},[sp]		// put aside smashed b[8*i+0]
++	umlal	@ACC[6].2d,$Bi.2s,$A1.s[2]
++	uxtl	$Ni.4s,$Ni.4h
++	umlal	@ACC[7].2d,$Bi.2s,$A1.s[3]
++___
++for ($i=0; $i<7;) {
++$code.=<<___;
++	ldr	$sBi,[$bptr],#4   // *b++
++	umlal	@ACC[0].2d,$Ni.2s,$N0.s[0]
++	umlal	@ACC[1].2d,$Ni.2s,$N0.s[1]
++	uxtl	$Bi.4s,$Bi.4h
++	umlal	@ACC[2].2d,$Ni.2s,$N0.s[2]
++	ushr	$temp.2d,@ACC[0].2d,#16
++	umlal	@ACC[3].2d,$Ni.2s,$N0.s[3]
++	umlal	@ACC[4].2d,$Ni.2s,$N1.s[0]
++	ext	@ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8
++	add	@ACC[0].2d,@ACC[0].2d,$temp.2d
++	umlal	@ACC[5].2d,$Ni.2s,$N1.s[1]
++	ushr	@ACC[0].2d,@ACC[0].2d,#16
++	umlal	@ACC[6].2d,$Ni.2s,$N1.s[2]
++	umlal	@ACC[7].2d,$Ni.2s,$N1.s[3]
++	add	$ACCTemp.2d,@ACC[1].2d,@ACC[0].2d
++	ins	@ACC[1].d[0],$ACCTemp.d[0]
++	st1	{$Ni.2s},[$bnptr],#8	// put aside smashed m[8*i+$i]
++___
++	push(@ACC,shift(@ACC));	$i++;
++$code.=<<___;
++	umlal	@ACC[0].2d,$Bi.2s,$A0.s[0]
++	ld1	{@ACC[7].2d},[$tinptr],#16
++	umlal	@ACC[1].2d,$Bi.2s,$A0.s[1]
++	umlal	@ACC[2].2d,$Bi.2s,$A0.s[2]
++	shl	$Ni.2d,@ACC[0].2d,#16
++	ext	$Ni.16b,$Ni.16b,$Ni.16b,#8
++	umlal	@ACC[3].2d,$Bi.2s,$A0.s[3]
++	add	$Ni.2d,$Ni.2d,@ACC[0].2d
++	umlal	@ACC[4].2d,$Bi.2s,$A1.s[0]
++	mul	$Ni.2s,$Ni.2s,$M0.2s
++	umlal	@ACC[5].2d,$Bi.2s,$A1.s[1]
++	st1	{$Bi.2s},[$bnptr],#8	// put aside smashed b[8*i+$i]
++	umlal	@ACC[6].2d,$Bi.2s,$A1.s[2]
++	uxtl	$Ni.4s,$Ni.4h
++	umlal	@ACC[7].2d,$Bi.2s,$A1.s[3]
++___
++}
++$code.=<<___;
++	ld1	{$Bi.2s},[sp]		// pull smashed b[8*i+0]
++	umlal	@ACC[0].2d,$Ni.2s,$N0.s[0]
++	ld1	{$A0.4s,$A1.4s},[$aptr],#32
++	umlal	@ACC[1].2d,$Ni.2s,$N0.s[1]
++	umlal	@ACC[2].2d,$Ni.2s,$N0.s[2]
++	mov	$Temp.16b,@ACC[0].16b
++	ushr	$Temp.2d,$Temp.2d,#16
++	ext	@ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8
++	umlal	@ACC[3].2d,$Ni.2s,$N0.s[3]
++	umlal	@ACC[4].2d,$Ni.2s,$N1.s[0]
++	add	@ACC[0].2d,@ACC[0].2d,$Temp.2d
++	umlal	@ACC[5].2d,$Ni.2s,$N1.s[1]
++	ushr	@ACC[0].2d,@ACC[0].2d,#16
++	eor	$temp.16b,$temp.16b,$temp.16b
++	ins	@ACC[0].d[1],$temp.d[0]
++	umlal	@ACC[6].2d,$Ni.2s,$N1.s[2]
++	umlal	@ACC[7].2d,$Ni.2s,$N1.s[3]
++	add	@ACC[1].2d,@ACC[1].2d,@ACC[0].2d
++	st1	{$Ni.2s},[$bnptr],#8	// put aside smashed m[8*i+$i]
++	add	$bnptr,sp,#8		// rewind
++___
++	push(@ACC,shift(@ACC));
++$code.=<<___;
++	sub	$inner,$num,#8
++	b	.LNEON_8n_inner
++
++.align	4
++.LNEON_8n_inner:
++	subs	$inner,$inner,#8
++	umlal	@ACC[0].2d,$Bi.2s,$A0.s[0]
++	ld1	{@ACC[7].2d},[$tinptr]
++	umlal	@ACC[1].2d,$Bi.2s,$A0.s[1]
++	ld1	{$Ni.2s},[$bnptr],#8	// pull smashed m[8*i+0]
++	umlal	@ACC[2].2d,$Bi.2s,$A0.s[2]
++	ld1	{$N0.4s,$N1.4s},[$nptr],#32
++	umlal	@ACC[3].2d,$Bi.2s,$A0.s[3]
++	b.eq	.LInner_jump
++	add	$tinptr,$tinptr,#16	// don't advance in last iteration
++.LInner_jump:
++	umlal	@ACC[4].2d,$Bi.2s,$A1.s[0]
++	umlal	@ACC[5].2d,$Bi.2s,$A1.s[1]
++	umlal	@ACC[6].2d,$Bi.2s,$A1.s[2]
++	umlal	@ACC[7].2d,$Bi.2s,$A1.s[3]
++___
++for ($i=1; $i<8; $i++) {
++$code.=<<___;
++	ld1	{$Bi.2s},[$bnptr],#8	// pull smashed b[8*i+$i]
++	umlal	@ACC[0].2d,$Ni.2s,$N0.s[0]
++	umlal	@ACC[1].2d,$Ni.2s,$N0.s[1]
++	umlal	@ACC[2].2d,$Ni.2s,$N0.s[2]
++	umlal	@ACC[3].2d,$Ni.2s,$N0.s[3]
++	umlal	@ACC[4].2d,$Ni.2s,$N1.s[0]
++	umlal	@ACC[5].2d,$Ni.2s,$N1.s[1]
++	umlal	@ACC[6].2d,$Ni.2s,$N1.s[2]
++	umlal	@ACC[7].2d,$Ni.2s,$N1.s[3]
++	st1	{@ACC[0].2d},[$toutptr],#16
++___
++	push(@ACC,shift(@ACC));
++$code.=<<___;
++	umlal	@ACC[0].2d,$Bi.2s,$A0.s[0]
++	ld1	{@ACC[7].2d},[$tinptr]
++	umlal	@ACC[1].2d,$Bi.2s,$A0.s[1]
++	ld1	{$Ni.2s},[$bnptr],#8	// pull smashed m[8*i+$i]
++	umlal	@ACC[2].2d,$Bi.2s,$A0.s[2]
++	b.eq	.LInner_jump$i
++	add	$tinptr,$tinptr,#16	// don't advance in last iteration
++.LInner_jump$i:
++	umlal	@ACC[3].2d,$Bi.2s,$A0.s[3]
++	umlal	@ACC[4].2d,$Bi.2s,$A1.s[0]
++	umlal	@ACC[5].2d,$Bi.2s,$A1.s[1]
++	umlal	@ACC[6].2d,$Bi.2s,$A1.s[2]
++	umlal	@ACC[7].2d,$Bi.2s,$A1.s[3]
++___
++}
++$code.=<<___;
++	b.ne	.LInner_after_rewind$i
++	sub	$aptr,$aptr,$num,lsl#2	// rewind
++.LInner_after_rewind$i:
++	umlal	@ACC[0].2d,$Ni.2s,$N0.s[0]
++	ld1	{$Bi.2s},[sp]		// pull smashed b[8*i+0]
++	umlal	@ACC[1].2d,$Ni.2s,$N0.s[1]
++	ld1	{$A0.4s,$A1.4s},[$aptr],#32
++	umlal	@ACC[2].2d,$Ni.2s,$N0.s[2]
++	add	$bnptr,sp,#8		// rewind
++	umlal	@ACC[3].2d,$Ni.2s,$N0.s[3]
++	umlal	@ACC[4].2d,$Ni.2s,$N1.s[0]
++	umlal	@ACC[5].2d,$Ni.2s,$N1.s[1]
++	umlal	@ACC[6].2d,$Ni.2s,$N1.s[2]
++	st1	{@ACC[0].2d},[$toutptr],#16
++	umlal	@ACC[7].2d,$Ni.2s,$N1.s[3]
++
++	bne	.LNEON_8n_inner
++___
++	push(@ACC,shift(@ACC));
++$code.=<<___;
++	add	$tinptr,sp,#128
++	st1	{@ACC[0].2d,@ACC[1].2d},[$toutptr],#32
++	eor	$N0.16b,$N0.16b,$N0.16b	// $N0
++	st1	{@ACC[2].2d,@ACC[3].2d},[$toutptr],#32
++	eor	$N1.16b,$N1.16b,$N1.16b	// $N1
++	st1	{@ACC[4].2d,@ACC[5].2d},[$toutptr],#32
++	st1	{@ACC[6].2d},[$toutptr]
++
++	subs	$outer,$outer,#8
++	ld1	{@ACC[0].2d,@ACC[1].2d},[$tinptr],#32
++	ld1	{@ACC[2].2d,@ACC[3].2d},[$tinptr],#32
++	ld1	{@ACC[4].2d,@ACC[5].2d},[$tinptr],#32
++	ld1	{@ACC[6].2d,@ACC[7].2d},[$tinptr],#32
++
++	b.eq	.LInner_8n_jump_2steps
++	sub	$nptr,$nptr,$num,lsl#2	// rewind
++	b	.LNEON_8n_outer
++
++.LInner_8n_jump_2steps:
++	add	$toutptr,sp,#128
++	st1	{$N0.2d,$N1.2d}, [sp],#32	// start wiping stack frame
++	mov	$Temp.16b,@ACC[0].16b
++	ushr	$temp.2d,@ACC[0].2d,#16
++	ext	@ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8
++	st1	{$N0.2d,$N1.2d}, [sp],#32
++	add	@ACC[0].2d,@ACC[0].2d,$temp.2d
++	st1	{$N0.2d,$N1.2d}, [sp],#32
++	ushr	$temp.2d,@ACC[0].2d,#16
++	st1	{$N0.2d,$N1.2d}, [sp],#32
++	zip1	@ACC[0].4h,$Temp.4h,@ACC[0].4h
++	ins	$temp.d[1],$zero.d[0]
++
++	mov	$inner,$num
++	b	.LNEON_tail_entry
++
++.align	4
++.LNEON_tail:
++	add	@ACC[0].2d,@ACC[0].2d,$temp.2d
++	mov	$Temp.16b,@ACC[0].16b
++	ushr	$temp.2d,@ACC[0].2d,#16
++	ext	@ACC[0].16b,@ACC[0].16b,@ACC[0].16b,#8
++	ld1	{@ACC[2].2d,@ACC[3].2d}, [$tinptr],#32
++	add	@ACC[0].2d,@ACC[0].2d,$temp.2d
++	ld1	{@ACC[4].2d,@ACC[5].2d}, [$tinptr],#32
++	ushr	$temp.2d,@ACC[0].2d,#16
++	ld1	{@ACC[6].2d,@ACC[7].2d}, [$tinptr],#32
++	zip1	@ACC[0].4h,$Temp.4h,@ACC[0].4h
++	ins	$temp.d[1],$zero.d[0]
++
++.LNEON_tail_entry:
++___
++for ($i=1; $i<8; $i++) {
++$code.=<<___;
++	add	@ACC[1].2d,@ACC[1].2d,$temp.2d
++	st1	{@ACC[0].s}[0], [$toutptr],#4
++	ushr	$temp.2d,@ACC[1].2d,#16
++	mov	$Temp.16b,@ACC[1].16b
++	ext	@ACC[1].16b,@ACC[1].16b,@ACC[1].16b,#8
++	add	@ACC[1].2d,@ACC[1].2d,$temp.2d
++	ushr	$temp.2d,@ACC[1].2d,#16
++	zip1	@ACC[1].4h,$Temp.4h,@ACC[1].4h
++	ins	$temp.d[1],$zero.d[0]
++___
++	push(@ACC,shift(@ACC));
++}
++	push(@ACC,shift(@ACC));
++$code.=<<___;
++	ld1	{@ACC[0].2d,@ACC[1].2d}, [$tinptr],#32
++	subs	$inner,$inner,#8
++	st1	{@ACC[7].s}[0], [$toutptr],#4
++	bne	.LNEON_tail
++
++	st1	{$temp.s}[0], [$toutptr],#4	// top-most bit
++	sub	$nptr,$nptr,$num,lsl#2		// rewind $nptr
++	subs	$aptr,sp,#0			// clear carry flag
++	add	$bptr,sp,$num,lsl#2
++
++.LNEON_sub:
++	ldp	w4,w5,[$aptr],#8
++	ldp	w6,w7,[$aptr],#8
++	ldp	w8,w9,[$nptr],#8
++	ldp	w10,w11,[$nptr],#8
++	sbcs	w8,w4,w8
++	sbcs	w9,w5,w9
++	sbcs	w10,w6,w10
++	sbcs	w11,w7,w11
++	sub	x17,$bptr,$aptr
++	stp	w8,w9,[$rptr],#8
++	stp	w10,w11,[$rptr],#8
++	cbnz	x17,.LNEON_sub
++
++	ldr	w10, [$aptr]		// load top-most bit
++	mov	x11,sp
++	eor	v0.16b,v0.16b,v0.16b
++	sub	x11,$bptr,x11		// this is num*4
++	eor	v1.16b,v1.16b,v1.16b
++	mov	$aptr,sp
++	sub	$rptr,$rptr,x11		// rewind $rptr
++	mov	$nptr,$bptr		// second 3/4th of frame
++	sbcs	w10,w10,wzr		// result is carry flag
++
++.LNEON_copy_n_zap:
++	ldp	w4,w5,[$aptr],#8
++	ldp	w6,w7,[$aptr],#8
++	ldp	w8,w9,[$rptr],#8
++	ldp	w10,w11,[$rptr]
++	sub	$rptr,$rptr,#8
++	b.cs	.LCopy_1
++	mov	w8,w4
++	mov	w9,w5
++	mov	w10,w6
++	mov	w11,w7
++.LCopy_1:
++	st1	{v0.2d,v1.2d}, [$nptr],#32		// wipe
++	st1	{v0.2d,v1.2d}, [$nptr],#32		// wipe
++	ldp	w4,w5,[$aptr],#8
++	ldp	w6,w7,[$aptr],#8
++	stp	w8,w9,[$rptr],#8
++	stp	w10,w11,[$rptr],#8
++	sub	$aptr,$aptr,#32
++	ldp	w8,w9,[$rptr],#8
++	ldp	w10,w11,[$rptr]
++	sub	$rptr,$rptr,#8
++	b.cs	.LCopy_2
++	mov	w8, w4
++	mov	w9, w5
++	mov	w10, w6
++	mov	w11, w7
++.LCopy_2:
++	st1	{v0.2d,v1.2d}, [$aptr],#32		// wipe
++	st1	{v0.2d,v1.2d}, [$nptr],#32		// wipe
++	sub	x17,$bptr,$aptr		// preserves carry
++	stp	w8,w9,[$rptr],#8
++	stp	w10,w11,[$rptr],#8
++	cbnz	x17,.LNEON_copy_n_zap
++
++	mov	sp,x16
++	ldp	d14,d15,[sp,#64]
++	ldp	d12,d13,[sp,#48]
++	ldp	d10,d11,[sp,#32]
++	ldp	d8,d9,[sp,#16]
++	ldr	x29,[sp],#80
++	ret			// bx lr
++
++.size	bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
++___
++}
++{
+ ########################################################################
+ # Following is ARMv8 adaptation of sqrx8x_mont from x86_64-mont5 module.
+ 
+Index: openssl-1.1.1d/crypto/bn/build.info
+===================================================================
+--- openssl-1.1.1d.orig/crypto/bn/build.info
++++ openssl-1.1.1d/crypto/bn/build.info
+@@ -65,3 +65,4 @@ INCLUDE[armv4-mont.o]=..
+ GENERATE[armv4-gf2m.S]=asm/armv4-gf2m.pl $(PERLASM_SCHEME)
+ INCLUDE[armv4-gf2m.o]=..
+ GENERATE[armv8-mont.S]=asm/armv8-mont.pl $(PERLASM_SCHEME)
++INCLUDE[armv8-mont.o]=..
diff --git a/openssl-1_1-Optimize-ppc64.patch b/openssl-1_1-Optimize-ppc64.patch
new file mode 100644
index 0000000..58ed0ed
--- /dev/null
+++ b/openssl-1_1-Optimize-ppc64.patch
@@ -0,0 +1,2308 @@
+From 4dba53694bf633c272075e62acdc5a5ca3003ce6 Mon Sep 17 00:00:00 2001
+From: Amitay Isaacs <amitay@ozlabs.org>
+Date: Mon, 29 Mar 2021 18:06:13 +1100
+Subject: [PATCH 01/29] numbers: Define 128-bit integers if compiler supports
+
+Signed-off-by: Amitay Isaacs <amitay@ozlabs.org>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/14784)
+
+(cherry picked from commit bbed0d1cbd436af6797d7837e270bff4ca4d5a10)
+---
+ include/internal/numbers.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+Index: openssl-1.1.1l/include/internal/numbers.h
+===================================================================
+--- openssl-1.1.1l.orig/include/internal/numbers.h
++++ openssl-1.1.1l/include/internal/numbers.h
+@@ -60,6 +60,16 @@
+ #  define UINT64_MAX __MAXUINT__(uint64_t)
+ # endif
+ 
++# ifndef INT128_MAX
++#  if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16
++typedef __int128_t int128_t;
++typedef __uint128_t uint128_t;
++#   define INT128_MIN __MININT__(int128_t)
++#   define INT128_MAX __MAXINT__(int128_t)
++#   define UINT128_MAX __MAXUINT__(uint128_t)
++#  endif
++# endif
++
+ # ifndef SIZE_MAX
+ #  define SIZE_MAX __MAXUINT__(size_t)
+ # endif
+Index: openssl-1.1.1l/crypto/bn/bn_div.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/bn/bn_div.c
++++ openssl-1.1.1l/crypto/bn/bn_div.c
+@@ -97,7 +97,7 @@ BN_ULONG bn_div_3_words(const BN_ULONG *
+  */
+ #  if BN_BITS2 == 64 && defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+ #   undef BN_ULLONG
+-#   define BN_ULLONG __uint128_t
++#   define BN_ULLONG uint128_t
+ #   define BN_LLONG
+ #  endif
+ 
+Index: openssl-1.1.1l/crypto/bn/bn_local.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/bn/bn_local.h
++++ openssl-1.1.1l/crypto/bn/bn_local.h
+@@ -22,6 +22,7 @@
+ # endif
+ 
+ # include "crypto/bn.h"
++# include "internal/numbers.h"
+ 
+ /*
+  * These preprocessor symbols control various aspects of the bignum headers
+@@ -374,9 +375,9 @@ struct bn_gencb_st {
+  */
+ #  if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16 && \
+       (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
+-#   define BN_UMULT_HIGH(a,b)          (((__uint128_t)(a)*(b))>>64)
++#   define BN_UMULT_HIGH(a,b)          (((uint128_t)(a)*(b))>>64)
+ #   define BN_UMULT_LOHI(low,high,a,b) ({       \
+-        __uint128_t ret=(__uint128_t)(a)*(b);   \
++        uint128_t ret=(uint128_t)(a)*(b);   \
+         (high)=ret>>64; (low)=ret;      })
+ #  elif defined(__alpha) && (defined(SIXTY_FOUR_BIT_LONG) || defined(SIXTY_FOUR_BIT))
+ #   if defined(__DECC)
+Index: openssl-1.1.1l/crypto/ec/curve25519.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/curve25519.c
++++ openssl-1.1.1l/crypto/ec/curve25519.c
+@@ -11,6 +11,8 @@
+ #include "ec_local.h"
+ #include <openssl/sha.h>
+ 
++#include "internal/numbers.h"
++
+ #if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
+                             defined(_M_AMD64) || defined(_M_X64))
+ 
+@@ -252,7 +254,7 @@ static void x25519_scalar_mulx(uint8_t o
+ #endif
+ 
+ #if defined(X25519_ASM) \
+-    || ( (defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16) \
++    || ( defined(INT128_MAX) \
+          && !defined(__sparc__) \
+          && (!defined(__SIZEOF_LONG__) || (__SIZEOF_LONG__ == 8)) \
+          && !(defined(__ANDROID__) && !defined(__clang__)) )
+@@ -385,7 +387,7 @@ void x25519_fe51_mul121666(fe51 h, fe51
+ #  define fe51_mul121666 x25519_fe51_mul121666
+ # else
+ 
+-typedef __uint128_t u128;
++typedef uint128_t u128;
+ 
+ static void fe51_mul(fe51 h, const fe51 f, const fe51 g)
+ {
+Index: openssl-1.1.1l/crypto/ec/curve448/curve448utils.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/curve448/curve448utils.h
++++ openssl-1.1.1l/crypto/ec/curve448/curve448utils.h
+@@ -15,6 +15,8 @@
+ 
+ # include <openssl/e_os2.h>
+ 
++# include "internal/numbers.h"
++
+ /*
+  * Internal word types. Somewhat tricky.  This could be decided separately per
+  * platform.  However, the structs do need to be all the same size and
+@@ -41,9 +43,9 @@ typedef int64_t c448_sword_t;
+ /* "Boolean" type, will be set to all-zero or all-one (i.e. -1u) */
+ typedef uint64_t c448_bool_t;
+ /* Double-word size for internal computations */
+-typedef __uint128_t c448_dword_t;
++typedef uint128_t c448_dword_t;
+ /* Signed double-word size for internal computations */
+-typedef __int128_t c448_dsword_t;
++typedef int128_t c448_dsword_t;
+ # elif C448_WORD_BITS == 32
+ /* Word size for internal computations */
+ typedef uint32_t c448_word_t;
+Index: openssl-1.1.1l/crypto/ec/curve448/word.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/curve448/word.h
++++ openssl-1.1.1l/crypto/ec/curve448/word.h
+@@ -17,15 +17,20 @@
+ # include <assert.h>
+ # include <stdlib.h>
+ # include <openssl/e_os2.h>
+-# include "arch_intrinsics.h"
+ # include "curve448utils.h"
+ 
++# ifdef INT128_MAX
++#  include "arch_64/arch_intrinsics.h"
++# else
++#  include "arch_32/arch_intrinsics.h"
++# endif
++
+ # if (ARCH_WORD_BITS == 64)
+ typedef uint64_t word_t, mask_t;
+-typedef __uint128_t dword_t;
++typedef uint128_t dword_t;
+ typedef int32_t hsword_t;
+ typedef int64_t sword_t;
+-typedef __int128_t dsword_t;
++typedef int128_t dsword_t;
+ # elif (ARCH_WORD_BITS == 32)
+ typedef uint32_t word_t, mask_t;
+ typedef uint64_t dword_t;
+Index: openssl-1.1.1l/crypto/ec/ecp_nistp224.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp224.c
++++ openssl-1.1.1l/crypto/ec/ecp_nistp224.c
+@@ -40,11 +40,9 @@ NON_EMPTY_TRANSLATION_UNIT
+ # include <openssl/err.h>
+ # include "ec_local.h"
+ 
+-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+-  /* even with gcc, the typedef won't work for 32-bit platforms */
+-typedef __uint128_t uint128_t;  /* nonstandard; implemented by gcc on 64-bit
+-                                 * platforms */
+-# else
++#include "internal/numbers.h"
++
++#ifndef INT128_MAX
+ #  error "Your compiler doesn't appear to support 128-bit integer types"
+ # endif
+ 
+Index: openssl-1.1.1l/crypto/ec/ecp_nistp256.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp256.c
++++ openssl-1.1.1l/crypto/ec/ecp_nistp256.c
+@@ -41,14 +41,11 @@ NON_EMPTY_TRANSLATION_UNIT
+ # include <openssl/err.h>
+ # include "ec_local.h"
+ 
+-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+-  /* even with gcc, the typedef won't work for 32-bit platforms */
+-typedef __uint128_t uint128_t;  /* nonstandard; implemented by gcc on 64-bit
+-                                 * platforms */
+-typedef __int128_t int128_t;
+-# else
+-#  error "Your compiler doesn't appear to support 128-bit integer types"
+-# endif
++#include "internal/numbers.h"
++
++#ifndef INT128_MAX
++# error "Your compiler doesn't appear to support 128-bit integer types"
++#endif
+ 
+ typedef uint8_t u8;
+ typedef uint32_t u32;
+Index: openssl-1.1.1l/crypto/ec/ecp_nistp521.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/ecp_nistp521.c
++++ openssl-1.1.1l/crypto/ec/ecp_nistp521.c
+@@ -40,13 +40,11 @@ NON_EMPTY_TRANSLATION_UNIT
+ # include <openssl/err.h>
+ # include "ec_local.h"
+ 
+-# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16
+-  /* even with gcc, the typedef won't work for 32-bit platforms */
+-typedef __uint128_t uint128_t;  /* nonstandard; implemented by gcc on 64-bit
+-                                 * platforms */
+-# else
+-#  error "Your compiler doesn't appear to support 128-bit integer types"
+-# endif
++#include "internal/numbers.h"
++
++#ifndef INT128_MAX
++# error "Your compiler doesn't appear to support 128-bit integer types"
++#endif
+ 
+ typedef uint8_t u8;
+ typedef uint64_t u64;
+@@ -400,7 +398,7 @@ static void felem_diff128(largefelem out
+  * On exit:
+  *   out[i] < 17 * max(in[i]) * max(in[i])
+  */
+-static void felem_square(largefelem out, const felem in)
++static void felem_square_ref(largefelem out, const felem in)
+ {
+     felem inx2, inx4;
+     felem_scalar(inx2, in, 2);
+@@ -484,7 +482,7 @@ static void felem_square(largefelem out,
+  * On exit:
+  *   out[i] < 17 * max(in1[i]) * max(in2[i])
+  */
+-static void felem_mul(largefelem out, const felem in1, const felem in2)
++static void felem_mul_ref(largefelem out, const felem in1, const felem in2)
+ {
+     felem in2x2;
+     felem_scalar(in2x2, in2, 2);
+@@ -674,6 +672,57 @@ static void felem_reduce(felem out, cons
+      */
+ }
+ 
++#if defined(ECP_NISTP521_ASM)
++void felem_square_wrapper(largefelem out, const felem in);
++void felem_mul_wrapper(largefelem out, const felem in1, const felem in2);
++
++static void (*felem_square_p)(largefelem out, const felem in) =
++    felem_square_wrapper;
++static void (*felem_mul_p)(largefelem out, const felem in1, const felem in2) =
++    felem_mul_wrapper;
++
++void p521_felem_square(largefelem out, const felem in);
++void p521_felem_mul(largefelem out, const felem in1, const felem in2);
++
++# if defined(_ARCH_PPC64)
++#  include "../ppc_arch.h"
++# endif
++
++void felem_select(void)
++{
++# if defined(_ARCH_PPC64)
++    if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) {
++        felem_square_p = p521_felem_square;
++        felem_mul_p = p521_felem_mul;
++
++        return;
++    }
++# endif
++
++    /* Default */
++    felem_square_p = felem_square_ref;
++    felem_mul_p = felem_mul_ref;
++}
++
++void felem_square_wrapper(largefelem out, const felem in)
++{
++    felem_select();
++    felem_square_p(out, in);
++}
++
++void felem_mul_wrapper(largefelem out, const felem in1, const felem in2)
++{
++    felem_select();
++    felem_mul_p(out, in1, in2);
++}
++
++# define felem_square felem_square_p
++# define felem_mul felem_mul_p
++#else
++# define felem_square felem_square_ref
++# define felem_mul felem_mul_ref
++#endif
++
+ static void felem_square_reduce(felem out, const felem in)
+ {
+     largefelem tmp;
+Index: openssl-1.1.1l/crypto/poly1305/poly1305.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/poly1305/poly1305.c
++++ openssl-1.1.1l/crypto/poly1305/poly1305.c
+@@ -95,11 +95,10 @@ poly1305_blocks(void *ctx, const unsigne
+          (a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1) \
+          )
+ 
+-# if (defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16) && \
+-     (defined(__SIZEOF_LONG__) && __SIZEOF_LONG__==8)
++# if defined(INT64_MAX) && defined(INT128_MAX)
+ 
+ typedef unsigned long u64;
+-typedef __uint128_t u128;
++typedef uint128_t u128;
+ 
+ typedef struct {
+     u64 h[3];
+Index: openssl-1.1.1l/crypto/poly1305/poly1305_base2_44.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/poly1305/poly1305_base2_44.c
++++ openssl-1.1.1l/crypto/poly1305/poly1305_base2_44.c
+@@ -18,7 +18,7 @@
+ typedef unsigned char u8;
+ typedef unsigned int u32;
+ typedef unsigned long u64;
+-typedef unsigned __int128 u128;
++typedef uint128_t u128;
+ 
+ typedef struct {
+     u64 h[3];
+Index: openssl-1.1.1l/crypto/ec/build.info
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/build.info
++++ openssl-1.1.1l/crypto/ec/build.info
+@@ -6,8 +13,9 @@ SOURCE[../../libcrypto]=\
+         ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \
+         ecp_oct.c ec2_oct.c ec_oct.c ec_kmeth.c ecdh_ossl.c ecdh_kdf.c \
+         ecdsa_ossl.c ecdsa_sign.c ecdsa_vrf.c curve25519.c ecx_meth.c \
+-        curve448/arch_32/f_impl.c curve448/f_generic.c curve448/scalar.c \
++        curve448/f_generic.c curve448/scalar.c \
+         curve448/curve448_tables.c curve448/eddsa.c curve448/curve448.c \
++        curve448/arch_64/f_impl64.c curve448/arch_32/f_impl32.c \
+         {- $target{ec_asm_src} -}
+ 
+ GENERATE[ecp_nistz256-x86.s]=asm/ecp_nistz256-x86.pl \
+@@ -29,6 +38,8 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_n
+ INCLUDE[ecp_nistz256-armv8.o]=..
+ GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl $(PERLASM_SCHEME)
+ 
++GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl $(PERLASM_SCHEME)
++
+ GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl $(PERLASM_SCHEME)
+ GENERATE[x25519-ppc64.s]=asm/x25519-ppc64.pl $(PERLASM_SCHEME)
+ 
+@@ -36,10 +47,3 @@ BEGINRAW[Makefile]
+ {- $builddir -}/ecp_nistz256-%.S:	{- $sourcedir -}/asm/ecp_nistz256-%.pl
+ 	CC="$(CC)" $(PERL) $< $(PERLASM_SCHEME) $@
+ ENDRAW[Makefile]
+-
+-INCLUDE[curve448/arch_32/f_impl.o]=curve448/arch_32 curve448
+-INCLUDE[curve448/f_generic.o]=curve448/arch_32 curve448
+-INCLUDE[curve448/scalar.o]=curve448/arch_32 curve448
+-INCLUDE[curve448/curve448_tables.o]=curve448/arch_32 curve448
+-INCLUDE[curve448/eddsa.o]=curve448/arch_32 curve448
+-INCLUDE[curve448/curve448.o]=curve448/arch_32 curve448
+Index: openssl-1.1.1l/crypto/ec/curve448/field.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/curve448/field.h
++++ openssl-1.1.1l/crypto/ec/curve448/field.h
+@@ -66,10 +66,15 @@ void gf_serialize(uint8_t *serial, const
+ mask_t gf_deserialize(gf x, const uint8_t serial[SER_BYTES], int with_hibit,
+                       uint8_t hi_nmask);
+ 
+-# include "f_impl.h"            /* Bring in the inline implementations */
+ 
+ # define LIMBPERM(i) (i)
+-# define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
++# if (ARCH_WORD_BITS == 32)
++#  include "arch_32/f_impl.h"    /* Bring in the inline implementations */
++#  define LIMB_MASK(i) (((1)<<LIMB_PLACE_VALUE(i))-1)
++# elif (ARCH_WORD_BITS == 64)
++#  include "arch_64/f_impl.h"    /* Bring in the inline implementations */
++#  define LIMB_MASK(i) (((1ULL)<<LIMB_PLACE_VALUE(i))-1)
++# endif
+ 
+ static const gf ZERO = {{{0}}}, ONE = {{{1}}};
+ 
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/arch_intrinsics.h
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/arch_intrinsics.h
+@@ -0,0 +1,27 @@
++/*
++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2016 Cryptography Research, Inc.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ *
++ * Originally written by Mike Hamburg
++ */
++
++# include "internal/constant_time.h"
++
++#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_64_INTRINSICS_H
++# define OSSL_CRYPTO_EC_CURVE448_ARCH_64_INTRINSICS_H
++
++# define ARCH_WORD_BITS 64
++
++# define word_is_zero(a)     constant_time_is_zero_64(a)
++
++static ossl_inline uint128_t widemul(uint64_t a, uint64_t b)
++{
++    return ((uint128_t) a) * b;
++}
++
++#endif                          /* OSSL_CRYPTO_EC_CURVE448_ARCH_64_INTRINSICS_H */
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.h
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.h
+@@ -0,0 +1,58 @@
++/*
++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014-2016 Cryptography Research, Inc.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ *
++ * Originally written by Mike Hamburg
++ */
++
++#ifndef OSSL_CRYPTO_EC_CURVE448_ARCH_64_F_IMPL_H
++# define OSSL_CRYPTO_EC_CURVE448_ARCH_64_F_IMPL_H
++
++# define GF_HEADROOM 9999        /* Everything is reduced anyway */
++# define FIELD_LITERAL(a,b,c,d,e,f,g,h) {{a,b,c,d,e,f,g,h}}
++
++# define LIMB_PLACE_VALUE(i) 56
++
++void gf_add_RAW(gf out, const gf a, const gf b)
++{
++    unsigned int i;
++
++    for (i = 0; i < NLIMBS; i++)
++        out->limb[i] = a->limb[i] + b->limb[i];
++
++    gf_weak_reduce(out);
++}
++
++void gf_sub_RAW(gf out, const gf a, const gf b)
++{
++    uint64_t co1 = ((1ULL << 56) - 1) * 2, co2 = co1 - 2;
++    unsigned int i;
++
++    for (i = 0; i < NLIMBS; i++)
++        out->limb[i] = a->limb[i] - b->limb[i] + ((i == NLIMBS / 2) ? co2 : co1);
++
++    gf_weak_reduce(out);
++}
++
++void gf_bias(gf a, int amt)
++{
++}
++
++void gf_weak_reduce(gf a)
++{
++    uint64_t mask = (1ULL << 56) - 1;
++    uint64_t tmp = a->limb[NLIMBS - 1] >> 56;
++    unsigned int i;
++
++    a->limb[NLIMBS / 2] += tmp;
++    for (i = NLIMBS - 1; i > 0; i--)
++        a->limb[i] = (a->limb[i] & mask) + (a->limb[i - 1] >> 56);
++    a->limb[0] = (a->limb[0] & mask) + tmp;
++}
++
++#endif                  /* OSSL_CRYPTO_EC_CURVE448_ARCH_64_F_IMPL_H */
+Index: openssl-1.1.1l/include/internal/constant_time.h
+===================================================================
+--- openssl-1.1.1l.orig/include/internal/constant_time.h
++++ openssl-1.1.1l/include/internal/constant_time.h
+@@ -181,6 +181,11 @@ static ossl_inline uint32_t constant_tim
+     return constant_time_msb_32(~a & (a - 1));
+ }
+ 
++static ossl_inline uint64_t constant_time_is_zero_64(uint64_t a)
++{
++    return constant_time_msb_64(~a & (a - 1));
++}
++
+ static ossl_inline unsigned int constant_time_eq(unsigned int a,
+                                                  unsigned int b)
+ {
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl32.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl32.c
+@@ -0,0 +1,104 @@
++/*
++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014 Cryptography Research, Inc.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ *
++ * Originally written by Mike Hamburg
++ */
++
++#include <openssl/opensslconf.h>
++#include "internal/numbers.h"
++
++#ifdef UINT128_MAX
++/* We have support for 128 bit ints, so do nothing here */
++NON_EMPTY_TRANSLATION_UNIT
++#else
++
++# include "../field.h"
++
++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
++{
++    const uint32_t *a = as->limb, *b = bs->limb;
++    uint32_t *c = cs->limb;
++    uint64_t accum0 = 0, accum1 = 0, accum2 = 0;
++    uint32_t mask = (1 << 28) - 1;
++    uint32_t aa[8], bb[8];
++    int i, j;
++
++    for (i = 0; i < 8; i++) {
++        aa[i] = a[i] + a[i + 8];
++        bb[i] = b[i] + b[i + 8];
++    }
++
++    for (j = 0; j < 8; j++) {
++        accum2 = 0;
++        for (i = 0; i < j + 1; i++) {
++            accum2 += widemul(a[j - i], b[i]);
++            accum1 += widemul(aa[j - i], bb[i]);
++            accum0 += widemul(a[8 + j - i], b[8 + i]);
++        }
++        accum1 -= accum2;
++        accum0 += accum2;
++        accum2 = 0;
++        for (i = j + 1; i < 8; i++) {
++            accum0 -= widemul(a[8 + j - i], b[i]);
++            accum2 += widemul(aa[8 + j - i], bb[i]);
++            accum1 += widemul(a[16 + j - i], b[8 + i]);
++        }
++        accum1 += accum2;
++        accum0 += accum2;
++        c[j] = ((uint32_t)(accum0)) & mask;
++        c[j + 8] = ((uint32_t)(accum1)) & mask;
++        accum0 >>= 28;
++        accum1 >>= 28;
++    }
++
++    accum0 += accum1;
++    accum0 += c[8];
++    accum1 += c[0];
++    c[8] = ((uint32_t)(accum0)) & mask;
++    c[0] = ((uint32_t)(accum1)) & mask;
++
++    accum0 >>= 28;
++    accum1 >>= 28;
++    c[9] += ((uint32_t)(accum0));
++    c[1] += ((uint32_t)(accum1));
++}
++
++void gf_mulw_unsigned(gf_s * RESTRICT cs, const gf as, uint32_t b)
++{
++    const uint32_t *a = as->limb;
++    uint32_t *c = cs->limb;
++    uint64_t accum0 = 0, accum8 = 0;
++    uint32_t mask = (1 << 28) - 1;
++    int i;
++
++    assert(b <= mask);
++
++    for (i = 0; i < 8; i++) {
++        accum0 += widemul(b, a[i]);
++        accum8 += widemul(b, a[i + 8]);
++        c[i] = accum0 & mask;
++        accum0 >>= 28;
++        c[i + 8] = accum8 & mask;
++        accum8 >>= 28;
++    }
++
++    accum0 += accum8 + c[8];
++    c[8] = ((uint32_t)accum0) & mask;
++    c[9] += (uint32_t)(accum0 >> 28);
++
++    accum8 += c[0];
++    c[0] = ((uint32_t)accum8) & mask;
++    c[1] += (uint32_t)(accum8 >> 28);
++}
++
++void gf_sqr(gf_s * RESTRICT cs, const gf as)
++{
++    gf_mul(cs, as, as);         /* Performs better with a dedicated square */
++}
++#endif
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl64.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl64.c
+@@ -0,0 +1,210 @@
++/*
++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014 Cryptography Research, Inc.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ *
++ * Originally written by Mike Hamburg
++ */
++
++#include <openssl/opensslconf.h>
++#include "internal/numbers.h"
++
++#ifndef UINT128_MAX
++/* No support for 128 bit ints, so do nothing here */
++NON_EMPTY_TRANSLATION_UNIT
++#else
++
++# include "../field.h"
++
++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
++{
++    const uint64_t *a = as->limb, *b = bs->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum1 = 0, accum2;
++    uint64_t mask = (1ULL << 56) - 1;
++    uint64_t aa[4], bb[4], bbb[4];
++    unsigned int i, j;
++
++    for (i = 0; i < 4; i++) {
++        aa[i] = a[i] + a[i + 4];
++        bb[i] = b[i] + b[i + 4];
++        bbb[i] = bb[i] + b[i + 4];
++    }
++
++    for (i = 0; i < 4; i++) {
++        accum2 = 0;
++
++        for (j = 0; j <= i; j++) {
++            accum2 += widemul(a[j], b[i - j]);
++            accum1 += widemul(aa[j], bb[i - j]);
++            accum0 += widemul(a[j + 4], b[i - j + 4]);
++        }
++        for (; j < 4; j++) {
++            accum2 += widemul(a[j], b[i - j + 8]);
++            accum1 += widemul(aa[j], bbb[i - j + 4]);
++            accum0 += widemul(a[j + 4], bb[i - j + 4]);
++        }
++
++	accum1 -= accum2;
++	accum0 += accum2;
++
++        c[i] = ((uint64_t)(accum0)) & mask;
++        c[i + 4] = ((uint64_t)(accum1)) & mask;
++
++        accum0 >>= 56;
++        accum1 >>= 56;
++    }
++
++    accum0 += accum1;
++    accum0 += c[4];
++    accum1 += c[0];
++    c[4] = ((uint64_t)(accum0)) & mask;
++    c[0] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    c[5] += ((uint64_t)(accum0));
++    c[1] += ((uint64_t)(accum1));
++}
++
++void gf_mulw_unsigned(gf_s * __restrict__ cs, const gf as, uint32_t b)
++{
++    const uint64_t *a = as->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum4 = 0;
++    uint64_t mask = (1ULL << 56) - 1;
++    int i;
++
++    for (i = 0; i < 4; i++) {
++        accum0 += widemul(b, a[i]);
++        accum4 += widemul(b, a[i + 4]);
++        c[i] = accum0 & mask;
++        accum0 >>= 56;
++        c[i + 4] = accum4 & mask;
++        accum4 >>= 56;
++    }
++
++    accum0 += accum4 + c[4];
++    c[4] = accum0 & mask;
++    c[5] += accum0 >> 56;
++
++    accum4 += c[0];
++    c[0] = accum4 & mask;
++    c[1] += accum4 >> 56;
++}
++
++void gf_sqr(gf_s * __restrict__ cs, const gf as)
++{
++    const uint64_t *a = as->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum1 = 0, accum2;
++    uint64_t mask = (1ULL << 56) - 1;
++    uint64_t aa[4];
++
++    /* For some reason clang doesn't vectorize this without prompting? */
++    unsigned int i;
++    for (i = 0; i < 4; i++) {
++        aa[i] = a[i] + a[i + 4];
++    }
++
++    accum2 = widemul(a[0], a[3]);
++    accum0 = widemul(aa[0], aa[3]);
++    accum1 = widemul(a[4], a[7]);
++
++    accum2 += widemul(a[1], a[2]);
++    accum0 += widemul(aa[1], aa[2]);
++    accum1 += widemul(a[5], a[6]);
++
++    accum0 -= accum2;
++    accum1 += accum2;
++
++    c[3] = ((uint64_t)(accum1)) << 1 & mask;
++    c[7] = ((uint64_t)(accum0)) << 1 & mask;
++
++    accum0 >>= 55;
++    accum1 >>= 55;
++
++    accum0 += widemul(2 * aa[1], aa[3]);
++    accum1 += widemul(2 * a[5], a[7]);
++    accum0 += widemul(aa[2], aa[2]);
++    accum1 += accum0;
++
++    accum0 -= widemul(2 * a[1], a[3]);
++    accum1 += widemul(a[6], a[6]);
++
++    accum2 = widemul(a[0], a[0]);
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    accum0 -= widemul(a[2], a[2]);
++    accum1 += widemul(aa[0], aa[0]);
++    accum0 += widemul(a[4], a[4]);
++
++    c[0] = ((uint64_t)(accum0)) & mask;
++    c[4] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum2 = widemul(2 * aa[2], aa[3]);
++    accum0 -= widemul(2 * a[2], a[3]);
++    accum1 += widemul(2 * a[6], a[7]);
++
++    accum1 += accum2;
++    accum0 += accum2;
++
++    accum2 = widemul(2 * a[0], a[1]);
++    accum1 += widemul(2 * aa[0], aa[1]);
++    accum0 += widemul(2 * a[4], a[5]);
++
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    c[1] = ((uint64_t)(accum0)) & mask;
++    c[5] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum2 = widemul(aa[3], aa[3]);
++    accum0 -= widemul(a[3], a[3]);
++    accum1 += widemul(a[7], a[7]);
++
++    accum1 += accum2;
++    accum0 += accum2;
++
++    accum2 = widemul(2 * a[0], a[2]);
++    accum1 += widemul(2 * aa[0], aa[2]);
++    accum0 += widemul(2 * a[4], a[6]);
++
++    accum2 += widemul(a[1], a[1]);
++    accum1 += widemul(aa[1], aa[1]);
++    accum0 += widemul(a[5], a[5]);
++
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    c[2] = ((uint64_t)(accum0)) & mask;
++    c[6] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum0 += c[3];
++    accum1 += c[7];
++    c[3] = ((uint64_t)(accum0)) & mask;
++    c[7] = ((uint64_t)(accum1)) & mask;
++
++    /* we could almost stop here, but it wouldn't be stable, so... */
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++    c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));
++    c[0] += ((uint64_t)(accum1));
++}
++#endif
+Index: openssl-1.1.1l/Configurations/00-base-templates.conf
+===================================================================
+--- openssl-1.1.1l.orig/Configurations/00-base-templates.conf
++++ openssl-1.1.1l/Configurations/00-base-templates.conf
+@@ -351,7 +351,8 @@ my %targets=(
+     ppc64_asm => {
+ 	inherit_from	=> [ "ppc32_asm" ],
+ 	template	=> 1,
+-	ec_asm_src	=> "ecp_nistz256.c ecp_nistz256-ppc64.s x25519-ppc64.s",
++	bn_asm_src      => add("ppc64-mont-fixed.s"),
++	ec_asm_src	=> "ecp_nistz256.c ecp_nistz256-ppc64.s ecp_nistp521-ppc64.s x25519-ppc64.s",
+ 	keccak1600_asm_src	=> "keccak1600-ppc64.s",
+     },
+ );
+Index: openssl-1.1.1l/crypto/bn/asm/ppc64-mont-fixed.pl
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/bn/asm/ppc64-mont-fixed.pl
+@@ -0,0 +1,581 @@
++#! /usr/bin/env perl
++# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++# ====================================================================
++# Written by Amitay Isaacs <amitay@ozlabs.org>, Martin Schwenke
++# <martin@meltin.net> & Alastair D'Silva <alastair@d-silva.org> for
++# the OpenSSL project.
++# ====================================================================
++
++#
++# Fixed length (n=6), unrolled PPC Montgomery Multiplication
++#
++
++# 2021
++#
++# Although this is a generic implementation for unrolling Montgomery
++# Multiplication for arbitrary values of n, this is currently only
++# used for n = 6 to improve the performance of ECC p384.
++#
++# Unrolling allows intermediate results to be stored in registers,
++# rather than on the stack, improving performance by ~7% compared to
++# the existing PPC assembly code.
++#
++# The ISA 3.0 implementation uses combination multiply/add
++# instructions (maddld, maddhdu) to improve performance by an
++# additional ~10% on Power 9.
++#
++# Finally, saving non-volatile registers into volatile vector
++# registers instead of onto the stack saves a little more.
++#
++# On a Power 9 machine we see an overall improvement of ~18%.
++#
++
++use strict;
++use warnings;
++
++my ($flavour, $output, $dir, $xlate);
++
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
++die "can't locate ppc-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour \"$output\""
++    or die "can't call $xlate: $!";
++
++if ($flavour !~ /64/) {
++	die "bad flavour ($flavour) - only ppc64 permitted";
++}
++
++my $SIZE_T= 8;
++
++# Registers are global so the code is remotely readable
++
++# Parameters for Montgomery multiplication
++my $sp	= "r1";
++my $toc	= "r2";
++my $rp	= "r3";
++my $ap	= "r4";
++my $bp	= "r5";
++my $np	= "r6";
++my $n0	= "r7";
++my $num	= "r8";
++
++my $i	= "r9";
++my $c0	= "r10";
++my $bp0	= "r11";
++my $bpi	= "r11";
++my $bpj	= "r11";
++my $tj	= "r12";
++my $apj	= "r12";
++my $npj	= "r12";
++my $lo	= "r14";
++my $c1	= "r14";
++
++# Non-volatile registers used for tp[i]
++#
++# 12 registers are available but the limit on unrolling is 10,
++# since registers from $tp[0] to $tp[$n+1] are used.
++my @tp = ("r20" .. "r31");
++
++# volatile VSRs for saving non-volatile GPRs - faster than stack
++my @vsrs = ("v32" .. "v46");
++
++package Mont;
++
++sub new($$)
++{
++	my ($class, $n) = @_;
++
++	if ($n > 10) {
++		die "Can't unroll for BN length ${n} (maximum 10)"
++	}
++
++	my $self = {
++		code => "",
++		n => $n,
++	};
++	bless $self, $class;
++
++	return $self;
++}
++
++sub add_code($$)
++{
++	my ($self, $c) = @_;
++
++	$self->{code} .= $c;
++}
++
++sub get_code($)
++{
++	my ($self) = @_;
++
++	return $self->{code};
++}
++
++sub get_function_name($)
++{
++	my ($self) = @_;
++
++	return "bn_mul_mont_fixed_n" . $self->{n};
++}
++
++sub get_label($$)
++{
++	my ($self, $l) = @_;
++
++	return "L" . $l . "_" . $self->{n};
++}
++
++sub get_labels($@)
++{
++	my ($self, @labels) = @_;
++
++	my %out = ();
++
++	foreach my $l (@labels) {
++		$out{"$l"} = $self->get_label("$l");
++	}
++
++	return \%out;
++}
++
++sub nl($)
++{
++	my ($self) = @_;
++
++	$self->add_code("\n");
++}
++
++sub copy_result($)
++{
++	my ($self) = @_;
++
++	my ($n) = $self->{n};
++
++	for (my $j = 0; $j < $n; $j++) {
++		$self->add_code(<<___);
++	std		$tp[$j],`$j*$SIZE_T`($rp)
++___
++	}
++
++}
++
++sub mul_mont_fixed($)
++{
++	my ($self) = @_;
++
++	my ($n) = $self->{n};
++	my $fname = $self->get_function_name();
++	my $label = $self->get_labels("outer", "enter", "sub", "copy", "end");
++
++	$self->add_code(<<___);
++
++.globl	.${fname}
++.align	5
++.${fname}:
++
++___
++
++	$self->save_registers();
++
++	$self->add_code(<<___);
++	ld		$n0,0($n0)
++
++	ld		$bp0,0($bp)
++
++	ld		$apj,0($ap)
++___
++
++	$self->mul_c_0($tp[0], $apj, $bp0, $c0);
++
++	for (my $j = 1; $j < $n - 1; $j++) {
++		$self->add_code(<<___);
++	ld		$apj,`$j*$SIZE_T`($ap)
++___
++		$self->mul($tp[$j], $apj, $bp0, $c0);
++	}
++
++	$self->add_code(<<___);
++	ld		$apj,`($n-1)*$SIZE_T`($ap)
++___
++
++	$self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0);
++
++	$self->add_code(<<___);
++	li		$tp[$n+1],0
++
++___
++
++	$self->add_code(<<___);
++	li		$i,0
++	mtctr		$num
++	b		$label->{"enter"}
++
++.align	4
++$label->{"outer"}:
++	ldx		$bpi,$bp,$i
++
++	ld		$apj,0($ap)
++___
++
++	$self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0);
++
++	for (my $j = 1; $j < $n; $j++) {
++		$self->add_code(<<___);
++	ld		$apj,`$j*$SIZE_T`($ap)
++___
++		$self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0);
++	}
++
++	$self->add_code(<<___);
++	addc		$tp[$n],$tp[$n],$c0
++	addze		$tp[$n+1],$tp[$n+1]
++___
++
++	$self->add_code(<<___);
++.align	4
++$label->{"enter"}:
++	mulld		$bpi,$tp[0],$n0
++
++	ld		$npj,0($np)
++___
++
++	$self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0);
++
++	for (my $j = 1; $j < $n; $j++) {
++		$self->add_code(<<___);
++	ld		$npj,`$j*$SIZE_T`($np)
++___
++		$self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0);
++	}
++
++	$self->add_code(<<___);
++	addc		$tp[$n-1],$tp[$n],$c0
++	addze		$tp[$n],$tp[$n+1]
++
++	addi		$i,$i,$SIZE_T
++	bdnz		$label->{"outer"}
++
++	and.		$tp[$n],$tp[$n],$tp[$n]
++	bne		$label->{"sub"}
++
++	cmpld	$tp[$n-1],$npj
++	blt		$label->{"copy"}
++
++$label->{"sub"}:
++___
++
++	#
++	# Reduction
++	#
++
++		$self->add_code(<<___);
++	ld		$bpj,`0*$SIZE_T`($np)
++	subfc		$c1,$bpj,$tp[0]
++	std		$c1,`0*$SIZE_T`($rp)
++
++___
++	for (my $j = 1; $j < $n - 1; $j++) {
++		$self->add_code(<<___);
++	ld		$bpj,`$j*$SIZE_T`($np)
++	subfe		$c1,$bpj,$tp[$j]
++	std		$c1,`$j*$SIZE_T`($rp)
++
++___
++	}
++
++		$self->add_code(<<___);
++	subfe		$c1,$npj,$tp[$n-1]
++	std		$c1,`($n-1)*$SIZE_T`($rp)
++
++___
++
++	$self->add_code(<<___);
++	addme.		$tp[$n],$tp[$n]
++	beq		$label->{"end"}
++
++$label->{"copy"}:
++___
++
++	$self->copy_result();
++
++	$self->add_code(<<___);
++
++$label->{"end"}:
++___
++
++	$self->restore_registers();
++
++	$self->add_code(<<___);
++	li		r3,1
++	blr
++.size .${fname},.-.${fname}
++___
++
++}
++
++package Mont::GPR;
++
++our @ISA = ('Mont');
++
++sub new($$)
++{
++    my ($class, $n) = @_;
++
++    return $class->SUPER::new($n);
++}
++
++sub save_registers($)
++{
++	my ($self) = @_;
++
++	my $n = $self->{n};
++
++	$self->add_code(<<___);
++	std	$lo,-8($sp)
++___
++
++	for (my $j = 0; $j <= $n+1; $j++) {
++		$self->{code}.=<<___;
++	std	$tp[$j],-`($j+2)*8`($sp)
++___
++	}
++
++	$self->add_code(<<___);
++
++___
++}
++
++sub restore_registers($)
++{
++	my ($self) = @_;
++
++	my $n = $self->{n};
++
++	$self->add_code(<<___);
++	ld	$lo,-8($sp)
++___
++
++	for (my $j = 0; $j <= $n+1; $j++) {
++		$self->{code}.=<<___;
++	ld	$tp[$j],-`($j+2)*8`($sp)
++___
++	}
++
++	$self->{code} .=<<___;
++
++___
++}
++
++# Direct translation of C mul()
++sub mul($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r,$lo,$c
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++
++___
++}
++
++# Like mul() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_c_0($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$r,$a,$w
++	mulhdu		$c,$a,$w
++
++___
++}
++
++# Like mul() but does not to the final addition of CA into $c - an
++# optimisation to save an instruction
++sub mul_last($$$$$$)
++{
++	my ($self, $r1, $r2, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r1,$lo,$c
++	mulhdu		$c,$a,$w
++
++	addze		$r2,$c
++___
++}
++
++# Like C mul_add() but allow $r_out and $r_in to be different
++sub mul_add($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$lo,$lo,$c
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++	addc		$r_out,$r_in,$lo
++	addze		$c,$c
++
++___
++}
++
++# Like mul_add() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_add_c_0($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld		$lo,$a,$w
++	addc		$r_out,$r_in,$lo
++	mulhdu		$c,$a,$w
++	addze		$c,$c
++
++___
++}
++
++package Mont::GPR_300;
++
++our @ISA = ('Mont::GPR');
++
++sub new($$)
++{
++	my ($class, $n) = @_;
++
++	my $mont = $class->SUPER::new($n);
++
++	return $mont;
++}
++
++sub get_function_name($)
++{
++	my ($self) = @_;
++
++	return "bn_mul_mont_300_fixed_n" . $self->{n};
++}
++
++sub get_label($$)
++{
++	my ($self, $l) = @_;
++
++	return "L" . $l . "_300_" . $self->{n};
++}
++
++# Direct translation of C mul()
++sub mul($$$$$)
++{
++	my ($self, $r, $a, $w, $c, $last) = @_;
++
++	$self->add_code(<<___);
++	maddld		$r,$a,$w,$c
++	maddhdu		$c,$a,$w,$c
++
++___
++}
++
++# Save the last carry as the final entry
++sub mul_last($$$$$)
++{
++	my ($self, $r1, $r2, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$r1,$a,$w,$c
++	maddhdu		$r2,$a,$w,$c
++
++___
++}
++
++# Like mul() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_c_0($$$$$)
++{
++	my ($self, $r, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	mulld          $r,$a,$w
++	mulhdu          $c,$a,$w
++
++___
++}
++
++# Like C mul_add() but allow $r_out and $r_in to be different
++sub mul_add($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$lo,$a,$w,$c
++	maddhdu		$c,$a,$w,$c
++	addc		$r_out,$r_in,$lo
++	addze		$c,$c
++
++___
++}
++
++# Like mul_add() but $c is ignored as an input - an optimisation to save a
++# preliminary instruction that would set input $c to 0
++sub mul_add_c_0($$$$$$)
++{
++	my ($self, $r_out, $r_in, $a, $w, $c) = @_;
++
++	$self->add_code(<<___);
++	maddld		$lo,$a,$w,$r_in
++	maddhdu		$c,$a,$w,$r_in
++___
++
++	if ($r_out ne $lo) {
++		$self->add_code(<<___);
++	mr			$r_out,$lo
++___
++	}
++
++	$self->nl();
++}
++
++
++package main;
++
++my $code;
++
++$code.=<<___;
++.machine "any"
++.text
++___
++
++my $mont;
++
++$mont = new Mont::GPR(6);
++$mont->mul_mont_fixed();
++$code .= $mont->get_code();
++
++$mont = new Mont::GPR_300(6);
++$mont->mul_mont_fixed();
++$code .= $mont->get_code();
++
++$code =~ s/\`([^\`]*)\`/eval $1/gem;
++
++$code.=<<___;
++.asciz  "Montgomery Multiplication for PPC by <amitay\@ozlabs.org>, <alastair\@d-silva.org>"
++___
++
++print $code;
++close STDOUT or die "error closing STDOUT: $!";
+Index: openssl-1.1.1l/crypto/bn/build.info
+===================================================================
+--- openssl-1.1.1l.orig/crypto/bn/build.info
++++ openssl-1.1.1l/crypto/bn/build.info
+@@ -56,6 +56,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.
+ GENERATE[bn-ppc.s]=asm/ppc.pl $(PERLASM_SCHEME)
+ GENERATE[ppc-mont.s]=asm/ppc-mont.pl $(PERLASM_SCHEME)
+ GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl $(PERLASM_SCHEME)
++GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl $(PERLASM_SCHEME)
+ 
+ GENERATE[alpha-mont.S]=asm/alpha-mont.pl $(PERLASM_SCHEME)
+ 
+Index: openssl-1.1.1l/crypto/ppccap.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ppccap.c
++++ openssl-1.1.1l/crypto/ppccap.c
+@@ -46,6 +46,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U
+                         const BN_ULONG *np, const BN_ULONG *n0, int num);
+     int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                           const BN_ULONG *np, const BN_ULONG *n0, int num);
++    int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
++                             const BN_ULONG *bp, const BN_ULONG *np,
++                             const BN_ULONG *n0, int num);
++    int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap,
++                                 const BN_ULONG *bp, const BN_ULONG *np,
++                                 const BN_ULONG *n0, int num);
+ 
+     if (num < 4)
+         return 0;
+@@ -61,6 +67,15 @@ int bn_mul_mont(BN_ULONG *rp, const BN_U
+      * no opportunity to figure it out...
+      */
+ 
++#if defined(_ARCH_PPC64)
++    if (num == 6) {
++        if (OPENSSL_ppccap_P & PPC_MADD300)
++            return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num);
++        else
++            return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num);
++    }
++#endif
++
+     return bn_mul_mont_int(rp, ap, bp, np, n0, num);
+ }
+ #endif
+Index: openssl-1.1.1l/crypto/perlasm/ppc-xlate.pl
+===================================================================
+--- openssl-1.1.1l.orig/crypto/perlasm/ppc-xlate.pl
++++ openssl-1.1.1l/crypto/perlasm/ppc-xlate.pl
+@@ -136,6 +136,71 @@ my $quad = sub {
+ };
+ 
+ ################################################################
++# vector register number hacking
++################################################################
++
++# It is convenient to be able to set a variable like:
++#   my $foo = "v33";
++# and use this in different contexts where:
++# * a VSR (Vector-Scaler Register) number (i.e. "v33") is required
++# * a VR (Vector Register) number (i.e. "v1") is required
++# Map VSR numbering to VR number for certain vector instructions.
++
++# vs<N> -> v<N-32> if N > 32
++sub vsr2vr1 {
++    my $in = shift;
++
++    my $n = int($in);
++    if ($n >= 32) {
++	    $n -= 32;
++    }
++
++    return "$n";
++}
++# As above for first $num register args, returns list
++sub _vsr2vr {
++    my $num = shift;
++    my @rest = @_;
++    my @subst = splice(@rest, 0, $num);
++
++    @subst = map { vsr2vr1($_); } @subst;
++
++    return (@subst, @rest);
++}
++# As above but 1st arg ($f) is extracted and reinserted after
++# processing so that it can be ignored by a code generation function
++# that consumes the result
++sub vsr2vr_args {
++    my $num = shift;
++    my $f = shift;
++
++    my @out = _vsr2vr($num, @_);
++
++    return ($f, @out);
++}
++# As above but 1st arg is mnemonic, return formatted instruction
++sub vsr2vr {
++    my $mnemonic = shift;
++    my $num = shift;
++    my $f = shift;
++
++    my @out = _vsr2vr($num, @_);
++
++    "	${mnemonic}${f}	" . join(",", @out);
++}
++
++# ISA 2.03
++my $vsel	= sub { vsr2vr("vsel",		4, @_); };
++my $vsl		= sub { vsr2vr("vsl",		3, @_); };
++my $vspltisb	= sub { vsr2vr("vspltisb",	1, @_); };
++my $vspltisw	= sub { vsr2vr("vspltisw",	1, @_); };
++my $vsr		= sub { vsr2vr("vsr",		3, @_); };
++my $vsro	= sub { vsr2vr("vsro",		3, @_); };
++
++# ISA 3.0
++my $lxsd	= sub { vsr2vr("lxsd",		1, @_); };
++
++################################################################
+ # simplified mnemonics not handled by at least one assembler
+ ################################################################
+ my $cmplw = sub {
+@@ -226,13 +291,18 @@ my $vpermdi	= sub {				# xxpermdi
+ 
+ # PowerISA 2.07 stuff
+ sub vcrypto_op {
+-    my ($f, $vrt, $vra, $vrb, $op) = @_;
++    my ($f, $vrt, $vra, $vrb, $op) = vsr2vr_args(3, @_);
+     "	.long	".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|$op;
+ }
+ sub vfour {
+     my ($f, $vrt, $vra, $vrb, $vrc, $op) = @_;
+     "	.long	".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($vrc<<6)|$op;
+ };
++sub vfour_vsr {
++    my ($f, $vrt, $vra, $vrb, $vrc, $op) = vsr2vr_args(4, @_);
++    "	.long	".sprintf "0x%X",(4<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($vrc<<6)|$op;
++};
++
+ my $vcipher	= sub { vcrypto_op(@_, 1288); };
+ my $vcipherlast	= sub { vcrypto_op(@_, 1289); };
+ my $vncipher	= sub { vcrypto_op(@_, 1352); };
+@@ -254,10 +324,10 @@ my $vsld	= sub { vcrypto_op(@_, 1476); }
+ my $vsrd	= sub { vcrypto_op(@_, 1732); };
+ my $vsubudm	= sub { vcrypto_op(@_, 1216); };
+ my $vaddcuq	= sub { vcrypto_op(@_, 320);  };
+-my $vaddeuqm	= sub { vfour(@_,60); };
+-my $vaddecuq	= sub { vfour(@_,61); };
+-my $vmrgew	= sub { vfour(@_,0,1932); };
+-my $vmrgow	= sub { vfour(@_,0,1676); };
++my $vaddeuqm	= sub { vfour_vsr(@_,60); };
++my $vaddecuq	= sub { vfour_vsr(@_,61); };
++my $vmrgew	= sub { vfour_vsr(@_,0,1932); };
++my $vmrgow	= sub { vfour_vsr(@_,0,1676); };
+ 
+ my $mtsle	= sub {
+     my ($f, $arg) = @_;
+@@ -298,7 +368,7 @@ my $addex = sub {
+     my ($f, $rt, $ra, $rb, $cy) = @_;	# only cy==0 is specified in 3.0B
+     "	.long	".sprintf "0x%X",(31<<26)|($rt<<21)|($ra<<16)|($rb<<11)|($cy<<9)|(170<<1);
+ };
+-my $vmsumudm	= sub { vfour(@_,35); };
++my $vmsumudm	= sub { vfour_vsr(@_, 35); };
+ 
+ while($line=<>) {
+ 
+Index: openssl-1.1.1l/Configurations/10-main.conf
+===================================================================
+--- openssl-1.1.1l.orig/Configurations/10-main.conf
++++ openssl-1.1.1l/Configurations/10-main.conf
+@@ -669,7 +669,7 @@ my %targets = (
+         inherit_from     => [ "linux-generic64", asm("ppc64_asm") ],
+         cflags           => add("-m64"),
+         cxxflags         => add("-m64"),
+-        lib_cppflags     => add("-DB_ENDIAN"),
++        lib_cppflags     => add("-DB_ENDIAN -DECP_NISTP521_ASM"),
+         perlasm_scheme   => "linux64",
+         multilib         => "64",
+     },
+@@ -677,7 +677,7 @@ my %targets = (
+         inherit_from     => [ "linux-generic64", asm("ppc64_asm") ],
+         cflags           => add("-m64"),
+         cxxflags         => add("-m64"),
+-        lib_cppflags     => add("-DL_ENDIAN"),
++        lib_cppflags     => add("-DL_ENDIAN -DECP_NISTP521_ASM"),
+         perlasm_scheme   => "linux64le",
+     },
+ 
+Index: openssl-1.1.1l/crypto/ec/asm/ecp_nistp521-ppc64.pl
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/asm/ecp_nistp521-ppc64.pl
+@@ -0,0 +1,435 @@
++#! /usr/bin/env perl
++# Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the OpenSSL license (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++#
++# ====================================================================
++# Written by Amitay Isaacs <amitay@ozlabs.org> and Martin Schwenke
++# <martin@meltin.net> for the OpenSSL project.
++# ====================================================================
++#
++# p521 lower-level primitives for PPC64 using vector instructions.
++#
++
++use strict;
++use warnings;
++
++my $flavour = shift;
++my $output = "";
++while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
++if (!$output) {
++	$output = "-";
++}
++
++my ($xlate, $dir);
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
++die "can't locate ppc-xlate.pl";
++
++open OUT,"| \"$^X\" $xlate $flavour $output";
++*STDOUT=*OUT;
++
++my $code = "";
++
++my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12");
++
++my $vzero = "v32";
++
++sub startproc($)
++{
++    my ($name) = @_;
++
++    $code.=<<___;
++    .globl ${name}
++    .align 5
++${name}:
++
++___
++}
++
++sub endproc($)
++{
++    my ($name) = @_;
++
++    $code.=<<___;
++	blr
++	    .size	${name},.-${name}
++
++___
++}
++
++
++sub push_vrs($$)
++{
++	my ($min, $max) = @_;
++
++	my $count = $max - $min + 1;
++
++	$code.=<<___;
++	mr		$savesp,$sp
++	stdu		$sp,-16*`$count+1`($sp)
++
++___
++	    for (my $i = $min; $i <= $max; $i++) {
++		    my $mult = $max - $i + 1;
++		    $code.=<<___;
++	stxv		$i,-16*$mult($savesp)
++___
++
++	}
++
++	$code.=<<___;
++
++___
++}
++
++sub pop_vrs($$)
++{
++	my ($min, $max) = @_;
++
++	$code.=<<___;
++	ld		$savesp,0($sp)
++___
++	for (my $i = $min; $i <= $max; $i++) {
++		my $mult = $max - $i + 1;
++		$code.=<<___;
++	lxv		$i,-16*$mult($savesp)
++___
++	}
++
++	$code.=<<___;
++	mr		$sp,$savesp
++
++___
++}
++
++sub load_vrs($$)
++{
++	my ($pointer, $reg_list) = @_;
++
++	for (my $i = 0; $i <= 8; $i++) {
++		my $offset = $i * 8;
++		$code.=<<___;
++	lxsd		$reg_list->[$i],$offset($pointer)
++___
++	}
++
++	$code.=<<___;
++
++___
++}
++
++sub store_vrs($$)
++{
++	my ($pointer, $reg_list) = @_;
++
++	for (my $i = 0; $i <= 8; $i++) {
++		my $offset = $i * 16;
++		$code.=<<___;
++	stxv		$reg_list->[$i],$offset($pointer)
++___
++	}
++
++	$code.=<<___;
++
++___
++}
++
++$code.=<<___;
++.text
++
++___
++
++{
++	# mul/square common
++	my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v44", "v54");
++	my ($zero, $one) = ("r8", "r9");
++	my @out = map("v$_",(55..63));
++
++	{
++		#
++		# p521_felem_mul
++		#
++
++		my ($in1p, $in2p) = ("r4", "r5");
++		my @in1 = map("v$_",(45..53));
++		my @in2 = map("v$_",(35..43));
++
++		startproc("p521_felem_mul");
++
++		push_vrs(52, 63);
++
++		$code.=<<___;
++	vspltisw	$vzero,0
++
++___
++
++		load_vrs($in1p, \@in1);
++		load_vrs($in2p, \@in2);
++
++		$code.=<<___;
++	vmsumudm	$out[0],$in1[0],$in2[0],$vzero
++
++	xxpermdi	$t1,$in1[0],$in1[1],0b00
++	xxpermdi	$t2,$in2[1],$in2[0],0b00
++	vmsumudm	$out[1],$t1,$t2,$vzero
++
++	xxpermdi	$t2,$in2[2],$in2[1],0b00
++	vmsumudm	$out[2],$t1,$t2,$vzero
++	vmsumudm	$out[2],$in1[2],$in2[0],$out[2]
++
++	xxpermdi	$t2,$in2[3],$in2[2],0b00
++	vmsumudm	$out[3],$t1,$t2,$vzero
++	xxpermdi	$t3,$in1[2],$in1[3],0b00
++	xxpermdi	$t4,$in2[1],$in2[0],0b00
++	vmsumudm	$out[3],$t3,$t4,$out[3]
++
++	xxpermdi	$t2,$in2[4],$in2[3],0b00
++	vmsumudm	$out[4],$t1,$t2,$vzero
++	xxpermdi	$t4,$in2[2],$in2[1],0b00
++	vmsumudm	$out[4],$t3,$t4,$out[4]
++	vmsumudm	$out[4],$in1[4],$in2[0],$out[4]
++
++	xxpermdi	$t2,$in2[5],$in2[4],0b00
++	vmsumudm	$out[5],$t1,$t2,$vzero
++	xxpermdi	$t4,$in2[3],$in2[2],0b00
++	vmsumudm	$out[5],$t3,$t4,$out[5]
++
++	xxpermdi	$t2,$in2[6],$in2[5],0b00
++	vmsumudm	$out[6],$t1,$t2,$vzero
++	xxpermdi	$t4,$in2[4],$in2[3],0b00
++	vmsumudm	$out[6],$t3,$t4,$out[6]
++
++	xxpermdi	$t2,$in2[7],$in2[6],0b00
++	vmsumudm	$out[7],$t1,$t2,$vzero
++	xxpermdi	$t4,$in2[5],$in2[4],0b00
++	vmsumudm	$out[7],$t3,$t4,$out[7]
++
++	xxpermdi	$t2,$in2[8],$in2[7],0b00
++	vmsumudm	$out[8],$t1,$t2,$vzero
++	xxpermdi	$t4,$in2[6],$in2[5],0b00
++	vmsumudm	$out[8],$t3,$t4,$out[8]
++
++	xxpermdi	$t1,$in1[4],$in1[5],0b00
++	xxpermdi	$t2,$in2[1],$in2[0],0b00
++	vmsumudm	$out[5],$t1,$t2,$out[5]
++
++	xxpermdi	$t2,$in2[2],$in2[1],0b00
++	vmsumudm	$out[6],$t1,$t2,$out[6]
++	vmsumudm	$out[6],$in1[6],$in2[0],$out[6]
++
++	xxpermdi	$t2,$in2[3],$in2[2],0b00
++	vmsumudm	$out[7],$t1,$t2,$out[7]
++	xxpermdi	$t3,$in1[6],$in1[7],0b00
++	xxpermdi	$t4,$in2[1],$in2[0],0b00
++	vmsumudm	$out[7],$t3,$t4,$out[7]
++
++	xxpermdi	$t2,$in2[4],$in2[3],0b00
++	vmsumudm	$out[8],$t1,$t2,$out[8]
++	xxpermdi	$t4,$in2[2],$in2[1],0b00
++	vmsumudm	$out[8],$t3,$t4,$out[8]
++	vmsumudm	$out[8],$in1[8],$in2[0],$out[8]
++
++	li		$zero,0
++	li		$one,1
++	mtvsrdd		$t1,$one,$zero
++___
++
++		for (my $i = 0; $i <= 8; $i++) {
++			$code.=<<___;
++	vsld		$in2[$i],$in2[$i],$t1
++___
++		}
++
++		$code.=<<___;
++
++	vmsumudm	$out[7],$in1[8],$in2[8],$out[7]
++
++	xxpermdi	$t2,$in2[8],$in2[7],0b00
++	xxpermdi	$t1,$in1[7],$in1[8],0b00
++	vmsumudm	$out[6],$t1,$t2,$out[6]
++
++	xxpermdi	$t1,$in1[6],$in1[7],0b00
++	vmsumudm	$out[5],$t1,$t2,$out[5]
++	vmsumudm	$out[5],$in1[8],$in2[6],$out[5]
++
++	xxpermdi	$t1,$in1[5],$in1[6],0b00
++	vmsumudm	$out[4],$t1,$t2,$out[4]
++	xxpermdi	$t4,$in2[6],$in2[5],0b00
++	xxpermdi	$t3,$in1[7],$in1[8],0b00
++	vmsumudm	$out[4],$t3,$t4,$out[4]
++
++	xxpermdi	$t1,$in1[4],$in1[5],0b00
++	vmsumudm	$out[3],$t1,$t2,$out[3]
++	xxpermdi	$t3,$in1[6],$in1[7],0b00
++	vmsumudm	$out[3],$t3,$t4,$out[3]
++	vmsumudm	$out[3],$in1[8],$in2[4],$out[3]
++
++	xxpermdi	$t1,$in1[3],$in1[4],0b00
++	vmsumudm	$out[2],$t1,$t2,$out[2]
++	xxpermdi	$t3,$in1[5],$in1[6],0b00
++	vmsumudm	$out[2],$t3,$t4,$out[2]
++
++	xxpermdi	$t1,$in1[2],$in1[3],0b00
++	vmsumudm	$out[1],$t1,$t2,$out[1]
++	xxpermdi	$t3,$in1[4],$in1[5],0b00
++	vmsumudm	$out[1],$t3,$t4,$out[1]
++
++	xxpermdi	$t1,$in1[1],$in1[2],0b00
++	vmsumudm	$out[0],$t1,$t2,$out[0]
++	xxpermdi	$t3,$in1[3],$in1[4],0b00
++	vmsumudm	$out[0],$t3,$t4,$out[0]
++
++	xxpermdi	$t2,$in2[4],$in2[3],0b00
++	xxpermdi	$t1,$in1[7],$in1[8],0b00
++	vmsumudm	$out[2],$t1,$t2,$out[2]
++
++	xxpermdi	$t1,$in1[6],$in1[7],0b00
++	vmsumudm	$out[1],$t1,$t2,$out[1]
++	vmsumudm	$out[1],$in1[8],$in2[2],$out[1]
++
++	xxpermdi	$t1,$in1[5],$in1[6],0b00
++	vmsumudm	$out[0],$t1,$t2,$out[0]
++	xxpermdi	$t4,$in2[2],$in2[1],0b00
++	xxpermdi	$t3,$in1[7],$in1[8],0b00
++	vmsumudm	$out[0],$t3,$t4,$out[0]
++
++___
++
++		store_vrs($outp, \@out);
++
++		pop_vrs(52, 63);
++
++		endproc("p521_felem_mul");
++	}
++
++	{
++		#
++		# p51_felem_square
++		#
++
++		my ($inp) = ("r4");
++		my @in = map("v$_",(45..53));
++		my @inx2 = map("v$_",(35..43));
++
++		startproc("p521_felem_square");
++
++		push_vrs(52, 63);
++
++		$code.=<<___;
++	vspltisw	$vzero,0
++
++___
++
++		load_vrs($inp, \@in);
++
++		$code.=<<___;
++	li		$zero,0
++	li		$one,1
++	mtvsrdd		$t1,$one,$zero
++___
++
++		for (my $i = 0; $i <= 8; $i++) {
++			$code.=<<___;
++	vsld		$inx2[$i],$in[$i],$t1
++___
++		}
++
++		$code.=<<___;
++	vmsumudm	$out[0],$in[0],$in[0],$vzero
++
++	vmsumudm	$out[1],$in[0],$inx2[1],$vzero
++
++	xxpermdi	$t1,$in[0],$in[1],0b00
++	xxpermdi	$t2,$inx2[2],$in[1],0b00
++	vmsumudm	$out[2],$t1,$t2,$vzero
++
++	xxpermdi	$t2,$inx2[3],$inx2[2],0b00
++	vmsumudm	$out[3],$t1,$t2,$vzero
++
++	xxpermdi	$t2,$inx2[4],$inx2[3],0b00
++	vmsumudm	$out[4],$t1,$t2,$vzero
++	vmsumudm	$out[4],$in[2],$in[2],$out[4]
++
++	xxpermdi	$t2,$inx2[5],$inx2[4],0b00
++	vmsumudm	$out[5],$t1,$t2,$vzero
++	vmsumudm	$out[5],$in[2],$inx2[3],$out[5]
++
++	xxpermdi	$t2,$inx2[6],$inx2[5],0b00
++	vmsumudm	$out[6],$t1,$t2,$vzero
++	xxpermdi	$t3,$in[2],$in[3],0b00
++	xxpermdi	$t4,$inx2[4],$in[3],0b00
++	vmsumudm	$out[6],$t3,$t4,$out[6]
++
++	xxpermdi	$t2,$inx2[7],$inx2[6],0b00
++	vmsumudm	$out[7],$t1,$t2,$vzero
++	xxpermdi	$t4,$inx2[5],$inx2[4],0b00
++	vmsumudm	$out[7],$t3,$t4,$out[7]
++
++	xxpermdi	$t2,$inx2[8],$inx2[7],0b00
++	vmsumudm	$out[8],$t1,$t2,$vzero
++	xxpermdi	$t4,$inx2[6],$inx2[5],0b00
++	vmsumudm	$out[8],$t3,$t4,$out[8]
++	vmsumudm	$out[8],$in[4],$in[4],$out[8]
++
++	vmsumudm	$out[1],$in[5],$inx2[5],$out[1]
++
++	vmsumudm	$out[3],$in[6],$inx2[6],$out[3]
++
++	vmsumudm	$out[5],$in[7],$inx2[7],$out[5]
++
++	vmsumudm	$out[7],$in[8],$inx2[8],$out[7]
++
++	mtvsrdd		$t1,$one,$zero
++___
++
++		for (my $i = 5; $i <= 8; $i++) {
++			$code.=<<___;
++	vsld		$inx2[$i],$inx2[$i],$t1
++___
++		}
++
++		$code.=<<___;
++
++	vmsumudm	$out[6],$in[7],$inx2[8],$out[6]
++
++	vmsumudm	$out[5],$in[6],$inx2[8],$out[5]
++
++	xxpermdi	$t2,$inx2[8],$inx2[7],0b00
++	xxpermdi	$t1,$in[5],$in[6],0b00
++	vmsumudm	$out[4],$t1,$t2,$out[4]
++
++	xxpermdi	$t1,$in[4],$in[5],0b00
++	vmsumudm	$out[3],$t1,$t2,$out[3]
++
++	xxpermdi	$t1,$in[3],$in[4],0b00
++	vmsumudm	$out[2],$t1,$t2,$out[2]
++	vmsumudm	$out[2],$in[5],$inx2[6],$out[2]
++
++	xxpermdi	$t1,$in[2],$in[3],0b00
++	vmsumudm	$out[1],$t1,$t2,$out[1]
++	vmsumudm	$out[1],$in[4],$inx2[6],$out[1]
++
++	xxpermdi	$t1,$in[1],$in[2],0b00
++	vmsumudm	$out[0],$t1,$t2,$out[0]
++	xxpermdi	$t2,$inx2[6],$inx2[5],0b00
++	xxpermdi	$t1,$in[3],$in[4],0b00
++	vmsumudm	$out[0],$t1,$t2,$out[0]
++
++___
++
++		store_vrs($outp, \@out);
++
++		pop_vrs(52, 63);
++
++		endproc("p521_felem_square");
++	}
++}
++
++$code =~ s/\`([^\`]*)\`/eval $1/gem;
++print $code;
++close STDOUT or die "error closing STDOUT: $!";
+Index: openssl-1.1.1l/crypto/ec/ec_local.h
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/ec_local.h
++++ openssl-1.1.1l/crypto/ec/ec_local.h
+@@ -499,6 +499,10 @@ int ec_GF2m_simple_field_div(const EC_GR
+                              const BIGNUM *b, BN_CTX *);
+ 
+ #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
++# ifdef B_ENDIAN
++#  error "Can not enable ec_nistp_64_gcc_128 on big-endian systems"
++# endif
++
+ /* method functions in ecp_nistp224.c */
+ int ec_GFp_nistp224_group_init(EC_GROUP *group);
+ int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/ec/curve448/arch_32/f_impl.c
++++ openssl-1.1.1l/crypto/ec/curve448/arch_32/f_impl.c
+@@ -10,7 +10,7 @@
+  * Originally written by Mike Hamburg
+  */
+ 
+-#include "field.h"
++#include "../field.h"
+ 
+ void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
+ {
+Index: openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/ec/curve448/arch_64/f_impl.c
+@@ -0,0 +1,200 @@
++/*
++ * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2014 Cryptography Research, Inc.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ *
++ * Originally written by Mike Hamburg
++ */
++
++#include "../field.h"
++
++void gf_mul(gf_s * RESTRICT cs, const gf as, const gf bs)
++{
++    const uint64_t *a = as->limb, *b = bs->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum1 = 0, accum2;
++    uint64_t mask = (1ULL << 56) - 1;
++    uint64_t aa[4], bb[4], bbb[4];
++    unsigned int i, j;
++
++    for (i = 0; i < 4; i++) {
++        aa[i] = a[i] + a[i + 4];
++        bb[i] = b[i] + b[i + 4];
++        bbb[i] = bb[i] + b[i + 4];
++    }
++
++    for (i = 0; i < 4; i++) {
++        accum2 = 0;
++
++        for (j = 0; j <= i; j++) {
++            accum2 += widemul(a[j], b[i - j]);
++            accum1 += widemul(aa[j], bb[i - j]);
++            accum0 += widemul(a[j + 4], b[i - j + 4]);
++        }
++        for (; j < 4; j++) {
++            accum2 += widemul(a[j], b[i - j + 8]);
++            accum1 += widemul(aa[j], bbb[i - j + 4]);
++            accum0 += widemul(a[j + 4], bb[i - j + 4]);
++        }
++
++        accum1 -= accum2;
++        accum0 += accum2;
++
++        c[i] = ((uint64_t)(accum0)) & mask;
++        c[i + 4] = ((uint64_t)(accum1)) & mask;
++
++        accum0 >>= 56;
++        accum1 >>= 56;
++    }
++
++    accum0 += accum1;
++    accum0 += c[4];
++    accum1 += c[0];
++    c[4] = ((uint64_t)(accum0)) & mask;
++    c[0] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    c[5] += ((uint64_t)(accum0));
++    c[1] += ((uint64_t)(accum1));
++}
++
++void gf_mulw_unsigned(gf_s * RESTRICT cs, const gf as, uint32_t b)
++{
++    const uint64_t *a = as->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum4 = 0;
++    uint64_t mask = (1ULL << 56) - 1;
++    int i;
++
++    for (i = 0; i < 4; i++) {
++        accum0 += widemul(b, a[i]);
++        accum4 += widemul(b, a[i + 4]);
++        c[i] = accum0 & mask;
++        accum0 >>= 56;
++        c[i + 4] = accum4 & mask;
++        accum4 >>= 56;
++    }
++
++    accum0 += accum4 + c[4];
++    c[4] = accum0 & mask;
++    c[5] += accum0 >> 56;
++
++    accum4 += c[0];
++    c[0] = accum4 & mask;
++    c[1] += accum4 >> 56;
++}
++
++void gf_sqr(gf_s * RESTRICT cs, const gf as)
++{
++    const uint64_t *a = as->limb;
++    uint64_t *c = cs->limb;
++    uint128_t accum0 = 0, accum1 = 0, accum2;
++    uint64_t mask = (1ULL << 56) - 1;
++    uint64_t aa[4];
++    unsigned int i;
++
++    /* For some reason clang doesn't vectorize this without prompting? */
++    for (i = 0; i < 4; i++)
++        aa[i] = a[i] + a[i + 4];
++
++    accum2 = widemul(a[0], a[3]);
++    accum0 = widemul(aa[0], aa[3]);
++    accum1 = widemul(a[4], a[7]);
++
++    accum2 += widemul(a[1], a[2]);
++    accum0 += widemul(aa[1], aa[2]);
++    accum1 += widemul(a[5], a[6]);
++
++    accum0 -= accum2;
++    accum1 += accum2;
++
++    c[3] = ((uint64_t)(accum1)) << 1 & mask;
++    c[7] = ((uint64_t)(accum0)) << 1 & mask;
++
++    accum0 >>= 55;
++    accum1 >>= 55;
++
++    accum0 += widemul(2 * aa[1], aa[3]);
++    accum1 += widemul(2 * a[5], a[7]);
++    accum0 += widemul(aa[2], aa[2]);
++    accum1 += accum0;
++
++    accum0 -= widemul(2 * a[1], a[3]);
++    accum1 += widemul(a[6], a[6]);
++
++    accum2 = widemul(a[0], a[0]);
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    accum0 -= widemul(a[2], a[2]);
++    accum1 += widemul(aa[0], aa[0]);
++    accum0 += widemul(a[4], a[4]);
++
++    c[0] = ((uint64_t)(accum0)) & mask;
++    c[4] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum2 = widemul(2 * aa[2], aa[3]);
++    accum0 -= widemul(2 * a[2], a[3]);
++    accum1 += widemul(2 * a[6], a[7]);
++
++    accum1 += accum2;
++    accum0 += accum2;
++
++    accum2 = widemul(2 * a[0], a[1]);
++    accum1 += widemul(2 * aa[0], aa[1]);
++    accum0 += widemul(2 * a[4], a[5]);
++
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    c[1] = ((uint64_t)(accum0)) & mask;
++    c[5] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum2 = widemul(aa[3], aa[3]);
++    accum0 -= widemul(a[3], a[3]);
++    accum1 += widemul(a[7], a[7]);
++
++    accum1 += accum2;
++    accum0 += accum2;
++
++    accum2 = widemul(2 * a[0], a[2]);
++    accum1 += widemul(2 * aa[0], aa[2]);
++    accum0 += widemul(2 * a[4], a[6]);
++
++    accum2 += widemul(a[1], a[1]);
++    accum1 += widemul(aa[1], aa[1]);
++    accum0 += widemul(a[5], a[5]);
++
++    accum1 -= accum2;
++    accum0 += accum2;
++
++    c[2] = ((uint64_t)(accum0)) & mask;
++    c[6] = ((uint64_t)(accum1)) & mask;
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++
++    accum0 += c[3];
++    accum1 += c[7];
++    c[3] = ((uint64_t)(accum0)) & mask;
++    c[7] = ((uint64_t)(accum1)) & mask;
++
++    /* we could almost stop here, but it wouldn't be stable, so... */
++
++    accum0 >>= 56;
++    accum1 >>= 56;
++    c[4] += ((uint64_t)(accum0)) + ((uint64_t)(accum1));
++    c[0] += ((uint64_t)(accum1));
++}
+Index: openssl-1.1.1l/Configure
+===================================================================
+--- openssl-1.1.1l.orig/Configure
++++ openssl-1.1.1l/Configure
+@@ -1476,6 +1476,20 @@ if (!$disabled{asm} && !$predefined_C{__
+     }
+ }
+ 
++# Check if __SIZEOF_INT128__ is defined by compiler
++$config{use_int128} = 0;
++{
++    my $cc = $config{CROSS_COMPILE}.$config{CC};
++    open(PIPE, "$cc -E -dM - </dev/null 2>&1 |");
++    while(<PIPE>) {
++        if (m/__SIZEOF_INT128__/) {
++            $config{use_int128} = 1;
++            last;
++        }
++    }
++    close(PIPE);
++}
++
+ # Deal with bn_ops ###################################################
+ 
+ $config{bn_ll}                  =0;
diff --git a/openssl-1_1-Zeroization.patch b/openssl-1_1-Zeroization.patch
new file mode 100644
index 0000000..983cb14
--- /dev/null
+++ b/openssl-1_1-Zeroization.patch
@@ -0,0 +1,25 @@
+--- openssl-1.1.1l/crypto/fips/fips.c	
++++ openssl-1.1.1l/crypto/fips/fips.c	
+@@ -350,6 +350,10 @@ static int FIPSCHECK_verify(const char *
+         if (strcmp(hex, hmac) != 0) {
+             rv = -1;
+         }
++        if (hmaclen != 0) {
++            OPENSSL_cleanse(buf, hmaclen);
++            OPENSSL_cleanse(hex, hmaclen * 2 + 1);
++        }
+         free(buf);
+         free(hex);
+     } else {
+@@ -357,7 +360,11 @@ static int FIPSCHECK_verify(const char *
+     }
+ 
+  end:
++    if (n != 0)
++        OPENSSL_cleanse(hmac, n);
+     free(hmac);
++    if (strlen(hmacpath) != 0)
++        OPENSSL_cleanse(hmacpath, strlen(hmacpath));
+     free(hmacpath);
+     fclose(hf);
+ 
diff --git a/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch b/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
new file mode 100644
index 0000000..ae860a1
--- /dev/null
+++ b/openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
@@ -0,0 +1,1535 @@
+From f596bbe4da779b56eea34d96168b557d78e1149a Mon Sep 17 00:00:00 2001
+From: Deepankar Bhattacharjee <deepankar.b@in.ibm.com>
+Date: Mon, 20 Sep 2021 10:45:15 -0400
+Subject: [PATCH] chacha20 performance optimizations for ppc64le with 8x lanes,
+ Performance increase around 50%.
+
+Co-authored-by: Madhusudhanan Duraisamy <madurais@in.ibm.com>
+
+Co-authored-by: Nilamjyoti Goswami <nilamgoswami@in.ibm.com>
+
+Co-authored-by: Siva Sundar Anbareeswaran <srisivasundar@in.ibm.com>
+
+Reviewed-by: Danny Tsen <dtsen@us.ibm.com>
+Tested-by: Danny Tsen <dtsen@us.ibm.com>
+Signed-off-by: Danny <dtsen@us.ibm.com>
+
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/16637)
+---
+ Configurations/00-base-templates.conf |    2 
+ crypto/chacha/asm/chachap10-ppc.pl    | 1354 ++++++++++++++++++++++++++++++++++
+ crypto/chacha/build.info              |    1 
+ crypto/perlasm/ppc-xlate.pl           |   17 
+ crypto/ppc_arch.h                     |    1 
+ crypto/ppccap.c                       |   24 
+ crypto/ppccpuid.pl                    |   11 
+ 7 files changed, 1404 insertions(+), 6 deletions(-)
+ create mode 100755 crypto/chacha/asm/chachap10-ppc.pl
+
+--- a/Configurations/00-base-templates.conf
++++ b/Configurations/00-base-templates.conf
+@@ -345,7 +345,7 @@ my %targets=(
+ 	aes_asm_src     => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s",
+ 	sha1_asm_src    => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s",
+ 	modes_asm_src   => "ghashp8-ppc.s aes-gcm-ppc.s",
+-	chacha_asm_src	=> "chacha-ppc.s",
++	chacha_asm_src	=> "chacha-ppc.s chachap10-ppc.s",
+ 	poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s",
+     },
+     ppc64_asm => {
+--- /dev/null
++++ b/crypto/chacha/asm/chachap10-ppc.pl
+@@ -0,0 +1,1354 @@
++#! /usr/bin/env perl
++# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++#
++# ====================================================================
++# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
++# project. The module is, however, dual licensed under OpenSSL and
++# CRYPTOGAMS licenses depending on where you obtain it. For further
++# details see http://www.openssl.org/~appro/cryptogams/.
++# ====================================================================
++#
++# October 2015
++#
++# ChaCha20 for PowerPC/AltiVec.
++#
++# June 2018
++#
++# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for
++# processors that can't issue more than one vector instruction per
++# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x
++# interleave would perform better. Incidentally PowerISA 2.07 (first
++# implemented by POWER8) defined new usable instructions, hence 4xVSX
++# code path...
++#
++# Performance in cycles per byte out of large buffer.
++#
++#			IALU/gcc-4.x    3xAltiVec+1xIALU	4xVSX
++#
++# Freescale e300	13.6/+115%	-			-
++# PPC74x0/G4e		6.81/+310%	3.81			-
++# PPC970/G5		9.29/+160%	?			-
++# POWER7		8.62/+61%	3.35			-
++# POWER8		8.70/+51%	2.91			2.09
++# POWER9		8.80/+29%	4.44(*)			2.45(**)
++#
++# (*)	this is trade-off result, it's possible to improve it, but
++#	then it would negatively affect all others;
++# (**)	POWER9 seems to be "allergic" to mixing vector and integer
++#	instructions, which is why switch to vector-only code pays
++#	off that much;
++
++# $output is the last argument if it looks like a file (it has an extension)
++# $flavour is the first argument if it doesn't look like a file
++$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
++
++if ($flavour =~ /64/) {
++	$SIZE_T	=8;
++	$LRSAVE	=2*$SIZE_T;
++	$STU	="stdu";
++	$POP	="ld";
++	$PUSH	="std";
++	$UCMP	="cmpld";
++} elsif ($flavour =~ /32/) {
++	$SIZE_T	=4;
++	$LRSAVE	=$SIZE_T;
++	$STU	="stwu";
++	$POP	="lwz";
++	$PUSH	="stw";
++	$UCMP	="cmplw";
++} else { die "nonsense $flavour"; }
++
++$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0;
++
++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
++die "can't locate ppc-xlate.pl";
++
++open STDOUT,"| $^X $xlate $flavour \"$output\""
++    or die "can't call $xlate: $!";
++
++$LOCALS=6*$SIZE_T;
++$FRAME=$LOCALS+64+18*$SIZE_T;	# 64 is for local variables
++
++sub AUTOLOAD()		# thunk [simplified] x86-style perlasm
++{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./;
++    $code .= "\t$opcode\t".join(',',@_)."\n";
++}
++
++my $sp = "r1";
++
++my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7));
++
++
++{{{
++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
++    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15));
++my @K = map("v$_",(16..19));
++my $CTR = "v26";
++my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30));
++my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3);
++my $beperm = "v31";
++
++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10)));
++
++my $FRAME=$LOCALS+64+7*16;	# 7*16 is for v26-v31 offload
++
++sub VSX_lane_ROUND_1x {
++my $a=@_[0];
++my $b=@_[1];
++my $c=@_[2];
++my $d=@_[3];
++my $odd=@_[4];
++	vadduwm		($a,$a,$b);
++	vxor		($d,$d,$a);
++	vrlw		($d,$d,$sixteen);
++	vadduwm		($c,$c,$d);
++	vxor		($b,$b,$c);
++	vrlw		($b,$b,$twelve);
++	vadduwm		($a,$a,$b);
++	vxor		($d,$d,$a);
++	vrlw		($d,$d,$eight);
++	vadduwm		($c,$c,$d);
++	vxor		($b,$b,$c);
++	vrlw		($b,$b,$seven);
++	xxsldwi		($c,$c,$c,2);
++	xxsldwi		($b,$b,$b,$odd?3:1);
++	xxsldwi		($d,$d,$d,$odd?1:3);
++}
++
++
++sub VSX_lane_ROUND_4x {
++my ($a0,$b0,$c0,$d0)=@_;
++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
++my @x=map("\"v$_\"",(0..15));
++
++	(
++	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",	# Q1
++	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",	# Q2
++	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",	# Q3
++	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",	# Q4
++	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
++	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
++	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
++	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
++	"&vrlw		(@x[$d0],@x[$d0],'$sixteen')",
++	 "&vrlw		(@x[$d1],@x[$d1],'$sixteen')",
++	  "&vrlw	(@x[$d2],@x[$d2],'$sixteen')",
++	   "&vrlw	(@x[$d3],@x[$d3],'$sixteen')",
++
++	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
++	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
++	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
++	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
++	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
++	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
++	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
++	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
++	"&vrlw		(@x[$b0],@x[$b0],'$twelve')",
++	 "&vrlw		(@x[$b1],@x[$b1],'$twelve')",
++	  "&vrlw	(@x[$b2],@x[$b2],'$twelve')",
++	   "&vrlw	(@x[$b3],@x[$b3],'$twelve')",
++
++	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",
++	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",
++	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",
++	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",
++	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
++	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
++	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
++	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
++	"&vrlw		(@x[$d0],@x[$d0],'$eight')",
++	 "&vrlw		(@x[$d1],@x[$d1],'$eight')",
++	  "&vrlw	(@x[$d2],@x[$d2],'$eight')",
++	   "&vrlw	(@x[$d3],@x[$d3],'$eight')",
++
++	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
++	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
++	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
++	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
++	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
++	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
++	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
++	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
++	"&vrlw		(@x[$b0],@x[$b0],'$seven')",
++	 "&vrlw		(@x[$b1],@x[$b1],'$seven')",
++	  "&vrlw	(@x[$b2],@x[$b2],'$seven')",
++	   "&vrlw	(@x[$b3],@x[$b3],'$seven')"
++	);
++}
++
++$code.=<<___;
++
++.globl	.ChaCha20_ctr32_vsx_p10
++.align	5
++.ChaCha20_ctr32_vsx_p10:
++	${UCMP}i $len,256
++	bgt 	ChaCha20_ctr32_vsx_8x
++	$STU	$sp,-$FRAME($sp)
++	mflr	r0
++	li	r10,`15+$LOCALS+64`
++	li	r11,`31+$LOCALS+64`
++	mfspr	r12,256
++	stvx	v26,r10,$sp
++	addi	r10,r10,32
++	stvx	v27,r11,$sp
++	addi	r11,r11,32
++	stvx	v28,r10,$sp
++	addi	r10,r10,32
++	stvx	v29,r11,$sp
++	addi	r11,r11,32
++	stvx	v30,r10,$sp
++	stvx	v31,r11,$sp
++	stw	r12,`$FRAME-4`($sp)		# save vrsave
++	li	r12,-4096+63
++	$PUSH	r0, `$FRAME+$LRSAVE`($sp)
++	mtspr	256,r12				# preserve 29 AltiVec registers
++
++	bl	Lconsts				# returns pointer Lsigma in r12
++	lvx_4w	@K[0],0,r12			# load sigma
++	addi	r12,r12,0x70
++	li	$x10,16
++	li	$x20,32
++	li	$x30,48
++	li	r11,64
++
++	lvx_4w	@K[1],0,$key			# load key
++	lvx_4w	@K[2],$x10,$key
++	lvx_4w	@K[3],0,$ctr			# load counter
++
++	vxor	$xt0,$xt0,$xt0
++	lvx_4w	$xt1,r11,r12
++	vspltw	$CTR,@K[3],0
++	vsldoi	@K[3],@K[3],$xt0,4
++	vsldoi	@K[3],$xt0,@K[3],12		# clear @K[3].word[0]
++	vadduwm	$CTR,$CTR,$xt1
++
++	be?lvsl	$beperm,0,$x10			# 0x00..0f
++	be?vspltisb $xt0,3			# 0x03..03
++	be?vxor	$beperm,$beperm,$xt0		# swap bytes within words
++
++	li	r0,10				# inner loop counter
++	mtctr	r0
++	b	Loop_outer_vsx
++
++.align	5
++Loop_outer_vsx:
++	lvx	$xa0,$x00,r12			# load [smashed] sigma
++	lvx	$xa1,$x10,r12
++	lvx	$xa2,$x20,r12
++	lvx	$xa3,$x30,r12
++
++	vspltw	$xb0,@K[1],0			# smash the key
++	vspltw	$xb1,@K[1],1
++	vspltw	$xb2,@K[1],2
++	vspltw	$xb3,@K[1],3
++
++	vspltw	$xc0,@K[2],0
++	vspltw	$xc1,@K[2],1
++	vspltw	$xc2,@K[2],2
++	vspltw	$xc3,@K[2],3
++
++	vmr	$xd0,$CTR			# smash the counter
++	vspltw	$xd1,@K[3],1
++	vspltw	$xd2,@K[3],2
++	vspltw	$xd3,@K[3],3
++
++	vspltisw $sixteen,-16			# synthesize constants
++	vspltisw $twelve,12
++	vspltisw $eight,8
++	vspltisw $seven,7
++
++	${UCMP}i $len,64
++	bgt 	Loop_vsx_4x
++
++	vmr	$xa0,@K[0]
++	vmr	$xb0,@K[1]
++	vmr	$xc0,@K[2]
++	vmr 	$xd0,@K[3]
++
++Loop_vsx_1x:
++___
++	VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,0);
++	VSX_lane_ROUND_1x($xa0, $xb0, $xc0,$xd0,1);
++
++$code.=<<___;
++
++	bdnz	Loop_vsx_1x
++
++	vadduwm $xa0, $xa0, @K[0]
++	vadduwm $xb0, $xb0, @K[1]
++	vadduwm $xc0, $xc0, @K[2]
++	vadduwm $xd0, $xd0, @K[3]
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx
++
++	lvx_4w  $xt0,$x00, $inp
++	lvx_4w  $xt1,$x10, $inp
++	lvx_4w  $xt2,$x20, $inp
++	lvx_4w  $xt3,$x30, $inp
++
++	vxor	$xa0,$xa0,$xt0
++	vxor	$xb0,$xb0,$xt1
++	vxor	$xc0,$xc0,$xt2
++	vxor	$xd0,$xd0,$xt3
++
++	stvx_4w	$xa0,$x00,$out
++	stvx_4w	$xb0,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xc0,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xd0,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx
++
++Loop_vsx_4x:
++___
++	foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; }
++	foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; }
++$code.=<<___;
++
++	bdnz	Loop_vsx_4x
++
++	vadduwm	$xd0,$xd0,$CTR
++
++	vmrgew	$xt0,$xa0,$xa1			# transpose data
++	vmrgew	$xt1,$xa2,$xa3
++	vmrgow	$xa0,$xa0,$xa1
++	vmrgow	$xa2,$xa2,$xa3
++	vmrgew	$xt2,$xb0,$xb1
++	vmrgew	$xt3,$xb2,$xb3
++	vpermdi	$xa1,$xa0,$xa2,0b00
++	vpermdi	$xa3,$xa0,$xa2,0b11
++	vpermdi	$xa0,$xt0,$xt1,0b00
++	vpermdi	$xa2,$xt0,$xt1,0b11
++
++	vmrgow	$xb0,$xb0,$xb1
++	vmrgow	$xb2,$xb2,$xb3
++	vmrgew	$xt0,$xc0,$xc1
++	vmrgew	$xt1,$xc2,$xc3
++	vpermdi	$xb1,$xb0,$xb2,0b00
++	vpermdi	$xb3,$xb0,$xb2,0b11
++	vpermdi	$xb0,$xt2,$xt3,0b00
++	vpermdi	$xb2,$xt2,$xt3,0b11
++
++	vmrgow	$xc0,$xc0,$xc1
++	vmrgow	$xc2,$xc2,$xc3
++	vmrgew	$xt2,$xd0,$xd1
++	vmrgew	$xt3,$xd2,$xd3
++	vpermdi	$xc1,$xc0,$xc2,0b00
++	vpermdi	$xc3,$xc0,$xc2,0b11
++	vpermdi	$xc0,$xt0,$xt1,0b00
++	vpermdi	$xc2,$xt0,$xt1,0b11
++
++	vmrgow	$xd0,$xd0,$xd1
++	vmrgow	$xd2,$xd2,$xd3
++	vspltisw $xt0,4
++	vadduwm  $CTR,$CTR,$xt0		# next counter value
++	vpermdi	$xd1,$xd0,$xd2,0b00
++	vpermdi	$xd3,$xd0,$xd2,0b11
++	vpermdi	$xd0,$xt2,$xt3,0b00
++	vpermdi	$xd2,$xt2,$xt3,0b11
++
++	vadduwm	$xa0,$xa0,@K[0]
++	vadduwm	$xb0,$xb0,@K[1]
++	vadduwm	$xc0,$xc0,@K[2]
++	vadduwm	$xd0,$xd0,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx
++
++	vadduwm	$xa0,$xa1,@K[0]
++	vadduwm	$xb0,$xb1,@K[1]
++	vadduwm	$xc0,$xc1,@K[2]
++	vadduwm	$xd0,$xd1,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx
++
++	vadduwm	$xa0,$xa2,@K[0]
++	vadduwm	$xb0,$xb2,@K[1]
++	vadduwm	$xc0,$xc2,@K[2]
++	vadduwm	$xd0,$xd2,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx
++
++	vadduwm	$xa0,$xa3,@K[0]
++	vadduwm	$xb0,$xb3,@K[1]
++	vadduwm	$xc0,$xc3,@K[2]
++	vadduwm	$xd0,$xd3,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	mtctr	r0
++	bne	Loop_outer_vsx
++
++Ldone_vsx:
++	lwz	r12,`$FRAME-4`($sp)		# pull vrsave
++	li	r10,`15+$LOCALS+64`
++	li	r11,`31+$LOCALS+64`
++	$POP	r0, `$FRAME+$LRSAVE`($sp)
++	mtspr	256,r12				# restore vrsave
++	lvx	v26,r10,$sp
++	addi	r10,r10,32
++	lvx	v27,r11,$sp
++	addi	r11,r11,32
++	lvx	v28,r10,$sp
++	addi	r10,r10,32
++	lvx	v29,r11,$sp
++	addi	r11,r11,32
++	lvx	v30,r10,$sp
++	lvx	v31,r11,$sp
++	mtlr	r0
++	addi	$sp,$sp,$FRAME
++	blr
++
++.align	4
++Ltail_vsx:
++	addi	r11,$sp,$LOCALS
++	mtctr	$len
++	stvx_4w	$xa0,$x00,r11			# offload block to stack
++	stvx_4w	$xb0,$x10,r11
++	stvx_4w	$xc0,$x20,r11
++	stvx_4w	$xd0,$x30,r11
++	subi	r12,r11,1			# prepare for *++ptr
++	subi	$inp,$inp,1
++	subi	$out,$out,1
++
++Loop_tail_vsx:
++	lbzu	r6,1(r12)
++	lbzu	r7,1($inp)
++	xor	r6,r6,r7
++	stbu	r6,1($out)
++	bdnz	Loop_tail_vsx
++
++	stvx_4w	$K[0],$x00,r11			# wipe copy of the block
++	stvx_4w	$K[0],$x10,r11
++	stvx_4w	$K[0],$x20,r11
++	stvx_4w	$K[0],$x30,r11
++
++	b	Ldone_vsx
++	.long	0
++	.byte	0,12,0x04,1,0x80,0,5,0
++	.long	0
++.size	.ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10
++___
++}}}
++
++##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to 
++# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info.
++# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value.
++# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel.
++#
++{{{
++#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7));
++my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
++    $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3,
++    $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7,
++    $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31));
++my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15));
++my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3));
++my @K = map("v$_",27,(24..26));
++my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31));
++my $xr0 = "v4";
++my $CTR0 = "v22";
++my $CTR1 = "v5";
++my $beperm = "v31";
++my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10)));
++my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7));
++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17));
++my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21));
++my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26));
++
++my $FRAME=$LOCALS+64+9*16;	# 8*16 is for v24-v31 offload
++
++sub VSX_lane_ROUND_8x {
++my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_;
++my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
++my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
++my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
++my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4));
++my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5));
++my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6));
++my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17));
++my @x=map("\"v$_\"",(0..31));
++
++	(
++	"&vxxlor        ($xv15 ,@x[$c7],@x[$c7])",      #copy v30 to v13
++	"&vxxlorc       (@x[$c7], $xv9,$xv9)",
++
++	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",	# Q1
++	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",	# Q2
++	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",	# Q3
++	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",	# Q4
++	"&vadduwm	(@x[$a4],@x[$a4],@x[$b4])",	# Q1
++	 "&vadduwm	(@x[$a5],@x[$a5],@x[$b5])",	# Q2
++	  "&vadduwm	(@x[$a6],@x[$a6],@x[$b6])",	# Q3
++	   "&vadduwm	(@x[$a7],@x[$a7],@x[$b7])",	# Q4
++
++	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
++	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
++	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
++	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
++	"&vxor		(@x[$d4],@x[$d4],@x[$a4])",
++	 "&vxor		(@x[$d5],@x[$d5],@x[$a5])",
++	  "&vxor	(@x[$d6],@x[$d6],@x[$a6])",
++	   "&vxor	(@x[$d7],@x[$d7],@x[$a7])",
++
++	"&vrlw		(@x[$d0],@x[$d0],@x[$c7])",
++	 "&vrlw		(@x[$d1],@x[$d1],@x[$c7])",
++	  "&vrlw	(@x[$d2],@x[$d2],@x[$c7])",
++	   "&vrlw	(@x[$d3],@x[$d3],@x[$c7])",
++	"&vrlw		(@x[$d4],@x[$d4],@x[$c7])",
++	 "&vrlw		(@x[$d5],@x[$d5],@x[$c7])",
++	  "&vrlw	(@x[$d6],@x[$d6],@x[$c7])",
++	   "&vrlw	(@x[$d7],@x[$d7],@x[$c7])",
++
++	"&vxxlor        ($xv13 ,@x[$a7],@x[$a7])",
++	"&vxxlorc       (@x[$c7], $xv15,$xv15)",
++	"&vxxlorc       (@x[$a7], $xv10,$xv10)",
++
++	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
++	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
++	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
++	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
++	"&vadduwm	(@x[$c4],@x[$c4],@x[$d4])",
++	 "&vadduwm	(@x[$c5],@x[$c5],@x[$d5])",
++	  "&vadduwm	(@x[$c6],@x[$c6],@x[$d6])",
++	   "&vadduwm	(@x[$c7],@x[$c7],@x[$d7])",
++
++	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
++	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
++	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
++	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
++	"&vxor		(@x[$b4],@x[$b4],@x[$c4])",
++	 "&vxor		(@x[$b5],@x[$b5],@x[$c5])",
++	  "&vxor	(@x[$b6],@x[$b6],@x[$c6])",
++	   "&vxor	(@x[$b7],@x[$b7],@x[$c7])",
++
++	"&vrlw		(@x[$b0],@x[$b0],@x[$a7])",
++	 "&vrlw		(@x[$b1],@x[$b1],@x[$a7])",
++	  "&vrlw	(@x[$b2],@x[$b2],@x[$a7])",
++	   "&vrlw	(@x[$b3],@x[$b3],@x[$a7])",
++	"&vrlw		(@x[$b4],@x[$b4],@x[$a7])",
++	 "&vrlw		(@x[$b5],@x[$b5],@x[$a7])",
++	  "&vrlw	(@x[$b6],@x[$b6],@x[$a7])",
++	   "&vrlw	(@x[$b7],@x[$b7],@x[$a7])",
++
++	"&vxxlorc       (@x[$a7], $xv13,$xv13)",
++	"&vxxlor	($xv15 ,@x[$c7],@x[$c7])",                 
++	"&vxxlorc       (@x[$c7], $xv11,$xv11)",
++
++
++	"&vadduwm	(@x[$a0],@x[$a0],@x[$b0])",
++	 "&vadduwm	(@x[$a1],@x[$a1],@x[$b1])",
++	  "&vadduwm	(@x[$a2],@x[$a2],@x[$b2])",
++	   "&vadduwm	(@x[$a3],@x[$a3],@x[$b3])",
++	"&vadduwm	(@x[$a4],@x[$a4],@x[$b4])",
++	 "&vadduwm	(@x[$a5],@x[$a5],@x[$b5])",
++	  "&vadduwm	(@x[$a6],@x[$a6],@x[$b6])",
++	   "&vadduwm	(@x[$a7],@x[$a7],@x[$b7])",
++
++	"&vxor		(@x[$d0],@x[$d0],@x[$a0])",
++	 "&vxor		(@x[$d1],@x[$d1],@x[$a1])",
++	  "&vxor	(@x[$d2],@x[$d2],@x[$a2])",
++	   "&vxor	(@x[$d3],@x[$d3],@x[$a3])",
++	"&vxor		(@x[$d4],@x[$d4],@x[$a4])",
++	 "&vxor		(@x[$d5],@x[$d5],@x[$a5])",
++	  "&vxor	(@x[$d6],@x[$d6],@x[$a6])",
++	   "&vxor	(@x[$d7],@x[$d7],@x[$a7])",
++
++	"&vrlw		(@x[$d0],@x[$d0],@x[$c7])",
++	 "&vrlw		(@x[$d1],@x[$d1],@x[$c7])",
++	  "&vrlw	(@x[$d2],@x[$d2],@x[$c7])",
++	   "&vrlw	(@x[$d3],@x[$d3],@x[$c7])",
++	"&vrlw		(@x[$d4],@x[$d4],@x[$c7])",
++	 "&vrlw		(@x[$d5],@x[$d5],@x[$c7])",
++	  "&vrlw	(@x[$d6],@x[$d6],@x[$c7])",
++	   "&vrlw	(@x[$d7],@x[$d7],@x[$c7])",
++
++	"&vxxlorc       (@x[$c7], $xv15,$xv15)",
++	"&vxxlor        ($xv13 ,@x[$a7],@x[$a7])",               
++	"&vxxlorc       (@x[$a7], $xv12,$xv12)",
++
++	"&vadduwm	(@x[$c0],@x[$c0],@x[$d0])",
++	 "&vadduwm	(@x[$c1],@x[$c1],@x[$d1])",
++	  "&vadduwm	(@x[$c2],@x[$c2],@x[$d2])",
++	   "&vadduwm	(@x[$c3],@x[$c3],@x[$d3])",
++	"&vadduwm	(@x[$c4],@x[$c4],@x[$d4])",
++	 "&vadduwm	(@x[$c5],@x[$c5],@x[$d5])",
++	  "&vadduwm	(@x[$c6],@x[$c6],@x[$d6])",
++	   "&vadduwm	(@x[$c7],@x[$c7],@x[$d7])",
++	"&vxor		(@x[$b0],@x[$b0],@x[$c0])",
++	 "&vxor		(@x[$b1],@x[$b1],@x[$c1])",
++	  "&vxor	(@x[$b2],@x[$b2],@x[$c2])",
++	   "&vxor	(@x[$b3],@x[$b3],@x[$c3])",
++	"&vxor		(@x[$b4],@x[$b4],@x[$c4])",
++	 "&vxor		(@x[$b5],@x[$b5],@x[$c5])",
++	  "&vxor	(@x[$b6],@x[$b6],@x[$c6])",
++	   "&vxor	(@x[$b7],@x[$b7],@x[$c7])",
++	"&vrlw		(@x[$b0],@x[$b0],@x[$a7])",
++	 "&vrlw		(@x[$b1],@x[$b1],@x[$a7])",
++	  "&vrlw	(@x[$b2],@x[$b2],@x[$a7])",
++	   "&vrlw	(@x[$b3],@x[$b3],@x[$a7])",
++	"&vrlw		(@x[$b4],@x[$b4],@x[$a7])",
++	 "&vrlw		(@x[$b5],@x[$b5],@x[$a7])",
++	  "&vrlw	(@x[$b6],@x[$b6],@x[$a7])",
++	   "&vrlw	(@x[$b7],@x[$b7],@x[$a7])",
++
++	"&vxxlorc       (@x[$a7], $xv13,$xv13)",
++	);
++}
++
++$code.=<<___;
++
++.globl	.ChaCha20_ctr32_vsx_8x
++.align	5
++.ChaCha20_ctr32_vsx_8x:
++	$STU	$sp,-$FRAME($sp)
++	mflr	r0
++	li	r10,`15+$LOCALS+64`
++	li	r11,`31+$LOCALS+64`
++	mfspr	r12,256
++	stvx	v24,r10,$sp
++	addi	r10,r10,32
++	stvx	v25,r11,$sp
++	addi	r11,r11,32
++	stvx	v26,r10,$sp
++	addi	r10,r10,32
++	stvx	v27,r11,$sp
++	addi	r11,r11,32
++	stvx	v28,r10,$sp
++	addi	r10,r10,32
++	stvx	v29,r11,$sp
++	addi	r11,r11,32
++	stvx	v30,r10,$sp
++	stvx	v31,r11,$sp
++	stw	r12,`$FRAME-4`($sp)		# save vrsave
++	li	r12,-4096+63
++	$PUSH	r0, `$FRAME+$LRSAVE`($sp)
++	mtspr	256,r12				# preserve 29 AltiVec registers
++
++	bl	Lconsts				# returns pointer Lsigma in r12
++
++	lvx_4w	@K[0],0,r12			# load sigma
++	addi	r12,r12,0x70
++	li	$x10,16
++	li	$x20,32
++	li	$x30,48
++	li	r11,64
++
++	vspltisw $xa4,-16			# synthesize constants
++	vspltisw $xb4,12			# synthesize constants
++	vspltisw $xc4,8			# synthesize constants
++	vspltisw $xd4,7			# synthesize constants
++
++	lvx	$xa0,$x00,r12			# load [smashed] sigma
++	lvx	$xa1,$x10,r12
++	lvx	$xa2,$x20,r12
++	lvx	$xa3,$x30,r12
++
++	vxxlor	$xv9   ,$xa4,$xa4               #save shift val in vr9-12
++	vxxlor	$xv10  ,$xb4,$xb4
++	vxxlor	$xv11  ,$xc4,$xc4
++	vxxlor	$xv12  ,$xd4,$xd4
++	vxxlor	$xv22  ,$xa0,$xa0               #save sigma in vr22-25
++	vxxlor	$xv23  ,$xa1,$xa1
++	vxxlor	$xv24  ,$xa2,$xa2
++	vxxlor	$xv25  ,$xa3,$xa3
++
++	lvx_4w	@K[1],0,$key			# load key
++	lvx_4w	@K[2],$x10,$key
++	lvx_4w	@K[3],0,$ctr			# load counter
++	vspltisw $xt3,4
++
++
++	vxor	$xt2,$xt2,$xt2
++	lvx_4w	$xt1,r11,r12
++	vspltw	$xa2,@K[3],0			#save the original count after spltw
++	vsldoi	@K[3],@K[3],$xt2,4
++	vsldoi	@K[3],$xt2,@K[3],12		# clear @K[3].word[0]
++	vadduwm	$xt1,$xa2,$xt1
++	vadduwm $xt3,$xt1,$xt3     		# next counter value
++	vspltw	$xa0,@K[2],2                    # save the K[2] spltw 2 and save v8.
++
++	be?lvsl	  $beperm,0,$x10			# 0x00..0f
++	be?vspltisb $xt0,3			# 0x03..03
++	be?vxor   $beperm,$beperm,$xt0		# swap bytes within words
++	be?vxxlor $xv26 ,$beperm,$beperm
++
++	vxxlor	$xv0 ,@K[0],@K[0]               # K0,k1,k2 to vr0,1,2
++	vxxlor	$xv1 ,@K[1],@K[1]
++	vxxlor	$xv2 ,@K[2],@K[2]
++	vxxlor	$xv3 ,@K[3],@K[3]
++	vxxlor	$xv4 ,$xt1,$xt1                #CTR ->4, CTR+4-> 5
++	vxxlor	$xv5 ,$xt3,$xt3
++	vxxlor	$xv8 ,$xa0,$xa0
++
++	li	r0,10				# inner loop counter
++	mtctr	r0
++	b	Loop_outer_vsx_8x
++
++.align	5
++Loop_outer_vsx_8x:
++	vxxlorc	$xa0,$xv22,$xv22	        # load [smashed] sigma
++	vxxlorc	$xa1,$xv23,$xv23
++	vxxlorc	$xa2,$xv24,$xv24
++	vxxlorc	$xa3,$xv25,$xv25
++	vxxlorc	$xa4,$xv22,$xv22
++	vxxlorc	$xa5,$xv23,$xv23
++	vxxlorc	$xa6,$xv24,$xv24
++	vxxlorc	$xa7,$xv25,$xv25
++
++	vspltw	$xb0,@K[1],0			# smash the key
++	vspltw	$xb1,@K[1],1
++	vspltw	$xb2,@K[1],2
++	vspltw	$xb3,@K[1],3
++	vspltw	$xb4,@K[1],0			# smash the key
++	vspltw	$xb5,@K[1],1
++	vspltw	$xb6,@K[1],2
++	vspltw	$xb7,@K[1],3
++
++	vspltw	$xc0,@K[2],0
++	vspltw	$xc1,@K[2],1
++	vspltw	$xc2,@K[2],2
++	vspltw	$xc3,@K[2],3
++	vspltw	$xc4,@K[2],0
++	vspltw	$xc7,@K[2],3
++	vspltw	$xc5,@K[2],1
++
++	vxxlorc	$xd0,$xv4,$xv4			# smash the counter
++	vspltw	$xd1,@K[3],1
++	vspltw	$xd2,@K[3],2
++	vspltw	$xd3,@K[3],3
++	vxxlorc	$xd4,$xv5,$xv5			# smash the counter
++	vspltw	$xd5,@K[3],1
++	vspltw	$xd6,@K[3],2
++	vspltw	$xd7,@K[3],3
++	vxxlorc	$xc6,$xv8,$xv8                  #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done
++
++Loop_vsx_8x:
++___
++	foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; }
++	foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; }
++$code.=<<___;
++
++	bdnz	        Loop_vsx_8x
++	vxxlor	        $xv13 ,$xd4,$xd4                # save the register vr24-31
++	vxxlor	        $xv14 ,$xd5,$xd5                #
++	vxxlor	        $xv15 ,$xd6,$xd6                #
++	vxxlor	        $xv16 ,$xd7,$xd7                #
++
++	vxxlor	        $xv18 ,$xc4,$xc4                #
++	vxxlor	        $xv19 ,$xc5,$xc5                #
++	vxxlor	        $xv20 ,$xc6,$xc6                #
++	vxxlor	        $xv21 ,$xc7,$xc7                #
++
++	vxxlor	        $xv6  ,$xb6,$xb6                # save vr23, so we get 8 regs
++	vxxlor	        $xv7  ,$xb7,$xb7                # save vr23, so we get 8 regs
++	be?vxxlorc      $beperm,$xv26,$xv26             # copy back the the beperm.
++
++	vxxlorc	   @K[0],$xv0,$xv0                #27
++	vxxlorc	   @K[1],$xv1,$xv1 		  #24
++	vxxlorc	   @K[2],$xv2,$xv2		  #25
++	vxxlorc	   @K[3],$xv3,$xv3		  #26
++	vxxlorc	   $CTR0,$xv4,$xv4
++###changing to vertical
++
++	vmrgew	$xt0,$xa0,$xa1			# transpose data
++	vmrgew	$xt1,$xa2,$xa3
++	vmrgow	$xa0,$xa0,$xa1
++	vmrgow	$xa2,$xa2,$xa3
++
++	vmrgew	$xt2,$xb0,$xb1
++	vmrgew	$xt3,$xb2,$xb3
++	vmrgow	$xb0,$xb0,$xb1
++	vmrgow	$xb2,$xb2,$xb3
++
++	vadduwm	$xd0,$xd0,$CTR0
++
++	vpermdi	$xa1,$xa0,$xa2,0b00
++	vpermdi	$xa3,$xa0,$xa2,0b11
++	vpermdi	$xa0,$xt0,$xt1,0b00
++	vpermdi	$xa2,$xt0,$xt1,0b11
++	vpermdi	$xb1,$xb0,$xb2,0b00
++	vpermdi	$xb3,$xb0,$xb2,0b11
++	vpermdi	$xb0,$xt2,$xt3,0b00
++	vpermdi	$xb2,$xt2,$xt3,0b11
++
++	vmrgew	$xt0,$xc0,$xc1
++	vmrgew	$xt1,$xc2,$xc3
++	vmrgow	$xc0,$xc0,$xc1
++	vmrgow	$xc2,$xc2,$xc3
++	vmrgew	$xt2,$xd0,$xd1
++	vmrgew	$xt3,$xd2,$xd3
++	vmrgow	$xd0,$xd0,$xd1
++	vmrgow	$xd2,$xd2,$xd3
++
++	vpermdi	$xc1,$xc0,$xc2,0b00
++	vpermdi	$xc3,$xc0,$xc2,0b11
++	vpermdi	$xc0,$xt0,$xt1,0b00
++	vpermdi	$xc2,$xt0,$xt1,0b11
++	vpermdi	$xd1,$xd0,$xd2,0b00
++	vpermdi	$xd3,$xd0,$xd2,0b11
++	vpermdi	$xd0,$xt2,$xt3,0b00
++	vpermdi	$xd2,$xt2,$xt3,0b11
++
++	vspltisw $xt0,8
++	vadduwm  $CTR0,$CTR0,$xt0		# next counter value
++	vxxlor	 $xv4 ,$CTR0,$CTR0	        #CTR+4-> 5
++
++	vadduwm	$xa0,$xa0,@K[0]
++	vadduwm	$xb0,$xb0,@K[1]
++	vadduwm	$xc0,$xc0,@K[2]
++	vadduwm	$xd0,$xd0,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xa0,$xa1,@K[0]
++	vadduwm	$xb0,$xb1,@K[1]
++	vadduwm	$xc0,$xc1,@K[2]
++	vadduwm	$xd0,$xd1,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xa0,$xa2,@K[0]
++	vadduwm	$xb0,$xb2,@K[1]
++	vadduwm	$xc0,$xc2,@K[2]
++	vadduwm	$xd0,$xd2,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xa0,$xa3,@K[0]
++	vadduwm	$xb0,$xb3,@K[1]
++	vadduwm	$xc0,$xc3,@K[2]
++	vadduwm	$xd0,$xd3,@K[3]
++
++	be?vperm $xa0,$xa0,$xa0,$beperm
++	be?vperm $xb0,$xb0,$xb0,$beperm
++	be?vperm $xc0,$xc0,$xc0,$beperm
++	be?vperm $xd0,$xd0,$xd0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x
++
++	lvx_4w	$xt0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xt0,$xt0,$xa0
++	vxor	$xt1,$xt1,$xb0
++	vxor	$xt2,$xt2,$xc0
++	vxor	$xt3,$xt3,$xd0
++
++	stvx_4w	$xt0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31.
++#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0.
++
++	vxxlorc	   $CTR1 ,$xv5,$xv5
++
++	vxxlorc	   $xcn4 ,$xv18,$xv18
++	vxxlorc	   $xcn5 ,$xv19,$xv19
++	vxxlorc	   $xcn6 ,$xv20,$xv20
++	vxxlorc	   $xcn7 ,$xv21,$xv21
++
++	vxxlorc	   $xdn4 ,$xv13,$xv13
++	vxxlorc	   $xdn5 ,$xv14,$xv14
++	vxxlorc	   $xdn6 ,$xv15,$xv15
++	vxxlorc	   $xdn7 ,$xv16,$xv16
++	vadduwm	   $xdn4,$xdn4,$CTR1
++
++	vxxlorc	   $xb6 ,$xv6,$xv6
++	vxxlorc	   $xb7 ,$xv7,$xv7
++#use xa1->xr0, as xt0...in the block 4-7
++
++	vmrgew	$xr0,$xa4,$xa5			# transpose data
++	vmrgew	$xt1,$xa6,$xa7
++	vmrgow	$xa4,$xa4,$xa5
++	vmrgow	$xa6,$xa6,$xa7
++	vmrgew	$xt2,$xb4,$xb5
++	vmrgew	$xt3,$xb6,$xb7
++	vmrgow	$xb4,$xb4,$xb5
++	vmrgow	$xb6,$xb6,$xb7
++
++	vpermdi	$xa5,$xa4,$xa6,0b00
++	vpermdi	$xa7,$xa4,$xa6,0b11
++	vpermdi	$xa4,$xr0,$xt1,0b00
++	vpermdi	$xa6,$xr0,$xt1,0b11
++	vpermdi	$xb5,$xb4,$xb6,0b00
++	vpermdi	$xb7,$xb4,$xb6,0b11
++	vpermdi	$xb4,$xt2,$xt3,0b00
++	vpermdi	$xb6,$xt2,$xt3,0b11
++
++	vmrgew	$xr0,$xcn4,$xcn5
++	vmrgew	$xt1,$xcn6,$xcn7
++	vmrgow	$xcn4,$xcn4,$xcn5
++	vmrgow	$xcn6,$xcn6,$xcn7
++	vmrgew	$xt2,$xdn4,$xdn5
++	vmrgew	$xt3,$xdn6,$xdn7
++	vmrgow	$xdn4,$xdn4,$xdn5
++	vmrgow	$xdn6,$xdn6,$xdn7
++
++	vpermdi	$xcn5,$xcn4,$xcn6,0b00
++	vpermdi	$xcn7,$xcn4,$xcn6,0b11
++	vpermdi	$xcn4,$xr0,$xt1,0b00
++	vpermdi	$xcn6,$xr0,$xt1,0b11
++	vpermdi	$xdn5,$xdn4,$xdn6,0b00
++	vpermdi	$xdn7,$xdn4,$xdn6,0b11
++	vpermdi	$xdn4,$xt2,$xt3,0b00
++	vpermdi	$xdn6,$xt2,$xt3,0b11
++
++	vspltisw $xr0,8
++	vadduwm  $CTR1,$CTR1,$xr0		# next counter value
++	vxxlor	 $xv5 ,$CTR1,$CTR1	        #CTR+4-> 5
++
++	vadduwm	$xan0,$xa4,@K[0]
++	vadduwm	$xbn0,$xb4,@K[1]
++	vadduwm	$xcn0,$xcn4,@K[2]
++	vadduwm	$xdn0,$xdn4,@K[3]
++
++	be?vperm $xan0,$xa4,$xa4,$beperm
++	be?vperm $xbn0,$xb4,$xb4,$beperm
++	be?vperm $xcn0,$xcn4,$xcn4,$beperm
++	be?vperm $xdn0,$xdn4,$xdn4,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x_1
++
++	lvx_4w	$xr0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xr0,$xr0,$xan0
++	vxor	$xt1,$xt1,$xbn0
++	vxor	$xt2,$xt2,$xcn0
++	vxor	$xt3,$xt3,$xdn0
++
++	stvx_4w	$xr0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xan0,$xa5,@K[0]
++	vadduwm	$xbn0,$xb5,@K[1]
++	vadduwm	$xcn0,$xcn5,@K[2]
++	vadduwm	$xdn0,$xdn5,@K[3]
++
++	be?vperm $xan0,$xan0,$xan0,$beperm
++	be?vperm $xbn0,$xbn0,$xbn0,$beperm
++	be?vperm $xcn0,$xcn0,$xcn0,$beperm
++	be?vperm $xdn0,$xdn0,$xdn0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x_1
++
++	lvx_4w	$xr0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xr0,$xr0,$xan0
++	vxor	$xt1,$xt1,$xbn0
++	vxor	$xt2,$xt2,$xcn0
++	vxor	$xt3,$xt3,$xdn0
++
++	stvx_4w	$xr0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xan0,$xa6,@K[0]
++	vadduwm	$xbn0,$xb6,@K[1]
++	vadduwm	$xcn0,$xcn6,@K[2]
++	vadduwm	$xdn0,$xdn6,@K[3]
++
++	be?vperm $xan0,$xan0,$xan0,$beperm
++	be?vperm $xbn0,$xbn0,$xbn0,$beperm
++	be?vperm $xcn0,$xcn0,$xcn0,$beperm
++	be?vperm $xdn0,$xdn0,$xdn0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x_1
++
++	lvx_4w	$xr0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xr0,$xr0,$xan0
++	vxor	$xt1,$xt1,$xbn0
++	vxor	$xt2,$xt2,$xcn0
++	vxor	$xt3,$xt3,$xdn0
++
++	stvx_4w	$xr0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	vadduwm	$xan0,$xa7,@K[0]
++	vadduwm	$xbn0,$xb7,@K[1]
++	vadduwm	$xcn0,$xcn7,@K[2]
++	vadduwm	$xdn0,$xdn7,@K[3]
++
++	be?vperm $xan0,$xan0,$xan0,$beperm
++	be?vperm $xbn0,$xbn0,$xbn0,$beperm
++	be?vperm $xcn0,$xcn0,$xcn0,$beperm
++	be?vperm $xdn0,$xdn0,$xdn0,$beperm
++
++	${UCMP}i $len,0x40
++	blt	Ltail_vsx_8x_1
++
++	lvx_4w	$xr0,$x00,$inp
++	lvx_4w	$xt1,$x10,$inp
++	lvx_4w	$xt2,$x20,$inp
++	lvx_4w	$xt3,$x30,$inp
++
++	vxor	$xr0,$xr0,$xan0
++	vxor	$xt1,$xt1,$xbn0
++	vxor	$xt2,$xt2,$xcn0
++	vxor	$xt3,$xt3,$xdn0
++
++	stvx_4w	$xr0,$x00,$out
++	stvx_4w	$xt1,$x10,$out
++	addi	$inp,$inp,0x40
++	stvx_4w	$xt2,$x20,$out
++	subi	$len,$len,0x40
++	stvx_4w	$xt3,$x30,$out
++	addi	$out,$out,0x40
++	beq	Ldone_vsx_8x
++
++	mtctr	r0
++	bne	Loop_outer_vsx_8x
++
++Ldone_vsx_8x:
++	lwz	r12,`$FRAME-4`($sp)		# pull vrsave
++	li	r10,`15+$LOCALS+64`
++	li	r11,`31+$LOCALS+64`
++	$POP	r0, `$FRAME+$LRSAVE`($sp)
++	mtspr	256,r12				# restore vrsave
++	lvx	v24,r10,$sp
++	addi	r10,r10,32
++	lvx	v25,r11,$sp
++	addi	r11,r11,32
++	lvx	v26,r10,$sp
++	addi	r10,r10,32
++	lvx	v27,r11,$sp
++	addi	r11,r11,32
++	lvx	v28,r10,$sp
++	addi	r10,r10,32
++	lvx	v29,r11,$sp
++	addi	r11,r11,32
++	lvx	v30,r10,$sp
++	lvx	v31,r11,$sp
++	mtlr	r0
++	addi	$sp,$sp,$FRAME
++	blr
++
++.align	4
++Ltail_vsx_8x:
++	addi	r11,$sp,$LOCALS
++	mtctr	$len
++	stvx_4w	$xa0,$x00,r11			# offload block to stack
++	stvx_4w	$xb0,$x10,r11
++	stvx_4w	$xc0,$x20,r11
++	stvx_4w	$xd0,$x30,r11
++	subi	r12,r11,1			# prepare for *++ptr
++	subi	$inp,$inp,1
++	subi	$out,$out,1
++	bl      Loop_tail_vsx_8x
++Ltail_vsx_8x_1:
++	addi	r11,$sp,$LOCALS
++	mtctr	$len
++	stvx_4w	$xan0,$x00,r11			# offload block to stack
++	stvx_4w	$xbn0,$x10,r11
++	stvx_4w	$xcn0,$x20,r11
++	stvx_4w	$xdn0,$x30,r11
++	subi	r12,r11,1			# prepare for *++ptr
++	subi	$inp,$inp,1
++	subi	$out,$out,1
++        bl      Loop_tail_vsx_8x
++
++Loop_tail_vsx_8x:
++	lbzu	r6,1(r12)
++	lbzu	r7,1($inp)
++	xor	r6,r6,r7
++	stbu	r6,1($out)
++	bdnz	Loop_tail_vsx_8x
++
++	stvx_4w	$K[0],$x00,r11			# wipe copy of the block
++	stvx_4w	$K[0],$x10,r11
++	stvx_4w	$K[0],$x20,r11
++	stvx_4w	$K[0],$x30,r11
++
++	b	Ldone_vsx_8x
++	.long	0
++	.byte	0,12,0x04,1,0x80,0,5,0
++	.long	0
++.size	.ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x
++___
++}}}
++
++
++$code.=<<___;
++.align	5
++Lconsts:
++	mflr	r0
++	bcl	20,31,\$+4
++	mflr	r12	#vvvvv "distance between . and Lsigma
++	addi	r12,r12,`64-8`
++	mtlr	r0
++	blr
++	.long	0
++	.byte	0,12,0x14,0,0,0,0,0
++	.space	`64-9*4`
++Lsigma:
++	.long   0x61707865,0x3320646e,0x79622d32,0x6b206574
++	.long	1,0,0,0
++	.long	2,0,0,0
++	.long	3,0,0,0
++	.long	4,0,0,0
++___
++$code.=<<___ 	if ($LITTLE_ENDIAN);
++	.long	0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001
++	.long	0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300
++___
++$code.=<<___ 	if (!$LITTLE_ENDIAN);	# flipped words
++	.long	0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d
++	.long	0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c
++___
++$code.=<<___;
++	.long	0x61707865,0x61707865,0x61707865,0x61707865
++	.long	0x3320646e,0x3320646e,0x3320646e,0x3320646e
++	.long	0x79622d32,0x79622d32,0x79622d32,0x79622d32
++	.long	0x6b206574,0x6b206574,0x6b206574,0x6b206574
++	.long	0,1,2,3
++        .long   0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c
++.asciz  "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by <appro\@openssl.org>"
++.align	2
++___
++
++foreach (split("\n",$code)) {
++	s/\`([^\`]*)\`/eval $1/ge;
++
++	# instructions prefixed with '?' are endian-specific and need
++	# to be adjusted accordingly...
++	if ($flavour !~ /le$/) {	# big-endian
++	    s/be\?//		or
++	    s/le\?/#le#/	or
++	    s/\?lvsr/lvsl/	or
++	    s/\?lvsl/lvsr/	or
++	    s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or
++	    s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/;
++	} else {			# little-endian
++	    s/le\?//		or
++	    s/be\?/#be#/	or
++	    s/\?([a-z]+)/$1/	or
++	    s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/;
++	}
++
++	print $_,"\n";
++}
++
++close STDOUT or die "error closing STDOUT: $!";
+--- a/crypto/chacha/build.info
++++ b/crypto/chacha/build.info
+@@ -5,6 +5,7 @@ GENERATE[chacha-x86.s]=asm/chacha-x86.pl
+         $(PERLASM_SCHEME) $(LIB_CFLAGS) $(LIB_CPPFLAGS) $(PROCESSOR)
+ GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl $(PERLASM_SCHEME)
+ GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl $(PERLASM_SCHEME)
++GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl $(PERLASM_SCHEME)
+ GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl $(PERLASM_SCHEME)
+ INCLUDE[chacha-armv4.o]=..
+ GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl $(PERLASM_SCHEME)
+--- a/crypto/perlasm/ppc-xlate.pl
++++ b/crypto/perlasm/ppc-xlate.pl
+@@ -288,6 +288,14 @@ my $vpermdi	= sub {				# xxpermdi
+     $dm = oct($dm) if ($dm =~ /^0/);
+     "	.long	".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7;
+ };
++my $vxxlor	= sub {				# xxlor
++    my ($f, $vrt, $vra, $vrb) = @_;
++    "	.long	".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6;
++};
++my $vxxlorc	= sub {				# xxlor
++    my ($f, $vrt, $vra, $vrb) = @_;
++    "	.long	".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1;
++};
+ 
+ # PowerISA 2.07 stuff
+ sub vcrypto_op {
+@@ -370,6 +378,15 @@ my $addex = sub {
+ };
+ my $vmsumudm	= sub { vfour_vsr(@_, 35); };
+ 
++# PowerISA 3.1 stuff
++my $brd = sub {
++    my ($f, $ra, $rs) = @_;
++    "  .long   ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1);
++};
++my $vsrq	= sub { vcrypto_op(@_, 517); };
++
++
++
+ while($line=<>) {
+ 
+     $line =~ s|[#!;].*$||;	# get rid of asm-style comments...
+--- a/crypto/ppc_arch.h
++++ b/crypto/ppc_arch.h
+@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P;
+ # define PPC_MADD300     (1<<4)
+ # define PPC_MFTB        (1<<5)
+ # define PPC_MFSPR268    (1<<6)
++# define PPC_BRD31       (1<<7)
+ 
+ #endif
+--- a/crypto/ppccap.c
++++ b/crypto/ppccap.c
+@@ -108,15 +108,20 @@ void ChaCha20_ctr32_vmx(unsigned char *o
+ void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp,
+                         size_t len, const unsigned int key[8],
+                         const unsigned int counter[4]);
++void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp,
++                        size_t len, const unsigned int key[8],
++                        const unsigned int counter[4]);
+ void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp,
+                     size_t len, const unsigned int key[8],
+                     const unsigned int counter[4])
+ {
+-    OPENSSL_ppccap_P & PPC_CRYPTO207
+-        ? ChaCha20_ctr32_vsx(out, inp, len, key, counter)
+-        : OPENSSL_ppccap_P & PPC_ALTIVEC
+-            ? ChaCha20_ctr32_vmx(out, inp, len, key, counter)
+-            : ChaCha20_ctr32_int(out, inp, len, key, counter);
++    OPENSSL_ppccap_P & PPC_BRD31
++        ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter)
++        :OPENSSL_ppccap_P & PPC_CRYPTO207
++            ? ChaCha20_ctr32_vsx(out, inp, len, key, counter)
++            : OPENSSL_ppccap_P & PPC_ALTIVEC
++                 ? ChaCha20_ctr32_vmx(out, inp, len, key, counter)
++                 : ChaCha20_ctr32_int(out, inp, len, key, counter);
+ }
+ #endif
+ 
+@@ -182,6 +187,7 @@ void OPENSSL_ppc64_probe(void);
+ void OPENSSL_altivec_probe(void);
+ void OPENSSL_crypto207_probe(void);
+ void OPENSSL_madd300_probe(void);
++void OPENSSL_brd31_probe(void);
+ 
+ long OPENSSL_rdtsc_mftb(void);
+ long OPENSSL_rdtsc_mfspr268(void);
+@@ -264,6 +270,7 @@ static unsigned long getauxval(unsigned
+ #define HWCAP2                  26      /* AT_HWCAP2 */
+ #define HWCAP_VEC_CRYPTO        (1U << 25)
+ #define HWCAP_ARCH_3_00         (1U << 23)
++#define HWCAP_ARCH_3_1          (1U << 18)
+ 
+ # if defined(__GNUC__) && __GNUC__>=2
+ __attribute__ ((constructor))
+@@ -324,6 +331,9 @@ void OPENSSL_cpuid_setup(void)
+     if (__power_set(0xffffffffU<<17))           /* POWER9 and later */
+         OPENSSL_ppccap_P |= PPC_MADD300;
+ 
++    if (__power_set(0xffffffffU<<18))           /* POWER10 and later */
++        OPENSSL_ppccap_P |= PPC_BRD31;
++
+     return;
+ # endif
+ #endif
+@@ -379,6 +389,10 @@ void OPENSSL_cpuid_setup(void)
+         if (hwcap2 & HWCAP_ARCH_3_00) {
+             OPENSSL_ppccap_P |= PPC_MADD300;
+         }
++
++        if (hwcap2 & HWCAP_ARCH_3_1) {
++            OPENSSL_ppccap_P |= PPC_BRD31;
++        }
+     }
+ #endif
+ 
+--- a/crypto/ppccpuid.pl
++++ b/crypto/ppccpuid.pl
+@@ -77,6 +77,17 @@ $code=<<___;
+ 	.long	0
+ 	.byte	0,12,0x14,0,0,0,0,0
+ 
++.globl	.OPENSSL_brd31_probe
++.align	4
++.OPENSSL_brd31_probe:
++	xor	r0,r0,r0
++	brd	r3,r0
++	blr
++	.long	0
++	.byte	0,12,0x14,0,0,0,0,0
++.size	.OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe
++
++
+ .globl	.OPENSSL_wipe_cpu
+ .align	4
+ .OPENSSL_wipe_cpu:
diff --git a/openssl-1_1-disable-test_srp-sslapi.patch b/openssl-1_1-disable-test_srp-sslapi.patch
new file mode 100644
index 0000000..91f31fa
--- /dev/null
+++ b/openssl-1_1-disable-test_srp-sslapi.patch
@@ -0,0 +1,13 @@
+Index: openssl-1.1.1i/test/sslapitest.c
+===================================================================
+--- openssl-1.1.1i.orig/test/sslapitest.c
++++ openssl-1.1.1i/test/sslapitest.c
+@@ -6766,7 +6766,7 @@ int setup_tests(void)
+ #endif
+     ADD_ALL_TESTS(test_ssl_clear, 2);
+     ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test));
+-#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2)
++#if !defined(OPENSSL_NO_SRP) && !defined(OPENSSL_NO_TLS1_2) && 0
+     ADD_ALL_TESTS(test_srp, 6);
+ #endif
+     ADD_ALL_TESTS(test_info_callback, 6);
diff --git a/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
new file mode 100644
index 0000000..d6a598e
--- /dev/null
+++ b/openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
@@ -0,0 +1,23 @@
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index cbbfab1..7576de8 100644
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -14,6 +14,9 @@
+ extern "C" {
+ #endif
+ 
++#define SUSE_OPENSSL_STRING_PARAM_FUNCA(x) #x
++#define SUSE_OPENSSL_STRING_PARAM_FUNCB(x) SUSE_OPENSSL_STRING_PARAM_FUNCA(x)
++
+ /*-
+  * Numeric release version identifier:
+  * MNNFFPPS: major minor fix patch status
+@@ -40,7 +43,7 @@ extern "C" {
+  *  major minor fix final patch/beta)
+  */
+ # define OPENSSL_VERSION_NUMBER  0x101010cfL
+-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021"
++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1l  24 Aug 2021 SUSE release " SUSE_OPENSSL_STRING_PARAM_FUNCB(SUSE_OPENSSL_RELEASE)
+ 
+ /*-
+  * The macros below are to be used for shared library (.so, .dll, ...)
diff --git a/openssl-1_1-fips-drbg-selftest.patch b/openssl-1_1-fips-drbg-selftest.patch
new file mode 100644
index 0000000..2611d7d
--- /dev/null
+++ b/openssl-1_1-fips-drbg-selftest.patch
@@ -0,0 +1,589 @@
+Index: openssl-1.1.1l/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1l/crypto/fips/fips_post.c
+@@ -66,6 +66,7 @@
+ 
+ # include <openssl/fips.h>
+ # include "crypto/fips.h"
++# include "crypto/rand.h"
+ # include "fips_locl.h"
+ 
+ /* Run all selftests */
+@@ -79,6 +80,8 @@ int FIPS_selftest(void)
+     if (!FIPS_selftest_drbg_all())
+         rv = 0;
+ #endif
++    if (!FIPS_selftest_drbg_new())
++        rv = 0;
+     if (!FIPS_selftest_sha1())
+         rv = 0;
+     if (!FIPS_selftest_sha2())
+Index: openssl-1.1.1l/crypto/rand/build.info
+===================================================================
+--- openssl-1.1.1l.orig/crypto/rand/build.info
++++ openssl-1.1.1l/crypto/rand/build.info
+@@ -1,6 +1,6 @@
+ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+         randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \
+-        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c
++        rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c
+ 
+ INCLUDE[drbg_ctr.o]=../modes
+Index: openssl-1.1.1l/crypto/rand/drbg_selftest.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/rand/drbg_selftest.c
+@@ -0,0 +1,537 @@
++/*
++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <stddef.h>
++#include "internal/nelem.h"
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand_drbg.h>
++#include <openssl/obj_mac.h>
++#include "internal/thread_once.h"
++#include "crypto/rand.h"
++
++typedef struct test_ctx_st {
++    const unsigned char *entropy;
++    size_t entropylen;
++    int entropycnt;
++    const unsigned char *nonce;
++    size_t noncelen;
++    int noncecnt;
++} TEST_CTX;
++
++static int app_data_index = -1;
++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT;
++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init)
++{
++    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
++
++    return 1;
++}
++
++enum drbg_kat_type {
++    NO_RESEED,
++    PR_FALSE,
++    PR_TRUE
++};
++
++enum drbg_df {
++    USE_DF,
++    NO_DF,
++    NA
++};
++
++struct drbg_kat_no_reseed {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *addin1;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_false {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *entropyinreseed;
++    const unsigned char *addinreseed;
++    const unsigned char *addin1;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat_pr_true {
++    size_t count;
++    const unsigned char *entropyin;
++    const unsigned char *nonce;
++    const unsigned char *persstr;
++    const unsigned char *entropyinpr1;
++    const unsigned char *addin1;
++    const unsigned char *entropyinpr2;
++    const unsigned char *addin2;
++    const unsigned char *retbytes;
++};
++
++struct drbg_kat {
++    enum drbg_kat_type type;
++    enum drbg_df df;
++    int nid;
++
++    size_t entropyinlen;
++    size_t noncelen;
++    size_t persstrlen;
++    size_t addinlen;
++    size_t retbyteslen;
++
++    const void *t;
++};
++
++/*
++ * Excerpt from test/drbg_cavs_data.c
++ * DRBG test vectors from:
++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/
++ */
++
++static const unsigned char kat1308_entropyin[] = {
++    0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c,
++    0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7,
++    0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97,
++    0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52,
++};
++static const unsigned char kat1308_nonce[] = {0};
++static const unsigned char kat1308_persstr[] = {
++    0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2,
++    0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39,
++    0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45,
++    0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3,
++};
++static const unsigned char kat1308_addin0[] = {
++    0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e,
++    0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a,
++    0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a,
++    0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c,
++};
++static const unsigned char kat1308_addin1[] = {
++    0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19,
++    0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a,
++    0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e,
++    0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4,
++};
++static const unsigned char kat1308_retbits[] = {
++    0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2,
++    0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92,
++    0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f,
++    0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63,
++    0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53,
++    0x26, 0x32, 0xd0, 0xb8,
++};
++static const struct drbg_kat_no_reseed kat1308_t = {
++    2, kat1308_entropyin, kat1308_nonce, kat1308_persstr,
++    kat1308_addin0, kat1308_addin1, kat1308_retbits
++};
++static const struct drbg_kat kat1308 = {
++    NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t
++};
++
++static const unsigned char kat1465_entropyin[] = {
++    0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64,
++    0x87, 0xbe, 0xaa, 0xc0,
++};
++static const unsigned char kat1465_nonce[] = {
++    0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85,
++};
++static const unsigned char kat1465_persstr[] = {0};
++static const unsigned char kat1465_entropyinreseed[] = {
++    0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5,
++    0x1f, 0x4b, 0x7b, 0x51,
++};
++static const unsigned char kat1465_addinreseed[] = {
++    0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12,
++    0x61, 0x9f, 0x26, 0x5f,
++};
++static const unsigned char kat1465_addin0[] = {
++    0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6,
++    0x10, 0x5a, 0x73, 0x9c,
++};
++static const unsigned char kat1465_addin1[] = {
++    0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18,
++    0x47, 0x99, 0x1f, 0xeb,
++};
++static const unsigned char kat1465_retbits[] = {
++    0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d,
++    0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb,
++    0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52,
++    0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e,
++    0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41,
++    0x58, 0xdb, 0x27, 0xba,
++};
++static const struct drbg_kat_pr_false kat1465_t = {
++    9, kat1465_entropyin, kat1465_nonce, kat1465_persstr,
++    kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0,
++    kat1465_addin1, kat1465_retbits
++};
++static const struct drbg_kat kat1465 = {
++    PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t
++};
++
++static const unsigned char kat3146_entropyin[] = {
++    0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3,
++    0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4,
++};
++static const unsigned char kat3146_nonce[] = {
++    0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3,
++    0x50, 0x86, 0xca, 0xca,
++};
++static const unsigned char kat3146_persstr[] = {0};
++static const unsigned char kat3146_entropyinpr1[] = {
++    0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda,
++    0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15,
++};
++static const unsigned char kat3146_addinpr1[] = {
++    0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1,
++    0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90,
++    0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99,
++};
++static const unsigned char kat3146_entropyinpr2[] = {
++    0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7,
++    0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34,
++};
++static const unsigned char kat3146_addinpr2[] = {
++    0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c,
++    0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3,
++    0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6,
++};
++static const unsigned char kat3146_retbits[] = {
++    0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f,
++    0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28,
++    0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76,
++    0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87,
++    0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45,
++    0xd4, 0x30, 0x73, 0xbb,
++};
++static const struct drbg_kat_pr_true kat3146_t = {
++    10, kat3146_entropyin, kat3146_nonce, kat3146_persstr,
++    kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2,
++    kat3146_addinpr2, kat3146_retbits
++};
++static const struct drbg_kat kat3146 = {
++    PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t
++};
++
++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 };
++
++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test);
++
++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
++                          int entropy, size_t min_len, size_t max_len,
++                          int prediction_resistance)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->entropycnt++;
++    *pout = (unsigned char *)t->entropy;
++    return t->entropylen;
++}
++
++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
++                        int entropy, size_t min_len, size_t max_len)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->noncecnt++;
++    *pout = (unsigned char *)t->nonce;
++    return t->noncelen;
++}
++
++/*
++ * Do a single NO_RESEED KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_no_reseed(const struct drbg_kat *td)
++{
++    struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin1, td->addinlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++/*-
++ * Do a single PR_FALSE KAT:
++ *
++ * Instantiate
++ * Reseed
++ * Generate Random Bits (pr=false)
++ * Generate Random Bits (pr=false)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_false(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++
++    t.entropy = data->entropyinreseed;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin1, td->addinlen)
++        || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0,
++                               data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++/*-
++ * Do a single PR_TRUE KAT:
++ *
++ * Instantiate
++ * Generate Random Bits (pr=true)
++ * Generate Random Bits (pr=true)
++ * Uninstantiate
++ *
++ * Return 0 on failure.
++ */
++static int single_kat_pr_true(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned char *buff = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    t.entropy = data->entropyin;
++    t.entropylen = td->entropyinlen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    buff = OPENSSL_malloc(td->retbyteslen);
++    if (buff == NULL) {
++        failures++;
++        goto err;
++    }
++
++    if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++
++    t.entropy = data->entropyinpr1;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++                            data->addin1, td->addinlen))
++        failures++;
++
++    t.entropy = data->entropyinpr2;
++    t.entropylen = td->entropyinlen;
++
++    if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1,
++                            data->addin2, td->addinlen)
++        || memcmp(data->retbytes, buff,
++                  td->retbyteslen) != 0)
++        failures++;
++
++err:
++    OPENSSL_free(buff);
++    RAND_DRBG_uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++static int test_kats(int i)
++{
++    const struct drbg_kat *td = drbg_test[i];
++    int rv = 0;
++
++    switch (td->type) {
++    case NO_RESEED:
++        if (!single_kat_no_reseed(td))
++            goto err;
++        break;
++    case PR_FALSE:
++        if (!single_kat_pr_false(td))
++            goto err;
++        break;
++    case PR_TRUE:
++        if (!single_kat_pr_true(td))
++            goto err;
++        break;
++    default:	/* cant happen */
++        goto err;
++    }
++    rv = 1;
++err:
++    return rv;
++}
++
++/*-
++ * Do one expected-error test:
++ *
++ * Instantiate with no entropy supplied
++ *
++ * Return 0 on failure.
++ */
++static int test_drbg_sanity(const struct drbg_kat *td)
++{
++    struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t;
++    RAND_DRBG *drbg = NULL;
++    unsigned int flags = 0;
++    int failures = 0;
++    TEST_CTX t;
++
++    if (td->df != USE_DF)
++        flags |= RAND_DRBG_FLAG_CTR_NO_DF;
++
++    if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL)
++        return 0;
++
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                 kat_nonce, NULL)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = data->entropyin;
++    t.entropylen = 0;     /* No entropy */
++    t.nonce = data->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    ERR_set_mark();
++    /* This must fail. */
++    if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen))
++        failures++;
++    RAND_DRBG_uninstantiate(drbg);
++    ERR_pop_to_mark();
++
++err:
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++
++int FIPS_selftest_drbg_new(void)
++{
++    int i;
++
++    if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init))
++        return 0;
++
++    for (i = 0; i < drbg_test_nelem; i++) {
++        if (test_kats(i) <= 0)
++            return 0;
++    }
++
++    if (test_drbg_sanity(&kat1465) <= 0)
++        return 0;
++
++    return 1;
++}
+Index: openssl-1.1.1l/include/crypto/rand.h
+===================================================================
+--- openssl-1.1.1l.orig/include/crypto/rand.h
++++ openssl-1.1.1l/include/crypto/rand.h
+@@ -140,4 +140,9 @@ void rand_pool_cleanup(void);
+  */
+ void rand_pool_keep_random_devices_open(int keep);
+ 
++/*
++ * Perform the DRBG KAT selftests
++ */
++int FIPS_selftest_drbg_new(void);
++
+ #endif
diff --git a/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
new file mode 100644
index 0000000..fee38bf
--- /dev/null
+++ b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
@@ -0,0 +1,130 @@
+---
+ crypto/asn1/ameth_lib.c        |   18 ++++++++++++++++++
+ crypto/asn1/standard_methods.h |   29 +++++++++++++++++++++++++++++
+ crypto/evp/c_alld.c            |   27 +++++++++++++++++++++++++++
+ 3 files changed, 74 insertions(+)
+
+--- a/crypto/asn1/ameth_lib.c
++++ b/crypto/asn1/ameth_lib.c
+@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P
+ 
+ int EVP_PKEY_asn1_get_count(void)
+ {
++#ifdef OPENSSL_FIPS
++    int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
++#else
+     int num = OSSL_NELEM(standard_methods);
++#endif
+     if (app_methods)
+         num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods);
+     return num;
+@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void)
+ 
+ const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx)
+ {
++#ifdef OPENSSL_FIPS
++    int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods);
++#else
+     int num = OSSL_NELEM(standard_methods);
++#endif
+     if (idx < 0)
+         return NULL;
+     if (idx < num)
++#ifdef OPENSSL_FIPS
++        return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx];
++#else
+         return standard_methods[idx];
++#endif
+     idx -= num;
+     return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
+ }
+@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_
+         if (idx >= 0)
+             return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx);
+     }
++#ifdef OPENSSL_FIPS
++    ret = FIPS_mode() ? \
++          OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \
++          OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
++#else
+     ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods));
++#endif
+     if (!ret || !*ret)
+         return NULL;
+     return *ret;
+--- a/crypto/asn1/standard_methods.h
++++ b/crypto/asn1/standard_methods.h
+@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand
+ #endif
+ };
+ 
++static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = {
++#ifndef OPENSSL_NO_RSA
++    &rsa_asn1_meths[0],
++    &rsa_asn1_meths[1],
++#endif
++#ifndef OPENSSL_NO_DH
++    &dh_asn1_meth,
++#endif
++#ifndef OPENSSL_NO_DSA
++    &dsa_asn1_meths[0],
++    &dsa_asn1_meths[1],
++    &dsa_asn1_meths[2],
++    &dsa_asn1_meths[3],
++    &dsa_asn1_meths[4],
++#endif
++#ifndef OPENSSL_NO_EC
++    &eckey_asn1_meth,
++#endif
++    &hmac_asn1_meth,
++#ifndef OPENSSL_NO_CMAC
++    &cmac_asn1_meth,
++#endif
++#ifndef OPENSSL_NO_RSA
++    &rsa_pss_asn1_meth,
++#endif
++#ifndef OPENSSL_NO_DH
++    &dhx_asn1_meth,
++#endif
++};
+--- a/crypto/evp/c_alld.c
++++ b/crypto/evp/c_alld.c
+@@ -16,6 +16,13 @@
+ 
+ void openssl_add_all_digests_int(void)
+ {
++#ifdef OPENSSL_FIPS
++    /*
++     * This function is called from FIPS_selftest_ecdsa() before FIPS mode is
++     * turned on. That is the reason why we need to also check fips_in_post().
++     */
++    if (!FIPS_mode() && !fips_in_post()) {
++#endif
+ #ifndef OPENSSL_NO_MD4
+     EVP_add_digest(EVP_md4());
+ #endif
+@@ -57,4 +64,24 @@ void openssl_add_all_digests_int(void)
+     EVP_add_digest(EVP_sha3_512());
+     EVP_add_digest(EVP_shake128());
+     EVP_add_digest(EVP_shake256());
++#ifdef OPENSSL_FIPS
++    } else {
++        EVP_add_digest(EVP_md5_sha1());
++        EVP_add_digest(EVP_sha1());
++        EVP_add_digest_alias(SN_sha1, "ssl3-sha1");
++        EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA);
++        EVP_add_digest(EVP_sha224());
++        EVP_add_digest(EVP_sha256());
++        EVP_add_digest(EVP_sha384());
++        EVP_add_digest(EVP_sha512());
++        EVP_add_digest(EVP_sha512_224());
++        EVP_add_digest(EVP_sha512_256());
++        EVP_add_digest(EVP_sha3_224());
++        EVP_add_digest(EVP_sha3_256());
++        EVP_add_digest(EVP_sha3_384());
++        EVP_add_digest(EVP_sha3_512());
++        EVP_add_digest(EVP_shake128());
++        EVP_add_digest(EVP_shake256());
++    }
++#endif
+ }
diff --git a/openssl-1_1-jitterentropy-3.4.0.patch b/openssl-1_1-jitterentropy-3.4.0.patch
new file mode 100644
index 0000000..e088892
--- /dev/null
+++ b/openssl-1_1-jitterentropy-3.4.0.patch
@@ -0,0 +1,202 @@
+---
+ Configurations/00-base-templates.conf |    2 -
+ crypto/fips/build.info                |    3 +-
+ crypto/fips/fips.c                    |    8 +++++++
+ crypto/fips/fips_entropy.c            |   38 ++++++++++++++++++++++++++++++++++
+ crypto/fips/fips_err.h                |    1 
+ crypto/init.c                         |    4 +++
+ crypto/rand/rand_unix.c               |   30 +++++++++++++++++++++++++-
+ include/crypto/fips.h                 |    2 +
+ include/openssl/fips.h                |    4 +++
+ util/libcrypto.num                    |    2 +
+ 10 files changed, 91 insertions(+), 3 deletions(-)
+
+--- a/Configurations/00-base-templates.conf
++++ b/Configurations/00-base-templates.conf
+@@ -96,7 +96,7 @@ my %targets=(
+         ex_libs         =>
+             sub { !defined($disabled{zlib})
+                   && defined($disabled{"zlib-dynamic"})
+-                  ? "-lz" : () },
++                  ? "-lz -ljitterentropy" : "-ljitterentropy" },
+         HASHBANGPERL    => "/usr/bin/env perl", # Only Unix actually cares
+         RANLIB          => sub { which("$config{cross_compile_prefix}ranlib")
+                                      ? "ranlib" : "" },
+--- a/crypto/fips/build.info
++++ b/crypto/fips/build.info
+@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\
+         fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+-        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c
++        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c \
++        fips_entropy.c
+ 
+ PROGRAMS=\
+           fips_standalone_hmac
+--- a/crypto/fips/fips.c
++++ b/crypto/fips/fips.c
+@@ -461,6 +461,14 @@ int FIPS_module_mode_set(int onoff)
+ 
+         fips_post = 1;
+ 
++        if (!FIPS_entropy_init()) {
++            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                    FIPS_R_ENTROPY_INIT_FAILED);
++            fips_selftest_fail = 1;
++            ret = 0;
++            goto end;
++        }
++
+ 	/* Run the KATs before the HMAC verification for FIPS 140-3 compliance */
+         if (!FIPS_selftest()) {
+             fips_selftest_fail = 1;
+--- /dev/null
++++ b/crypto/fips/fips_entropy.c
+@@ -0,0 +1,38 @@
++#include <openssl/fips.h>
++
++#include "crypto/fips.h"
++#include "jitterentropy.h"
++
++static struct rand_data* ec = NULL;
++
++struct rand_data* FIPS_entropy_init(void)
++{
++    if (ec != NULL)
++        /* Entropy source has been initiated and collector allocated */
++        return ec;
++    /* If the initialization is successful, the call returns with 0 */
++    if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0)
++        /* Allocate entropy collector */
++        ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
++    return ec;
++}
++
++void FIPS_entropy_cleanup(void)
++{
++    /* Free entropy collector */
++    if (ec != NULL) {
++        jent_entropy_collector_free(ec);
++        ec = NULL;
++    }
++}
++
++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
++{
++    ssize_t ent_bytes = -1;
++
++    if (buf != NULL && buflen != 0 && FIPS_entropy_init()) {
++        /* Get entropy */
++        ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
++    }
++    return ent_bytes;
++}
+--- a/crypto/fips/fips_err.h
++++ b/crypto/fips/fips_err.h
+@@ -135,6 +135,7 @@ static ERR_STRING_DATA FIPS_str_reasons[
+     {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"},
+     {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"},
+     {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"},
++    {ERR_REASON(FIPS_R_ENTROPY_INIT_FAILED), "entropy init failed"},
+     {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
+      "entropy not requested for reseed"},
+     {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"},
+--- a/crypto/init.c
++++ b/crypto/init.c
+@@ -27,6 +27,7 @@
+ #include "crypto/dso_conf.h"
+ #include "internal/dso.h"
+ #include "crypto/store.h"
++#include "openssl/fips.h"
+ 
+ static int stopped = 0;
+ 
+@@ -597,6 +598,9 @@ void OPENSSL_cleanup(void)
+     rand_cleanup_int();
+     rand_drbg_cleanup_int();
+     conf_modules_free_int();
++#ifdef OPENSSL_FIPS
++    FIPS_entropy_cleanup();
++#endif
+ #ifndef OPENSSL_NO_ENGINE
+     engine_cleanup_int();
+ #endif
+--- a/crypto/rand/rand_unix.c
++++ b/crypto/rand/rand_unix.c
+@@ -642,9 +642,37 @@ size_t rand_pool_acquire_entropy(RAND_PO
+     return rand_pool_entropy_available(pool);
+ #  else
+     size_t entropy_available;
++    int in_post;
++
++#   ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        /* Use jitter entropy in FIPS mode */
++        for (in_post = fips_in_post(); in_post >= 0; --in_post) {
++            size_t bytes_needed;
++            unsigned char *buffer;
++            ssize_t bytes;
++            /* Maximum allowed number of consecutive unsuccessful attempts */
++            int attempts = 3;
++
++            bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/);
++            while (bytes_needed != 0 && attempts-- > 0) {
++                buffer = rand_pool_add_begin(pool, bytes_needed);
++                bytes = FIPS_jitter_entropy(buffer, bytes_needed);
++                if (bytes > 0) {
++                    rand_pool_add_end(pool, bytes, 8 * bytes);
++                    bytes_needed -= bytes;
++                    attempts = 3; /* reset counter after successful attempt */
++                } else if (bytes < 0) {
++                    break;
++                }
++            }
++        }
++        entropy_available = rand_pool_entropy_available(pool);
++        return entropy_available;
++    }
++#   endif
+ 
+ #   if defined(OPENSSL_RAND_SEED_GETRANDOM)
+-    int in_post;
+ 
+     for (in_post = fips_in_post(); in_post >= 0; --in_post) {
+     {
+--- a/include/crypto/fips.h
++++ b/include/crypto/fips.h
+@@ -101,4 +101,6 @@ void fips_set_selftest_fail(void);
+ 
+ void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
+ 
++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen);
++
+ #endif
+--- a/include/openssl/fips.h
++++ b/include/openssl/fips.h
+@@ -74,6 +74,9 @@ extern "C" {
+                                BN_GENCB *cb);
+     int FIPS_dsa_paramgen_check_g(DSA *dsa);
+ 
++    struct rand_data* FIPS_entropy_init(void);
++    void FIPS_entropy_cleanup(void);
++
+ /* BEGIN ERROR CODES */
+ /* The following lines are auto generated by the script mkerr.pl. Any changes
+  * made after this point may be overwritten when the script is next run.
+@@ -151,6 +154,7 @@ extern "C" {
+ # define FIPS_R_DRBG_NOT_INITIALISED                      152
+ # define FIPS_R_DRBG_STUCK                                103
+ # define FIPS_R_ENTROPY_ERROR_UNDETECTED                  104
++# define FIPS_R_ENTROPY_INIT_FAILED                       161
+ # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED          105
+ # define FIPS_R_ENTROPY_SOURCE_STUCK                      142
+ # define FIPS_R_ERROR_INITIALISING_DRBG                   115
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -4647,3 +4647,5 @@ fips_sli_PKCS5_PBKDF2_HMAC_is_approved
+ fips_sli_HMAC_is_approved               6608	1_1_1l	EXIST::FUNCTION:
+ fips_sli_RAND_bytes_is_approved         6609	1_1_1l	EXIST::FUNCTION:
+ fips_sli_RAND_priv_bytes_is_approved    6610	1_1_1l	EXIST::FUNCTION:
++FIPS_entropy_init                       6611	1_1_1l	EXIST::FUNCTION:
++FIPS_entropy_cleanup                    6612	1_1_1l	EXIST::FUNCTION:
diff --git a/openssl-1_1-ossl-sli-000-fix-build-error.patch b/openssl-1_1-ossl-sli-000-fix-build-error.patch
new file mode 100644
index 0000000..ec8ccb4
--- /dev/null
+++ b/openssl-1_1-ossl-sli-000-fix-build-error.patch
@@ -0,0 +1,10 @@
+diff --git a/util/libcrypto.num b/util/libcrypto.num
+index e4a490a82..2a778ce92 100644
+--- a/util/libcrypto.num
++++ b/util/libcrypto.num
+@@ -4634,3 +4634,5 @@ EVP_KDF_vctrl                           6594	1_1_1d	EXIST::FUNCTION:
+ EVP_KDF_ctrl_str                        6595	1_1_1d	EXIST::FUNCTION:
+ EVP_KDF_size                            6596	1_1_1d	EXIST::FUNCTION:
+ EVP_KDF_derive                          6597	1_1_1d	EXIST::FUNCTION:
++EC_GROUP_get0_field                     6598	1_1_1l	EXIST::FUNCTION:EC
++NONFIPS_selftest_check                  6599	1_1_1l	EXIST::FUNCTION:
diff --git a/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
new file mode 100644
index 0000000..0027f4c
--- /dev/null
+++ b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
@@ -0,0 +1,111 @@
+diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
+index 43c916fc1..fab410b9e 100644
+--- a/crypto/ec/ec_key.c
++++ b/crypto/ec/ec_key.c
+@@ -472,16 +472,16 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
+      */
+     if (eckey->priv_key != NULL) {
+         if (BN_cmp(eckey->priv_key, order) >= 0) {
+-            ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER);
++            ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_WRONG_ORDER);
+             goto err;
+         }
+         if (!EC_POINT_mul(eckey->group, point, eckey->priv_key,
+                           NULL, NULL, ctx)) {
+-            ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB);
++            ECerr(EC_F_EC_KEY_PUBLIC_CHECK, ERR_R_EC_LIB);
+             goto err;
+         }
+         if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) {
+-            ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY);
++            ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_INVALID_PRIVATE_KEY);
+             goto err;
+         }
+     }
+diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c
+index 8794a6781..f38137388 100644
+--- a/crypto/ec/ecdh_ossl.c
++++ b/crypto/ec/ecdh_ossl.c
+@@ -28,7 +28,7 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen,
+ {
+ #ifdef OPENSSL_FIPS
+     if (FIPS_selftest_failed()) {
+-        FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_OSSL_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED);
+         return -1;
+     }
+ #endif
+diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
+index 3445abd02..9e9526241 100644
+--- a/crypto/ec/ecdsa_ossl.c
++++ b/crypto/ec/ecdsa_ossl.c
+@@ -204,7 +204,7 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
+ 
+ #ifdef OPENSSL_FIPS
+     if (FIPS_selftest_failed()) {
+-        FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_ECDSA_SIMPLE_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+         return NULL;
+     }
+ #endif
+@@ -373,7 +373,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
+ 
+ #ifdef OPENSSL_FIPS
+     if (FIPS_selftest_failed()) {
+-        FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED);
+         return -1;
+     }
+ #endif
+diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c
+index 035c2c092..4a6336248 100644
+--- a/crypto/fips/fips_sha_selftest.c
++++ b/crypto/fips/fips_sha_selftest.c
+@@ -195,25 +195,25 @@ int FIPS_selftest_sha3(void)
+ 
+     EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
+     if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
+-        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
+         return 0;
+     }
+ 
+     EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
+     if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
+-        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
+         return 0;
+     }
+ 
+     EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
+     if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
+-        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
+         return 0;
+     }
+ 
+     EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
+     if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
+-        FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED);
+         return 0;
+     }
+ 
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+index e4208cbfa..7af006e7b 100644
+--- a/include/openssl/fips.h
++++ b/include/openssl/fips.h
+@@ -130,8 +130,13 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_HKDF                        155
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
++# define FIPS_F_FIPS_SELFTEST_SHA3                        156
++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG                   157
++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG                     158
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
+ # define FIPS_F_OSSL_ECDSA_VERIFY_SIG                     148
++# define FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG              159
++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY                     160
+ # define FIPS_F_RSA_BUILTIN_KEYGEN                        116
+ # define FIPS_F_RSA_OSSL_INIT                             149
+ # define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT                  117
diff --git a/openssl-1_1-ossl-sli-002-ran-make-update.patch b/openssl-1_1-ossl-sli-002-ran-make-update.patch
new file mode 100644
index 0000000..50cb3eb
--- /dev/null
+++ b/openssl-1_1-ossl-sli-002-ran-make-update.patch
@@ -0,0 +1,1124 @@
+diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
+index e64cc9f3a..8bb07ca1b 100644
+--- a/apps/openssl-vms.cnf
++++ b/apps/openssl-vms.cnf
+@@ -11,6 +11,24 @@
+ # defined.
+ HOME			= .
+ 
++openssl_conf 		= openssl_init
++
++[ openssl_init ]
++
++engines		= engine_section
++
++[ engine_section ]
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef.d
++
++[ oid_section ]
++
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file		= $ENV::HOME/.oid
+ oid_section		= new_oids
+diff --git a/crypto/asn1/charmap.h b/crypto/asn1/charmap.h
+index e234c9e61..5630291bd 100644
+--- a/crypto/asn1/charmap.h
++++ b/crypto/asn1/charmap.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated by crypto/asn1/charmap.pl
+  *
+- * Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h
+index 1a25c2857..8f2d7e995 100644
+--- a/crypto/bn/bn_prime.h
++++ b/crypto/bn/bn_prime.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated by crypto/bn/bn_prime.pl
+  *
+- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/crypto/conf/conf_def.h b/crypto/conf/conf_def.h
+index 1e4a03e10..049023628 100644
+--- a/crypto/conf/conf_def.h
++++ b/crypto/conf/conf_def.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated by crypto/conf/keysets.pl
+  *
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+  * in the file LICENSE in the source distribution or at
+diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
+index 97781380c..c7ac6aec0 100644
+--- a/crypto/dh/dh_err.c
++++ b/crypto/dh/dh_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -26,8 +26,8 @@ static const ERR_STRING_DATA DH_str_functs[] = {
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0),
+      "dh_cms_set_shared_info"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"},
+-    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"},
+-    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"},
++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0),
++     "DH_generate_parameters_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"},
+@@ -78,11 +78,11 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"},
++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non fips method"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR),
+     "not suitable generator"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"},
+-    {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
+diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c
+index d85d221c3..26210c593 100644
+--- a/crypto/dsa/dsa_err.c
++++ b/crypto/dsa/dsa_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -24,7 +24,8 @@ static const ERR_STRING_DATA DSA_str_functs[] = {
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"},
+-    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"},
++    {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0),
++     "DSA_generate_parameters_ex"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"},
+     {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"},
+@@ -60,8 +61,9 @@ static const ERR_STRING_DATA DSA_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY),
+     "missing private key"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"},
++    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD),
++    "non fips dsa method"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"},
+-    {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR),
+     "parameter encoding error"},
+     {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"},
+diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
+index bfe742265..2dc2ffa97 100644
+--- a/crypto/ec/ec_err.c
++++ b/crypto/ec/ec_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -27,9 +27,19 @@ static const ERR_STRING_DATA EC_str_functs[] = {
+      "ecdh_simple_compute_key"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_SIGN_EX, 0), "ECDSA_do_sign_ex"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_VERIFY, 0), "ECDSA_do_verify"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0),
++     "ecdsa_s390x_nistp_sign_sig"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0),
++     "ecdsa_s390x_nistp_verify_sig"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_EX, 0), "ECDSA_sign_ex"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0),
++     "ecdsa_simple_sign_setup"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0),
++     "ecdsa_simple_sign_sig"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0),
++     "ecdsa_simple_verify_sig"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"},
+@@ -193,6 +203,7 @@ static const ERR_STRING_DATA EC_str_functs[] = {
+     {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRINT_FP, 0), "EC_KEY_print_fp"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2BUF, 0), "EC_KEY_priv2buf"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2OCT, 0), "EC_KEY_priv2oct"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PUBLIC_CHECK, 0), "ec_key_public_check"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 0),
+      "EC_KEY_set_public_key_affine_coordinates"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SIMPLE_CHECK_KEY, 0),
+@@ -266,6 +277,8 @@ static const ERR_STRING_DATA EC_str_functs[] = {
+     {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0),
+      "ossl_ecdh_compute_key"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0),
++     "ossl_ecdsa_sign_setup"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0),
+      "ossl_ecdsa_verify_sig"},
+@@ -284,6 +297,18 @@ static const ERR_STRING_DATA EC_str_functs[] = {
+     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0),
++     "s390x_pkey_ecd_digestsign25519"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0),
++     "s390x_pkey_ecd_digestsign448"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0),
++     "s390x_pkey_ecd_keygen25519"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0),
++     "s390x_pkey_ecd_keygen448"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0),
++     "s390x_pkey_ecx_keygen25519"},
++    {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0),
++     "s390x_pkey_ecx_keygen448"},
+     {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"},
+     {0, NULL}
+ };
+@@ -298,6 +323,8 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
+     "coordinates out of range"},
+     {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH),
+     "curve does not support ecdh"},
++    {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA),
++    "curve does not support ecdsa"},
+     {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
+     "curve does not support signing"},
+     {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index 28cb308a1..ee2a1a5f3 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -1,4 +1,4 @@
+-# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
++# Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
+ #
+ # Licensed under the OpenSSL license (the "License").  You may not use
+ # this file except in compliance with the License.  You can obtain a copy
+@@ -407,6 +407,8 @@ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
+ DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt
+ DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey
+ DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info
++DH_F_DH_COMPUTE_KEY:126:DH_compute_key
++DH_F_DH_GENERATE_PARAMETERS_EX:127:DH_generate_parameters_ex
+ DH_F_DH_METH_DUP:117:DH_meth_dup
+ DH_F_DH_METH_NEW:118:DH_meth_new
+ DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name
+@@ -426,10 +428,13 @@ DH_F_PKEY_DH_INIT:125:pkey_dh_init
+ DH_F_PKEY_DH_KEYGEN:113:pkey_dh_keygen
+ DSA_F_DSAPARAMS_PRINT:100:DSAparams_print
+ DSA_F_DSAPARAMS_PRINT_FP:101:DSAparams_print_fp
++DSA_F_DSA_BUILTIN_KEYGEN:108:dsa_builtin_keygen
+ DSA_F_DSA_BUILTIN_PARAMGEN:125:dsa_builtin_paramgen
+ DSA_F_DSA_BUILTIN_PARAMGEN2:126:dsa_builtin_paramgen2
+ DSA_F_DSA_DO_SIGN:112:DSA_do_sign
+ DSA_F_DSA_DO_VERIFY:113:DSA_do_verify
++DSA_F_DSA_GENERATE_KEY:109:DSA_generate_key
++DSA_F_DSA_GENERATE_PARAMETERS_EX:110:DSA_generate_parameters_ex
+ DSA_F_DSA_METH_DUP:127:DSA_meth_dup
+ DSA_F_DSA_METH_NEW:128:DSA_meth_new
+ DSA_F_DSA_METH_SET1_NAME:129:DSA_meth_set1_name
+@@ -493,15 +498,15 @@ EC_F_ECDH_COMPUTE_KEY:246:ECDH_compute_key
+ EC_F_ECDH_SIMPLE_COMPUTE_KEY:257:ecdh_simple_compute_key
+ EC_F_ECDSA_DO_SIGN_EX:251:ECDSA_do_sign_ex
+ EC_F_ECDSA_DO_VERIFY:252:ECDSA_do_verify
++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
+ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
+ EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
+ EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
+-EC_F_ECDSA_VERIFY:253:ECDSA_verify
+ EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
+ EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
+ EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
+-EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
+-EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
++EC_F_ECDSA_VERIFY:253:ECDSA_verify
+ EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
+ EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
+ EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
+@@ -609,6 +614,7 @@ EC_F_EC_KEY_PRINT:180:EC_KEY_print
+ EC_F_EC_KEY_PRINT_FP:181:EC_KEY_print_fp
+ EC_F_EC_KEY_PRIV2BUF:279:EC_KEY_priv2buf
+ EC_F_EC_KEY_PRIV2OCT:256:EC_KEY_priv2oct
++EC_F_EC_KEY_PUBLIC_CHECK:299:ec_key_public_check
+ EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES:229:\
+ 	EC_KEY_set_public_key_affine_coordinates
+ EC_F_EC_KEY_SIMPLE_CHECK_KEY:258:ec_key_simple_check_key
+@@ -734,6 +740,7 @@ EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher
+ EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key
+ EVP_F_AES_T4_XTS_INIT_KEY:208:aes_t4_xts_init_key
+ EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher
++EVP_F_AES_XTS_CIPHER:210:aes_xts_cipher
+ EVP_F_AES_XTS_INIT_KEY:209:aes_xts_init_key
+ EVP_F_ALG_MODULE_INIT:177:alg_module_init
+ EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key
+@@ -833,6 +840,55 @@ EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key
+ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl
+ EVP_F_SCRYPT_ALG:228:scrypt_alg
+ EVP_F_UPDATE:173:update
++FIPS_F_DRBG_RESEED:100:drbg_reseed
++FIPS_F_DSA_BUILTIN_PARAMGEN2:101:dsa_builtin_paramgen2
++FIPS_F_DSA_DO_SIGN:102:DSA_do_sign
++FIPS_F_DSA_DO_VERIFY:103:DSA_do_verify
++FIPS_F_ECDSA_SIMPLE_SIGN_SIG:104:ecdsa_simple_sign_sig
++FIPS_F_ECDSA_SIMPLE_VERIFY_SIG:105:ecdsa_simple_verify_sig
++FIPS_F_EVP_CIPHERINIT_EX:106:EVP_CipherInit_ex
++FIPS_F_EVP_CIPHER_CTX_NEW:107:EVP_CIPHER_CTX_new
++FIPS_F_EVP_CIPHER_CTX_RESET:108:EVP_CIPHER_CTX_reset
++FIPS_F_EVP_DIGESTINIT_EX:109:EVP_DigestInit_ex
++FIPS_F_FIPS_CHECK_DSA:110:fips_check_dsa
++FIPS_F_FIPS_CHECK_EC:111:fips_check_ec
++FIPS_F_FIPS_CHECK_RSA:112:fips_check_rsa
++FIPS_F_FIPS_DRBG_BYTES:113:fips_drbg_bytes
++FIPS_F_FIPS_DRBG_CHECK:114:fips_drbg_check
++FIPS_F_FIPS_DRBG_ERROR_CHECK:115:fips_drbg_error_check
++FIPS_F_FIPS_DRBG_GENERATE:116:FIPS_drbg_generate
++FIPS_F_FIPS_DRBG_INIT:117:FIPS_drbg_init
++FIPS_F_FIPS_DRBG_INSTANTIATE:118:FIPS_drbg_instantiate
++FIPS_F_FIPS_DRBG_NEW:119:FIPS_drbg_new
++FIPS_F_FIPS_DRBG_SINGLE_KAT:120:fips_drbg_single_kat
++FIPS_F_FIPS_GET_ENTROPY:121:fips_get_entropy
++FIPS_F_FIPS_MODULE_MODE_SET:122:FIPS_module_mode_set
++FIPS_F_FIPS_PKEY_SIGNATURE_TEST:123:fips_pkey_signature_test
++FIPS_F_FIPS_RAND_BYTES:124:FIPS_rand_bytes
++FIPS_F_FIPS_RAND_SEED:125:FIPS_rand_seed
++FIPS_F_FIPS_RAND_SET_METHOD:126:FIPS_rand_set_method
++FIPS_F_FIPS_RAND_STATUS:127:FIPS_rand_status
++FIPS_F_FIPS_RSA_BUILTIN_KEYGEN:128:fips_rsa_builtin_keygen
++FIPS_F_FIPS_SELFTEST_AES:129:FIPS_selftest_aes
++FIPS_F_FIPS_SELFTEST_AES_CCM:130:FIPS_selftest_aes_ccm
++FIPS_F_FIPS_SELFTEST_AES_GCM:131:FIPS_selftest_aes_gcm
++FIPS_F_FIPS_SELFTEST_AES_XTS:132:FIPS_selftest_aes_xts
++FIPS_F_FIPS_SELFTEST_CMAC:133:FIPS_selftest_cmac
++FIPS_F_FIPS_SELFTEST_DES:134:FIPS_selftest_des
++FIPS_F_FIPS_SELFTEST_ECDSA:135:FIPS_selftest_ecdsa
++FIPS_F_FIPS_SELFTEST_HKDF:136:FIPS_selftest_hkdf
++FIPS_F_FIPS_SELFTEST_HMAC:137:FIPS_selftest_hmac
++FIPS_F_FIPS_SELFTEST_PBKDF2:138:FIPS_selftest_pbkdf2
++FIPS_F_FIPS_SELFTEST_SHA1:139:FIPS_selftest_sha1
++FIPS_F_FIPS_SELFTEST_SHA2:140:FIPS_selftest_sha2
++FIPS_F_FIPS_SELFTEST_SHA3:141:FIPS_selftest_sha3
++FIPS_F_FIPS_SELFTEST_SSH:142:FIPS_selftest_ssh
++FIPS_F_FIPS_SELFTEST_TLS:143:FIPS_selftest_tls
++FIPS_F_OSSL_ECDH_COMPUTE_KEY:144:ossl_ecdh_compute_key
++FIPS_F_RSA_OSSL_PRIVATE_DECRYPT:145:rsa_ossl_private_decrypt
++FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT:146:rsa_ossl_private_encrypt
++FIPS_F_RSA_OSSL_PUBLIC_DECRYPT:147:rsa_ossl_public_decrypt
++FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT:148:rsa_ossl_public_encrypt
+ KDF_F_HKDF_EXTRACT:112:HKDF_Extract
+ KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive
+ KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new
+@@ -1074,6 +1130,7 @@ RAND_F_RAND_PSEUDO_BYTES:126:RAND_pseudo_bytes
+ RAND_F_RAND_WRITE_FILE:112:RAND_write_file
+ RSA_F_CHECK_PADDING_MD:140:check_padding_md
+ RSA_F_ENCODE_PKCS1:146:encode_pkcs1
++RSA_F_FIPS_RSA_BUILTIN_KEYGEN:168:fips_rsa_builtin_keygen
+ RSA_F_INT_RSA_VERIFY:145:int_rsa_verify
+ RSA_F_OLD_RSA_PRIV_DECODE:147:old_rsa_priv_decode
+ RSA_F_PKEY_PSS_INIT:165:pkey_pss_init
+@@ -1088,6 +1145,8 @@ RSA_F_RSA_CHECK_KEY:123:RSA_check_key
+ RSA_F_RSA_CHECK_KEY_EX:160:RSA_check_key_ex
+ RSA_F_RSA_CMS_DECRYPT:159:rsa_cms_decrypt
+ RSA_F_RSA_CMS_VERIFY:158:rsa_cms_verify
++RSA_F_RSA_GENERATE_KEY_EX:169:RSA_generate_key_ex
++RSA_F_RSA_GENERATE_MULTI_PRIME_KEY:170:RSA_generate_multi_prime_key
+ RSA_F_RSA_ITEM_VERIFY:148:rsa_item_verify
+ RSA_F_RSA_METH_DUP:161:RSA_meth_dup
+ RSA_F_RSA_METH_NEW:162:RSA_meth_new
+@@ -1123,12 +1182,18 @@ RSA_F_RSA_PADDING_CHECK_X931:128:RSA_padding_check_X931
+ RSA_F_RSA_PARAM_DECODE:164:rsa_param_decode
+ RSA_F_RSA_PRINT:115:RSA_print
+ RSA_F_RSA_PRINT_FP:116:RSA_print_fp
++RSA_F_RSA_PRIVATE_DECRYPT:171:RSA_private_decrypt
++RSA_F_RSA_PRIVATE_ENCRYPT:172:RSA_private_encrypt
+ RSA_F_RSA_PRIV_DECODE:150:rsa_priv_decode
+ RSA_F_RSA_PRIV_ENCODE:138:rsa_priv_encode
+ RSA_F_RSA_PSS_GET_PARAM:151:rsa_pss_get_param
+ RSA_F_RSA_PSS_TO_CTX:155:rsa_pss_to_ctx
++RSA_F_RSA_PUBLIC_DECRYPT:173:RSA_public_decrypt
++RSA_F_RSA_PUBLIC_ENCRYPT:174:RSA_public_encrypt
+ RSA_F_RSA_PUB_DECODE:139:rsa_pub_decode
+ RSA_F_RSA_SETUP_BLINDING:136:RSA_setup_blinding
++RSA_F_RSA_SET_DEFAULT_METHOD:175:RSA_set_default_method
++RSA_F_RSA_SET_METHOD:176:RSA_set_method
+ RSA_F_RSA_SIGN:117:RSA_sign
+ RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING
+ RSA_F_RSA_VERIFY:119:RSA_verify
+@@ -2135,8 +2200,10 @@ DH_R_INVALID_PARAMETER_NID:114:invalid parameter nid
+ DH_R_INVALID_PUBKEY:102:invalid public key
+ DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error
+ DH_R_KEYS_NOT_SET:108:keys not set
++DH_R_KEY_SIZE_TOO_SMALL:126:key size too small
+ DH_R_MISSING_PUBKEY:125:missing pubkey
+ DH_R_MODULUS_TOO_LARGE:103:modulus too large
++DH_R_NON_FIPS_METHOD:127:non fips method
+ DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator
+ DH_R_NO_PARAMETERS_SET:107:no parameters set
+ DH_R_NO_PRIVATE_VALUE:100:no private value
+@@ -2150,9 +2217,12 @@ DSA_R_BN_ERROR:109:bn error
+ DSA_R_DECODE_ERROR:104:decode error
+ DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type
+ DSA_R_INVALID_PARAMETERS:112:invalid parameters
++DSA_R_KEY_SIZE_INVALID:114:key size invalid
++DSA_R_KEY_SIZE_TOO_SMALL:115:key size too small
+ DSA_R_MISSING_PARAMETERS:101:missing parameters
+ DSA_R_MISSING_PRIVATE_KEY:111:missing private key
+ DSA_R_MODULUS_TOO_LARGE:103:modulus too large
++DSA_R_NON_FIPS_DSA_METHOD:116:non fips dsa method
+ DSA_R_NO_PARAMETERS_SET:107:no parameters set
+ DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
+ DSA_R_Q_NOT_PRIME:113:q not prime
+@@ -2290,6 +2360,7 @@ EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH:138:data not multiple of block length
+ EVP_R_DECODE_ERROR:114:decode error
+ EVP_R_DIFFERENT_KEY_TYPES:101:different key types
+ EVP_R_DIFFERENT_PARAMETERS:153:different parameters
++EVP_R_DISABLED_FOR_FIPS:185:disabled for fips
+ EVP_R_ERROR_LOADING_SECTION:165:error loading section
+ EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode
+ EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key
+@@ -2335,6 +2406,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\
+ EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error
+ EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error
+ EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa
++EVP_R_TOO_LARGE:186:too large
+ EVP_R_UNKNOWN_CIPHER:160:unknown cipher
+ EVP_R_UNKNOWN_DIGEST:161:unknown digest
+ EVP_R_UNKNOWN_OPTION:169:unknown option
+@@ -2352,6 +2424,49 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsupported salt type
+ EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed
+ EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length
+ EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys
++FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED:100:additional input error undetected
++FIPS_R_ADDITIONAL_INPUT_TOO_LONG:101:additional input too long
++FIPS_R_ALREADY_INSTANTIATED:102:already instantiated
++FIPS_R_DRBG_NOT_INITIALISED:103:drbg not initialised
++FIPS_R_ENTROPY_ERROR_UNDETECTED:104:entropy error undetected
++FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED:105:entropy not requested for reseed
++FIPS_R_ENTROPY_SOURCE_STUCK:106:entropy source stuck
++FIPS_R_ERROR_INITIALISING_DRBG:107:error initialising drbg
++FIPS_R_ERROR_INSTANTIATING_DRBG:108:error instantiating drbg
++FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT:109:error retrieving additional input
++FIPS_R_ERROR_RETRIEVING_ENTROPY:110:error retrieving entropy
++FIPS_R_ERROR_RETRIEVING_NONCE:111:error retrieving nonce
++FIPS_R_FINGERPRINT_DOES_NOT_MATCH:112:fingerprint does not match
++FIPS_R_FIPS_MODE_ALREADY_SET:113:fips mode already set
++FIPS_R_FIPS_SELFTEST_FAILED:114:fips selftest failed
++FIPS_R_FUNCTION_ERROR:115:function error
++FIPS_R_GENERATE_ERROR:116:generate error
++FIPS_R_GENERATE_ERROR_UNDETECTED:117:generate error undetected
++FIPS_R_INSTANTIATE_ERROR:118:instantiate error
++FIPS_R_INVALID_KEY_LENGTH:119:invalid key length
++FIPS_R_IN_ERROR_STATE:120:in error state
++FIPS_R_KEY_TOO_SHORT:121:key too short
++FIPS_R_NONCE_ERROR_UNDETECTED:122:nonce error undetected
++FIPS_R_NON_FIPS_METHOD:123:non fips method
++FIPS_R_NOPR_TEST1_FAILURE:124:nopr test1 failure
++FIPS_R_NOPR_TEST2_FAILURE:125:nopr test2 failure
++FIPS_R_NOT_INSTANTIATED:126:not instantiated
++FIPS_R_PAIRWISE_TEST_FAILED:127:pairwise test failed
++FIPS_R_PERSONALISATION_ERROR_UNDETECTED:128:personalisation error undetected
++FIPS_R_PERSONALISATION_STRING_TOO_LONG:129:personalisation string too long
++FIPS_R_PR_TEST1_FAILURE:130:pr test1 failure
++FIPS_R_PR_TEST2_FAILURE:131:pr test2 failure
++FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED:132:request length error undetected
++FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG:133:request too large for drbg
++FIPS_R_RESEED_COUNTER_ERROR:134:reseed counter error
++FIPS_R_RESEED_ERROR:135:reseed error
++FIPS_R_SELFTEST_FAILED:136:selftest failed
++FIPS_R_SELFTEST_FAILURE:137:selftest failure
++FIPS_R_TEST_FAILURE:138:test failure
++FIPS_R_UNINSTANTIATE_ERROR:139:uninstantiate error
++FIPS_R_UNINSTANTIATE_ZEROISE_ERROR:140:uninstantiate zeroise error
++FIPS_R_UNSUPPORTED_DRBG_TYPE:141:unsupported drbg type
++FIPS_R_UNSUPPORTED_PLATFORM:142:unsupported platform
+ KDF_R_INVALID_DIGEST:100:invalid digest
+ KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count
+ KDF_R_MISSING_KEY:104:missing key
+@@ -2602,11 +2717,13 @@ RSA_R_MODULUS_TOO_LARGE:105:modulus too large
+ RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r
+ RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d
+ RSA_R_MP_R_NOT_PRIME:170:mp r not prime
++RSA_R_NON_FIPS_RSA_METHOD:171:non fips rsa method
+ RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent
+ RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing
+ RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes
+ RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q
+ RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error
++RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE:173:operation not allowed in fips mode
+ RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\
+ 	operation not supported for this keytype
+ RSA_R_PADDING_CHECK_FAILED:114:padding check failed
+@@ -2628,6 +2745,7 @@ RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:unsupported encryption type
+ RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source
+ RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm
+ RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter
++RSA_R_UNSUPPORTED_PARAMETERS:174:unsupported parameters
+ RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type
+ RSA_R_VALUE_MISSING:147:value missing
+ RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length
+diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
+index 7276ebf09..c50038ce4 100644
+--- a/crypto/evp/evp_err.c
++++ b/crypto/evp/evp_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -192,7 +192,7 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
+     "different key types"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS),
+     "different parameters"},
+-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"},
++    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for fips"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION),
+     "error loading section"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE),
+@@ -286,8 +286,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
+     "wrap mode not allowed"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH),
+     "wrong final block length"},
+-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE),
+-    "xts data unit is too large"},
+     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS),
+     "xts duplicated keys"},
+     {0, NULL}
+diff --git a/crypto/fips/fips_ers.c b/crypto/fips/fips_ers.c
+index 1788ed288..a8c8f5573 100644
+--- a/crypto/fips/fips_ers.c
++++ b/crypto/fips/fips_ers.c
+@@ -1,7 +1,186 @@
+-#include <openssl/opensslconf.h>
++/*
++ * Generated by util/mkerr.pl DO NOT EDIT
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
+ 
+-#ifdef OPENSSL_FIPS
+-# include "fips_err.h"
+-#else
+-static void *dummy = &dummy;
++#include <openssl/err.h>
++#include "crypto/fipserr.h"
++
++#ifndef OPENSSL_NO_ERR
++
++static const ERR_STRING_DATA FIPS_str_functs[] = {
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DRBG_RESEED, 0), "drbg_reseed"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_BUILTIN_PARAMGEN2, 0),
++     "dsa_builtin_paramgen2"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_SIGN, 0), "DSA_do_sign"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_VERIFY, 0), "DSA_do_verify"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_SIGN_SIG, 0),
++     "ecdsa_simple_sign_sig"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, 0),
++     "ecdsa_simple_verify_sig"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_NEW, 0),
++     "EVP_CIPHER_CTX_new"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_RESET, 0),
++     "EVP_CIPHER_CTX_reset"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_DSA, 0), "fips_check_dsa"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_EC, 0), "fips_check_ec"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_RSA, 0), "fips_check_rsa"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_BYTES, 0), "fips_drbg_bytes"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_CHECK, 0), "fips_drbg_check"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_ERROR_CHECK, 0),
++     "fips_drbg_error_check"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_GENERATE, 0),
++     "FIPS_drbg_generate"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INIT, 0), "FIPS_drbg_init"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INSTANTIATE, 0),
++     "FIPS_drbg_instantiate"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_NEW, 0), "FIPS_drbg_new"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_SINGLE_KAT, 0),
++     "fips_drbg_single_kat"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_GET_ENTROPY, 0), "fips_get_entropy"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_MODULE_MODE_SET, 0),
++     "FIPS_module_mode_set"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_PKEY_SIGNATURE_TEST, 0),
++     "fips_pkey_signature_test"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_BYTES, 0), "FIPS_rand_bytes"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SEED, 0), "FIPS_rand_seed"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SET_METHOD, 0),
++     "FIPS_rand_set_method"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_STATUS, 0), "FIPS_rand_status"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, 0),
++     "fips_rsa_builtin_keygen"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES, 0), "FIPS_selftest_aes"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_CCM, 0),
++     "FIPS_selftest_aes_ccm"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_GCM, 0),
++     "FIPS_selftest_aes_gcm"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_XTS, 0),
++     "FIPS_selftest_aes_xts"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_CMAC, 0),
++     "FIPS_selftest_cmac"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_DES, 0), "FIPS_selftest_des"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_ECDSA, 0),
++     "FIPS_selftest_ecdsa"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HKDF, 0),
++     "FIPS_selftest_hkdf"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HMAC, 0),
++     "FIPS_selftest_hmac"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_PBKDF2, 0),
++     "FIPS_selftest_pbkdf2"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA1, 0),
++     "FIPS_selftest_sha1"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA2, 0),
++     "FIPS_selftest_sha2"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA3, 0),
++     "FIPS_selftest_sha3"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SSH, 0), "FIPS_selftest_ssh"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_TLS, 0), "FIPS_selftest_tls"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_OSSL_ECDH_COMPUTE_KEY, 0),
++     "ossl_ecdh_compute_key"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, 0),
++     "rsa_ossl_private_decrypt"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, 0),
++     "rsa_ossl_private_encrypt"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, 0),
++     "rsa_ossl_public_decrypt"},
++    {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, 0),
++     "rsa_ossl_public_encrypt"},
++    {0, NULL}
++};
++
++static const ERR_STRING_DATA FIPS_str_reasons[] = {
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED),
++    "additional input error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_TOO_LONG),
++    "additional input too long"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ALREADY_INSTANTIATED),
++    "already instantiated"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_DRBG_NOT_INITIALISED),
++    "drbg not initialised"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_ERROR_UNDETECTED),
++    "entropy error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED),
++    "entropy not requested for reseed"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_SOURCE_STUCK),
++    "entropy source stuck"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INITIALISING_DRBG),
++    "error initialising drbg"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INSTANTIATING_DRBG),
++    "error instantiating drbg"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT),
++    "error retrieving additional input"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ENTROPY),
++    "error retrieving entropy"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_NONCE),
++    "error retrieving nonce"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FINGERPRINT_DOES_NOT_MATCH),
++    "fingerprint does not match"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_MODE_ALREADY_SET),
++    "fips mode already set"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_SELFTEST_FAILED),
++    "fips selftest failed"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FUNCTION_ERROR), "function error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR), "generate error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR_UNDETECTED),
++    "generate error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INSTANTIATE_ERROR), "instantiate error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INVALID_KEY_LENGTH),
++    "invalid key length"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_IN_ERROR_STATE), "in error state"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_KEY_TOO_SHORT), "key too short"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NONCE_ERROR_UNDETECTED),
++    "nonce error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NON_FIPS_METHOD), "non fips method"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST1_FAILURE),
++    "nopr test1 failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST2_FAILURE),
++    "nopr test2 failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOT_INSTANTIATED), "not instantiated"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PAIRWISE_TEST_FAILED),
++    "pairwise test failed"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_ERROR_UNDETECTED),
++    "personalisation error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_STRING_TOO_LONG),
++    "personalisation string too long"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED),
++    "request length error undetected"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG),
++    "request too large for drbg"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_COUNTER_ERROR),
++    "reseed counter error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_ERROR), "reseed error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILED), "selftest failed"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILURE), "selftest failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_TEST_FAILURE), "test failure"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ERROR),
++    "uninstantiate error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR),
++    "uninstantiate zeroise error"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_DRBG_TYPE),
++    "unsupported drbg type"},
++    {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_PLATFORM),
++    "unsupported platform"},
++    {0, NULL}
++};
++
++#endif
++
++int ERR_load_FIPS_strings(void)
++{
++#ifndef OPENSSL_NO_ERR
++    if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) {
++        ERR_load_strings_const(FIPS_str_functs);
++        ERR_load_strings_const(FIPS_str_reasons);
++    }
+ #endif
++    return 1;
++}
+diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h
+index 2fbd9a940..897a47c3e 100644
+--- a/crypto/objects/obj_dat.h
++++ b/crypto/objects/obj_dat.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated by crypto/objects/obj_dat.pl
+  *
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+  * in the file LICENSE in the source distribution or at
+diff --git a/crypto/objects/obj_xref.h b/crypto/objects/obj_xref.h
+index 5c3561ab7..5ef094bbf 100644
+--- a/crypto/objects/obj_xref.h
++++ b/crypto/objects/obj_xref.h
+@@ -2,7 +2,7 @@
+  * WARNING: do not edit!
+  * Generated by objxref.pl
+  *
+- * Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c
+index cf4326576..888fd0757 100644
+--- a/crypto/rsa/rsa_err.c
++++ b/crypto/rsa/rsa_err.c
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -34,7 +34,8 @@ static const ERR_STRING_DATA RSA_str_functs[] = {
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0),
++     "RSA_generate_key_ex"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0),
+      "RSA_generate_multi_prime_key"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"},
+@@ -93,16 +94,21 @@ static const ERR_STRING_DATA RSA_str_functs[] = {
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PARAM_DECODE, 0), "rsa_param_decode"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT, 0), "RSA_print"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0),
++     "RSA_private_decrypt"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0),
++     "RSA_private_encrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0),
++     "RSA_set_default_method"},
++    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0),
+      "RSA_sign_ASN1_OCTET_STRING"},
+@@ -111,8 +117,6 @@ static const ERR_STRING_DATA RSA_str_functs[] = {
+      "RSA_verify_ASN1_OCTET_STRING"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0),
+      "RSA_verify_PKCS1_PSS_mgf1"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"},
+-    {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"},
+     {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"},
+     {0, NULL}
+ };
+@@ -193,8 +197,9 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D),
+     "mp exponent not congruent to d"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"},
++    {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD),
++    "non fips rsa method"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"},
+-    {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING),
+     "null before block missing"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES),
+@@ -204,7 +209,7 @@ static const ERR_STRING_DATA RSA_str_reasons[] = {
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR),
+     "oaep decoding error"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),
+-    "operation not allowed in FIPS mode"},
++    "operation not allowed in fips mode"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE),
+     "operation not supported for this keytype"},
+     {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED),
+diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
+index b2d62eb9e..e7fdb2159 100644
+--- a/include/openssl/dherr.h
++++ b/include/openssl/dherr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_DHERR_H
+ # define HEADER_DHERR_H
+ 
+-# ifndef HEADER_SYMHACKS_H
+-#  include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+ 
+ # include <openssl/opensslconf.h>
+ 
+@@ -36,9 +34,8 @@ int ERR_load_DH_strings(void);
+ #  define DH_F_DH_CMS_DECRYPT                              114
+ #  define DH_F_DH_CMS_SET_PEERKEY                          115
+ #  define DH_F_DH_CMS_SET_SHARED_INFO                      116
+-#  define DH_F_DH_COMPUTE_KEY                              203
+-#  define DH_F_DH_GENERATE_KEY                             202
+-#  define DH_F_DH_GENERATE_PARAMETERS_EX                   201
++#  define DH_F_DH_COMPUTE_KEY                              126
++#  define DH_F_DH_GENERATE_PARAMETERS_EX                   127
+ #  define DH_F_DH_METH_DUP                                 117
+ #  define DH_F_DH_METH_NEW                                 118
+ #  define DH_F_DH_METH_SET1_NAME                           119
+@@ -76,14 +73,14 @@ int ERR_load_DH_strings(void);
+ #  define DH_R_INVALID_PARAMETER_NID                       114
+ #  define DH_R_INVALID_PUBKEY                              102
+ #  define DH_R_KDF_PARAMETER_ERROR                         112
+-#  define DH_R_KEY_SIZE_TOO_SMALL                          201
+ #  define DH_R_KEYS_NOT_SET                                108
++#  define DH_R_KEY_SIZE_TOO_SMALL                          126
+ #  define DH_R_MISSING_PUBKEY                              125
+ #  define DH_R_MODULUS_TOO_LARGE                           103
++#  define DH_R_NON_FIPS_METHOD                             127
+ #  define DH_R_NOT_SUITABLE_GENERATOR                      120
+ #  define DH_R_NO_PARAMETERS_SET                           107
+ #  define DH_R_NO_PRIVATE_VALUE                            100
+-#  define DH_R_NON_FIPS_METHOD                             202
+ #  define DH_R_PARAMETER_ENCODING_ERROR                    105
+ #  define DH_R_PEER_KEY_ERROR                              111
+ #  define DH_R_SHARED_INFO_ERROR                           113
+diff --git a/include/openssl/dsaerr.h b/include/openssl/dsaerr.h
+index 19f650a95..83f1b68ed 100644
+--- a/include/openssl/dsaerr.h
++++ b/include/openssl/dsaerr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_DSAERR_H
+ # define HEADER_DSAERR_H
+ 
+-# ifndef HEADER_SYMHACKS_H
+-#  include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+ 
+ # include <openssl/opensslconf.h>
+ 
+@@ -29,13 +27,13 @@ int ERR_load_DSA_strings(void);
+  */
+ #  define DSA_F_DSAPARAMS_PRINT                            100
+ #  define DSA_F_DSAPARAMS_PRINT_FP                         101
+-#  define DSA_F_DSA_BUILTIN_KEYGEN                         202
++#  define DSA_F_DSA_BUILTIN_KEYGEN                         108
+ #  define DSA_F_DSA_BUILTIN_PARAMGEN                       125
+ #  define DSA_F_DSA_BUILTIN_PARAMGEN2                      126
+-#  define DSA_F_DSA_GENERATE_KEY                           201
+-#  define DSA_F_DSA_GENERATE_PARAMETERS_EX                 200
+ #  define DSA_F_DSA_DO_SIGN                                112
+ #  define DSA_F_DSA_DO_VERIFY                              113
++#  define DSA_F_DSA_GENERATE_KEY                           109
++#  define DSA_F_DSA_GENERATE_PARAMETERS_EX                 110
+ #  define DSA_F_DSA_METH_DUP                               127
+ #  define DSA_F_DSA_METH_NEW                               128
+ #  define DSA_F_DSA_METH_SET1_NAME                         129
+@@ -63,13 +61,13 @@ int ERR_load_DSA_strings(void);
+ #  define DSA_R_DECODE_ERROR                               104
+ #  define DSA_R_INVALID_DIGEST_TYPE                        106
+ #  define DSA_R_INVALID_PARAMETERS                         112
+-#  define DSA_R_KEY_SIZE_INVALID                           201
+-#  define DSA_R_KEY_SIZE_TOO_SMALL                         202
++#  define DSA_R_KEY_SIZE_INVALID                           114
++#  define DSA_R_KEY_SIZE_TOO_SMALL                         115
+ #  define DSA_R_MISSING_PARAMETERS                         101
+ #  define DSA_R_MISSING_PRIVATE_KEY                        111
+ #  define DSA_R_MODULUS_TOO_LARGE                          103
++#  define DSA_R_NON_FIPS_DSA_METHOD                        116
+ #  define DSA_R_NO_PARAMETERS_SET                          107
+-#  define DSA_R_NON_FIPS_DSA_METHOD                        200
+ #  define DSA_R_PARAMETER_ENCODING_ERROR                   105
+ #  define DSA_R_Q_NOT_PRIME                                113
+ #  define DSA_R_SEED_LEN_SMALL                             110
+diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
+index 14dda4cfd..2443e78cd 100644
+--- a/include/openssl/ecerr.h
++++ b/include/openssl/ecerr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_ECERR_H
+ # define HEADER_ECERR_H
+ 
+-# ifndef HEADER_SYMHACKS_H
+-#  include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+ 
+ # include <openssl/opensslconf.h>
+ 
+@@ -143,6 +141,7 @@ int ERR_load_EC_strings(void);
+ #  define EC_F_EC_KEY_PRINT_FP                             181
+ #  define EC_F_EC_KEY_PRIV2BUF                             279
+ #  define EC_F_EC_KEY_PRIV2OCT                             256
++#  define EC_F_EC_KEY_PUBLIC_CHECK                         299
+ #  define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES    229
+ #  define EC_F_EC_KEY_SIMPLE_CHECK_KEY                     258
+ #  define EC_F_EC_KEY_SIMPLE_OCT2PRIV                      259
+diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
+index 8ced040f2..6ee26ce18 100644
+--- a/include/openssl/evperr.h
++++ b/include/openssl/evperr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -22,15 +22,15 @@ int ERR_load_EVP_strings(void);
+  * EVP function codes.
+  */
+ # define EVP_F_AESNI_INIT_KEY                             165
+-# define EVP_F_AESNI_XTS_INIT_KEY                         233
++# define EVP_F_AESNI_XTS_INIT_KEY                         207
+ # define EVP_F_AES_GCM_CTRL                               196
+ # define EVP_F_AES_INIT_KEY                               133
+ # define EVP_F_AES_OCB_CIPHER                             169
+ # define EVP_F_AES_T4_INIT_KEY                            178
+-# define EVP_F_AES_T4_XTS_INIT_KEY                        234
++# define EVP_F_AES_T4_XTS_INIT_KEY                        208
+ # define EVP_F_AES_WRAP_CIPHER                            170
+-# define EVP_F_AES_XTS_CIPHER                             229
+-# define EVP_F_AES_XTS_INIT_KEY                           235
++# define EVP_F_AES_XTS_CIPHER                             210
++# define EVP_F_AES_XTS_INIT_KEY                           209
+ # define EVP_F_ALG_MODULE_INIT                            177
+ # define EVP_F_ARIA_CCM_INIT_KEY                          175
+ # define EVP_F_ARIA_GCM_CTRL                              197
+@@ -146,9 +146,9 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED             133
+ # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
+ # define EVP_R_DECODE_ERROR                               114
+-# define EVP_R_DISABLED_FOR_FIPS                          200
+ # define EVP_R_DIFFERENT_KEY_TYPES                        101
+ # define EVP_R_DIFFERENT_PARAMETERS                       153
++# define EVP_R_DISABLED_FOR_FIPS                          185
+ # define EVP_R_ERROR_LOADING_SECTION                      165
+ # define EVP_R_ERROR_SETTING_FIPS_MODE                    166
+ # define EVP_R_EXPECTING_AN_HMAC_KEY                      174
+@@ -184,15 +184,15 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_ONLY_ONESHOT_SUPPORTED                     177
+ # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   150
+ # define EVP_R_OPERATON_NOT_INITIALIZED                   151
+-# define EVP_R_PARAMETER_TOO_LARGE                        187
+ # define EVP_R_OUTPUT_WOULD_OVERFLOW                      184
++# define EVP_R_PARAMETER_TOO_LARGE                        187
+ # define EVP_R_PARTIALLY_OVERLAPPING                      162
+ # define EVP_R_PBKDF2_ERROR                               181
+ # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179
+ # define EVP_R_PRIVATE_KEY_DECODE_ERROR                   145
+ # define EVP_R_PRIVATE_KEY_ENCODE_ERROR                   146
+ # define EVP_R_PUBLIC_KEY_NOT_RSA                         106
+-# define EVP_R_TOO_LARGE                                  201
++# define EVP_R_TOO_LARGE                                  186
+ # define EVP_R_UNKNOWN_CIPHER                             160
+ # define EVP_R_UNKNOWN_DIGEST                             161
+ # define EVP_R_UNKNOWN_OPTION                             169
+@@ -208,7 +208,6 @@ int ERR_load_EVP_strings(void);
+ # define EVP_R_UNSUPPORTED_SALT_TYPE                      126
+ # define EVP_R_WRAP_MODE_NOT_ALLOWED                      170
+ # define EVP_R_WRONG_FINAL_BLOCK_LENGTH                   109
+-# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE                 191
+-# define EVP_R_XTS_DUPLICATED_KEYS                        192
++# define EVP_R_XTS_DUPLICATED_KEYS                        183
+ 
+ #endif
+diff --git a/include/openssl/rsaerr.h b/include/openssl/rsaerr.h
+index a8bcfdf20..6bbd265a7 100644
+--- a/include/openssl/rsaerr.h
++++ b/include/openssl/rsaerr.h
+@@ -1,6 +1,6 @@
+ /*
+  * Generated by util/mkerr.pl DO NOT EDIT
+- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
+  *
+  * Licensed under the OpenSSL license (the "License").  You may not use
+  * this file except in compliance with the License.  You can obtain a copy
+@@ -11,9 +11,7 @@
+ #ifndef HEADER_RSAERR_H
+ # define HEADER_RSAERR_H
+ 
+-# ifndef HEADER_SYMHACKS_H
+-#  include <openssl/symhacks.h>
+-# endif
++# include <openssl/symhacks.h>
+ 
+ # ifdef  __cplusplus
+ extern "C"
+@@ -25,7 +23,7 @@ int ERR_load_RSA_strings(void);
+  */
+ # define RSA_F_CHECK_PADDING_MD                           140
+ # define RSA_F_ENCODE_PKCS1                               146
+-# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN                    206
++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN                    168
+ # define RSA_F_INT_RSA_VERIFY                             145
+ # define RSA_F_OLD_RSA_PRIV_DECODE                        147
+ # define RSA_F_PKEY_PSS_INIT                              165
+@@ -40,8 +38,8 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_CHECK_KEY_EX                           160
+ # define RSA_F_RSA_CMS_DECRYPT                            159
+ # define RSA_F_RSA_CMS_VERIFY                             158
+-# define RSA_F_RSA_GENERATE_KEY_EX                        204
+-# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY               207
++# define RSA_F_RSA_GENERATE_KEY_EX                        169
++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY               170
+ # define RSA_F_RSA_ITEM_VERIFY                            148
+ # define RSA_F_RSA_METH_DUP                               161
+ # define RSA_F_RSA_METH_NEW                               162
+@@ -77,18 +75,18 @@ int ERR_load_RSA_strings(void);
+ # define RSA_F_RSA_PARAM_DECODE                           164
+ # define RSA_F_RSA_PRINT                                  115
+ # define RSA_F_RSA_PRINT_FP                               116
++# define RSA_F_RSA_PRIVATE_DECRYPT                        171
++# define RSA_F_RSA_PRIVATE_ENCRYPT                        172
+ # define RSA_F_RSA_PRIV_DECODE                            150
+ # define RSA_F_RSA_PRIV_ENCODE                            138
+-# define RSA_F_RSA_PRIVATE_DECRYPT                        200
+-# define RSA_F_RSA_PRIVATE_ENCRYPT                        201
+ # define RSA_F_RSA_PSS_GET_PARAM                          151
+ # define RSA_F_RSA_PSS_TO_CTX                             155
++# define RSA_F_RSA_PUBLIC_DECRYPT                         173
++# define RSA_F_RSA_PUBLIC_ENCRYPT                         174
+ # define RSA_F_RSA_PUB_DECODE                             139
+-# define RSA_F_RSA_PUBLIC_DECRYPT                         202
+-# define RSA_F_RSA_PUBLIC_ENCRYPT                         203
+ # define RSA_F_RSA_SETUP_BLINDING                         136
+-# define RSA_F_RSA_SET_DEFAULT_METHOD                     205
+-# define RSA_F_RSA_SET_METHOD                             204
++# define RSA_F_RSA_SET_DEFAULT_METHOD                     175
++# define RSA_F_RSA_SET_METHOD                             176
+ # define RSA_F_RSA_SIGN                                   117
+ # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING                 118
+ # define RSA_F_RSA_VERIFY                                 119
+@@ -139,19 +137,19 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_KEY_PRIME_NUM_INVALID                      165
+ # define RSA_R_KEY_SIZE_TOO_SMALL                         120
+ # define RSA_R_LAST_OCTET_INVALID                         134
+-# define RSA_R_MISSING_PRIVATE_KEY                        179
+ # define RSA_R_MGF1_DIGEST_NOT_ALLOWED                    152
++# define RSA_R_MISSING_PRIVATE_KEY                        179
+ # define RSA_R_MODULUS_TOO_LARGE                          105
+ # define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R            168
+ # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D             169
+ # define RSA_R_MP_R_NOT_PRIME                             170
++# define RSA_R_NON_FIPS_RSA_METHOD                        171
+ # define RSA_R_NO_PUBLIC_EXPONENT                         140
+-# define RSA_R_NON_FIPS_RSA_METHOD                        200
+ # define RSA_R_NULL_BEFORE_BLOCK_MISSING                  113
+ # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES         172
+ # define RSA_R_N_DOES_NOT_EQUAL_P_Q                       127
+ # define RSA_R_OAEP_DECODING_ERROR                        121
+-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE         201
++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE         173
+ # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE   148
+ # define RSA_R_PADDING_CHECK_FAILED                       114
+ # define RSA_R_PKCS_DECODING_ERROR                        159
+@@ -171,7 +169,7 @@ int ERR_load_RSA_strings(void);
+ # define RSA_R_UNSUPPORTED_LABEL_SOURCE                   163
+ # define RSA_R_UNSUPPORTED_MASK_ALGORITHM                 153
+ # define RSA_R_UNSUPPORTED_MASK_PARAMETER                 154
+-# define RSA_R_UNSUPPORTED_PARAMETERS                     202
++# define RSA_R_UNSUPPORTED_PARAMETERS                     174
+ # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE                 155
+ # define RSA_R_VALUE_MISSING                              147
+ # define RSA_R_WRONG_SIGNATURE_LENGTH                     119
diff --git a/openssl-1_1-ossl-sli-003-add-sli.patch b/openssl-1_1-ossl-sli-003-add-sli.patch
new file mode 100644
index 0000000..1e87822
--- /dev/null
+++ b/openssl-1_1-ossl-sli-003-add-sli.patch
@@ -0,0 +1,3284 @@
+--- a/crypto/cmac/cm_pmeth.c	
++++ b/crypto/cmac/cm_pmeth.c	
+@@ -72,7 +72,10 @@ static int cmac_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx)
+ static int cmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+                         EVP_MD_CTX *mctx)
+ {
+-    return CMAC_Final(ctx->data, sig, siglen);
++    const int r = CMAC_Final(ctx->data, sig, siglen);
++    if (!fips_sli_is_approved_CMAC_CTX(ctx->data))
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++    return r;
+ }
+ 
+ static int pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
+--- a/crypto/cmac/cmac.c	
++++ b/crypto/cmac/cmac.c	
+@@ -13,6 +13,7 @@ 
+ #include "internal/cryptlib.h"
+ #include <openssl/cmac.h>
+ #include <openssl/err.h>
++#include "internal/fips_sli_local.h"
+ 
+ struct CMAC_CTX_st {
+     /* Cipher context to use */
+@@ -26,8 +27,11 @@ struct CMAC_CTX_st {
+     unsigned char last_block[EVP_MAX_BLOCK_LENGTH];
+     /* Number of bytes in last block: -1 means context not initialised */
+     int nlast_block;
++    FIPS_STATUS sli; /* Service Level Indicator */
+ };
+ 
++fips_sli_define_for(CMAC_CTX)
++
+ /* Make temporary keys K1 and K2 */
+ 
+ static void make_kn(unsigned char *k1, const unsigned char *l, int bl)
+@@ -62,6 +66,7 @@ CMAC_CTX *CMAC_CTX_new(void)
+ 
+ void CMAC_CTX_cleanup(CMAC_CTX *ctx)
+ {
++    ctx->sli = FIPS_UNSET;
+     EVP_CIPHER_CTX_reset(ctx->cctx);
+     OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH);
+     OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH);
+@@ -97,6 +102,7 @@ int CMAC_CTX_copy(CMAC_CTX *out, const CMAC_CTX *in)
+     memcpy(out->tbl, in->tbl, bl);
+     memcpy(out->last_block, in->last_block, bl);
+     out->nlast_block = in->nlast_block;
++    out->sli = in->sli;
+     return 1;
+ }
+ 
+@@ -104,6 +110,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
+               const EVP_CIPHER *cipher, ENGINE *impl)
+ {
+     static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 };
++    ctx->sli = FIPS_UNSET;
+     /* All zeros means restart */
+     if (!key && !cipher && !impl && keylen == 0) {
+         /* Not initialised */
+@@ -215,6 +222,15 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned char *out, size_t *poutlen)
+         OPENSSL_cleanse(out, bl);
+         return 0;
+     }
++    switch (EVP_CIPHER_nid(EVP_CIPHER_CTX_cipher(ctx->cctx))) {
++    case NID_aes_128_cbc:
++    case NID_aes_192_cbc:
++    case NID_aes_256_cbc:
++        fips_sli_approve_CMAC_CTX(ctx);
++        break;
++    default:
++        fips_sli_disapprove_CMAC_CTX(ctx);
++    }
+     return 1;
+ }
+ 
+--- a/crypto/dh/dh_pmeth.c	
++++ b/crypto/dh/dh_pmeth.c	
+@@ -442,6 +442,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+         if (ret < 0)
+             return ret;
+         *keylen = ret;
++        fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh);
++        fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh);
+         return 1;
+     }
+ #ifndef OPENSSL_NO_CMS
+@@ -469,6 +471,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+                           dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
+             goto err;
+         *keylen = dctx->kdf_outlen;
++        fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh);
++        fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh);
+         ret = 1;
+  err:
+         OPENSSL_clear_free(Z, Zlen);
+--- a/crypto/dsa/dsa_pmeth.c	
++++ b/crypto/dsa/dsa_pmeth.c	
+@@ -77,6 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
+     DSA_PKEY_CTX *dctx = ctx->data;
+     DSA *dsa = ctx->pkey->pkey.dsa;
+ 
++    fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(ctx, dsa);
++
+     if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
+         return 0;
+ 
+@@ -96,6 +98,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx,
+     DSA_PKEY_CTX *dctx = ctx->data;
+     DSA *dsa = ctx->pkey->pkey.dsa;
+ 
++    fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(ctx, dsa);
++
+     if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
+         return 0;
+ 
+@@ -224,6 +228,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+ static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+ {
+     DSA *dsa = NULL;
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+ 
+     if (ctx->pkey == NULL) {
+         DSAerr(DSA_F_PKEY_DSA_KEYGEN, DSA_R_NO_PARAMETERS_SET);
+--- a/crypto/ec/ec_pmeth.c	
++++ b/crypto/ec/ec_pmeth.c	
+@@ -122,6 +122,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+ 
+     type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1;
+ 
++    fips_sli_check_curve_siggen_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec));
+     ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);
+ 
+     if (ret <= 0)
+@@ -143,6 +144,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX *ctx,
+     else
+         type = NID_sha1;
+ 
++    fips_sli_check_curve_sigver_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec));
+     ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec);
+ 
+     return ret;
+@@ -182,6 +184,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
+     if (ret <= 0)
+         return 0;
+     *keylen = ret;
++    fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, eckey);
++    fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.ec);
+     return 1;
+ }
+ 
+@@ -208,6 +212,8 @@ static int pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx,
+     }
+     if (!pkey_ec_derive(ctx, ktmp, &ktmplen))
+         goto err;
++    /* ANSI-X9.63-KDF (X9_62) is FIPS-approved, but we don't have a selftest */
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     /* Do KDF stuff */
+     if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen,
+                         dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md))
+@@ -433,7 +439,12 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+     else
+         ret = EC_KEY_set_group(ec, dctx->gen_group);
+ 
+-    return ret ? EC_KEY_generate_key(ec) : 0;
++    if (ret) {
++        fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(ctx, ec);
++        return EC_KEY_generate_key(ec);
++    } else {
++        return 0;
++    }
+ }
+ 
+ static const EVP_PKEY_METHOD ec_pkey_meth = {
+--- a/crypto/ec/ecx_meth.c	
++++ b/crypto/ec/ecx_meth.c	
+@@ -691,6 +691,7 @@ static int pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
+                 && X25519(key, privkey, pubkey) == 0))
+         return 0;
+     *keylen = X25519_KEYLEN;
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     return 1;
+ }
+ 
+@@ -704,6 +705,7 @@ static int pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
+                 && X448(key, privkey, pubkey) == 0))
+         return 0;
+     *keylen = X448_KEYLEN;
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     return 1;
+ }
+ 
+--- a/crypto/evp/digest.c	
++++ b/crypto/evp/digest.c	
+@@ -24,6 +24,7 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx)
+     if (ctx == NULL)
+         return 1;
+ 
++    ctx->sli = FIPS_UNSET;
+     /*
+      * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because
+      * sometimes only copies of the context are ever finalised.
+@@ -69,6 +70,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
+ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+ {
+     EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED);
++    ctx->sli = FIPS_UNSET;
+ #ifdef OPENSSL_FIPS
+     if (FIPS_selftest_failed()) {
+         FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED);
+--- a/crypto/evp/e_aes.c	
++++ b/crypto/evp/e_aes.c	
+@@ -4303,3 +4303,73 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12, ocb, OCB,
+ BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB,
+                     EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS)
+ #endif                         /* OPENSSL_NO_OCB */
++
++/* Use an explicit whitelist here (due to the number of ciphers and modes) */
++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) {
++    /* switch on pointers is not entirely portable */
++    if (cipher->do_cipher == aes_cbc_cipher
++            || cipher->do_cipher == aes_ecb_cipher
++            || cipher->do_cipher == aes_xts_cipher
++            || cipher->do_cipher == aes_ofb_cipher
++            || cipher->do_cipher == aes_cfb_cipher
++            || cipher->do_cipher == aes_cfb1_cipher
++            || cipher->do_cipher == aes_cfb8_cipher
++            || cipher->do_cipher == aes_ctr_cipher
++            || cipher->do_cipher == aes_gcm_cipher
++            || cipher->do_cipher == aes_gcm_tls_cipher
++            || cipher->do_cipher == aes_ccm_cipher
++            #if defined(OPENSSL_CPUID_OBJ) && ( \
++                    ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\
++                    && defined(OPENSSL_IA32_SSE2)) \
++                || defined(__x86_64) || defined(__x86_64__) \
++                || defined(_M_AMD64) || defined(_M_X64))
++            || cipher->do_cipher == aesni_cbc_cipher /* AES-NI */
++            || cipher->do_cipher == aesni_ecb_cipher
++            || cipher->do_cipher == aesni_xts_cipher
++            || cipher->do_cipher == aesni_ofb_cipher
++            || cipher->do_cipher == aesni_cfb_cipher
++            || cipher->do_cipher == aesni_cfb1_cipher
++            || cipher->do_cipher == aesni_cfb8_cipher
++            || cipher->do_cipher == aesni_ctr_cipher
++            || cipher->do_cipher == aesni_gcm_cipher
++            || cipher->do_cipher == aesni_ccm_cipher
++            #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
++            || cipher->do_cipher == s390x_aes_cbc_cipher /* System/390 */
++            || cipher->do_cipher == s390x_aes_ecb_cipher
++            || cipher->do_cipher == s390x_aes_xts_cipher
++            || cipher->do_cipher == s390x_aes_ofb_cipher
++            || cipher->do_cipher == s390x_aes_cfb_cipher
++            || cipher->do_cipher == s390x_aes_cfb1_cipher
++            || cipher->do_cipher == s390x_aes_cfb8_cipher
++            || cipher->do_cipher == s390x_aes_ctr_cipher
++            || cipher->do_cipher == s390x_aes_gcm_cipher
++            || cipher->do_cipher == s390x_aes_gcm_tls_cipher
++            || cipher->do_cipher == s390x_aes_ccm_cipher
++            #endif
++            || cipher->do_cipher == aes_wrap_cipher /* key wrapping */
++       ) {
++        switch (EVP_CIPHER_key_length(cipher) * 8) {
++        case 128:
++        case 192:
++            if (cipher->do_cipher == aes_xts_cipher
++                #if defined(OPENSSL_CPUID_OBJ) && ( \
++                        ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\
++                        && defined(OPENSSL_IA32_SSE2)) \
++                    || defined(__x86_64) || defined(__x86_64__) \
++                    || defined(_M_AMD64) || defined(_M_X64))
++                || cipher->do_cipher == aesni_xts_cipher
++                #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
++                || cipher->do_cipher == s390x_aes_xts_cipher
++                #endif
++            )
++                return FIPS_NONAPPROVED;
++            /* intended fall-through */
++        case 256:
++            return FIPS_APPROVED;
++        }
++    }
++    /* disapproved for enc and dec: all others, including
++     * 3DES and AES modes
++     * aes_ocb_cipher */
++    return FIPS_NONAPPROVED;
++}
+--- a/crypto/evp/evp_enc.c	
++++ b/crypto/evp/evp_enc.c	
+@@ -32,6 +32,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c)
+ #endif
+     if (c == NULL)
+         return 1;
++    c->sli = FIPS_UNSET;
+     if (c->cipher != NULL) {
+         if (c->cipher->cleanup && !c->cipher->cleanup(c))
+             return 0;
+@@ -112,6 +113,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+             /* Restore encrypt and flags */
+             ctx->encrypt = enc;
+             ctx->flags = flags;
++            ctx->sli = FIPS_UNSET;
+         }
+ #ifndef OPENSSL_NO_ENGINE
+         if (impl) {
+@@ -237,6 +239,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
+     ctx->buf_len = 0;
+     ctx->final_used = 0;
+     ctx->block_mask = ctx->cipher->block_size - 1;
++    fips_sli_check_cipher_EVP_CIPHER_CTX(ctx, ctx->cipher);
+     return 1;
+ }
+ 
+--- a/crypto/evp/evp_local.h	
++++ b/crypto/evp/evp_local.h	
+@@ -1,3 +1,4 @@ 
++#include "internal/fips_sli_local.h"
+ /*
+  * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+  *
+@@ -19,6 +20,7 @@ struct evp_md_ctx_st {
+     EVP_PKEY_CTX *pctx;
+     /* Update function: usually copied from EVP_MD */
+     int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count);
++    FIPS_STATUS sli; /* Service Level Indicator */
+ } /* EVP_MD_CTX */ ;
+ 
+ struct evp_cipher_ctx_st {
+@@ -39,11 +41,13 @@ struct evp_cipher_ctx_st {
+     int final_used;
+     int block_mask;
+     unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */
++    FIPS_STATUS sli; /* Service Level Indicator */
+ } /* EVP_CIPHER_CTX */ ;
+ 
+ struct evp_kdf_ctx_st {
+     const EVP_KDF_METHOD *kmeth;
+     EVP_KDF_IMPL *impl;          /* Algorithm-specific data */
++    FIPS_STATUS sli; /* Service Level Indicator */
+ } /* EVP_KDF_CTX */ ;
+ 
+ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass,
+--- a/crypto/evp/kdf_lib.c	
++++ b/crypto/evp/kdf_lib.c	
+@@ -17,6 +17,7 @@ 
+ #include <openssl/kdf.h>
+ #include "crypto/asn1.h"
+ #include "crypto/evp.h"
++#include "internal/fips_sli_local.h"
+ #include "internal/numbers.h"
+ #include "evp_local.h"
+ 
+@@ -82,6 +83,7 @@ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id)
+     }
+ 
+     ret->kmeth = kmeth;
++    ret->sli = FIPS_UNSET;
+     return ret;
+ }
+ 
+@@ -101,6 +103,7 @@ void EVP_KDF_reset(EVP_KDF_CTX *ctx)
+ 
+     if (ctx->kmeth->reset != NULL)
+         ctx->kmeth->reset(ctx->impl);
++    ctx->sli = FIPS_UNSET;
+ }
+ 
+ int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...)
+@@ -161,6 +164,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen)
+     if (ctx == NULL)
+         return 0;
+ 
+-    return ctx->kmeth->derive(ctx->impl, key, keylen);
++    int ret = ctx->kmeth->derive(ctx->impl, key, keylen);
++    if (ctx->kmeth->fips_sli_is_approved(ctx->impl))
++        fips_sli_approve_EVP_KDF_CTX(ctx);
++    else
++        fips_sli_disapprove_EVP_KDF_CTX(ctx);
++
++    return ret;
+ }
+ 
+--- a/crypto/evp/m_sigver.c	
++++ b/crypto/evp/m_sigver.c	
+@@ -105,15 +105,21 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+     if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) {
+         if (!sigret)
+             return pctx->pmeth->signctx(pctx, sigret, siglen, ctx);
+-        if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE)
++        if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) {
+             r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx);
+-        else {
++            if (!fips_sli_is_approved_EVP_PKEY_CTX(pctx))
++                fips_sli_disapprove_EVP_MD_CTX(ctx);
++        } else {
+             EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx);
+             if (!dctx)
+                 return 0;
+             r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx);
++            if (!fips_sli_is_approved_EVP_PKEY_CTX(dctx))
++                fips_sli_disapprove_EVP_MD_CTX(ctx);
+             EVP_PKEY_CTX_free(dctx);
+         }
++        /* stricter than necessary, ctx->digest might be set but unused */
++        fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest);
+         return r;
+     }
+     if (pctx->pmeth->signctx)
+@@ -124,8 +130,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+         unsigned char md[EVP_MAX_MD_SIZE];
+         unsigned int mdlen = 0;
+         if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) {
+-            if (sctx)
++            if (sctx) {
+                 r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx);
++                if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx))
++                    fips_sli_disapprove_EVP_MD_CTX(ctx);
++            }
+             else
+                 r = EVP_DigestFinal_ex(ctx, md, &mdlen);
+         } else {
+@@ -136,16 +145,25 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+                 EVP_MD_CTX_free(tmp_ctx);
+                 return 0;
+             }
+-            if (sctx)
++            if (sctx) {
+                 r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx,
+                                                   sigret, siglen, tmp_ctx);
++                if (!fips_sli_is_approved_EVP_PKEY_CTX(tmp_ctx->pctx))
++                    fips_sli_disapprove_EVP_MD_CTX(ctx);
++            }
+             else
+                 r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen);
+             EVP_MD_CTX_free(tmp_ctx);
+         }
++        /* stricter than necessary, ctx->digest might be set but unused */
++        fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest);
++
+         if (sctx || !r)
+             return r;
+-        if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0)
++        r = EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen);
++        if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx))
++            fips_sli_disapprove_EVP_MD_CTX(ctx);
++        if (r <= 0)
+             return 0;
+     } else {
+         if (sctx) {
+@@ -163,8 +181,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
+                    const unsigned char *tbs, size_t tbslen)
+ {
+-    if (ctx->pctx->pmeth->digestsign != NULL)
++    if (ctx->pctx->pmeth->digestsign != NULL) {
++        /* digestsign is only used for ed25519 and ed448 signatures, so should
++         * be safe to disapprove it completely */
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
+         return ctx->pctx->pmeth->digestsign(ctx, sigret, siglen, tbs, tbslen);
++    }
+     if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0)
+         return 0;
+     return EVP_DigestSignFinal(ctx, sigret, siglen);
+@@ -178,9 +200,14 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+     unsigned int mdlen = 0;
+     int vctx = 0;
+ 
+-    if (ctx->pctx->pmeth->verifyctx)
++    fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx));
++
++    if (ctx->pctx->pmeth->verifyctx) {
+         vctx = 1;
+-    else
++        /* verifyctx seems to be unused by openssl, so should be safe to
++         * disapprove it */
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
++    } else
+         vctx = 0;
+     if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) {
+         if (vctx)
+@@ -204,14 +231,21 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
+     }
+     if (vctx || !r)
+         return r;
+-    return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen);
++    const int res = EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen);
++    if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx))
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
++    return res;
+ }
+ 
+ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
+                      size_t siglen, const unsigned char *tbs, size_t tbslen)
+ {
+-    if (ctx->pctx->pmeth->digestverify != NULL)
++    if (ctx->pctx->pmeth->digestverify != NULL) {
++        /* digestverify is only used for ed25519 and ed448 signatures, so should
++         * be safe to disapprove it completely */
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
+         return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen);
++    }
+     if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0)
+         return -1;
+     return EVP_DigestVerifyFinal(ctx, sigret, siglen);
+--- a/crypto/evp/p5_crpt2.c	
++++ b/crypto/evp/p5_crpt2.c	
+@@ -10,6 +10,7 @@ 
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include "internal/cryptlib.h"
++#include "internal/fips_sli_local.h"
+ #include <openssl/x509.h>
+ #include <openssl/evp.h>
+ #include <openssl/kdf.h>
+@@ -24,13 +25,13 @@ 
+ static void h__dump(const unsigned char *p, int len);
+ #endif
+ 
+-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
++static int PKCS5_PBKDF2_HMAC_internal(const char *pass, int passlen,
+                       const unsigned char *salt, int saltlen, int iter,
+-                      const EVP_MD *digest, int keylen, unsigned char *out)
++                      const EVP_MD *digest, int keylen, unsigned char *out,
++                      EVP_KDF_CTX *kctx)
+ {
+     const char *empty = "";
+     int rv = 1;
+-    EVP_KDF_CTX *kctx;
+ 
+     /* Keep documented behaviour. */
+     if (pass == NULL) {
+@@ -42,9 +43,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
+     if (salt == NULL && saltlen == 0)
+         salt = (unsigned char *)empty;
+ 
+-    kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);
+-    if (kctx == NULL)
+-        return 0;
+     if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1
+             || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT,
+                             salt, (size_t)saltlen) != 1
+@@ -53,8 +51,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
+             || EVP_KDF_derive(kctx, out, keylen) != 1)
+         rv = 0;
+ 
+-    EVP_KDF_CTX_free(kctx);
+-
+ # ifdef OPENSSL_DEBUG_PKCS5V2
+     fprintf(stderr, "Password:\n");
+     h__dump(pass, passlen);
+@@ -67,6 +63,32 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
+     return rv;
+ }
+ 
++int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
++                      const unsigned char *salt, int saltlen, int iter,
++                      const EVP_MD *digest, int keylen, unsigned char *out)
++{
++    EVP_KDF_CTX *kctx;
++     kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);
++    if (kctx == NULL)
++        return 0;
++    int ret = PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen,
++                      const unsigned char *salt, int saltlen, int iter,
++                      const EVP_MD *digest, int keylen, unsigned char *out)
++{
++    EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2);
++    if (kctx == NULL)
++        return 0;
++    PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx);
++    int ret = fips_sli_is_approved_EVP_KDF_CTX(kctx);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
+ int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen,
+                            const unsigned char *salt, int saltlen, int iter,
+                            int keylen, unsigned char *out)
+--- a/crypto/evp/p_open.c	
++++ b/crypto/evp/p_open.c	
+@@ -8,6 +8,7 @@ 
+  */
+ 
+ #include "internal/cryptlib.h"
++#include "internal/fips_sli_local.h"
+ #ifdef OPENSSL_NO_RSA
+ NON_EMPTY_TRANSLATION_UNIT
+ #else
+@@ -47,6 +48,8 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         goto err;
+     }
+ 
++    // EVP_PKEY_decrypt_old always uses RSA dec
++    fips_sli_disapprove_EVP_CIPHER_CTX(ctx);
+     i = EVP_PKEY_decrypt_old(key, ek, ekl, priv);
+     if ((i <= 0) || !EVP_CIPHER_CTX_set_key_length(ctx, i)) {
+         /* ERROR */
+--- a/crypto/evp/p_seal.c	
++++ b/crypto/evp/p_seal.c	
+@@ -9,6 +9,7 @@ 
+ 
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
++#include "internal/fips_sli_local.h"
+ #include <openssl/rand.h>
+ #include <openssl/rsa.h>
+ #include <openssl/evp.h>
+@@ -44,6 +45,8 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
+         ekl[i] =
+             EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx),
+                                  pubk[i]);
++        // EVP_PKEY_encrypt_old always uses RSA encryption
++        fips_sli_disapprove_EVP_CIPHER_CTX(ctx);
+         if (ekl[i] <= 0) {
+             rv = -1;
+             goto err;
+--- a/crypto/evp/p_sign.c	
++++ b/crypto/evp/p_sign.c	
+@@ -23,6 +23,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+     size_t sltmp;
+     EVP_PKEY_CTX *pkctx = NULL;
+ 
++    fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx));
++
+     *siglen = 0;
+     if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) {
+         if (!EVP_DigestFinal_ex(ctx, m, &m_len))
+@@ -37,6 +39,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+         rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx);
+         if (rv)
+             rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len);
++
+         EVP_MD_CTX_free(tmp_ctx);
+         if (!rv)
+             return 0;
+@@ -53,6 +56,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
+         goto err;
+     if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0)
+         goto err;
++    if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx))
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
+     *siglen = sltmp;
+     i = 1;
+  err:
+--- a/crypto/evp/p_verify.c	
++++ b/crypto/evp/p_verify.c	
+@@ -22,6 +22,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+     int i = 0;
+     EVP_PKEY_CTX *pkctx = NULL;
+ 
++    fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx));
++
+     if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) {
+         if (!EVP_DigestFinal_ex(ctx, m, &m_len))
+             goto err;
+@@ -49,6 +51,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
+     if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0)
+         goto err;
+     i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len);
++    if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx))
++        fips_sli_disapprove_EVP_MD_CTX(ctx);
+  err:
+     EVP_PKEY_CTX_free(pkctx);
+     return i;
+--- a/crypto/evp/pkey_kdf.c	
++++ b/crypto/evp/pkey_kdf.c	
+@@ -158,7 +158,10 @@ static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key,
+         if (key == NULL)
+             return 1;
+     }
+-    return EVP_KDF_derive(kctx, key, *keylen);
++    int ret =  EVP_KDF_derive(kctx, key, *keylen);
++    if (!fips_sli_is_approved_EVP_KDF_CTX(kctx))
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++    return ret;
+ }
+ 
+ #ifndef OPENSSL_NO_SCRYPT
+--- a/crypto/evp/pmeth_lib.c	
++++ b/crypto/evp/pmeth_lib.c	
+@@ -162,6 +162,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
+         EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE);
+         return NULL;
+     }
++    ret->sli = FIPS_UNSET;
+     ret->engine = e;
+     ret->pmeth = pmeth;
+     ret->operation = EVP_PKEY_OP_UNDEFINED;
+@@ -299,6 +300,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx)
+     rctx->data = NULL;
+     rctx->app_data = NULL;
+     rctx->operation = pctx->operation;
++    rctx->sli = pctx->sli;
+ 
+     if (pctx->pmeth->copy(rctx, pctx) > 0)
+         return rctx;
+--- a/crypto/fips/build.info	
++++ b/crypto/fips/build.info	
+@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
+         fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+-        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
++        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c
+ 
+ PROGRAMS=\
+           fips_standalone_hmac
+--- a/crypto/fips/fips_sli.c	
++++ b/crypto/fips/fips_sli.c	
+@@ -0,0 +1,371 @@ 
++#include <openssl/dsa.h>
++#include <openssl/ec.h>
++#include <openssl/rsa.h>
++#include "crypto/evp.h"
++#include "../evp/evp_local.h"
++#include "../hmac/hmac_local.h"
++#include "internal/fips_sli_local.h"
++
++/* Main part of the FIPS Service Level Indicator
++ If you want to quickly change its behaviour, you most likely want to start here
++  - beware of some exceptions, though... */
++
++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input) {
++    switch (state) {
++    case FIPS_UNSET:
++        switch (input) {
++        case FIPS_UNSET: /* ignore */
++            return state;
++        case FIPS_APPROVED:
++        case FIPS_NONAPPROVED:
++        case FIPS_ERROR:
++            return input;
++        }
++        break;
++    case FIPS_APPROVED:
++        switch (input) {
++        case FIPS_UNSET: /* ignore */
++        case FIPS_APPROVED:
++            return state;
++        case FIPS_NONAPPROVED:
++        case FIPS_ERROR:
++            return input;
++        }
++        break;
++    case FIPS_NONAPPROVED:
++        return state;
++    case FIPS_ERROR:
++        switch (input) {
++        case FIPS_UNSET: /* ignore */
++        case FIPS_APPROVED:
++        case FIPS_ERROR:
++            return state;
++        case FIPS_NONAPPROVED:
++            return input;
++        }
++    }
++    abort();
++}
++
++fips_sli_define_for(EVP_CIPHER_CTX)
++fips_sli_define_for(EVP_KDF_CTX)
++fips_sli_define_for(EVP_MD_CTX)
++fips_sli_define_for(EVP_PKEY_CTX)
++fips_sli_define_for(HMAC_CTX)
++
++typedef enum curve_usage_e {
++    CURVE_KEYGEN,
++    CURVE_SIGGEN,
++    CURVE_SIGVER,
++    CURVE_DH
++} CURVE_USAGE;
++
++/* Check whether a curve is okay for some type of usage */
++static FIPS_STATUS get_fips_curve_status(const EC_GROUP *group, CURVE_USAGE u) {
++    if (group == NULL) {
++        return FIPS_ERROR;
++    }
++
++    switch (u) {
++    case CURVE_KEYGEN:
++        switch (EC_GROUP_get_curve_name(group)) {
++        /* ACVP-tested curves for keygen: */
++        case NID_secp224r1:
++        /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */
++        case NID_X9_62_prime256v1:
++        case NID_secp384r1:
++        case NID_secp521r1:
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    case CURVE_SIGVER:
++        switch (EC_GROUP_get_curve_name(group)) {
++        case NID_X9_62_prime192v1: /* NIST P-192 */
++        case NID_secp224r1:
++        /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */
++        case NID_X9_62_prime256v1:
++        case NID_secp384r1:
++        case NID_secp521r1:
++        /* nist k curves */
++        case NID_sect233k1:
++        case NID_sect283k1:
++        case NID_sect409k1:
++        case NID_sect571k1:
++        /* nist b curves */
++        case NID_sect233r1:
++        case NID_sect283r1:
++        case NID_sect409r1:
++        case NID_sect571r1:
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    case CURVE_SIGGEN:
++    case CURVE_DH:
++        switch (EC_GROUP_get_curve_name(group)) {
++        /* see crypto/ec/ec_curve.c:2800 */
++        /* nist P curves*/
++        case NID_secp224r1:
++        /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
++        case NID_X9_62_prime256v1:
++        case NID_secp384r1:
++        case NID_secp521r1:
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    }
++    return FIPS_NONAPPROVED;
++}
++
++#define make_fips_sli_check_curve(CTXTYPE, fn, usage) \
++void fips_sli_check_curve_##fn##_##CTXTYPE(CTXTYPE *ctx, const EC_GROUP *group)\
++{ \
++     fips_sli_fsm_##CTXTYPE(ctx, get_fips_curve_status(group, usage)); \
++}
++
++make_fips_sli_check_curve(EVP_MD_CTX, siggen, CURVE_SIGGEN)
++make_fips_sli_check_curve(EVP_MD_CTX, sigver, CURVE_SIGVER)
++/* keygen missing because in this case we need more info than available here*/
++make_fips_sli_check_curve(EVP_PKEY_CTX, siggen, CURVE_SIGGEN)
++make_fips_sli_check_curve(EVP_PKEY_CTX, sigver, CURVE_SIGVER)
++
++typedef enum hash_usage_e {
++    HASH_SIGGEN,
++    HASH_SIGVER,
++    HASH_KDF_SSHKDF,
++    HASH_KDF_PBKDF2,
++    HASH_KDF_TLS,
++    HASH_RNG,
++    HASH_MAC
++} HASH_USAGE;
++
++static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) {
++    if (md == NULL) {
++        return FIPS_ERROR;
++    }
++
++    switch (u) {
++    case HASH_KDF_TLS:
++        switch (EVP_MD_type(md)) {
++        case NID_sha256: /* TLSv1.2 */
++        case NID_sha384:
++        case NID_sha512:
++        case NID_md5_sha1: /* used in TLS v1.0 / v1.1 */
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    case HASH_KDF_PBKDF2:
++    case HASH_KDF_SSHKDF:
++    case HASH_MAC:
++        switch (EVP_MD_type(md)) {
++        case NID_sha1:
++        case NID_sha224:
++        case NID_sha256:
++        case NID_sha384:
++        case NID_sha512:
++        case NID_sha512_224:
++        case NID_sha512_256:
++        case NID_sha3_224:
++        case NID_sha3_256:
++        case NID_sha3_384:
++        case NID_sha3_512:
++        case NID_shake128:
++        case NID_shake256:
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    case HASH_RNG:
++    case HASH_SIGGEN:
++    case HASH_SIGVER:
++        switch (EVP_MD_type(md)) {
++        case NID_sha224:
++        case NID_sha256:
++        case NID_sha384:
++        case NID_sha512:
++        case NID_sha512_224:
++        case NID_sha512_256:
++        case NID_sha3_224:
++        case NID_sha3_256:
++        case NID_sha3_384:
++        case NID_sha3_512:
++        case NID_shake128:
++        case NID_shake256:
++            return FIPS_APPROVED;
++        default:
++            return FIPS_NONAPPROVED;
++        }
++    }
++    return FIPS_ERROR;
++}
++
++#define make_fips_sli_check_hash(CTXTYPE, fn, usage) \
++void fips_sli_check_hash_##fn##_##CTXTYPE(CTXTYPE *ctx, const EVP_MD *md) \
++{ \
++     fips_sli_fsm_##CTXTYPE(ctx, get_fips_hash_status(md, usage)); \
++}
++
++make_fips_sli_check_hash(EVP_MD_CTX, siggen, HASH_SIGGEN)
++make_fips_sli_check_hash(EVP_MD_CTX, sigver, HASH_SIGVER)
++make_fips_sli_check_hash(EVP_PKEY_CTX, siggen, HASH_SIGGEN)
++make_fips_sli_check_hash(EVP_PKEY_CTX, sigver, HASH_SIGVER)
++make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC)
++/* KDF impl is a bit special - avoid changing everything just because of that */
++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md) {
++    return get_fips_hash_status(md, HASH_KDF_SSHKDF);
++}
++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md) {
++    return get_fips_hash_status(md, HASH_KDF_PBKDF2);
++}
++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md) {
++    return get_fips_hash_status(md, HASH_KDF_TLS);
++}
++
++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes) {
++    if (keylen_bytes >= 112/8)
++        return FIPS_APPROVED;
++    else
++        return FIPS_NONAPPROVED;
++}
++
++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
++    fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa);
++}
++
++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
++    if (RSA_bits(rsa) >= 2048)
++        fips_sli_approve_EVP_PKEY_CTX(ctx);
++    else
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
++    const int len_n = RSA_bits(rsa);
++
++    if (1024 <= len_n && len_n < 2048)
++        fips_sli_approve_EVP_PKEY_CTX(ctx); // legacy use
++    else if (2048 <= len_n)
++        fips_sli_approve_EVP_PKEY_CTX(ctx);
++    else
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) {
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) {
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++}
++
++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh) {
++    switch (DH_get_nid(dh)) {
++    /* RFC 3526 */
++    case NID_modp_2048:
++    case NID_modp_3072:
++    case NID_modp_4096:
++    case NID_modp_6144:
++    case NID_modp_8192:
++    /* RFC 7919 */
++    case NID_ffdhe2048:
++    case NID_ffdhe3072:
++    case NID_ffdhe4096:
++    case NID_ffdhe6144:
++    case NID_ffdhe8192:
++        fips_sli_approve_EVP_PKEY_CTX(ctx);
++        break;
++    default:
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++    }
++}
++
++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh) {
++    fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status(EC_KEY_get0_group(ecdh), CURVE_DH));
++}
++
++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher) {
++    fips_sli_fsm_EVP_CIPHER_CTX(ctx, EVP_CIPHER_get_fips_status(cipher));
++}
++
++/** According to FIPS PUB 186-5.
++ * Not really helpful because nist P curves are the only allowed curves for
++ * KeyGen, and have h=1 anyway - but allow for future extensibility */
++static FIPS_STATUS get_fips_keygen_ecdsa_order_status(const EC_KEY *ec) {
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *pwr14, *pwr16, *pwr24, *pwr32;
++    const BIGNUM * cofactor = EC_GROUP_get0_cofactor(EC_KEY_get0_group(ec));
++    const int n = EC_GROUP_order_bits(EC_KEY_get0_group(ec));
++    FIPS_STATUS ret = FIPS_NONAPPROVED;
++
++    if (ctx == NULL) {
++        ret = FIPS_ERROR;
++        goto end;
++    }
++
++    BN_CTX_start(ctx);
++    pwr14 = BN_CTX_get(ctx);
++    pwr16 = BN_CTX_get(ctx);
++    pwr24 = BN_CTX_get(ctx);
++    pwr32 = BN_CTX_get(ctx);
++    if (pwr32 == NULL) {
++        /* Sufficient to check the return value of the last BN_CTX_get() */
++        ret = FIPS_ERROR;
++        goto end;
++    }
++    BN_set_bit(pwr14, 14);
++    BN_set_bit(pwr16, 16);
++    BN_set_bit(pwr24, 24);
++    BN_set_bit(pwr32, 32);
++
++    if (224 < n && n <= 255) {
++        if (BN_cmp(cofactor, pwr14) != 1)
++            ret = FIPS_APPROVED;
++    } else if (256 < n && n <= 383) {
++        if (BN_cmp(cofactor, pwr16) != 1)
++            ret = FIPS_APPROVED;
++
++    } else if (384 < n && n <= 511) {
++        if (BN_cmp(cofactor, pwr24) != 1)
++            ret = FIPS_APPROVED;
++
++    } else if (n >= 512) {
++        if (BN_cmp(cofactor, pwr32) != 1)
++            ret = FIPS_APPROVED;
++    }
++
++end:
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++    return ret;
++}
++
++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx,
++        const EC_KEY *ec) {
++    fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status(
++                                  EC_KEY_get0_group(ec), CURVE_KEYGEN));
++    fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_keygen_ecdsa_order_status(ec));
++}
++
++/* MINOR: refactor for sign/verify, too. See crypto/rsa/rsa_pmeth.c */
++static FIPS_STATUS get_fips_padding_rsa_encdec_status(int pad_mode/*,usg: enc/dec*/) {
++    return FIPS_NONAPPROVED;
++}
++
++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) {
++    fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_padding_rsa_encdec_status(pad_mode));
++}
++
++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) {
++    fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, pad_mode);
++}
+--- a/crypto/hmac/hm_pmeth.c	
++++ b/crypto/hmac/hm_pmeth.c	
+@@ -128,8 +128,11 @@ static int hmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+     if (!sig)
+         return 1;
+ 
+-    if (!HMAC_Final(hctx->ctx, sig, &hlen))
++    if (!HMAC_Final(hctx->ctx, sig, &hlen)) {
++        if (!fips_sli_is_approved_HMAC_CTX(hctx->ctx))
++            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+         return 0;
++    }
+     *siglen = (size_t)hlen;
+     return 1;
+ }
+--- a/crypto/hmac/hmac.c	
++++ b/crypto/hmac/hmac.c	
+@@ -23,6 +23,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+     unsigned char pad[HMAC_MAX_MD_CBLOCK_SIZE];
+     unsigned int keytmp_length;
+     unsigned char keytmp[HMAC_MAX_MD_CBLOCK_SIZE];
++    ctx->sli = FIPS_UNSET;
+ 
+     /* If we are changing MD then we must have a key */
+     if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+@@ -83,9 +84,17 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
+         if (!EVP_DigestInit_ex(ctx->o_ctx, md, impl)
+                 || !EVP_DigestUpdate(ctx->o_ctx, pad, EVP_MD_block_size(md)))
+             goto err;
++        ctx->sli_key_len = len;
+     }
+     if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->i_ctx))
+         goto err;
++    /* On reuse, key/key_len might be NULL. Use cached value. */
++    if (ctx->sli_key_len >= 112/8) {
++        fips_sli_approve_HMAC_CTX(ctx);
++    } else {
++        fips_sli_disapprove_HMAC_CTX(ctx);
++    }
++    fips_sli_check_hash_mac_HMAC_CTX(ctx, md);
+     rv = 1;
+  err:
+     if (reset) {
+@@ -190,6 +199,7 @@ static int hmac_ctx_alloc_mds(HMAC_CTX *ctx)
+ 
+ int HMAC_CTX_reset(HMAC_CTX *ctx)
+ {
++    ctx->sli = FIPS_UNSET;
+     hmac_ctx_cleanup(ctx);
+     if (!hmac_ctx_alloc_mds(ctx)) {
+         hmac_ctx_cleanup(ctx);
+@@ -209,24 +219,22 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
+     if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx))
+         goto err;
+     dctx->md = sctx->md;
++    dctx->sli = sctx->sli;
+     return 1;
+  err:
+     hmac_ctx_cleanup(dctx);
+     return 0;
+ }
+ 
+-unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
++static unsigned char *HMAC_internal(const EVP_MD *evp_md, const void *key, int key_len,
+                     const unsigned char *d, size_t n, unsigned char *md,
+-                    unsigned int *md_len)
++                    unsigned int *md_len, HMAC_CTX *c)
+ {
+-    HMAC_CTX *c = NULL;
+     static unsigned char m[EVP_MAX_MD_SIZE];
+     static const unsigned char dummy_key[1] = {'\0'};
+ 
+     if (md == NULL)
+         md = m;
+-    if ((c = HMAC_CTX_new()) == NULL)
+-        goto err;
+ 
+     /* For HMAC_Init_ex, NULL key signals reuse. */
+     if (key == NULL && key_len == 0) {
+@@ -239,13 +247,40 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+         goto err;
+     if (!HMAC_Final(c, md, md_len))
+         goto err;
+-    HMAC_CTX_free(c);
+     return md;
+  err:
+-    HMAC_CTX_free(c);
+     return NULL;
+ }
+ 
++unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
++                    const unsigned char *d, size_t n, unsigned char *md,
++                    unsigned int *md_len)
++{
++    HMAC_CTX *c = HMAC_CTX_new();
++    unsigned char *ret = NULL;
++    if (c == NULL)
++        goto err;
++    ret = HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c);
++    HMAC_CTX_free(c);
++    err:
++        return ret;
++}
++
++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len,
++                    const unsigned char *d, size_t n, unsigned char *md,
++                    unsigned int *md_len)
++{
++    HMAC_CTX *c = HMAC_CTX_new();
++    int ret = 0;
++    if (c == NULL)
++        goto err;
++    HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c);
++    ret = fips_sli_is_approved_HMAC_CTX(c);
++    HMAC_CTX_free(c);
++    err:
++        return ret;
++}
++
+ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
+ {
+     EVP_MD_CTX_set_flags(ctx->i_ctx, flags);
+--- a/crypto/hmac/hmac_local.h	
++++ b/crypto/hmac/hmac_local.h	
+@@ -10,6 +10,8 @@ 
+ #ifndef OSSL_CRYPTO_HMAC_LOCAL_H
+ # define OSSL_CRYPTO_HMAC_LOCAL_H
+ 
++#include "internal/fips_sli_local.h"
++
+ /* The current largest case is for SHA3-224 */
+ #define HMAC_MAX_MD_CBLOCK_SIZE     144
+ 
+@@ -18,6 +20,8 @@ struct hmac_ctx_st {
+     EVP_MD_CTX *md_ctx;
+     EVP_MD_CTX *i_ctx;
+     EVP_MD_CTX *o_ctx;
++    FIPS_STATUS sli; /* Service Level Indicator */
++    size_t sli_key_len; /* SLI needs to cache keylen in case of context reuse */
+ };
+ 
+ #endif
+--- a/crypto/kdf/hkdf.c	
++++ b/crypto/kdf/hkdf.c	
+@@ -222,6 +222,11 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+     }
+ }
+ 
++static int kdf_hkdf_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) {
++    return 0; /* can't check whether this is only used for DH / TLS1.3 because
++    this is handled by the application. Thus label HKDF as non-approved. */
++}
++
+ const EVP_KDF_METHOD hkdf_kdf_meth = {
+     EVP_KDF_HKDF,
+     kdf_hkdf_new,
+@@ -230,7 +235,8 @@ const EVP_KDF_METHOD hkdf_kdf_meth = {
+     kdf_hkdf_ctrl,
+     kdf_hkdf_ctrl_str,
+     kdf_hkdf_size,
+-    kdf_hkdf_derive
++    kdf_hkdf_derive,
++    kdf_hkdf_fips_sli_is_approved
+ };
+ 
+ static int HKDF(const EVP_MD *evp_md,
+--- a/crypto/kdf/pbkdf2.c	
++++ b/crypto/kdf/pbkdf2.c	
+@@ -31,8 +31,16 @@ struct evp_kdf_impl_st {
+     size_t salt_len;
+     int iter;
+     const EVP_MD *md;
++    FIPS_STATUS sli; /* Service Level Indicator */
+ };
+ 
++static ossl_unused int fips_sli_is_approved_struct_evp_kdf_impl_st(const struct evp_kdf_impl_st *ctx);
++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st)
++
++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) {
++    fips_sli_fsm_struct_evp_kdf_impl_st(ctx, fips_sli_get_hash_status_pbkdf2(ctx->md));
++}
++
+ static EVP_KDF_IMPL *kdf_pbkdf2_new(void)
+ {
+     EVP_KDF_IMPL *impl;
+@@ -64,6 +72,7 @@ static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl)
+ {
+     impl->iter = PKCS5_DEFAULT_ITER;
+     impl->md = EVP_sha1();
++    impl->sli = FIPS_UNSET;
+ }
+ 
+ static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen,
+@@ -175,6 +184,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+         return 0;
+     }
+ 
++    fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
++
+     return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
+                             impl->salt, impl->salt_len, impl->iter,
+                             impl->md, key, keylen);
+@@ -188,7 +199,8 @@ const EVP_KDF_METHOD pbkdf2_kdf_meth = {
+     kdf_pbkdf2_ctrl,
+     kdf_pbkdf2_ctrl_str,
+     NULL,
+-    kdf_pbkdf2_derive
++    kdf_pbkdf2_derive,
++    fips_sli_is_approved_struct_evp_kdf_impl_st
+ };
+ 
+ /*
+--- a/crypto/kdf/scrypt.c	
++++ b/crypto/kdf/scrypt.c	
+@@ -267,6 +267,10 @@ static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+                       impl->maxmem_bytes, key, keylen);
+ }
+ 
++static int kdf_scrypt_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) {
++    return 0; /* not FIPS-approved */
++}
++
+ const EVP_KDF_METHOD scrypt_kdf_meth = {
+     EVP_KDF_SCRYPT,
+     kdf_scrypt_new,
+@@ -275,7 +279,8 @@ const EVP_KDF_METHOD scrypt_kdf_meth = {
+     kdf_scrypt_ctrl,
+     kdf_scrypt_ctrl_str,
+     NULL,
+-    kdf_scrypt_derive
++    kdf_scrypt_derive,
++    kdf_scrypt_fips_sli_is_approved
+ };
+ 
+ #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
+--- a/crypto/kdf/sshkdf.c	
++++ b/crypto/kdf/sshkdf.c	
+@@ -34,8 +34,19 @@ struct evp_kdf_impl_st {
+     char type; /* X */
+     unsigned char *session_id;
+     size_t session_id_len;
++    FIPS_STATUS sli; /* Service Level Indicator */
+ };
+ 
++
++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st)
++
++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) {
++    fips_sli_fsm_struct_evp_kdf_impl_st(ctx,
++                                        fips_sli_get_hash_status_sshkdf(ctx->md));
++    fips_sli_fsm_struct_evp_kdf_impl_st(ctx,
++                                        fips_sli_get_kdf_keylen_status(ctx->key_len));
++}
++
+ static EVP_KDF_IMPL *kdf_sshkdf_new(void)
+ {
+     EVP_KDF_IMPL *impl;
+@@ -196,6 +207,7 @@ static int kdf_sshkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+         KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE);
+         return 0;
+     }
++    fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
+     return SSHKDF(impl->md, impl->key, impl->key_len,
+                   impl->xcghash, impl->xcghash_len,
+                   impl->session_id, impl->session_id_len,
+@@ -211,6 +223,7 @@ const EVP_KDF_METHOD sshkdf_kdf_meth = {
+     kdf_sshkdf_ctrl_str,
+     kdf_sshkdf_size,
+     kdf_sshkdf_derive,
++    fips_sli_is_approved_struct_evp_kdf_impl_st
+ };
+ 
+ static int SSHKDF(const EVP_MD *evp_md,
+--- a/crypto/kdf/tls1_prf.c	
++++ b/crypto/kdf/tls1_prf.c	
+@@ -35,8 +35,16 @@ struct evp_kdf_impl_st {
+     /* Buffer of concatenated seed data */
+     unsigned char seed[TLS1_PRF_MAXBUF];
+     size_t seedlen;
++    FIPS_STATUS sli; /* Service Level Indicator */
+ };
+ 
++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st)
++
++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) {
++    fips_sli_fsm_struct_evp_kdf_impl_st(ctx,
++                                        fips_sli_get_hash_status_kdf_tls1_prf(ctx->md));
++}
++
+ static EVP_KDF_IMPL *kdf_tls1_prf_new(void)
+ {
+     EVP_KDF_IMPL *impl;
+@@ -152,6 +160,7 @@ static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key,
+         KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED);
+         return 0;
+     }
++    fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
+     return tls1_prf_alg(impl->md, impl->sec, impl->seclen,
+                         impl->seed, impl->seedlen,
+                         key, keylen);
+@@ -165,7 +174,8 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = {
+     kdf_tls1_prf_ctrl,
+     kdf_tls1_prf_ctrl_str,
+     NULL,
+-    kdf_tls1_prf_derive
++    kdf_tls1_prf_derive,
++    fips_sli_is_approved_struct_evp_kdf_impl_st
+ };
+ 
+ static int tls1_prf_P_hash(const EVP_MD *md,
+--- a/crypto/poly1305/poly1305_pmeth.c	
++++ b/crypto/poly1305/poly1305_pmeth.c	
+@@ -108,8 +108,10 @@ static int poly1305_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *sigle
+     POLY1305_PKEY_CTX *pctx = ctx->data;
+ 
+     *siglen = POLY1305_DIGEST_SIZE;
+-    if (sig != NULL)
++    if (sig != NULL) {
+         Poly1305_Final(&pctx->ctx, sig);
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx); // Poly1305 isn't an approved MAC
++    }
+     return 1;
+ }
+ 
+--- a/crypto/rand/rand_lib.c	
++++ b/crypto/rand/rand_lib.c	
+@@ -936,6 +936,13 @@ int RAND_priv_bytes(unsigned char *buf, int num)
+     return 0;
+ }
+ 
++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num) {
++    const RAND_METHOD *meth = RAND_get_rand_method();
++    if (meth != NULL && meth != RAND_OpenSSL())
++        return 0;
++    return 1;
++}
++
+ int RAND_bytes(unsigned char *buf, int num)
+ {
+     const RAND_METHOD *meth = RAND_get_rand_method();
+@@ -946,6 +953,11 @@ int RAND_bytes(unsigned char *buf, int num)
+     return -1;
+ }
+ 
++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num) {
++    const RAND_METHOD *meth = RAND_get_rand_method();
++    return meth == RAND_OpenSSL();
++}
++
+ #if OPENSSL_API_COMPAT < 0x10100000L
+ int RAND_pseudo_bytes(unsigned char *buf, int num)
+ {
+--- a/crypto/rsa/rsa_pmeth.c	
++++ b/crypto/rsa/rsa_pmeth.c	
+@@ -129,6 +129,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
+     RSA_PKEY_CTX *rctx = ctx->data;
+     RSA *rsa = ctx->pkey->pkey.rsa;
+ 
++    fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa);
+     if (rctx->md) {
+         if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
+             RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH);
+@@ -139,6 +140,8 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
+             unsigned int sltmp;
+             if (rctx->pad_mode != RSA_PKCS1_PADDING)
+                 return -1;
++            /* PKCS1-v1.5 padding is disallowed after 2023 */
++            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+             ret = RSA_sign_ASN1_OCTET_STRING(0,
+                                              tbs, tbslen, sig, &sltmp, rsa);
+ 
+@@ -154,11 +157,30 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
+                 RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE);
+                 return -1;
+             }
++            /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */
++            /* ANSI X9.31 */
++            switch (EVP_MD_type(rctx->md)) {
++            case NID_sha256:
++            case NID_sha384:
++            case NID_sha512:
++            case NID_sha3_224:
++            case NID_sha3_256:
++            case NID_sha3_384:
++            case NID_sha3_512:
++            case NID_shake128:
++            case NID_shake256:
++                fips_sli_approve_EVP_PKEY_CTX(ctx);
++                break;
++            default:
++                fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++            }
+             memcpy(rctx->tbuf, tbs, tbslen);
+             rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md));
+             ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
+                                       sig, rsa, RSA_X931_PADDING);
+         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
++            /*  PKCS1-v1.5 padding is disallowed after 2023  */
++            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+             unsigned int sltmp;
+             ret = RSA_sign(EVP_MD_type(rctx->md),
+                            tbs, tbslen, sig, &sltmp, rsa);
+@@ -173,12 +195,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
+                                                 rctx->md, rctx->mgf1md,
+                                                 rctx->saltlen))
+                 return -1;
++            fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md);
+             ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf,
+                                       sig, rsa, RSA_NO_PADDING);
+         } else {
+             return -1;
+         }
+     } else {
++        fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */
+         ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa,
+                                   rctx->pad_mode);
+     }
+@@ -199,6 +223,23 @@ static int pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx,
+         if (rctx->pad_mode == RSA_X931_PADDING) {
+             if (!setup_tbuf(rctx, ctx))
+                 return -1;
++            /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */
++            /* ANSI X9.31 */
++            switch (EVP_MD_type(rctx->md)) {
++            case NID_sha256:
++            case NID_sha384:
++            case NID_sha512:
++            case NID_sha3_224:
++            case NID_sha3_256:
++            case NID_sha3_384:
++            case NID_sha3_512:
++            case NID_shake128:
++            case NID_shake256:
++                fips_sli_approve_EVP_PKEY_CTX(ctx);
++                break;
++            default:
++                fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++            }
+             ret = RSA_public_decrypt(siglen, sig,
+                                      rctx->tbuf, ctx->pkey->pkey.rsa,
+                                      RSA_X931_PADDING);
+@@ -245,11 +286,15 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
+     RSA_PKEY_CTX *rctx = ctx->data;
+     RSA *rsa = ctx->pkey->pkey.rsa;
+     size_t rslen;
++    fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(ctx, rsa);
+ 
+     if (rctx->md) {
+-        if (rctx->pad_mode == RSA_PKCS1_PADDING)
++        if (rctx->pad_mode == RSA_PKCS1_PADDING) {
++            /* PKCS1-v1.5 padding is disallowed after 2023 */
++            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+             return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+                               sig, siglen, rsa);
++        }
+         if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
+             RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
+             return -1;
+@@ -270,6 +315,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
+                                             rctx->tbuf, rctx->saltlen);
+             if (ret <= 0)
+                 return 0;
++            fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md);
+             return 1;
+         } else {
+             return -1;
+@@ -277,6 +323,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
+     } else {
+         if (!setup_tbuf(rctx, ctx))
+             return -1;
++        fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */
+         rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf,
+                                    rsa, rctx->pad_mode);
+         if (rslen == 0)
+@@ -313,6 +360,8 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
+         ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+                                  rctx->pad_mode);
+     }
++    fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, rctx->pad_mode);
++    fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa);
+     if (ret < 0)
+         return ret;
+     *outlen = ret;
+@@ -342,6 +391,8 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
+         ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+                                   rctx->pad_mode);
+     }
++    fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(ctx, rctx->pad_mode);
++    fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa);
+     *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
+     ret = constant_time_select_int(constant_time_msb(ret), ret, 1);
+     return ret;
+@@ -747,9 +798,13 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
+         RSA_free(rsa);
+         return 0;
+     }
+-    if (ret > 0)
++    if (rctx->primes != 2)
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
++
++    if (ret > 0) {
++        fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(ctx, rsa);
+         EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa);
+-    else
++    } else
+         RSA_free(rsa);
+     return ret;
+ }
+--- a/crypto/sha/sha1_one.c	
++++ b/crypto/sha/sha1_one.c	
+@@ -26,3 +26,8 @@ unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
+     OPENSSL_cleanse(&c, sizeof(c));
+     return md;
+ }
++
++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md) {
++    /* Only approved depending on usage context, so default to false */
++    return 0;
++}
+--- a/crypto/siphash/siphash_pmeth.c	
++++ b/crypto/siphash/siphash_pmeth.c	
+@@ -109,8 +109,10 @@ static int siphash_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen
+     SIPHASH_PKEY_CTX *pctx = ctx->data;
+ 
+     *siglen = SipHash_hash_size(&pctx->ctx);
+-    if (sig != NULL)
++    if (sig != NULL) {
++        fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+         return SipHash_Final(&pctx->ctx, sig, *siglen);
++    }
+     return 1;
+ }
+ 
+--- a/crypto/sm2/sm2_pmeth.c	
++++ b/crypto/sm2/sm2_pmeth.c	
+@@ -107,6 +107,7 @@ static int pkey_sm2_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen,
+         return 0;
+     }
+ 
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec);
+ 
+     if (ret <= 0)
+@@ -120,7 +121,7 @@ static int pkey_sm2_verify(EVP_PKEY_CTX *ctx,
+                            const unsigned char *tbs, size_t tbslen)
+ {
+     EC_KEY *ec = ctx->pkey->pkey.ec;
+-
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     return sm2_verify(tbs, tbslen, sig, siglen, ec);
+ }
+ 
+@@ -139,6 +140,7 @@ static int pkey_sm2_encrypt(EVP_PKEY_CTX *ctx,
+             return 1;
+     }
+ 
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     return sm2_encrypt(ec, md, in, inlen, out, outlen);
+ }
+ 
+@@ -157,6 +159,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX *ctx,
+             return 1;
+     }
+ 
++    fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+     return sm2_decrypt(ec, md, in, inlen, out, outlen);
+ }
+ 
+--- a/doc/man3/FIPS_service_level_indicator.pod	
++++ b/doc/man3/FIPS_service_level_indicator.pod	
+@@ -0,0 +1,110 @@ 
++=pod
++
++=head1 NAME
++
++C<int fips_sli_is_approved_*_CTX> - get status of the FIPS Service Level Indicator (SLI) for context operations
++
++C<int fips_sli_*_is_approved> - get status of the FIPS SLI for standalone operations
++
++=head1 SYNOPSIS
++
++ #include <openssl/fips_sli.h>
++
++ int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx);
++
++ int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx);
++
++ int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx);
++
++ int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx);
++
++ int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx);
++
++ int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx);
++
++ int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md);
++
++ int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len,
++                     const unsigned char *d, size_t n, unsigned char *md,
++                     unsigned int *md_len);
++
++ int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen,
++                       const unsigned char *salt, int saltlen, int iter,
++                       const EVP_MD *digest, int keylen, unsigned char *out);
++
++ int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num);
++
++ int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num);
++
++=head1 DESCRIPTION
++
++The service level indicator has two different usage scenarios.
++
++=over 1
++
++=item C<int fips_sli_is_approved_*_CTX(...)>
++
++Most operations happen on some form of a context, which also holds the SLI.
++This function returns whether the FIPS SLI indicates an approved operation or not.
++
++After a disapproved operation is encountered, the SLI will continue to indicate this disapproved state. The SLI can only
++be reset by the various existing resetting functions such as C<EVP_MD_CTX_reset(EVP_MD_CTX *ctx)> or reinitializing the
++context, e.g. via L<EVP_DigestInit(3)>.
++
++=item C<int fips_sli_*_is_approved(...)>
++
++Operations without a context (standalone functions) have a separate SLI with the name fips_sli_FNNAME_is_approved().
++These indicator functions take the same parameters as their corresponding operation
++and may modify them just like their corresponding function might do.
++
++In order to check the SLI status of an operation C<FNNAME()>, the function
++C<fips_sli_FNNAME_is_approved()> must be called with the same set of parameters as C<FNNAME()>.
++Note that applications must check the return value of C<FNNAME()> according to its documentation B<as well as> the return value of the SLI (see below for L</RETURN VALUES>).
++Both are orthogonal: the former reports about success and failure of C<FNNAME()>, and the latter whether a disapproved operation happened or not.
++Well-behaving applications check for both.
++
++The following explicit indicators exist:
++
++C<int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md);>
++
++C<int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, size_t n, unsigned char *md, unsigned int *md_len);>
++
++C<int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, const unsigned char *salt, int saltlen, int iter, const EVP_MD *digest, int keylen, unsigned char *out);>
++
++C<int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num);>
++
++C<int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num);>
++
++=back
++
++=head1 Notes on the RNG
++
++OpenSSL 1.1.1l implements a CTR DRBG with AES 128/192/256 (defaults to AES-256).
++See L<RAND_bytes(3)>/RAND_priv_bytes().
++
++Swapping out OPENSSL's RNG implementation (e.g. via L<RAND_set_rand_method(3)>) is NOT allowed.
++
++=head1 RETURN VALUES
++
++C<fips_sli_is_approved_*_CTX()> returns 0 if the previous operation(s) was unapproved or B<ctx> was B<NULL>, and returns 1
++if the previous operation(s) were approved (or rather, no non-approved operations happened).
++
++C<fips_sli_*_is_approved()> returns 0 if an operation with a given set of parameters was unapproved, and returns 1
++if the operation is approved with the given set of parameters.
++
++These functions can be invoked at any time.
++
++=head1 HISTORY
++
++The FIPS SLI was added in OpenSSL 1.1.1.l.
++
++=head1 COPYRIGHT
++
++Copyright 2022
++
++Licensed under the OpenSSL license (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+--- a/include/crypto/evp.h	
++++ b/include/crypto/evp.h	
+@@ -9,6 +9,7 @@ 
+ 
+ #include <openssl/evp.h>
+ #include "internal/refcount.h"
++#include "internal/fips_sli_local.h"
+ 
+ /*
+  * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag
+@@ -36,6 +37,7 @@ struct evp_pkey_ctx_st {
+     /* implementation specific keygen data */
+     int *keygen_info;
+     int keygen_info_count;
++    FIPS_STATUS sli; /* Service Level Indicator */
+ } /* EVP_PKEY_CTX */ ;
+ 
+ #define EVP_PKEY_FLAG_DYNAMIC   1
+@@ -123,6 +125,9 @@ typedef struct {
+     int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
+     size_t (*size) (EVP_KDF_IMPL *impl);
+     int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
++    /* KDFs are handled differently by the SLI because the EVP_KDF_IMPL, which
++     holds the required information, is defined implementation-dependent */
++    int (*fips_sli_is_approved) (const EVP_KDF_IMPL *impl);
+ } EVP_KDF_METHOD;
+ 
+ extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
+--- a/include/crypto/fipserr.h	
++++ b/include/crypto/fipserr.h	
+@@ -0,0 +1,121 @@ 
++/*
++ * Generated by util/mkerr.pl DO NOT EDIT
++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef HEADER_FIPSERR_H
++# define HEADER_FIPSERR_H
++
++# include <openssl/symhacks.h>
++
++# ifdef  __cplusplus
++extern "C"
++# endif
++int ERR_load_FIPS_strings(void);
++
++/*
++ * FIPS function codes.
++ */
++# define FIPS_F_DRBG_RESEED                               100
++# define FIPS_F_DSA_BUILTIN_PARAMGEN2                     101
++# define FIPS_F_DSA_DO_SIGN                               102
++# define FIPS_F_DSA_DO_VERIFY                             103
++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG                     104
++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG                   105
++# define FIPS_F_EVP_CIPHERINIT_EX                         106
++# define FIPS_F_EVP_CIPHER_CTX_NEW                        107
++# define FIPS_F_EVP_CIPHER_CTX_RESET                      108
++# define FIPS_F_EVP_DIGESTINIT_EX                         109
++# define FIPS_F_FIPS_CHECK_DSA                            110
++# define FIPS_F_FIPS_CHECK_EC                             111
++# define FIPS_F_FIPS_CHECK_RSA                            112
++# define FIPS_F_FIPS_DRBG_BYTES                           113
++# define FIPS_F_FIPS_DRBG_CHECK                           114
++# define FIPS_F_FIPS_DRBG_ERROR_CHECK                     115
++# define FIPS_F_FIPS_DRBG_GENERATE                        116
++# define FIPS_F_FIPS_DRBG_INIT                            117
++# define FIPS_F_FIPS_DRBG_INSTANTIATE                     118
++# define FIPS_F_FIPS_DRBG_NEW                             119
++# define FIPS_F_FIPS_DRBG_SINGLE_KAT                      120
++# define FIPS_F_FIPS_GET_ENTROPY                          121
++# define FIPS_F_FIPS_MODULE_MODE_SET                      122
++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST                  123
++# define FIPS_F_FIPS_RAND_BYTES                           124
++# define FIPS_F_FIPS_RAND_SEED                            125
++# define FIPS_F_FIPS_RAND_SET_METHOD                      126
++# define FIPS_F_FIPS_RAND_STATUS                          127
++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN                   128
++# define FIPS_F_FIPS_SELFTEST_AES                         129
++# define FIPS_F_FIPS_SELFTEST_AES_CCM                     130
++# define FIPS_F_FIPS_SELFTEST_AES_GCM                     131
++# define FIPS_F_FIPS_SELFTEST_AES_XTS                     132
++# define FIPS_F_FIPS_SELFTEST_CMAC                        133
++# define FIPS_F_FIPS_SELFTEST_DES                         134
++# define FIPS_F_FIPS_SELFTEST_ECDSA                       135
++# define FIPS_F_FIPS_SELFTEST_HKDF                        136
++# define FIPS_F_FIPS_SELFTEST_HMAC                        137
++# define FIPS_F_FIPS_SELFTEST_PBKDF2                      138
++# define FIPS_F_FIPS_SELFTEST_SHA1                        139
++# define FIPS_F_FIPS_SELFTEST_SHA2                        140
++# define FIPS_F_FIPS_SELFTEST_SHA3                        141
++# define FIPS_F_FIPS_SELFTEST_SSH                         142
++# define FIPS_F_FIPS_SELFTEST_TLS                         143
++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY                     144
++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT                  145
++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT                  146
++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT                   147
++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT                   148
++
++/*
++ * FIPS reason codes.
++ */
++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED         100
++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG                 101
++# define FIPS_R_ALREADY_INSTANTIATED                      102
++# define FIPS_R_DRBG_NOT_INITIALISED                      103
++# define FIPS_R_ENTROPY_ERROR_UNDETECTED                  104
++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED          105
++# define FIPS_R_ENTROPY_SOURCE_STUCK                      106
++# define FIPS_R_ERROR_INITIALISING_DRBG                   107
++# define FIPS_R_ERROR_INSTANTIATING_DRBG                  108
++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT         109
++# define FIPS_R_ERROR_RETRIEVING_ENTROPY                  110
++# define FIPS_R_ERROR_RETRIEVING_NONCE                    111
++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH                112
++# define FIPS_R_FIPS_MODE_ALREADY_SET                     113
++# define FIPS_R_FIPS_SELFTEST_FAILED                      114
++# define FIPS_R_FUNCTION_ERROR                            115
++# define FIPS_R_GENERATE_ERROR                            116
++# define FIPS_R_GENERATE_ERROR_UNDETECTED                 117
++# define FIPS_R_INSTANTIATE_ERROR                         118
++# define FIPS_R_INVALID_KEY_LENGTH                        119
++# define FIPS_R_IN_ERROR_STATE                            120
++# define FIPS_R_KEY_TOO_SHORT                             121
++# define FIPS_R_NONCE_ERROR_UNDETECTED                    122
++# define FIPS_R_NON_FIPS_METHOD                           123
++# define FIPS_R_NOPR_TEST1_FAILURE                        124
++# define FIPS_R_NOPR_TEST2_FAILURE                        125
++# define FIPS_R_NOT_INSTANTIATED                          126
++# define FIPS_R_PAIRWISE_TEST_FAILED                      127
++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED          128
++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG           129
++# define FIPS_R_PR_TEST1_FAILURE                          130
++# define FIPS_R_PR_TEST2_FAILURE                          131
++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED           132
++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG                133
++# define FIPS_R_RESEED_COUNTER_ERROR                      134
++# define FIPS_R_RESEED_ERROR                              135
++# define FIPS_R_SELFTEST_FAILED                           136
++# define FIPS_R_SELFTEST_FAILURE                          137
++# define FIPS_R_TEST_FAILURE                              138
++# define FIPS_R_UNINSTANTIATE_ERROR                       139
++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR               140
++# define FIPS_R_UNSUPPORTED_DRBG_TYPE                     141
++# define FIPS_R_UNSUPPORTED_PLATFORM                      142
++
++#endif
+--- a/include/internal/fips_sli_local.h	
++++ b/include/internal/fips_sli_local.h	
+@@ -0,0 +1,96 @@ 
++#ifndef FIPS_SLI_LOCAL_H_INCLUDED
++#define FIPS_SLI_LOCAL_H_INCLUDED
++
++#include <openssl/cmac.h>
++#include <openssl/ec.h>
++#include <openssl/fips_sli.h>
++
++/* status for SLI */
++typedef enum fips_status_e {
++    FIPS_UNSET,
++    FIPS_APPROVED,
++    FIPS_NONAPPROVED,
++    FIPS_ERROR,
++} FIPS_STATUS;
++
++
++void fips_sli_approve_EVP_KDF_CTX(EVP_KDF_CTX *ctx);
++void fips_sli_approve_EVP_MD_CTX(EVP_MD_CTX *ctx);
++void fips_sli_approve_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx);
++void fips_sli_approve_HMAC_CTX(HMAC_CTX *ctx);
++
++/* Unused:
++ * void fips_sli_approve_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx);
++ */
++void fips_sli_disapprove_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx);
++void fips_sli_disapprove_EVP_KDF_CTX(EVP_KDF_CTX *ctx);
++void fips_sli_disapprove_EVP_MD_CTX(EVP_MD_CTX *ctx);
++void fips_sli_disapprove_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx);
++void fips_sli_disapprove_HMAC_CTX(HMAC_CTX *ctx);
++
++//void fips_sli_error_EVP_KDF_CTX(EVP_KDF_CTX *ctx); /* unused */
++//void fips_sli_error_HMAC_CTX(HMAC_CTX *ctx);
++//void fips_sli_error_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx);
++void fips_sli_error_EVP_MD_CTX(EVP_MD_CTX *ctx);
++void fips_sli_error_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx);
++
++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input);
++
++#define fips_sli_define_basic_for(LNKG, FNNAME, CTXTYPE) \
++static void fips_sli_fsm_##FNNAME(CTXTYPE *ctx, FIPS_STATUS input) {  \
++    if (ctx == NULL)                                                  \
++        return;                                                       \
++    ctx->sli = fips_sli_fsm_transition(ctx->sli, input);              \
++}                                                                     \
++LNKG int fips_sli_is_approved_##FNNAME(const CTXTYPE *ctx) {          \
++    if (ctx == NULL)                                                  \
++        return 0;                                                     \
++    return (ctx->sli == FIPS_UNSET) || (ctx->sli == FIPS_APPROVED);   \
++}
++
++#define fips_sli_define_for(CTXTYPE)                   \
++fips_sli_define_basic_for(, CTXTYPE, CTXTYPE)          \
++void fips_sli_approve_##CTXTYPE(CTXTYPE *ctx) {        \
++    fips_sli_fsm_##CTXTYPE(ctx, FIPS_APPROVED);        \
++}                                                      \
++void fips_sli_disapprove_##CTXTYPE(CTXTYPE *ctx) {     \
++    fips_sli_fsm_##CTXTYPE(ctx, FIPS_NONAPPROVED);     \
++}                                                      \
++void fips_sli_error_##CTXTYPE(CTXTYPE *ctx) {          \
++    fips_sli_fsm_##CTXTYPE(ctx, FIPS_ERROR);           \
++}
++
++void fips_sli_check_hash_siggen_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
++void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md);
++void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md);
++void fips_sli_check_hash_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md);
++void fips_sli_check_hash_mac_HMAC_CTX(HMAC_CTX * ctx, const EVP_MD * md);
++
++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md);
++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md);
++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md);
++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes);
++
++/* Check if used curve is okay for and in this context */
++void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group);
++void fips_sli_check_curve_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group);
++
++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ec);
++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa);
++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa);
++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa);
++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa);
++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa);
++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa);
++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa);
++
++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh);
++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh);
++
++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode);
++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode);
++
++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher);
++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher);
++
++#endif /* FIPS_SLI_LOCAL_H_INCLUDED */
+--- a/include/openssl/fips_sli.h	
++++ b/include/openssl/fips_sli.h	
+@@ -0,0 +1,32 @@ 
++#ifndef FIPS_SLI_H_INCLUDED
++#define FIPS_SLI_H_INCLUDED
++
++#include <openssl/evp.h>
++#include <openssl/cmac.h>
++# ifdef  __cplusplus
++extern "C" {
++# endif
++
++/* Interface for consumers to check if their usage of the services offered by 
++ * this ctx was approved */
++int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx);
++int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx);
++int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx);
++int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx);
++int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx);
++int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx);
++
++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md);
++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len,
++                    const unsigned char *d, size_t n, unsigned char *md,
++                    unsigned int *md_len);
++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen,
++                      const unsigned char *salt, int saltlen, int iter,
++                      const EVP_MD *digest, int keylen, unsigned char *out);
++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num);
++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num);
++
++#  ifdef  __cplusplus
++}
++#  endif
++#endif // FIPS_SLI_H_INCLUDED
+--- a/test/build.info	
++++ b/test/build.info	
+@@ -52,7 +52,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
+           recordlentest drbgtest drbg_cavs_test sslbuffertest \
+           time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \
+           servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \
+-          sysdefaulttest errtest ssl_ctx_test gosttest
++          sysdefaulttest errtest ssl_ctx_test gosttest fips_slitest
+ 
+   SOURCE[versions]=versions.c
+   INCLUDE[versions]=../include
+@@ -573,6 +573,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN
+   INCLUDE[gosttest]=../include ..
+   DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a
+ 
++  SOURCE[fips_slitest]=fips_slitest.c fips_slitest_helper.c
++  INCLUDE[fips_slitest]=../include
++  DEPEND[fips_slitest]=../libcrypto libtestutil.a
++
+   SOURCE[ssl_ctx_test]=ssl_ctx_test.c
+   INCLUDE[ssl_ctx_test]=../include
+   DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a
+--- a/test/fips_slitest.c	
++++ b/test/fips_slitest.c	
+@@ -0,0 +1,659 @@ 
++#include <openssl/evp.h>
++#include <openssl/fips_sli.h>
++#include <openssl/kdf.h>
++#include <openssl/opensslconf.h> /* To see if OPENSSL_NO_EC is defined */
++#ifndef OPENSSL_NO_EC
++# include <openssl/ec.h>
++#endif
++#ifndef OPENSSL_NO_RSA
++# include <openssl/rsa.h>
++#endif
++#include <openssl/rand.h>
++
++#include "testutil.h"
++#include "fips_slitest_helper.h"
++
++static int test_sli_noop(void) {
++    int res = 0; /* 0 means test failure    */
++    EVP_MD_CTX* ctx = NULL;
++    if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
++        goto end;
++    if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx)))
++        goto end;
++    if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(NULL)))
++        goto end;
++    res = 1; /* test case successful */
++end:
++    EVP_MD_CTX_free(ctx);
++    return res;
++}
++
++static int cmac_aes_cbc(void) {
++    int success = 0;
++    CMAC_CTX *ctx = NULL;
++    size_t maclen = 0;
++
++    if (!TEST_ptr(ctx = CMAC_CTX_new()))
++        return 0;
++    if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_aes_128_cbc(), NULL))
++            || !TEST_true(CMAC_Final(ctx, NULL, &maclen))
++       ) {
++        CMAC_CTX_free(ctx);
++        return 0;
++    }
++
++    uint8_t mac[maclen];
++
++    if (!TEST_true(maclen > 0)
++            || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16))
++            || !TEST_true(CMAC_Final(ctx, mac, &maclen))
++            || !TEST_true(fips_sli_is_approved_CMAC_CTX(ctx))
++       )
++        goto end;
++    success = 1;
++end:
++    CMAC_CTX_free(ctx);
++    return success;
++}
++
++static int cmac_no_des(void) {
++    int success = 0;
++    CMAC_CTX *ctx = NULL;
++    size_t maclen = 0;
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        TEST_note("Skipping test because DES is disabled in FIPS mode");
++        return 1;
++    }
++#endif
++
++    if (!TEST_ptr(ctx = CMAC_CTX_new()))
++        return 0;
++    if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_des_ede_cbc(), NULL))
++            || !TEST_true(CMAC_Final(ctx, NULL, &maclen))
++       ) {
++        CMAC_CTX_free(ctx);
++        return 0;
++    }
++
++    uint8_t mac[maclen];
++
++    if (!TEST_true(maclen > 0)
++            || !TEST_int_eq(16, EVP_CIPHER_key_length(EVP_des_ede_cbc()))
++            || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16))
++            || !TEST_true(CMAC_Final(ctx, mac, &maclen))
++            || !TEST_false(fips_sli_is_approved_CMAC_CTX(ctx))
++       )
++        goto end;
++    success = 1;
++end:
++    CMAC_CTX_free(ctx);
++    return success;
++}
++
++typedef struct {
++    int fips_approved;
++    int cipher_nid;
++} SLI_CMAC_TEST;
++
++static const SLI_CMAC_TEST cmac_tests[] = {
++    // Cipher must fit to key length of 32 B
++    {1, NID_aes_256_cbc},
++    {0, NID_camellia_256_cbc},
++};
++static const size_t cmac_tests_len = sizeof(cmac_tests) / sizeof(cmac_tests[0]);
++
++static int cmac_via_md_ctx(int cmac_test_index) {
++    int success = 0;
++    EVP_MD_CTX *ctx = NULL;
++    const EVP_MD* md = NULL;
++    unsigned char* mac = NULL;
++    size_t maclen = 0;
++
++    EVP_PKEY *key = NULL;
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()
++            && cmac_tests[cmac_test_index].cipher_nid == NID_camellia_256_cbc) {
++        TEST_note("Skipping test because Camellia is disabled in FIPS mode");
++        success = 1;
++        goto end;
++    }
++#endif
++
++    if (!TEST_true(get_cmac_key(cmac_tests[cmac_test_index].cipher_nid,
++                                &key) == 1))
++        goto end;
++    if (!TEST_ptr(ctx = EVP_MD_CTX_new()))
++        goto end;
++    // hash doesn't matter here but must be present...
++    if (!TEST_true(EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)))
++        goto end;
++    if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, key)))
++        goto end;
++    if (!TEST_true(EVP_DigestSignUpdate(ctx, get_msg_16(), 16)))
++        goto end;
++    size_t req = 0;
++    if (!TEST_true(EVP_DigestSignFinal(ctx, NULL, &req)))
++        goto end;
++    if (!TEST_true(req > 0))
++        goto end;
++    if (!TEST_ptr(mac = OPENSSL_malloc(req)))
++        goto end;
++    maclen = req;
++    if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen)))
++        goto end;
++    if (cmac_tests[cmac_test_index].fips_approved) {
++        if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx)))
++            goto end;
++    } else {
++        if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(ctx)))
++            goto end;
++    }
++
++    success = 1;
++end:
++    if (mac)
++        OPENSSL_free(mac);
++    EVP_MD_CTX_free(ctx);
++    return success;
++}
++
++#ifndef OPENSSL_NO_EC
++typedef struct {
++    int fips_approved;
++    int curve_nid;
++} SLI_ECDSA_TEST;
++
++static const SLI_ECDSA_TEST ecdsa_tests[] = {
++    {0, NID_secp112r2},
++    {1, NID_secp521r1},
++#ifndef OPENSSL_NO_EC2M
++    {0, NID_sect163r1},
++#endif
++    {0, NID_brainpoolP512r1},
++};
++static const size_t ecdsa_tests_len = sizeof(ecdsa_tests) / sizeof(ecdsa_tests[0]);
++
++/* Adapted from openssl/test/ecdsatest.c */
++static int ecdsa_via_EVP_DigestSign(int ecdsa_test_index) {
++    unsigned char *sig = NULL;
++    EC_KEY *eckey = NULL;
++    EVP_PKEY *pkey = NULL;
++    EVP_MD_CTX *mctx = NULL;
++    size_t sig_len;
++    const int nid = ecdsa_tests[ecdsa_test_index].curve_nid;
++    int success = 0;
++    const uint8_t* tbs = get_msg_128();
++
++    TEST_note("testing ECDSA for curve %s", OBJ_nid2sn(nid));
++
++    if (!TEST_ptr(mctx = EVP_MD_CTX_new())
++            || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid))
++            || !TEST_true(EC_KEY_generate_key(eckey))
++            || !TEST_ptr(pkey = EVP_PKEY_new())
++            || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
++        goto err;
++
++    sig_len = ECDSA_size(eckey);
++
++    if (!TEST_ptr(sig = OPENSSL_malloc(sig_len))
++            /* create a signature */
++            || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey))
++            || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs)))
++            || !TEST_int_le(sig_len, ECDSA_size(eckey)))
++        goto err;
++
++    // SLI shows proper status for sign()
++    if (ecdsa_tests[ecdsa_test_index].fips_approved) {
++        if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx)))
++            goto err;
++    } else {
++        if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx)))
++            goto err;
++    }
++
++    /* positive test, verify with correct key, 1 return */
++    if (!TEST_true(EVP_MD_CTX_reset(mctx))
++            || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey)))
++        goto err;
++
++    /* a resetted and initialised ctx should be okay again */
++    if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx)))
++        goto err;
++
++    if (!TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1))
++        goto err;
++
++    // SLI shows proper status for verify()
++    if (ecdsa_tests[ecdsa_test_index].fips_approved) {
++        if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx)))
++            goto err;
++    } else {
++        if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx)))
++            goto err;
++    }
++
++    success = 1;
++err:
++    EVP_PKEY_free(pkey);
++    if (mctx != NULL)
++        EVP_MD_CTX_free(mctx);
++    if (sig != NULL)
++        OPENSSL_free(sig);
++    return success;
++}
++#endif
++
++typedef struct {
++    int fips_approved;
++    int cipher_nid;
++} SLI_CIPHER_TEST;
++
++static const SLI_CIPHER_TEST cipher_tests[] = {
++    {1, NID_aes_128_cfb128},
++    {1, NID_aes_256_gcm},
++    {0, NID_des_ede3_cbc},
++    {0, NID_des_ede3_cfb8},
++    {0, NID_des_ofb64},
++    {0, NID_des_ede_ecb},
++    {0, NID_des_ede_ofb64},
++    {0, NID_idea_cbc},
++};
++static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]);
++
++static size_t get_ciphertext_len(size_t plaintextlen, const EVP_CIPHER *cipher) {
++    /* maximum value according to manpage */
++    return plaintextlen + EVP_CIPHER_block_size(cipher);
++}
++
++static int cipher(int cipher_test_index) {
++    int success = 0;
++    unsigned char *key = NULL, *iv = NULL, *ctext = NULL;
++    int ctext_written_len = 0;
++    const EVP_CIPHER *cipher = NULL;
++    EVP_CIPHER_CTX *ctx = NULL;
++    const uint8_t* const ptext = get_msg_16();
++    const size_t ptext_len = 16;
++    const int cipher_nid = cipher_tests[cipher_test_index].cipher_nid;
++
++    TEST_note("testing SLI for cipher %s", OBJ_nid2sn(cipher_nid));
++
++#ifdef OPENSSL_NO_IDEA
++    switch (cipher_nid) {
++    case NID_idea_cbc:
++        TEST_note("Skipping test since IDEA is not supported in this build");
++        success = 1;
++        goto end;
++    }
++#endif
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        switch (cipher_nid) {
++        case NID_des_ofb64:
++        case NID_des_ede_ecb:
++        case NID_des_ede_ofb64:
++        case NID_idea_cbc:
++            TEST_note("Skipping test since DES/IDEA are disabled in FIPS mode");
++            success = 1;
++            goto end;
++        }
++    }
++#endif
++
++    if (!TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid))) {
++        goto end;
++    }
++
++    const size_t key_len = EVP_CIPHER_key_length(cipher);
++    const size_t iv_len = EVP_CIPHER_iv_length(cipher);
++    TEST_note("have keylen = %zd, ivlen = %zd", key_len, iv_len);
++
++    if (!TEST_ptr(key = OPENSSL_malloc(key_len))
++            || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher)))
++            || !TEST_true(RAND_bytes(key, key_len) == 1))
++        goto end;
++
++    if (iv_len != 0) {
++        if (!TEST_ptr(iv = OPENSSL_malloc(iv_len))
++                || !TEST_true(RAND_bytes(iv, iv_len) == 1))
++            goto end;
++    }
++
++    int tmp_len = 0;
++    if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
++            || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) == 1)
++            || !TEST_true(EVP_EncryptUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len) == 1)
++            || !TEST_true(ctext_written_len <= get_ciphertext_len(ptext_len, cipher))
++            || !TEST_true(EVP_EncryptFinal_ex(ctx, ctext + ctext_written_len, &tmp_len) == 1))
++        goto end;
++
++    if (!TEST_true(ctext_written_len + tmp_len <= get_ciphertext_len(ptext_len, cipher)))
++        goto end;
++
++    if (cipher_tests[cipher_test_index].fips_approved) {
++        if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx)))
++            goto end;
++    } else {
++        if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx)))
++            goto end;
++    }
++
++    success = 1;
++end:
++    EVP_CIPHER_CTX_free(ctx);
++    if (key != NULL)
++        OPENSSL_free(key);
++    if (iv != NULL)
++        OPENSSL_free(iv);
++    if (ctext != NULL)
++        OPENSSL_free(ctext);
++    return success;
++}
++
++#ifndef OPENSSL_NO_RSA
++typedef struct {
++    int fips_approved;
++    int cipher_nid;
++    uint8_t rsa_key_id;
++} SLI_SEALENV_TEST;
++
++static const SLI_SEALENV_TEST sealenv_tests[] = {
++    // consider RSA enc/dec as always disapproved
++    {0, NID_aes_128_cfb128, 0},
++    {0, NID_aes_256_gcm, 1},
++    {0, NID_idea_cbc, 0},
++    {0, NID_des_ede3_cbc, 2},
++    {0, NID_aes_128_ecb, 0},
++    {0, NID_aes_128_ecb, 3},
++    {0, NID_aes_128_ccm, 3},
++};
++static const size_t sealenv_tests_len = sizeof(sealenv_tests) / sizeof(sealenv_tests[0]);
++
++/* Asymmetric enc/dec */
++static int sealenv(int sealenv_test_index) {
++    int success = 0;
++    RSA *rsa_pkey = RSA_new();
++    EVP_PKEY *pkey = NULL;
++    const EVP_CIPHER *cipher = NULL;
++    const int cipher_nid = sealenv_tests[sealenv_test_index].cipher_nid;
++    EVP_CIPHER_CTX *ctx = NULL;
++
++    uint8_t* enc_sym_key = NULL;
++    int enc_sym_key_len = 0;
++
++    const uint8_t* const ptext = get_msg_128();
++    const size_t ptext_len = 128;
++    unsigned char *iv = NULL, *ctext = NULL;
++    size_t ctext_len = 0;
++    int ctext_written_len = 0;
++
++    switch (sealenv_tests[sealenv_test_index].rsa_key_id) {
++    case 0:
++        get_rsa_key1(rsa_pkey);
++        break;
++    case 1:
++        get_rsa_key2(rsa_pkey);
++        break;
++    case 2:
++        get_rsa_key3(rsa_pkey);
++        break;
++    case 3:
++        if (!TEST_int_eq(256, get_rsa_key2048p3(rsa_pkey)))
++            goto end;
++        break;
++    default:
++        goto end;
++    }
++
++    TEST_note("RSA enc with key #%d, cipher %s",
++              sealenv_tests[sealenv_test_index].rsa_key_id,
++              OBJ_nid2sn(cipher_nid));
++
++#ifdef OPENSSL_NO_IDEA
++    switch (cipher_nid) {
++    case NID_idea_cbc:
++        TEST_note("Skipping test since IDEA is not supported in this build");
++        success = 1;
++        goto end;
++    }
++#endif
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        switch (cipher_nid) {
++        case NID_idea_cbc:
++            TEST_note("Skipping test since IDEA is disabled in FIPS mode");
++            success = 1;
++            goto end;
++        }
++    }
++#endif
++
++    if (!TEST_ptr(pkey = EVP_PKEY_new())
++            || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa_pkey))
++            || !TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid))
++            || !TEST_ptr(enc_sym_key = OPENSSL_malloc(EVP_PKEY_size(pkey)))
++            || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher)))
++       )
++        goto end;
++
++    const size_t iv_len = EVP_CIPHER_iv_length(cipher);
++    if (iv_len != 0) {
++        if (!TEST_ptr(iv = OPENSSL_malloc(iv_len)))
++            goto end;
++    }
++
++    if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new())
++            || !TEST_true(1 == EVP_SealInit(ctx, cipher, &enc_sym_key, &enc_sym_key_len, iv, &pkey, 1))
++            || !TEST_true(enc_sym_key_len > 0 && enc_sym_key_len <= EVP_PKEY_size(pkey))
++            || !TEST_true(1 == EVP_SealUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len))
++       )
++        goto end;
++    ctext_len += ctext_written_len;
++    if (!TEST_true(1 == EVP_SealFinal(ctx, ctext + ctext_len, &ctext_written_len)))
++        goto end;
++    ctext_len += ctext_written_len;
++    if (!TEST_true(ctext_len <= get_ciphertext_len(ptext_len, cipher)))
++        goto end;
++
++    if (sealenv_tests[sealenv_test_index].fips_approved) {
++        if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx)))
++            goto end;
++    } else {
++        if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx)))
++            goto end;
++    }
++
++    success = 1;
++end:
++    EVP_PKEY_free(pkey); /* also frees rsa_pkey */
++    if (ctx != NULL)
++        EVP_CIPHER_CTX_free(ctx);
++    if (enc_sym_key != NULL)
++        OPENSSL_free(enc_sym_key);
++    if (iv != NULL)
++        OPENSSL_free(iv);
++    if (ctext != NULL)
++        OPENSSL_free(ctext);
++    return success;
++}
++#endif
++
++typedef struct {
++    int fips_approved;
++    int iterations;
++    int nid_digest;
++    const uint8_t key_expected[32]; // length has to be 32
++} SLI_PBKDF2_TEST;
++
++static const SLI_PBKDF2_TEST pbkdf2_tests[] = {
++    {
++        1, 4200, NID_sha256, {
++            0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E,
++            0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE
++        }
++    },
++    {
++        1, 1347, NID_sha256, {
++            0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C,
++            0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86
++        }
++    },
++    {
++        1, 4200, NID_sha1, {
++            0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE,
++            0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A
++        }
++    },
++    {
++        1, 4200, NID_sha3_512, {
++            0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65,
++            0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09
++        }
++    },
++    {
++        0, 1347, NID_md5, {
++            0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2,
++            0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36
++        }
++    }
++};
++static const size_t pbkdf2_tests_len = sizeof(pbkdf2_tests) / sizeof(pbkdf2_tests[0]);
++
++static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) {
++    int success = 0;
++    const char password[] = "password";
++    const unsigned char salt[] = {'s', 'a', 'l', 't'};
++    const size_t password_len = sizeof(password) / sizeof(password[0]);
++    const size_t salt_len = sizeof(salt) / sizeof(salt[0]);
++
++    int iter = pbkdf2_tests[pbkdf2_tests_idx].iterations;
++    const EVP_MD *digest = EVP_get_digestbynid(pbkdf2_tests[pbkdf2_tests_idx].nid_digest);
++    const size_t key_len = 32;
++    const size_t key_expected_len = key_len;
++    uint8_t* key = NULL;
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        switch (pbkdf2_tests[pbkdf2_tests_idx].nid_digest) {
++        case NID_md5:
++            TEST_note("Skipping test since MD5 is disabled in FIPS mode");
++            success = 1;
++            goto end;
++        }
++    }
++#endif
++
++    if (!TEST_ptr(key = OPENSSL_malloc(key_len))
++            || !TEST_true(1 == PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len,
++                          iter, digest,
++                          key_len, key))
++            || !TEST_true(fips_sli_PKCS5_PBKDF2_HMAC_is_approved(password, password_len,
++                          salt, salt_len,
++                          iter, digest,
++                          key_len, key) == pbkdf2_tests[pbkdf2_tests_idx].fips_approved)
++            || !TEST_mem_eq(key, key_len, pbkdf2_tests[pbkdf2_tests_idx].key_expected, key_expected_len))
++        goto end;
++    success = 1;
++end:
++    return success;
++}
++
++typedef struct {
++    int fips_approved;
++    int digest_nid;
++} SLI_SSHKDF_TEST;
++
++static const SLI_SSHKDF_TEST sshkdf_tests[] = {
++    {1, NID_sha256},
++    {0, NID_md5},
++};
++static const size_t sshkdf_tests_len = sizeof(sshkdf_tests) / sizeof(sshkdf_tests[0]);
++
++static int sshkdf(int sshkdf_test_idx) {
++    int success = 0;
++    const uint8_t *key = get_key_32();
++    const uint8_t *xcghash = get_msg_128();
++    const uint8_t *session_id = get_key_32();
++    uint8_t kdfout[16];
++    size_t kdfoutlen = sizeof(kdfout) / sizeof(kdfout[0]);
++    const int digest_nid = sshkdf_tests[sshkdf_test_idx].digest_nid;
++    EVP_KDF_CTX *ctx = NULL;
++
++    TEST_note("SSHKDF with %s", OBJ_nid2sn(digest_nid));
++
++#ifdef OPENSSL_FIPS
++    if (FIPS_mode()) {
++        switch (digest_nid) {
++        case NID_md5:
++            TEST_note("Skipping test since MD5 is disabled in FIPS mode");
++            success = 1;
++            goto end;
++        }
++    }
++#endif
++
++    if (!TEST_ptr(ctx = EVP_KDF_CTX_new_id(NID_sshkdf))
++            || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, EVP_get_digestbynid(digest_nid)) == 1)
++            || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, 32) == 1)
++            || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id, 32) == 1)
++            || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV) == 1)
++            || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, 128) == 1)
++            || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx))
++            || !TEST_true(EVP_KDF_derive(ctx, kdfout, kdfoutlen) == 1)
++            || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx) == sshkdf_tests[sshkdf_test_idx].fips_approved)
++       )
++        goto end;
++
++    EVP_KDF_reset(ctx);
++
++    if (!TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx)))
++        goto end;
++
++    success = 1;
++end:
++    EVP_KDF_CTX_free(ctx);
++    return success;
++}
++
++static int rand_bytes() {
++    int success = 0;
++    unsigned char r[1];
++    size_t rlen = sizeof(r) / sizeof(r[0]);
++    if (!TEST_true(fips_sli_RAND_bytes_is_approved(r, rlen) == 1)
++            || !TEST_true(RAND_bytes(r, rlen) == 1)
++            || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1)
++            || !TEST_true(RAND_priv_bytes(r, rlen) == 1)
++            || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1)
++       )
++        goto end;
++    success = 1;
++end:
++    return success;
++}
++
++int setup_tests(void) {
++    ADD_TEST(test_sli_noop);
++    ADD_TEST(cmac_aes_cbc);
++    ADD_TEST(cmac_no_des);
++    ADD_ALL_TESTS(cmac_via_md_ctx, cmac_tests_len);
++#ifdef OPENSSL_NO_EC
++    TEST_note("Elliptic curves are disabled.");
++#else
++    ADD_ALL_TESTS(ecdsa_via_EVP_DigestSign, ecdsa_tests_len);
++#endif
++    ADD_ALL_TESTS(cipher, cipher_tests_len);
++#ifdef OPENSSL_NO_RSA
++    TEST_note("RSA is disabled.");
++#else
++    ADD_ALL_TESTS(sealenv, sealenv_tests_len);
++#endif
++    ADD_ALL_TESTS(test_PKCS5_PBKDF2_HMAC, pbkdf2_tests_len);
++    ADD_ALL_TESTS(sshkdf, sshkdf_tests_len);
++    ADD_TEST(rand_bytes);
++
++    return 1; /* success */
++}
+--- a/test/fips_slitest_helper.c	
++++ b/test/fips_slitest_helper.c	
+@@ -0,0 +1,489 @@ 
++#include <stdlib.h>
++#include <stdio.h>
++#include <limits.h>
++#include <string.h>
++#include <assert.h>
++
++#include <openssl/err.h>
++#include <openssl/sha.h>
++#include <openssl/rand.h>
++
++#include "testutil.h"
++#include "fips_slitest_helper.h"
++
++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey) {
++    byte hkey[EVP_MAX_MD_SIZE];
++
++    int result = -1;
++
++    if (!skey || !vkey)
++        return -1;
++
++    if (*skey != NULL) {
++        EVP_PKEY_free(*skey);
++        *skey = NULL;
++    }
++
++    if (*vkey != NULL) {
++        EVP_PKEY_free(*vkey);
++        *vkey = NULL;
++    }
++
++    do {
++        const EVP_MD* md = EVP_sha256();
++        int size = EVP_MD_size(md);
++        assert(size >= 16);
++        if (!(size >= 16)) {
++            printf("EVP_MD_size failed, error 0x%lx\n", ERR_get_error());
++            break; /* failed */
++        }
++
++        assert(size <= sizeof(hkey));
++        if (!(size <= sizeof(hkey))) {
++            printf("EVP_MD_size is too large\n");
++            break; /* failed */
++        }
++
++        /* Generate bytes */
++        int rc = RAND_bytes(hkey, size);
++        assert(rc == 1);
++        if (rc != 1) {
++            printf("RAND_bytes failed, error 0x%lx\n", ERR_get_error());
++            break;
++        }
++
++        //print_it("HMAC key", hkey, size);
++
++        *skey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size);
++        assert(*skey != NULL);
++        if (*skey == NULL) {
++            printf("EVP_PKEY_new_mac_key 1st failed, error 0x%lx\n", ERR_get_error());
++            break;
++        }
++
++        *vkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size);
++        assert(*vkey != NULL);
++        if (*vkey == NULL) {
++            printf("EVP_PKEY_new_mac_key 2nd failed, error 0x%lx\n", ERR_get_error());
++            break;
++        }
++
++        result = 0;
++
++    } while (0);
++
++    OPENSSL_cleanse(hkey, sizeof(hkey));
++
++    /* Convert to 0/1 result */
++    return !!result;
++}
++static const uint8_t msg[16] = { 0x71, 0x50, 0x00, 0x00,
++                                 0xc0, 0xff, 0xee, 0x00,
++                                 0xde, 0xad, 0xbe, 0xef,
++                                 0x01, 0x02, 0x03, 0x04
++                               };
++static const uint8_t msg128[128] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
++                                    13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23,
++                                    24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34,
++                                    35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45,
++                                    46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56,
++                                    57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67,
++                                    68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78,
++                                    79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89,
++                                    90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100,
++                                    101, 102, 103, 104, 105, 106, 107, 108, 109,
++                                    110, 111, 112, 113, 114, 115, 116, 117, 118,
++                                    119, 120, 121, 122, 123, 124, 125, 126, 127
++                                   };
++
++static const uint8_t key16[16] = { 0xaa, 0xbb, 0xcc, 0xdd,
++                                   0x01, 0x02, 0x03, 0x04,
++                                   0xaa, 0xbb, 0xcc, 0xdd,
++                                   0xde, 0xad, 0xbe, 0xef
++                                 };
++static const uint8_t key32[32] = { 0xaa, 0xbb, 0xcc, 0xdd,
++                                   0x01, 0x02, 0x03, 0x04,
++                                   0xaa, 0xbb, 0xcc, 0xdd,
++                                   0xde, 0xad, 0xbe, 0xef,
++                                   0xaa, 0xbb, 0xcc, 0xdd,
++                                   0x01, 0x02, 0x03, 0x04,
++                                   0xaa, 0xbb, 0xcc, 0xdd,
++                                   0xde, 0xad, 0xbe, 0xef
++                                 };
++
++const uint8_t* get_msg_16() {
++    return msg;
++}
++
++const uint8_t* get_msg_128() {
++    return msg128;
++}
++
++const uint8_t* get_key_16() {
++    return key16;
++}
++
++const uint8_t* get_key_32() {
++    return key32;
++}
++
++void print_it(const char* label, const byte* buff, size_t len) {
++    if (!buff || !len)
++        return;
++
++    if (label)
++        printf("%s: ", label);
++
++    for (size_t i = 0; i < len; ++i)
++        printf("%02X", buff[i]);
++
++    printf("\n");
++}
++
++int get_cmac_key(int cipher_nid, EVP_PKEY** out) {
++    int success = 0;
++    EVP_PKEY_CTX *ctx = NULL;
++    const size_t key_len = 32;
++    const uint8_t *key = get_key_32();
++    const EVP_CIPHER *cipher = EVP_get_cipherbynid(cipher_nid);
++
++    if (!(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL)))
++        goto end;
++    if (EVP_PKEY_keygen_init(ctx) != 1)
++        goto end;
++    if (cipher == NULL)
++        goto end;
++    if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_CIPHER, 0, (void*)cipher) <= 0)
++        goto end;
++    if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_SET_MAC_KEY, key_len, (void*)key) <= 0)
++        goto end;
++    if (!EVP_PKEY_keygen(ctx, out))
++        goto end;
++
++    success = 1;
++end:
++
++    if (ctx)
++        EVP_PKEY_CTX_free(ctx);
++    return success;
++}
++
++#ifndef OPENSSL_NO_RSA
++# include <openssl/rsa.h>
++
++/* adapted from openssl/test/rsa_test.c */
++# define SetKey \
++    RSA_set0_key(key,                                           \
++                 BN_bin2bn(n, sizeof(n)-1, NULL),               \
++                 BN_bin2bn(e, sizeof(e)-1, NULL),               \
++                 BN_bin2bn(d, sizeof(d)-1, NULL));              \
++    RSA_set0_factors(key,                                       \
++                     BN_bin2bn(p, sizeof(p)-1, NULL),           \
++                     BN_bin2bn(q, sizeof(q)-1, NULL));          \
++    RSA_set0_crt_params(key,                                    \
++                        BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL),  \
++                        BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL),  \
++                        BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL));
++
++void get_rsa_key1(RSA *key) {
++    static unsigned char n[] =
++        "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F"
++        "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5"
++        "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93"
++        "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1"
++        "\xF5";
++
++    static unsigned char e[] = "\x11";
++
++    static unsigned char d[] =
++        "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44"
++        "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64"
++        "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9"
++        "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51";
++
++    static unsigned char p[] =
++        "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++        "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12"
++        "\x0D";
++
++    static unsigned char q[] =
++        "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++        "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++        "\x89";
++
++    static unsigned char dmp1[] =
++        "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF"
++        "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05";
++
++    static unsigned char dmq1[] =
++        "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99"
++        "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D"
++        "\x51";
++
++    static unsigned char iqmp[] =
++        "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8"
++        "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26";
++
++    SetKey;
++}
++
++void get_rsa_key2(RSA *key) {
++    static unsigned char n[] =
++        "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8"
++        "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26"
++        "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8"
++        "\x34\x77\xCF";
++
++    static unsigned char e[] = "\x3";
++
++    static unsigned char d[] =
++        "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2"
++        "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41"
++        "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21"
++        "\xE5\xEB";
++
++    static unsigned char p[] =
++        "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92"
++        "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91";
++
++    static unsigned char q[] =
++        "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++        "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F";
++
++    static unsigned char dmp1[] =
++        "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61"
++        "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B";
++
++    static unsigned char dmq1[] =
++        "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90"
++        "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F";
++
++    static unsigned char iqmp[] =
++        "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13"
++        "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D";
++
++    SetKey;
++}
++
++void get_rsa_key3(RSA *key) {
++    static unsigned char n[] =
++        "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71"
++        "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5"
++        "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD"
++        "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80"
++        "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25"
++        "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39"
++        "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68"
++        "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD"
++        "\xCB";
++
++    static unsigned char e[] = "\x11";
++
++    static unsigned char d[] =
++        "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD"
++        "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41"
++        "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69"
++        "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA"
++        "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94"
++        "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A"
++        "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94"
++        "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3"
++        "\xC1";
++
++    static unsigned char p[] =
++        "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60"
++        "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6"
++        "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A"
++        "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65"
++        "\x99";
++
++    static unsigned char q[] =
++        "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9"
++        "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D"
++        "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5"
++        "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15"
++        "\x03";
++
++    static unsigned char dmp1[] =
++        "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A"
++        "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E"
++        "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E"
++        "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81";
++
++    static unsigned char dmq1[] =
++        "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9"
++        "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7"
++        "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D"
++        "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D";
++
++    static unsigned char iqmp[] =
++        "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23"
++        "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11"
++        "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E"
++        "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39"
++        "\xF7";
++
++    SetKey;
++}
++
++/* taken from openssl/test/rsa_mp_test.c */
++#define NUM_EXTRA_PRIMES 1
++/* Returns the public key length (256) on success */
++int get_rsa_key2048p3(RSA *key) {
++    /* C90 requires string should <= 509 bytes */
++    static const unsigned char n[] =
++        "\x92\x60\xd0\x75\x0a\xe1\x17\xee\xe5\x5c\x3f\x3d\xea\xba\x74\x91"
++        "\x75\x21\xa2\x62\xee\x76\x00\x7c\xdf\x8a\x56\x75\x5a\xd7\x3a\x15"
++        "\x98\xa1\x40\x84\x10\xa0\x14\x34\xc3\xf5\xbc\x54\xa8\x8b\x57\xfa"
++        "\x19\xfc\x43\x28\xda\xea\x07\x50\xa4\xc4\x4e\x88\xcf\xf3\xb2\x38"
++        "\x26\x21\xb8\x0f\x67\x04\x64\x43\x3e\x43\x36\xe6\xd0\x03\xe8\xcd"
++        "\x65\xbf\xf2\x11\xda\x14\x4b\x88\x29\x1c\x22\x59\xa0\x0a\x72\xb7"
++        "\x11\xc1\x16\xef\x76\x86\xe8\xfe\xe3\x4e\x4d\x93\x3c\x86\x81\x87"
++        "\xbd\xc2\x6f\x7b\xe0\x71\x49\x3c\x86\xf7\xa5\x94\x1c\x35\x10\x80"
++        "\x6a\xd6\x7b\x0f\x94\xd8\x8f\x5c\xf5\xc0\x2a\x09\x28\x21\xd8\x62"
++        "\x6e\x89\x32\xb6\x5c\x5b\xd8\xc9\x20\x49\xc2\x10\x93\x2b\x7a\xfa"
++        "\x7a\xc5\x9c\x0e\x88\x6a\xe5\xc1\xed\xb0\x0d\x8c\xe2\xc5\x76\x33"
++        "\xdb\x26\xbd\x66\x39\xbf\xf7\x3c\xee\x82\xbe\x92\x75\xc4\x02\xb4"
++        "\xcf\x2a\x43\x88\xda\x8c\xf8\xc6\x4e\xef\xe1\xc5\xa0\xf5\xab\x80"
++        "\x57\xc3\x9f\xa5\xc0\x58\x9c\x3e\x25\x3f\x09\x60\x33\x23\x00\xf9"
++        "\x4b\xea\x44\x87\x7b\x58\x8e\x1e\xdb\xde\x97\xcf\x23\x60\x72\x7a"
++        "\x09\xb7\x75\x26\x2d\x7e\xe5\x52\xb3\x31\x9b\x92\x66\xf0\x5a\x25";
++
++    static const unsigned char e[] = "\x01\x00\x01";
++
++    static const unsigned char d[] =
++        "\x6a\x7d\xf2\xca\x63\xea\xd4\xdd\xa1\x91\xd6\x14\xb6\xb3\x85\xe0"
++        "\xd9\x05\x6a\x3d\x6d\x5c\xfe\x07\xdb\x1d\xaa\xbe\xe0\x22\xdb\x08"
++        "\x21\x2d\x97\x61\x3d\x33\x28\xe0\x26\x7c\x9d\xd2\x3d\x78\x7a\xbd"
++        "\xe2\xaf\xcb\x30\x6a\xeb\x7d\xfc\xe6\x92\x46\xcc\x73\xf5\xc8\x7f"
++        "\xdf\x06\x03\x01\x79\xa2\x11\x4b\x76\x7d\xb1\xf0\x83\xff\x84\x1c"
++        "\x02\x5d\x7d\xc0\x0c\xd8\x24\x35\xb9\xa9\x0f\x69\x53\x69\xe9\x4d"
++        "\xf2\x3d\x2c\xe4\x58\xbc\x3b\x32\x83\xad\x8b\xba\x2b\x8f\xa1\xba"
++        "\x62\xe2\xdc\xe9\xac\xcf\xf3\x79\x9a\xae\x7c\x84\x00\x16\xf3\xba"
++        "\x8e\x00\x48\xc0\xb6\xcc\x43\x39\xaf\x71\x61\x00\x3a\x5b\xeb\x86"
++        "\x4a\x01\x64\xb2\xc1\xc9\x23\x7b\x64\xbc\x87\x55\x69\x94\x35\x1b"
++        "\x27\x50\x6c\x33\xd4\xbc\xdf\xce\x0f\x9c\x49\x1a\x7d\x6b\x06\x28"
++        "\xc7\xc8\x52\xbe\x4f\x0a\x9c\x31\x32\xb2\xed\x3a\x2c\x88\x81\xe9"
++        "\xaa\xb0\x7e\x20\xe1\x7d\xeb\x07\x46\x91\xbe\x67\x77\x76\xa7\x8b"
++        "\x5c\x50\x2e\x05\xd9\xbd\xde\x72\x12\x6b\x37\x38\x69\x5e\x2d\xd1"
++        "\xa0\xa9\x8a\x14\x24\x7c\x65\xd8\xa7\xee\x79\x43\x2a\x09\x2c\xb0"
++        "\x72\x1a\x12\xdf\x79\x8e\x44\xf7\xcf\xce\x0c\x49\x81\x47\xa9\xb1";
++
++    static const unsigned char p[] =
++        "\x06\x77\xcd\xd5\x46\x9b\xc1\xd5\x58\x00\x81\xe2\xf3\x0a\x36\xb1"
++        "\x6e\x29\x89\xd5\x2f\x31\x5f\x92\x22\x3b\x9b\x75\x30\x82\xfa\xc5"
++        "\xf5\xde\x8a\x36\xdb\xc6\xe5\x8f\xef\x14\x37\xd6\x00\xf9\xab\x90"
++        "\x9b\x5d\x57\x4c\xf5\x1f\x77\xc4\xbb\x8b\xdd\x9b\x67\x11\x45\xb2"
++        "\x64\xe8\xac\xa8\x03\x0f\x16\x0d\x5d\x2d\x53\x07\x23\xfb\x62\x0d"
++        "\xe6\x16\xd3\x23\xe8\xb3";
++
++    static const unsigned char q[] =
++        "\x06\x66\x9a\x70\x53\xd6\x72\x74\xfd\xea\x45\xc3\xc0\x17\xae\xde"
++        "\x79\x17\xae\x79\xde\xfc\x0e\xf7\xa4\x3a\x8c\x43\x8f\xc7\x8a\xa2"
++        "\x2c\x51\xc4\xd0\x72\x89\x73\x5c\x61\xbe\xfd\x54\x3f\x92\x65\xde"
++        "\x4d\x65\x71\x70\xf6\xf2\xe5\x98\xb9\x0f\xd1\x0b\xe6\x95\x09\x4a"
++        "\x7a\xdf\xf3\x10\x16\xd0\x60\xfc\xa5\x10\x34\x97\x37\x6f\x0a\xd5"
++        "\x5d\x8f\xd4\xc3\xa0\x5b";
++
++    static const unsigned char dmp1[] =
++        "\x05\x7c\x9e\x1c\xbd\x90\x25\xe7\x40\x86\xf5\xa8\x3b\x7a\x3f\x99"
++        "\x56\x95\x60\x3a\x7b\x95\x4b\xb8\xa0\xd7\xa5\xf1\xcc\xdc\x5f\xb5"
++        "\x8c\xf4\x62\x95\x54\xed\x2e\x12\x62\xc2\xe8\xf6\xde\xce\xed\x8e"
++        "\x77\x6d\xc0\x40\x25\x74\xb3\x5a\x2d\xaa\xe1\xac\x11\xcb\xe2\x2f"
++        "\x0a\x51\x23\x1e\x47\xb2\x05\x88\x02\xb2\x0f\x4b\xf0\x67\x30\xf0"
++        "\x0f\x6e\xef\x5f\xf7\xe7";
++
++    static const unsigned char dmq1[] =
++        "\x01\xa5\x6b\xbc\xcd\xe3\x0e\x46\xc6\x72\xf5\x04\x56\x28\x01\x22"
++        "\x58\x74\x5d\xbc\x1c\x3c\x29\x41\x49\x6c\x81\x5c\x72\xe2\xf7\xe5"
++        "\xa3\x8e\x58\x16\xe0\x0e\x37\xac\x1f\xbb\x75\xfd\xaf\xe7\xdf\xe9"
++        "\x1f\x70\xa2\x8f\x52\x03\xc0\x46\xd9\xf9\x96\x63\x00\x27\x7e\x5f"
++        "\x38\x60\xd6\x6b\x61\xe2\xaf\xbe\xea\x58\xd3\x9d\xbc\x75\x03\x8d"
++        "\x42\x65\xd6\x6b\x85\x97";
++
++    static const unsigned char iqmp[] =
++        "\x03\xa1\x8b\x80\xe4\xd8\x87\x25\x17\x5d\xcc\x8d\xa9\x8a\x22\x2b"
++        "\x6c\x15\x34\x6f\x80\xcc\x1c\x44\x04\x68\xbc\x03\xcd\x95\xbb\x69"
++        "\x37\x61\x48\xb4\x23\x13\x08\x16\x54\x6a\xa1\x7c\xf5\xd4\x3a\xe1"
++        "\x4f\xa4\x0c\xf5\xaf\x80\x85\x27\x06\x0d\x70\xc0\xc5\x19\x28\xfe"
++        "\xee\x8e\x86\x21\x98\x8a\x37\xb7\xe5\x30\x25\x70\x93\x51\x2d\x49"
++        "\x85\x56\xb3\x0c\x2b\x96";
++
++    static const unsigned char ex_prime[] =
++        "\x03\x89\x22\xa0\xb7\x3a\x91\xcb\x5e\x0c\xfd\x73\xde\xa7\x38\xa9"
++        "\x47\x43\xd6\x02\xbf\x2a\xb9\x3c\x48\xf3\x06\xd6\x58\x35\x50\x56"
++        "\x16\x5c\x34\x9b\x61\x87\xc8\xaa\x0a\x5d\x8a\x0a\xcd\x9c\x41\xd9"
++        "\x96\x24\xe0\xa9\x9b\x26\xb7\xa8\x08\xc9\xea\xdc\xa7\x15\xfb\x62"
++        "\xa0\x2d\x90\xe6\xa7\x55\x6e\xc6\x6c\xff\xd6\x10\x6d\xfa\x2e\x04"
++        "\x50\xec\x5c\x66\xe4\x05";
++
++    static const unsigned char ex_exponent[] =
++        "\x02\x0a\xcd\xc3\x82\xd2\x03\xb0\x31\xac\xd3\x20\x80\x34\x9a\x57"
++        "\xbc\x60\x04\x57\x25\xd0\x29\x9a\x16\x90\xb9\x1c\x49\x6a\xd1\xf2"
++        "\x47\x8c\x0e\x9e\xc9\x20\xc2\xd8\xe4\x8f\xce\xd2\x1a\x9c\xec\xb4"
++        "\x1f\x33\x41\xc8\xf5\x62\xd1\xa5\xef\x1d\xa1\xd8\xbd\x71\xc6\xf7"
++        "\xda\x89\x37\x2e\xe2\xec\x47\xc5\xb8\xe3\xb4\xe3\x5c\x82\xaa\xdd"
++        "\xb7\x58\x2e\xaf\x07\x79";
++
++    static const unsigned char ex_coefficient[] =
++        "\x00\x9c\x09\x88\x9b\xc8\x57\x08\x69\x69\xab\x2d\x9e\x29\x1c\x3c"
++        "\x6d\x59\x33\x12\x0d\x2b\x09\x2e\xaf\x01\x2c\x27\x01\xfc\xbd\x26"
++        "\x13\xf9\x2d\x09\x22\x4e\x49\x11\x03\x82\x88\x87\xf4\x43\x1d\xac"
++        "\xca\xec\x86\xf7\x23\xf1\x64\xf3\xf5\x81\xf0\x37\x36\xcf\x67\xff"
++        "\x1a\xff\x7a\xc7\xf9\xf9\x67\x2d\xa0\x9d\x61\xf8\xf6\x47\x5c\x2f"
++        "\xe7\x66\xe8\x3c\x3a\xe8";
++
++    BIGNUM **pris = NULL, **exps = NULL, **coeffs = NULL;
++    int rv = 256; /* public key length */
++
++    if (!TEST_int_eq(RSA_set0_key(key,
++                                  BN_bin2bn(n, sizeof(n) - 1, NULL),
++                                  BN_bin2bn(e, sizeof(e) - 1, NULL),
++                                  BN_bin2bn(d, sizeof(d) - 1, NULL)), 1))
++        goto err;
++
++    if (!TEST_int_eq(RSA_set0_factors(key,
++                                      BN_bin2bn(p, sizeof(p) - 1, NULL),
++                                      BN_bin2bn(q, sizeof(q) - 1, NULL)), 1))
++        goto err;
++
++    if (!TEST_int_eq(RSA_set0_crt_params(key,
++                                         BN_bin2bn(dmp1, sizeof(dmp1) - 1, NULL),
++                                         BN_bin2bn(dmq1, sizeof(dmq1) - 1, NULL),
++                                         BN_bin2bn(iqmp, sizeof(iqmp) - 1,
++                                                 NULL)), 1))
++        return 0;
++
++    pris = OPENSSL_zalloc(sizeof(BIGNUM *));
++    exps = OPENSSL_zalloc(sizeof(BIGNUM *));
++    coeffs = OPENSSL_zalloc(sizeof(BIGNUM *));
++    if (!TEST_ptr(pris) || !TEST_ptr(exps) || !TEST_ptr(coeffs))
++        goto err;
++
++    pris[0] = BN_bin2bn(ex_prime, sizeof(ex_prime) - 1, NULL);
++    exps[0] = BN_bin2bn(ex_exponent, sizeof(ex_exponent) - 1, NULL);
++    coeffs[0] = BN_bin2bn(ex_coefficient, sizeof(ex_coefficient) - 1, NULL);
++    if (!TEST_ptr(pris[0]) || !TEST_ptr(exps[0]) || !TEST_ptr(coeffs[0]))
++        goto err;
++
++    if (!TEST_true(RSA_set0_multi_prime_params(key, pris, exps,
++                   coeffs, NUM_EXTRA_PRIMES)))
++        goto err;
++
++ret:
++    OPENSSL_free(pris);
++    OPENSSL_free(exps);
++    OPENSSL_free(coeffs);
++    return rv;
++err:
++    if (pris != NULL)
++        BN_free(pris[0]);
++    if (exps != NULL)
++        BN_free(exps[0]);
++    if (coeffs != NULL)
++        BN_free(coeffs[0]);
++    rv = 0;
++    goto ret;
++}
++
++#endif
+--- a/test/fips_slitest_helper.h	
++++ b/test/fips_slitest_helper.h	
+@@ -0,0 +1,29 @@ 
++#ifndef __FIPS_SLITEST_HELPER_H__
++#define __FIPS_SLITEST_HELPER_H__
++
++#include <openssl/evp.h>
++
++typedef unsigned char byte;
++
++/** Create a MAC key: one copy for macgen, one for macver (verification)
++ * Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz
++ */
++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey);
++
++/* Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz */
++void print_it(const char* label, const byte* buff, size_t len);
++
++int get_cmac_key(int cipher_nid, EVP_PKEY** out);
++
++const uint8_t* get_msg_16();
++const uint8_t* get_msg_128();
++/* Get constant keys of specified length */
++const uint8_t* get_key_16();
++const uint8_t* get_key_32();
++
++void get_rsa_key1(RSA *key);
++void get_rsa_key2(RSA *key);
++void get_rsa_key3(RSA *key);
++int get_rsa_key2048p3(RSA *key);
++
++#endif /* __FIPS_SLITEST_HELPER_H__ */
+--- a/test/recipes/30-test_fips_sli.t	
++++ b/test/recipes/30-test_fips_sli.t	
+@@ -0,0 +1,4 @@ 
++#!/usr/bin/env perl
++use OpenSSL::Test::Simple;
++
++simple_test("test_fips_sli", "fips_slitest", "fips_sli");
+--- a/util/libcrypto.num	
++++ b/util/libcrypto.num	
+@@ -4636,3 +4636,14 @@ EVP_KDF_size                            6596	1_1_1d	EXIST::FUNCTION:
+ EVP_KDF_derive                          6597	1_1_1d	EXIST::FUNCTION:
+ EC_GROUP_get0_field                     6598	1_1_1l	EXIST::FUNCTION:EC
+ NONFIPS_selftest_check                  6599	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_EVP_MD_CTX         6600	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_CMAC_CTX           6601	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_HMAC_CTX           6602	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_EVP_PKEY_CTX       6603	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_EVP_CIPHER_CTX     6604	1_1_1l	EXIST::FUNCTION:
++fips_sli_is_approved_EVP_KDF_CTX        6605	1_1_1l	EXIST::FUNCTION:
++fips_sli_SHA1_is_approved               6606	1_1_1l	EXIST::FUNCTION:
++fips_sli_PKCS5_PBKDF2_HMAC_is_approved  6607	1_1_1l	EXIST::FUNCTION:
++fips_sli_HMAC_is_approved               6608	1_1_1l	EXIST::FUNCTION:
++fips_sli_RAND_bytes_is_approved         6609	1_1_1l	EXIST::FUNCTION:
++fips_sli_RAND_priv_bytes_is_approved    6610	1_1_1l	EXIST::FUNCTION:
diff --git a/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
new file mode 100644
index 0000000..a7bbfa2
--- /dev/null
+++ b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
@@ -0,0 +1,39 @@
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 6adff696c..29b23f9f7 100644
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -4366,6 +4366,21 @@ FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) {
+             /* intended fall-through */
+         case 256:
+             return FIPS_APPROVED;
++        case 512:
++            if (cipher->do_cipher == aes_xts_cipher
++                #if defined(OPENSSL_CPUID_OBJ) && ( \
++                        ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\
++                        && defined(OPENSSL_IA32_SSE2)) \
++                    || defined(__x86_64) || defined(__x86_64__) \
++                    || defined(_M_AMD64) || defined(_M_X64))
++                || cipher->do_cipher == aesni_xts_cipher
++                #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__)
++                || cipher->do_cipher == s390x_aes_xts_cipher
++                #endif
++            )
++                return FIPS_APPROVED;
++            else
++                return FIPS_ERROR;
+         }
+     }
+     /* disapproved for enc and dec: all others, including
+diff --git a/test/fips_slitest.c b/test/fips_slitest.c
+index d32f748a6..9e37cf36b 100644
+--- a/test/fips_slitest.c
++++ b/test/fips_slitest.c
+@@ -260,6 +260,8 @@ static const SLI_CIPHER_TEST cipher_tests[] = {
+     {0, NID_des_ede_ecb},
+     {0, NID_des_ede_ofb64},
+     {0, NID_idea_cbc},
++    {1, NID_aes_128_xts},
++    {1, NID_aes_256_xts},
+ };
+ static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]);
+ 
diff --git a/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
new file mode 100644
index 0000000..813477a
--- /dev/null
+++ b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
@@ -0,0 +1,24 @@
+---
+ crypto/fips/fips_sli.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/crypto/fips/fips_sli.c
++++ b/crypto/fips/fips_sli.c
+@@ -328,14 +328,14 @@ static FIPS_STATUS get_fips_keygen_ecdsa
+     BN_set_bit(pwr24, 24);
+     BN_set_bit(pwr32, 32);
+ 
+-    if (224 < n && n <= 255) {
++    if (224 <= n && n <= 255) {
+         if (BN_cmp(cofactor, pwr14) != 1)
+             ret = FIPS_APPROVED;
+-    } else if (256 < n && n <= 383) {
++    } else if (256 <= n && n <= 383) {
+         if (BN_cmp(cofactor, pwr16) != 1)
+             ret = FIPS_APPROVED;
+ 
+-    } else if (384 < n && n <= 511) {
++    } else if (384 <= n && n <= 511) {
+         if (BN_cmp(cofactor, pwr24) != 1)
+             ret = FIPS_APPROVED;
+ 
diff --git a/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
new file mode 100644
index 0000000..0241b7f
--- /dev/null
+++ b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
@@ -0,0 +1,52 @@
+Index: openssl-1.1.1l/crypto/rsa/rsa_pmeth.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/rsa/rsa_pmeth.c
++++ openssl-1.1.1l/crypto/rsa/rsa_pmeth.c
+@@ -140,13 +140,11 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
+             unsigned int sltmp;
+             if (rctx->pad_mode != RSA_PKCS1_PADDING)
+                 return -1;
+-            /* PKCS1-v1.5 padding is disallowed after 2023 */
+-            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+             ret = RSA_sign_ASN1_OCTET_STRING(0,
+                                              tbs, tbslen, sig, &sltmp, rsa);
+-
+             if (ret <= 0)
+                 return ret;
++            fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md);
+             ret = sltmp;
+         } else if (rctx->pad_mode == RSA_X931_PADDING) {
+             if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) {
+@@ -179,13 +177,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c
+             ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf,
+                                       sig, rsa, RSA_X931_PADDING);
+         } else if (rctx->pad_mode == RSA_PKCS1_PADDING) {
+-            /*  PKCS1-v1.5 padding is disallowed after 2023  */
+-            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+             unsigned int sltmp;
+             ret = RSA_sign(EVP_MD_type(rctx->md),
+                            tbs, tbslen, sig, &sltmp, rsa);
+             if (ret <= 0)
+                 return ret;
++            fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md);
+             ret = sltmp;
+         } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) {
+             if (!setup_tbuf(rctx, ctx))
+@@ -290,10 +287,13 @@ static int pkey_rsa_verify(EVP_PKEY_CTX
+ 
+     if (rctx->md) {
+         if (rctx->pad_mode == RSA_PKCS1_PADDING) {
+-            /* PKCS1-v1.5 padding is disallowed after 2023 */
+-            fips_sli_disapprove_EVP_PKEY_CTX(ctx);
+-            return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
+-                              sig, siglen, rsa);
++            int ret;
++            ret = RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
++                             sig, siglen, rsa);
++            if (ret <= 0)
++                return 0;
++            fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md);
++            return ret;
+         }
+         if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
+             RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
diff --git a/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
new file mode 100644
index 0000000..d54c1e1
--- /dev/null
+++ b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
@@ -0,0 +1,14 @@
+Index: openssl-1.1.1l/crypto/kdf/pbkdf2.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/kdf/pbkdf2.c
++++ openssl-1.1.1l/crypto/kdf/pbkdf2.c
+@@ -185,7 +185,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP
+     }
+ 
+     fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
+-
++    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
++                                        fips_sli_get_kdf_keylen_status(keylen));
+     return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
+                             impl->salt, impl->salt_len, impl->iter,
+                             impl->md, key, keylen);
diff --git a/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
new file mode 100644
index 0000000..0923a69
--- /dev/null
+++ b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
@@ -0,0 +1,136 @@
+---
+ crypto/fips/fips_sli.c            |   21 +++++++++++++++++++
+ crypto/kdf/pbkdf2.c               |    6 +++++
+ include/internal/fips_sli_local.h |    3 ++
+ test/fips_slitest.c               |   41 ++++++++++++++++++++++----------------
+ 4 files changed, 54 insertions(+), 17 deletions(-)
+
+--- a/crypto/fips/fips_sli.c
++++ b/crypto/fips/fips_sli.c
+@@ -231,6 +231,27 @@ FIPS_STATUS fips_sli_get_kdf_keylen_stat
+         return FIPS_NONAPPROVED;
+ }
+ 
++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes) {
++    if (saltlen_bytes >= 128/8)
++        return FIPS_APPROVED;
++    else
++        return FIPS_NONAPPROVED;
++}
++
++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter) {
++    if (iter >= 1000)
++        return FIPS_APPROVED;
++    else
++        return FIPS_NONAPPROVED;
++}
++
++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes) {
++    if (passlen_bytes >= 20)
++        return FIPS_APPROVED;
++    else
++        return FIPS_NONAPPROVED;
++}
++
+ void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) {
+     fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa);
+ }
+--- a/crypto/kdf/pbkdf2.c
++++ b/crypto/kdf/pbkdf2.c
+@@ -187,6 +187,12 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP
+     fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl);
+     fips_sli_fsm_struct_evp_kdf_impl_st(impl,
+                                         fips_sli_get_kdf_keylen_status(keylen));
++    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
++                                        fips_sli_get_kdf_saltlen_status(impl->salt_len));
++    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
++                                        fips_sli_get_kdf_iteration_status(impl->iter));
++    fips_sli_fsm_struct_evp_kdf_impl_st(impl,
++                                        fips_sli_get_kdf_passlen_status(impl->pass_len));
+     return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len,
+                             impl->salt, impl->salt_len, impl->iter,
+                             impl->md, key, keylen);
+--- a/include/internal/fips_sli_local.h
++++ b/include/internal/fips_sli_local.h
+@@ -70,6 +70,9 @@ FIPS_STATUS fips_sli_get_hash_status_ssh
+ FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md);
+ FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md);
+ FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes);
++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes);
++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter);
++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes);
+ 
+ /* Check if used curve is okay for and in this context */
+ void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group);
+--- a/test/fips_slitest.c
++++ b/test/fips_slitest.c
+@@ -490,36 +490,41 @@ typedef struct {
+     int nid_digest;
+     const uint8_t key_expected[32]; // length has to be 32
+ } SLI_PBKDF2_TEST;
+-
+ static const SLI_PBKDF2_TEST pbkdf2_tests[] = {
+     {
+-        1, 4200, NID_sha256, {
+-            0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E,
+-            0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE
++        1, 4096, NID_sha1, {
++            0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A,
++            0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A
++        }
++    },
++    {
++        1, 4096, NID_sha256, {
++            0x34, 0x8C, 0x89, 0xDB, 0xCB, 0xD3, 0x2B, 0x2F, 0x32, 0xD8, 0x14, 0xB8, 0x11, 0x6E, 0x84, 0xCF,
++            0x2B, 0x17, 0x34, 0x7E, 0xBC, 0x18, 0x00, 0x18, 0x1C, 0x4E, 0x2A, 0x1F, 0xB8, 0xDD, 0x53, 0xE1
+         }
+     },
+     {
+         1, 1347, NID_sha256, {
+-            0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C,
+-            0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86
++            0xD5, 0x99, 0x16, 0xFF, 0x8A, 0xBC, 0x26, 0x37, 0xAF, 0x4B, 0x26, 0xF1, 0x7E, 0x56, 0x8B, 0x7A,
++            0x00, 0x16, 0xA9, 0xF2, 0x7D, 0x96, 0xDB, 0x33, 0x0A, 0xD0, 0x5F, 0xC3, 0x0C, 0x22, 0xA2, 0xD0
+         }
+     },
+     {
+-        1, 4200, NID_sha1, {
+-            0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE,
+-            0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A
++        1, 4096, NID_sha512, {
++            0x8C, 0x05, 0x11, 0xF4, 0xC6, 0xE5, 0x97, 0xC6, 0xAC, 0x63, 0x15, 0xD8, 0xF0, 0x36, 0x2E, 0x22,
++            0x5F, 0x3C, 0x50, 0x14, 0x95, 0xBA, 0x23, 0xB8, 0x68, 0xC0, 0x05, 0x17, 0x4D, 0xC4, 0xEE, 0x71
+         }
+     },
+     {
+-        1, 4200, NID_sha3_512, {
+-            0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65,
+-            0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09
++        1, 4096, NID_sha3_512, {
++            0xD6, 0x07, 0x91, 0xA4, 0xED, 0x27, 0x19, 0x5D, 0x81, 0x3F, 0x35, 0x51, 0x03, 0x51, 0xB9, 0xD1,
++            0xFF, 0x9A, 0xD4, 0x26, 0x21, 0x53, 0x94, 0x46, 0x09, 0x50, 0xA4, 0xFE, 0x03, 0xDD, 0x9F, 0x54
+         }
+     },
+     {
+-        0, 1347, NID_md5, {
+-            0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2,
+-            0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36
++        0, 4096, NID_md5, {
++            0x8D, 0x5D, 0x0A, 0xAD, 0x94, 0xD1, 0x44, 0x20, 0x42, 0x9F, 0xBC, 0x7E, 0x5B, 0x08, 0x7D, 0x7A,
++            0x55, 0x27, 0xE6, 0x5D, 0xFD, 0x0D, 0x48, 0x6A, 0x31, 0x0E, 0x8A, 0x7B, 0x6F, 0xF5, 0xA2, 0x1B
+         }
+     }
+ };
+@@ -527,8 +532,10 @@ static const size_t pbkdf2_tests_len = s
+ 
+ static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) {
+     int success = 0;
+-    const char password[] = "password";
+-    const unsigned char salt[] = {'s', 'a', 'l', 't'};
++    const char password[] = "passwordPASSWORDpassword";
++    const unsigned char salt[] = {'s', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T',
++                                  's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T',
++                                  's', 'a', 'l', 't'};
+     const size_t password_len = sizeof(password) / sizeof(password[0]);
+     const size_t salt_len = sizeof(salt) / sizeof(salt[0]);
+ 
diff --git a/openssl-1_1-seclevel.patch b/openssl-1_1-seclevel.patch
new file mode 100644
index 0000000..c6751a5
--- /dev/null
+++ b/openssl-1_1-seclevel.patch
@@ -0,0 +1,160 @@
+diff -up openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel openssl-1.1.1g/crypto/x509/x509_vfy.c
+--- openssl-1.1.1g/crypto/x509/x509_vfy.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/crypto/x509/x509_vfy.c	2020-06-05 17:16:54.835536823 +0200
+@@ -3225,6 +3225,7 @@ static int build_chain(X509_STORE_CTX *c
+ }
+ 
+ static const int minbits_table[] = { 80, 112, 128, 192, 256 };
++static const int minbits_digest_table[] = { 80, 80, 128, 192, 256 };
+ static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
+ 
+ /*
+@@ -3276,6 +3277,11 @@ static int check_sig_level(X509_STORE_CT
+ 
+     if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL))
+         return 0;
+-
+-    return secbits >= minbits_table[level - 1];
++    /*
++     * Allow SHA1 in SECLEVEL 2 in non-FIPS mode or when the magic
++     * disable SHA1 flag is not set.
++     */
++    if ((ctx->param->flags & 0x40000000) || FIPS_mode())
++        return secbits >= minbits_table[level - 1];
++    return secbits >= minbits_digest_table[level - 1];
+ }
+diff -up openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod
+--- openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/doc/man3/SSL_CTX_set_security_level.pod	2020-06-04 15:48:01.608178833 +0200
+@@ -81,8 +81,10 @@ using MD5 for the MAC is also prohibited
+ 
+ =item B<Level 2>
+ 
+-Security level set to 112 bits of security. As a result RSA, DSA and DH keys
+-shorter than 2048 bits and ECC keys shorter than 224 bits are prohibited.
++Security level set to 112 bits of security with the exception of SHA1 allowed
++for signatures.
++As a result RSA, DSA and DH keys shorter than 2048 bits and ECC keys
++shorter than 224 bits are prohibited.
+ In addition to the level 1 exclusions any cipher suite using RC4 is also
+ prohibited. SSL version 3 is also not allowed. Compression is disabled.
+ 
+diff -up openssl-1.1.1g/ssl/ssl_cert.c.seclevel openssl-1.1.1g/ssl/ssl_cert.c
+--- openssl-1.1.1g/ssl/ssl_cert.c.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/ssl/ssl_cert.c	2020-06-05 17:10:11.842198401 +0200
+@@ -27,6 +27,7 @@
+ static int ssl_security_default_callback(const SSL *s, const SSL_CTX *ctx,
+                                          int op, int bits, int nid, void *other,
+                                          void *ex);
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx);
+ 
+ static CRYPTO_ONCE ssl_x509_store_ctx_once = CRYPTO_ONCE_STATIC_INIT;
+ static volatile int ssl_x509_store_ctx_idx = -1;
+@@ -396,7 +397,7 @@ int ssl_verify_cert_chain(SSL *s, STACK_
+     X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));
+ 
+     /* Set suite B flags if needed */
+-    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s));
++    X509_STORE_CTX_set_flags(ctx, tls1_suiteb(s) | sha1_disable(s, NULL));
+     if (!X509_STORE_CTX_set_ex_data
+         (ctx, SSL_get_ex_data_X509_STORE_CTX_idx(), s)) {
+         goto end;
+@@ -953,12 +954,33 @@ static int ssl_security_default_callback
+             return 0;
+         break;
+     default:
++        /* allow SHA1 in SECLEVEL 2 in non FIPS mode */
++        if (nid == NID_sha1 && minbits == 112 && !sha1_disable(s, ctx))
++            break;
+         if (bits < minbits)
+             return 0;
+     }
+     return 1;
+ }
+ 
++static unsigned long sha1_disable(const SSL *s, const SSL_CTX *ctx)
++{
++    unsigned long ret = 0x40000000; /* a magical internal value used by X509_VERIFY_PARAM */
++    const CERT *c;
++
++    if (FIPS_mode())
++        return ret;
++
++    if (ctx != NULL) {
++       c = ctx->cert;
++    } else {
++       c = s->cert;
++    }
++    if (tls1_cert_sigalgs_have_sha1(c))
++        return 0;
++    return ret;
++}
++
+ int ssl_security(const SSL *s, int op, int bits, int nid, void *other)
+ {
+     return s->cert->sec_cb(s, NULL, op, bits, nid, other, s->cert->sec_ex);
+diff -up openssl-1.1.1g/ssl/ssl_local.h.seclevel openssl-1.1.1g/ssl/ssl_local.h
+--- openssl-1.1.1g/ssl/ssl_local.h.seclevel	2020-06-04 15:48:01.602178783 +0200
++++ openssl-1.1.1g/ssl/ssl_local.h	2020-06-05 17:02:22.666313410 +0200
+@@ -2576,6 +2576,7 @@ __owur int tls1_save_sigalgs(SSL *s, PAC
+ __owur int tls1_process_sigalgs(SSL *s);
+ __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
+ __owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
++int tls1_cert_sigalgs_have_sha1(const CERT *c);
+ __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
+ #  ifndef OPENSSL_NO_EC
+ __owur int tls_check_sigalg_curve(const SSL *s, int curve);
+diff -up openssl-1.1.1g/ssl/t1_lib.c.seclevel openssl-1.1.1g/ssl/t1_lib.c
+--- openssl-1.1.1g/ssl/t1_lib.c.seclevel	2020-06-04 15:48:01.654179221 +0200
++++ openssl-1.1.1g/ssl/t1_lib.c	2020-06-05 17:02:40.268459157 +0200
+@@ -2145,6 +2145,36 @@ int tls1_set_sigalgs(CERT *c, const int
+     return 0;
+ }
+ 
++static int tls1_sigalgs_have_sha1(const uint16_t *sigalgs, size_t sigalgslen)
++{
++    size_t i;
++
++    for (i = 0; i < sigalgslen; i++, sigalgs++) {
++        const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(*sigalgs);
++
++        if (lu == NULL)
++            continue;
++        if (lu->hash == NID_sha1)
++            return 1;
++    }
++    return 0;
++}
++
++
++int tls1_cert_sigalgs_have_sha1(const CERT *c)
++{
++    if (c->client_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->client_sigalgs, c->client_sigalgslen))
++            return 1;
++    }
++    if (c->conf_sigalgs != NULL) {
++        if (tls1_sigalgs_have_sha1(c->conf_sigalgs, c->conf_sigalgslen))
++            return 1;
++        return 0;
++    }
++    return 1;
++}
++
+ static int tls1_check_sig_alg(SSL *s, X509 *x, int default_nid)
+ {
+     int sig_nid, use_pc_sigalgs = 0;
+diff -up openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel openssl-1.1.1g/test/recipes/25-test_verify.t
+--- openssl-1.1.1g/test/recipes/25-test_verify.t.seclevel	2020-04-21 14:22:39.000000000 +0200
++++ openssl-1.1.1g/test/recipes/25-test_verify.t	2020-06-04 15:48:01.608178833 +0200
+@@ -346,8 +346,8 @@ ok(verify("ee-pss-sha1-cert", "sslserver
+ ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], ),
+     "CA with PSS signature using SHA256");
+ 
+-ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+-    "Reject PSS signature using SHA1 and auth level 2");
++ok(!verify("ee-pss-sha1-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "3"),
++    "Reject PSS signature using SHA1 and auth level 3");
+ 
+ ok(verify("ee-pss-sha256-cert", "sslserver", ["root-cert"], ["ca-cert"], "-auth_level", "2"),
+     "PSS signature using SHA256 and auth level 2");
diff --git a/openssl-1_1-serialize-jitterentropy-calls.patch b/openssl-1_1-serialize-jitterentropy-calls.patch
new file mode 100644
index 0000000..1cb6ba5
--- /dev/null
+++ b/openssl-1_1-serialize-jitterentropy-calls.patch
@@ -0,0 +1,80 @@
+---
+ crypto/fips/fips_entropy.c |   40 ++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+--- a/crypto/fips/fips_entropy.c
++++ b/crypto/fips/fips_entropy.c
+@@ -4,35 +4,71 @@
+ #include "jitterentropy.h"
+ 
+ static struct rand_data* ec = NULL;
++static CRYPTO_RWLOCK *jent_lock = NULL;
++static int stop = 0;
+ 
+ struct rand_data* FIPS_entropy_init(void)
+ {
+-    if (ec != NULL)
++    if (ec != NULL) {
+         /* Entropy source has been initiated and collector allocated */
+         return ec;
++    }
++    if (stop != 0) {
++        /* FIPS_entropy_cleanup() already called, don't initialize it again */
++        return NULL;
++    }
++    if (jent_lock == NULL) {
++        /* Allocates a new lock to serialize access to jent library */
++        jent_lock = CRYPTO_THREAD_lock_new();
++        if (jent_lock == NULL) {
++            return NULL;
++        }
++    }
++    if (CRYPTO_THREAD_write_lock(jent_lock) == 0) {
++        return NULL;
++    }
+     /* If the initialization is successful, the call returns with 0 */
+     if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0)
+         /* Allocate entropy collector */
+         ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS);
++    CRYPTO_THREAD_unlock(jent_lock);
+     return ec;
+ }
+ 
+ void FIPS_entropy_cleanup(void)
+ {
++    if (jent_lock != NULL && stop == 0) {
++        CRYPTO_THREAD_write_lock(jent_lock);
++    }
++    /* Disable re-initialization in FIPS_entropy_init() */
++    stop = 1;
+     /* Free entropy collector */
+     if (ec != NULL) {
+         jent_entropy_collector_free(ec);
+         ec = NULL;
+     }
++    CRYPTO_THREAD_lock_free(jent_lock);
++    jent_lock = NULL;
+ }
+ 
+ ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen)
+ {
+     ssize_t ent_bytes = -1;
+ 
+-    if (buf != NULL && buflen != 0 && FIPS_entropy_init()) {
++    /*
++     * Order is important. We need to call FIPS_entropy_init() before we
++     * acquire jent_lock, otherwise it can lead to deadlock. Once we have
++     * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called
++     * in the meantime. Then it's safe to read entropy.
++     */
++    if (buf != NULL
++        && buflen != 0
++        && FIPS_entropy_init()
++        && CRYPTO_THREAD_write_lock(jent_lock) != 0
++        && stop == 0) {
+         /* Get entropy */
+         ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen);
++        CRYPTO_THREAD_unlock(jent_lock);
+     }
+     return ent_bytes;
+ }
diff --git a/openssl-1_1-shortcut-test_afalg_aes_cbc.patch b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch
new file mode 100644
index 0000000..7e65401
--- /dev/null
+++ b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch
@@ -0,0 +1,14 @@
+diff --git a/test/afalgtest.c b/test/afalgtest.c
+index adb2977..c4f848a 100644
+--- a/test/afalgtest.c
++++ b/test/afalgtest.c
+@@ -43,6 +43,9 @@ static ENGINE *e;
+ #ifndef OPENSSL_NO_AFALGENG
+ static int test_afalg_aes_cbc(int keysize_idx)
+ {
++  /* This test fails in fips mode, so just shortcut out. */
++  if ( FIPS_mode()) return 1;
++
+     EVP_CIPHER_CTX *ctx;
+     const EVP_CIPHER *cipher;
+     unsigned char key[] = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b"
diff --git a/openssl-1_1-use-include-directive.patch b/openssl-1_1-use-include-directive.patch
new file mode 100644
index 0000000..a337507
--- /dev/null
+++ b/openssl-1_1-use-include-directive.patch
@@ -0,0 +1,29 @@
+Index: openssl-1.1.1m/apps/openssl.cnf
+===================================================================
+--- openssl-1.1.1m.orig/apps/openssl.cnf
++++ openssl-1.1.1m/apps/openssl.cnf
+@@ -11,6 +11,24 @@
+ # defined.
+ HOME			= .
+ 
++openssl_conf 		= openssl_init
++
++[ openssl_init ]
++
++engines		= engine_section
++
++[ engine_section ]
++
++# This include will look through the directory that will contain the
++# engine declarations for any engines provided by other packages.
++.include /etc/ssl/engines.d
++
++# This include will look through the directory that will contain the
++# definitions of the engines declared in the engine section.
++.include /etc/ssl/engdef.d
++
++[ oid_section ]
++
+ # Extra OBJECT IDENTIFIER info:
+ #oid_file		= $ENV::HOME/.oid
+ oid_section		= new_oids
diff --git a/openssl-1_1-use-seclevel2-in-tests.patch b/openssl-1_1-use-seclevel2-in-tests.patch
new file mode 100644
index 0000000..98687a0
--- /dev/null
+++ b/openssl-1_1-use-seclevel2-in-tests.patch
@@ -0,0 +1,38 @@
+Index: openssl-1.1.1d/test/ssl_test.c
+===================================================================
+--- openssl-1.1.1d.orig/test/ssl_test.c
++++ openssl-1.1.1d/test/ssl_test.c
+@@ -435,6 +440,7 @@ static int test_handshake(int idx)
+ #endif
+     if (test_ctx->method == SSL_TEST_METHOD_TLS) {
+         server_ctx = SSL_CTX_new(TLS_server_method());
++        SSL_CTX_set_security_level(server_ctx, 1);
+         if (!TEST_true(SSL_CTX_set_max_proto_version(server_ctx,
+                                                      TLS_MAX_VERSION)))
+             goto err;
+@@ -443,21 +449,25 @@ static int test_handshake(int idx)
+             SSL_TEST_SERVERNAME_CB_NONE) {
+             if (!TEST_ptr(server2_ctx = SSL_CTX_new(TLS_server_method())))
+                 goto err;
++            SSL_CTX_set_security_level(server2_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(server2_ctx,
+                                                          TLS_MAX_VERSION)))
+                 goto err;
+         }
+         client_ctx = SSL_CTX_new(TLS_client_method());
++        SSL_CTX_set_security_level(client_ctx, 1);
+         if (!TEST_true(SSL_CTX_set_max_proto_version(client_ctx,
+                                                      TLS_MAX_VERSION)))
+             goto err;
+ 
+         if (test_ctx->handshake_mode == SSL_TEST_HANDSHAKE_RESUME) {
+             resume_server_ctx = SSL_CTX_new(TLS_server_method());
++            SSL_CTX_set_security_level(resume_server_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_server_ctx,
+                                                      TLS_MAX_VERSION)))
+                 goto err;
+             resume_client_ctx = SSL_CTX_new(TLS_client_method());
++            SSL_CTX_set_security_level(resume_client_ctx, 1);
+             if (!TEST_true(SSL_CTX_set_max_proto_version(resume_client_ctx,
+                                                          TLS_MAX_VERSION)))
+                 goto err;
diff --git a/openssl-1_1.changes b/openssl-1_1.changes
new file mode 100644
index 0000000..5bf22d1
--- /dev/null
+++ b/openssl-1_1.changes
@@ -0,0 +1,2534 @@
+* Thu Jul 20 2023 pmonreal@suse.com
+- Security fix: [bsc#1213487, CVE-2023-3446]
+  * Fix DH_check() excessive time with over sized modulus.
+  * The function DH_check() performs various checks on DH parameters.
+    One of those checks confirms that the modulus ("p" parameter) is
+    not too large. Trying to use a very large modulus is slow and
+    OpenSSL will not normally use a modulus which is over 10,000 bits
+    in length.
+    However the DH_check() function checks numerous aspects of the
+    key or parameters that have been supplied. Some of those checks
+    use the supplied modulus value even if it has already been found
+    to be too large.
+    A new limit has been added to DH_check of 32,768 bits. Supplying
+    a key/parameters with a modulus over this size will simply cause
+    DH_check() to fail.
+  * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch
+* Wed Jun 14 2023 otto.hollmann@suse.com
+- Security Fix: [bsc#1207534, CVE-2022-4304]
+  * Reworked the Fix for the Timing Oracle in RSA Decryption
+    The previous fix for this timing side channel turned out to cause
+    a severe 2-3x performance regression in the typical use case
+    compared to 1.1.1s.
+  * Add openssl-CVE-2022-4304.patch
+  * Removed patches:
+  - openssl-CVE-2022-4304-1of2.patch
+  - openssl-CVE-2022-4304-2of2.patch
+  * Refreshed patches:
+  - openssl-CVE-2023-0464.patch
+  - openssl-CVE-2023-0465.patch
+* Wed May 31 2023 otto.hollmann@suse.com
+- Update further expiring certificates that affect tests [bsc#1201627]
+  * Add openssl-Update-further-expiring-certificates.patch
+* Mon May 22 2023 otto.hollmann@suse.com
+- Security Fix: [CVE-2023-2650, bsc#1211430]
+  * Possible DoS translating ASN.1 object identifiers
+  * Add openssl-CVE-2023-2650.patch
+* Mon Apr  3 2023 otto.hollmann@suse.com
+- Security Fix: [CVE-2023-0465, bsc#1209878]
+  * Invalid certificate policies in leaf certificates are silently ignored
+  * Add openssl-CVE-2023-0465.patch
+- Security Fix: [CVE-2023-0466, bsc#1209873]
+  * Certificate policy check not enabled
+  * Add openssl-CVE-2023-0466.patch
+* Fri Mar 24 2023 otto.hollmann@suse.com
+- Security Fix: [CVE-2023-0464, bsc#1209624]
+  * Excessive Resource Usage Verifying X.509 Policy Constraints
+  * Add openssl-CVE-2023-0464.patch
+* Tue Mar  7 2023 otto.hollmann@suse.com
+- FIPS: Service-level indicator [bsc#1208998]
+  * Add additional check required by FIPS 140-3. Minimum values for
+    PBKDF2 are: 112 bits for key, 128 bits for salt, 1000 for
+    iteration count and 20 characters for password.
+  * Add openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
+* Wed Feb  8 2023 otto.hollmann@suse.com
+- FIPS: Serialize jitterentropy calls [bsc#1207994]
+  * Add openssl-1_1-serialize-jitterentropy-calls.patch
+* Wed Jan 25 2023 pmonreal@suse.com
+- Security Fix: [bsc#1207533, CVE-2023-0286]
+  * Fix X.400 address type confusion in X.509 GENERAL_NAME_cmp
+    for x400Address
+  * Add openssl-CVE-2023-0286.patch
+* Wed Jan 25 2023 pmonreal@suse.com
+- Security Fix: [bsc#1207536, CVE-2023-0215]
+  * Use-after-free following BIO_new_NDEF()
+  * Add patches:
+  - openssl-CVE-2023-0215-1of4.patch
+  - openssl-CVE-2023-0215-2of4.patch
+  - openssl-CVE-2023-0215-3of4.patch
+  - openssl-CVE-2023-0215-4of4.patch
+* Wed Jan 25 2023 pmonreal@suse.com
+- Security Fix: [bsc#1207538, CVE-2022-4450]
+  * Double free after calling PEM_read_bio_ex()
+  * Add patches:
+  - openssl-CVE-2022-4450-1of2.patch
+  - openssl-CVE-2022-4450-2of2.patch
+* Wed Jan 25 2023 pmonreal@suse.com
+- Security Fix: [bsc#1207534, CVE-2022-4304]
+  * Timing Oracle in RSA Decryption
+  * Add patches:
+  - openssl-CVE-2022-4304-1of2.patch
+  - openssl-CVE-2022-4304-2of2.patch
+* Fri Dec  2 2022 otto.hollmann@suse.com
+- POWER10 performance enhancements for cryptography [jsc#PED-512]
+  * openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
+  * openssl-1_1-Fixed-counter-overflow.patch
+  * openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
+  * openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
+  * openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
+* Mon Nov 21 2022 pmonreal@suse.com
+- FIPS: Service-level indicator [bsc#1190651]
+  * Mark PBKDF2 with key shorter than 112 bits as non-approved
+  * Add openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
+* Wed Nov 16 2022 pmonreal@suse.com
+- FIPS: Service-level indicator [bsc#1190651]
+  * Consider RSA siggen/sigver with PKCS1 padding also approved
+  * Add openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
+* Wed Nov 16 2022 pmonreal@suse.com
+- FIPS: Service-level indicator [bsc#1190651]
+  * Return the correct indicator for a given EC group order bits
+  * Add openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
+* Fri Oct 28 2022 pmonreal@suse.com
+- FIPS: Add a missing dependency on jitterentropy-devel for
+  libopenssl-1_1-devel [bsc#1202148]
+* Wed Oct  5 2022 otto.hollmann@suse.com
+- FIPS: OpenSSL service-level indicator - Allow AES XTS 256 [bsc#1190651]
+  * Add patches: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
+* Fri Sep 16 2022 pmonreal@suse.com
+- FIPS: Default to RFC-7919 groups for genparam and dhparam
+  * Add openssl-1_1-FIPS-default-RFC7919.patch [bsc#1180995]
+* Fri Sep  9 2022 otto.hollmann@suse.com
+- FIPS: list only FIPS approved digest and public key algorithms
+  [bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472]
+  * Add openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
+  * Disabled test 15-test_ec.t in FIPS mode
+* Fri Sep  2 2022 pmonreal@suse.com
+- FIPS: Add KAT for the RAND_DRBG implementation [bsc#1203069]
+  * Add openssl-1_1-fips-drbg-selftest.patch
+* Fri Sep  2 2022 pmonreal@suse.com
+- FIPS: openssl: RAND api should call into FIPS DRBG [bsc#1201293]
+  * The FIPS_drbg implementation is not FIPS validated anymore. To
+    provide backwards compatibility for applications that need FIPS
+    compliant RNG number generation and use FIPS_drbg_generate,
+    this function was re-wired to call the FIPS validated DRBG
+    instance instead through the RAND_bytes() call.
+  * Add openssl-1_1-FIPS_drbg-rewire.patch
+* Thu Sep  1 2022 otto.hollmann@suse.com
+- Fix memory leaks introduced by openssl-1.1.1-fips.patch [bsc#1203046]
+  * Add patch openssl-1.1.1-fips-fix-memory-leaks.patch
+* Tue Aug 30 2022 otto.hollmann@suse.com
+- FIPS: OpenSSL: Port openssl to use jitterentropy
+  [bsc#1202148, jsc#SLE-24941]
+  * Add openssl-1_1-jitterentropy-3.4.0.patch
+  * Add build dependency on jitterentropy-devel >= 3.4.0 and
+    libjitterentropy3 >= 3.4.0
+* Thu Jul 21 2022 pmonreal@suse.com
+- FIPS: OpenSSL Provide a service-level indicator [bsc#1190651]
+  * Add patches:
+  - openssl-1_1-ossl-sli-000-fix-build-error.patch
+  - openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
+  - openssl-1_1-ossl-sli-002-ran-make-update.patch
+  - openssl-1_1-ossl-sli-003-add-sli.patch
+* Thu Jul 21 2022 pmonreal@suse.com
+- FIPS: Add zeroization of temporary variables to the hmac integrity
+  function FIPSCHECK_verify(). [bsc#1190653]
+  * Add openssl-1_1-Zeroization.patch
+* Sun Jul  3 2022 jsikes@suse.com
+- Encrypt the sixteen bytes that were unencrypted in some circumstances
+  on 32-bit x86 platforms.
+  * [bsc#1201099, CVE-2022-2097]
+  * added openssl-CVE-2022-2097.patch
+* Fri Jun 17 2022 jsikes@suse.com
+- Added openssl-1_1-Fix-file-operations-in-c_rehash.patch
+  * bsc#1200550
+  * CVE-2022-2068
+  * Fixed more shell code injection issues in c_rehash
+* Thu Jun  2 2022 jsikes@suse.com
+- Added openssl-update_expired_certificates.patch
+  * Openssl failed tests because of expired certificates.
+  * bsc#1185637
+  * Sourced from https://github.com/openssl/openssl/pull/18446/commits
+* Mon May 30 2022 jsikes@suse.com
+- Security fix: [bsc#1199166, CVE-2022-1292]
+  * Added: openssl-CVE-2022-1292.patch
+  * properly sanitise shell metacharacters in c_rehash script.
+* Mon May  2 2022 jsikes@suse.com
+- FIPS: Added signature verification test to
+    bsc1185319-FIPS-KAT-for-ECDSA.patch
+* Thu Apr 21 2022 jsikes@suse.com
+- FIPS: add bsc1185319-FIPS-KAT-for-ECDSA.patch
+  * Known answer test for ECDSA
+  * bsc#1185319
+- FIPS: add bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+  * Enable tests for Deterministic Random Bit Generator
+  * bsc#1198207
+- Bypass a regression test that fails in FIPS mode.
+  * [openssl-1_1-shortcut-test_afalg_aes_cbc.patch]
+* Fri Mar 18 2022 pmonreal@suse.com
+- FIPS: Additional PBKDF2 requirements for KAT [bsc#1197280]
+  * The IG 10.3.A and SP800-132 require some minimum parameters for
+    the salt length, password length and iteration count. These
+    parameters should be also used in the KAT.
+  * Add openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+* Tue Mar 15 2022 pmonreal@suse.com
+- Security Fix: [bsc#1196877, CVE-2022-0778]
+  * Infinite loop in BN_mod_sqrt() reachable when parsing certificates
+  * Add openssl-CVE-2022-0778.patch openssl-CVE-2022-0778-tests.patch
+* Tue Mar 15 2022 pmonreal@suse.com
+- Added openssl-1_1-use-include-directive.patch so that the default
+  /etc/ssl/openssl.cnf file will include any configuration files that
+  other packages might place into /etc/ssl/engines.d/ and
+  /etc/ssl/engdef.d/ This is a fix for bsc#1004463 where scripting was
+  being used to modify the openssl.cnf file. The scripting would fail
+  if either the default openssl.cnf file, or the sample openssl-ibmca
+  configuration file would be changed by upstream.
+- Updated spec file to create the two new necessary directores for
+  the above patch. [bsc#1194187, bsc#1004463]
+* Thu Mar 10 2022 jsikes@suse.com
+- FIPS: add openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+  * bsc#1190652 - Provide a service to output module name/identifier
+    and version
+* Fri Mar  4 2022 pmonreal@suse.com
+- Security fix: [bsc#1192820, CVE-2002-20001]
+  * Fix DHEATER: The Diffie-Hellman Key Agreement Protocol allows
+    remote attackers (from the client side) to send arbitrary
+    numbers that are actually not public keys, and trigger
+    expensive server-side DHE calculation.
+  * Stop recommending the DHE in SSL_DEFAULT_SUSE_CIPHER_LIST
+  * Rebase openssl-DEFAULT_SUSE_cipher.patch
+* Tue Mar  1 2022 pmonreal@suse.com
+- FIPS: Reintroduce the FFC and ECC checks in openssl-DH.patch
+  that were removed in the update to 1.1.1l [bsc#1185313]
+* Tue Mar  1 2022 pmonreal@suse.com
+- FIPS: Fix sn_objs and ln_objs in crypto/objects/obj_mac.num
+  * Rebase openssl-DH.patch [bsc#1194327]
+- Merge openssl-keep_EVP_KDF_functions_version.patch into
+  openssl-1.1.1-evp-kdf.patch
+- Add function codes for pbkdf2, hkdf, tls and ssh selftests.
+  Rebase patches:
+  * openssl-fips-kdf-hkdf-selftest.patch
+  * openssl-kdf-selftest.patch
+  * openssl-kdf-ssh-selftest.patch
+  * openssl-kdf-tls-selftest.patch
+* Fri Feb 11 2022 pmonreal@suse.com
+- Pull libopenssl-1_1 when updating openssl-1_1 with the same
+  version. [bsc#1195792]
+* Fri Feb  4 2022 pmonreal@suse.com
+- FIPS: Fix function and reason error codes [bsc#1182959]
+  * Add openssl-1_1-FIPS-fix-error-reason-codes.patch
+* Thu Feb  3 2022 pmonreal@suse.com
+- Enable zlib compression support [bsc#1195149]
+* Thu Feb  3 2022 pmonreal@suse.com
+- Remove the openssl-has-RSA_get0_pss_params provides as it is
+  now fixed in the nodejs16 side [bsc#1192489]
+* Wed Feb  2 2022 pmonreal@suse.com
+- FIPS: Move the HMAC-SHA2-256 used for integrity test [bsc#1185320]
+  * Add openssl-FIPS-KAT-before-integrity-tests.patch
+* Wed Feb  2 2022 pmonreal@suse.com
+- FIPS: Add missing KAT for HKDF/TLS 1.3/IPSEC IKEv2 [bsc#1192442]
+  * Add openssl-fips-kdf-hkdf-selftest.patch
+* Fri Jan 28 2022 pmonreal@suse.com
+- Add a provides for openssl-has-RSA_get0_pss_params as required by
+  nodejs16. [bsc#1192489]
+* Thu Jan 13 2022 pmonreal@suse.com
+- Backport cryptographic improvements from OpenSSL 3 [jsc#SLE-19742]
+  * Optimize RSA on armv8: openssl-1_1-Optimize-RSA-armv8.patch
+  * Optimize AES-XTS mode for aarch64:
+    openssl-1_1-Optimize-AES-XTS-aarch64.patch
+  * Optimize AES-GCM for uarchs with unroll and new instructions:
+    openssl-1_1-Optimize-AES-GCM-uarchs.patch
+* Thu Dec 16 2021 pmonreal@suse.com
+- Add support for livepatches (jsc#SLE-20049).
+- Generate ipa-clones tarball artifact when livepatching is enabled.
+* Wed Nov 24 2021 pmonreal@suse.com
+- POWER10 performance enhancements for cryptography [jsc#SLE-18136]
+  * openssl-1_1-Optimize-ppc64.patch
+* Wed Oct 20 2021 jsikes@suse.com
+- Import centralized crypto policy profile from Factory [jsc#SLE-15832]
+  * openssl-1.1.1-system-cipherlist.patch
+  * openssl-1_1-disable-test_srp-sslapi.patch
+  * openssl-1_1-seclevel.patch
+  * openssl-1_1-use-seclevel2-in-tests.patch
+* Sun Sep 12 2021 jsikes@suse.com
+- Update to openssl-1.1.1l ('L' as in 'Lima') for SUSE-SLE-15-SP4
+  * jsc#SLE-19640, jsc#PM-2816
+- Changes in 1.1.1l:
+  * [bsc#1189520, CVE-2021-3711] Fixed an SM2 Decryption Buffer Overflow.
+  * [bsc#1189521, CVE-2021-3712] Fixed various read buffer overruns
+    processing ASN.1 strings
+- Changes in 1.1.1k
+  * Fixed a problem with verifying a certificate chain when using
+    the X509_V_FLAG_X509_STRICT flag. This flag enables additional
+    security checks of the certificates present in a certificate
+    chain. It is not set by default. ([CVE-2021-3450])
+    [bsc#1183851]
+  * Fixed an issue where an OpenSSL TLS server may crash if sent a
+    maliciously crafted renegotiation ClientHello message from a
+    client. If a TLSv1.2 renegotiation ClientHello omits the
+    signature_algorithms extension (where it was present in the
+    initial ClientHello), but includes a signature_algorithms_cert
+    extension then a NULL pointer dereference will result, leading
+    to a crash and a denial of service attack.
+    A server is only vulnerable if it has TLSv1.2 and renegotiation
+    enabled (which is the default configuration). OpenSSL TLS
+    clients are not impacted by this issue. ([CVE-2021-3449])
+    [bsc#1183852]
+- Changes in 1.1.1j
+  * Fixed the X509_issuer_and_serial_hash() function. It attempts
+    to create a unique hash value based on the issuer and serial
+    number data contained within an X509 certificate. However it
+    was failing to correctly handle any errors that may occur
+    while parsing the issuer field [bsc#1182331, CVE-2021-23841]
+  * Fixed the RSA_padding_check_SSLv23() function and the
+    RSA_SSLV23_PADDING padding mode to correctly check for
+    rollback attacks.
+  * Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and
+    EVP_DecryptUpdate functions. Previously they could overflow the
+    output length argument in some cases where the input length is
+    close to the maximum permissable length for an integer on the
+    platform. In such cases the return value from the function call
+    would be 1 (indicating success), but the output length value
+    would be negative. This could cause applications to behave
+    incorrectly or crash. [bsc#1182333, CVE-2021-23840]
+  * Fixed SRP_Calc_client_key so that it runs in constant time.
+    The previous implementation called BN_mod_exp without setting
+    BN_FLG_CONSTTIME. This could be exploited in a side channel
+    attack to recover the password. Since the attack is local host
+    only this is outside of the current OpenSSL threat model and
+    therefore no CVE is assigned.
+- Changes in 1.1.1i
+  * Fixed NULL pointer deref in GENERAL_NAME_cmp
+  * bsc#1179491, CVE-2020-1971
+- Changes in 1.1.1h
+  * Disallow explicit curve parameters in verifications chains when X509_V_FLAG_X509_STRICT is used
+  * Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS contexts
+- Changes in 1.1.1g
+  * Fixed segmentation fault in SSL_check_chain (CVE-2020-1967, bsc#1169407)
+    Server or client applications that call the SSL_check_chain() function
+    during or after a TLS 1.3 handshake may crash due to a NULL pointer
+    dereference as a result of incorrect handling of the
+    "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+    or unrecognised signature algorithm is received from the peer. This could
+    be exploited by a malicious peer in a Denial of Service attack.
+  * Added AES consttime code for no-asm configurations
+    an optional constant time support for AES was added
+    when building openssl for no-asm.
+- Changes in 1.1.1f
+  * Revert the unexpected EOF reporting via SSL_ERROR_SSL
+- Changes in 1.1.1e
+  * Properly detect EOF while reading in libssl. Previously if we hit an EOF
+    while reading in libssl then we would report an error back to the
+    application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
+    an error to the stack (which means we instead return SSL_ERROR_SSL) and
+    therefore give a hint as to what went wrong.
+  * Check that ed25519 and ed448 are allowed by the security level. Previously
+    signature algorithms not using an MD were not being checked that they were
+    allowed by the security level.
+  * Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
+    was not quite right. The behaviour was not consistent between resumption
+    and normal handshakes, and also not quite consistent with historical
+    behaviour. The behaviour in various scenarios has been clarified and
+    it has been updated to make it match historical behaviour as closely as
+    possible.
+  * Corrected the documentation of the return values from the EVP_DigestSign*
+    set of functions.  The documentation mentioned negative values for some
+    errors, but this was never the case, so the mention of negative values
+    was removed.
+  * Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
+    The presence of this system service is determined at run-time.
+  * Added newline escaping functionality to a filename when using openssl dgst.
+    This output format is to replicate the output format found in the '*sum'
+    checksum programs. This aims to preserve backward compatibility.
+  * Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
+    the first value.
+- Dropped the following patches:
+  * openssl-1_1-CVE-2019-1551.patch
+  * openssl-fips-dont_run_FIPS_module_installed.patch
+  * openssl-fips_fix_selftests_return_value.patch
+  * openssl-CVE-2020-1967.patch
+  * openssl-CVE-2020-1967-test1.patch
+  * openssl-CVE-2020-1967-test2.patch
+  * openssl-CVE-2020-1967-test3.patch
+  * openssl-CVE-2020-1971.patch
+  * openssl-CVE-2021-23840.patch
+  * openssl-CVE-2021-23841.patch
+  * openssl-1_1-CVE-2021-3449-NULL_pointer_deref_in_signature_algorithms.patch
+  * openssl-1.1.1-fips_list_ciphers.patch
+  * CVE-2021-3711-1-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
+  * CVE-2021-3711-2-Extend-tests-for-SM2-decryption.patch
+  * CVE-2021-3711-3-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
+  * CVE-2021-3712-Fix-read-buffer-overrun-in-X509_aux_print.patch
+  * CVE-2021-3712-other-ASN1_STRING-issues.patch
+- Rebased the following patches:
+  * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+  * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+  * openssl-1.1.0-issuer-hash.patch
+  * openssl-1.1.0-no-html.patch
+  * openssl-1.1.1-evp-kdf.patch
+  * openssl-1.1.1-fips-crng-test.patch
+  * openssl-1.1.1-fips-post-rand.patch
+  * openssl-1.1.1-fips.patch
+  * openssl-1.1.1-ssh-kdf.patch
+  * openssl-DH.patch
+  * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+  * openssl-assembly-pack-accelerate-scalar-multiplication.patch
+  * openssl-fips_selftest_upstream_drbg.patch
+  * openssl-kdf-selftest.patch
+  * openssl-kdf-ssh-selftest.patch
+  * openssl-kdf-tls-selftest.patch
+  * openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+  * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+* Sun Aug 29 2021 jsikes@suse.com
+- Other OpenSSL functions that print ASN.1 data have been found to assume that
+  the ASN1_STRING byte array will be NUL terminated, even though this is not
+  guaranteed for strings that have been directly constructed. Where an application
+  requests an ASN.1 structure to be printed, and where that ASN.1 structure
+  contains ASN1_STRINGs that have been directly constructed by the application
+  without NUL terminating the "data" field, then a read buffer overrun can occur.
+  * CVE-2021-3712 continued
+  * bsc#1189521
+  * Add CVE-2021-3712-other-ASN1_STRING-issues.patch
+  * Sourced from openssl-CVE-2021-3712.tar.bz2 posted on bsc-1189521
+    2021-08-24 00:47 PDT by Marcus Meissner
+* Wed Aug 18 2021 jsikes@suse.com
+- A bug in the implementation of the SM2 decryption code means that the
+  calculation of the buffer size required to hold the plaintext returned by the
+  first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
+  the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
+  called by the application a second time with a buffer that is too small.
+  * CVE-2021-3711
+  * bsc#1189520
+  * Add:
+    CVE-2021-3711-1-Correctly-calculate-the-length-of-SM2-plaintext-give.patch
+    CVE-2021-3711-2-Extend-tests-for-SM2-decryption.patch
+    CVE-2021-3711-3-Check-the-plaintext-buffer-is-large-enough-when-decr.patch
+- The function X509_aux_print() has a bug which may cause a read buffer overrun
+  when printing certificate details. A malicious actor could construct a
+  certificate to deliberately hit this bug, which may result in a crash of the
+  application (causing a Denial of Service attack).
+  * CVE-2021-3712
+  * bsc#1189521
+  * Add CVE-2021-3712-Fix-read-buffer-overrun-in-X509_aux_print.patch
+* Wed Apr  7 2021 jsikes@suse.com
+- Don't list disapproved cipher algorithms while in FIPS mode
+  * openssl-1.1.1-fips_list_ciphers.patch
+  * bsc#1161276
+* Tue Mar 23 2021 jsikes@suse.com
+- Fix NULL pointer deref in signature_algorithms
+  * CVE-2021-3449
+  * bsc#1183852
+  * Add openssl-1_1-CVE-2021-3449-NULL_pointer_deref_in_signature_algorithms.patch
+* Wed Mar  3 2021 pmonreal@suse.com
+- Security fixes:
+  * Integer overflow in CipherUpdate: Incorrect SSLv2 rollback
+    protection [bsc#1182333, CVE-2021-23840]
+  * Null pointer deref in X509_issuer_and_serial_hash()
+    [bsc#1182331, CVE-2021-23841]
+- Add openssl-CVE-2021-23840.patch openssl-CVE-2021-23841.patch
+* Tue Mar  2 2021 pmonreal@suse.com
+- Fix unresolved error codes [bsc#1182959]
+- Update openssl-1.1.1-fips.patch
+* Tue Dec  8 2020 vcizek@suse.com
+- Fix EDIPARTYNAME NULL pointer dereference
+  (CVE-2020-1971, bsc#1179491)
+  * add openssl-CVE-2020-1971.patch
+* Thu Oct  8 2020 pmonreal@suse.com
+- Restore private key check in EC_KEY_check_key [bsc#1177479]
+  * Update openssl-DH.patch
+* Tue Sep  8 2020 vcizek@suse.com
+- Add shared secret KAT to FIPS DH selftest [bsc#1175844]
+  * add openssl-fips-DH_selftest_shared_secret_KAT.patch
+* Thu Aug 27 2020 pmonreal@suse.com
+- Include ECDH/DH Requirements from SP800-56Arev3 [bsc#1175844, bsc#1173470]
+- Add patches:
+  * openssl-DH.patch
+  * openssl-kdf-selftest.patch
+  * openssl-kdf-tls-selftest.patch
+  * openssl-kdf-ssh-selftest.patch
+* Mon Apr 20 2020 pmonrealgonzalez@suse.com
+- Security fix: [bsc#1169407, CVE-2020-1967]
+  * Segmentation fault in SSL_check_chain: Server applications that
+    call the SSL_check_chain() function during or after a TLS handshake
+    may crash due to a NULL pointer dereference as a result of incorrect
+    handling of the signature_algorithms_cert TLS extension.
+- Add patches:
+  * openssl-CVE-2020-1967.patch
+  * openssl-CVE-2020-1967-test1.patch
+  * openssl-CVE-2020-1967-test2.patch
+  * openssl-CVE-2020-1967-test3.patch
+* Fri Mar 20 2020 vcizek@suse.com
+- openssl dgst: default to SHA256 only when called without a digest,
+  not when it couldn't be found (bsc#1166189)
+  * add openssl-unknown_dgst.patch
+* Wed Mar  4 2020 vcizek@suse.com
+- Limit the DRBG selftests to not deplete entropy (bsc#1165274)
+  * update openssl-fips_selftest_upstream_drbg.patch
+* Wed Feb 26 2020 vcizek@suse.com
+- Run FIPS DRBG selftests against the crypto/rand DRBG implementation
+  (bsc#1164557)
+  * add openssl-fips_selftest_upstream_drbg.patch
+* Fri Feb 21 2020 vcizek@suse.com
+- Use the newly build libcrypto shared library when computing the hmac
+  checksums in order to avoid a bootstrapping issue by BuildRequiring
+  libopenssl1_1 (bsc#1164102)
+* Thu Feb 13 2020 vcizek@suse.com
+- Fix wrong return values of FIPS DSA and ECDH selftests (bsc#1163569)
+  * add openssl-fips_fix_selftests_return_value.patch
+* Wed Feb 12 2020 jsikes@suse.com
+- Added SHA3 FIPS self-tests bsc#1155345
+  * openssl-fips-add-SHA3-selftest.patch
+* Tue Jan 28 2020 pmonrealgonzalez@suse.com
+- Support for CPACF enhancements - part 2 (crypto) [jsc#SLE-7403]
+- Add patches:
+  * openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+  * openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+* Thu Jan 23 2020 vcizek@suse.com
+- Temporarily ignore broken OPENSSL_INIT_NO_ATEXIT due to our
+  layered FIPS initialization (bsc#1161789)
+  * openssl-fips-ignore_broken_atexit_test.patch
+* Wed Jan 22 2020 vcizek@suse.com
+- Import FIPS patches from SLE-15
+  * openssl-fips-dont_run_FIPS_module_installed.patch
+  * openssl-fips_mode.patch
+  * openssl-ship_fips_standalone_hmac.patch
+  * openssl-fips-clearerror.patch
+  * openssl-fips-selftests_in_nonfips_mode.patch
+* Tue Jan 21 2020 vcizek@suse.com
+- Don't run FIPS power-up self-tests when the checksum files aren't
+  installed (bsc#1042392)
+  * add openssl-fips-run_selftests_only_when_module_is_complete.patch
+* Tue Jan 21 2020 vcizek@suse.com
+- Import FIPS patches from Fedora (bsc#1157702, jsc#SLE-9553)
+  * openssl-1.1.1-fips-crng-test.patch
+  * openssl-1.1.1-fips-post-rand.patch
+  * openssl-1.1.1-fips.patch
+  * openssl-1.1.0-issuer-hash.patch
+  * openssl-1.1.1-evp-kdf.patch
+  * openssl-1.1.1-ssh-kdf.patch replaces openssl-jsc-SLE-8789-backport_KDF.patch
+- keep EVP_KDF functions at version 1.1.1d for backward compatibility
+  * add openssl-keep_EVP_KDF_functions_version.patch
+* Fri Dec 20 2019 pmonrealgonzalez@suse.com
+- Support for CPACF enhancements - part 1 (crypto) [bsc#1152695, jsc#SLE-7861]
+- Add patches:
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+  * openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  * openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+  * openssl-s390xcpuid.pl-fix-comment.patch
+  * openssl-assembly-pack-accelerate-scalar-multiplication.patch
+  * openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+  * openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+  * openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+  * openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+  * openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+  * openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+  * openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+* Wed Dec 18 2019 vcizek@suse.com
+- Obsolete libopenssl-1_0_0-devel and libopenssl-1_0_0-hmac in order
+  to avoid conflict upon upgrade from SLE-12 (bsc#1158499)
+* Tue Dec 10 2019 pmonrealgonzalez@suse.com
+- Security fix: [bsc#1158809, CVE-2019-1551]
+  * Overflow bug in the x64_64 Montgomery squaring procedure used
+    in exponentiation with 512-bit moduli
+- Add openssl-1_1-CVE-2019-1551.patch
+* Fri Oct 11 2019 jsikes@suse.com
+- Fixed EVP_PBE_scrypt() to allow NULL salt values.
+  * Revealed by nodejs12 during bsc#1149572.
+  * Modified openssl-jsc-SLE-8789-backport_KDF.patch
+* Wed Sep 11 2019 vcizek@suse.com
+- Update to 1.1.1d (bsc#1133925, jsc#SLE-6430)
+  * Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
+    number generator (RNG). This was intended to include protection in the
+    event of a fork() system call in order to ensure that the parent and child
+    processes did not share the same RNG state. However this protection was not
+    being used in the default case.
+    (bsc#1150247, CVE-2019-1549)
+  * Compute ECC cofactors if not provided during EC_GROUP construction. Before
+    this change, EC_GROUP_set_generator would accept order and/or cofactor as
+    NULL. After this change, only the cofactor parameter can be NULL.
+    (bsc#1150003, CVE-2019-1547)
+  * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+    (bsc#1150250, CVE-2019-1563)
+  * For built-in EC curves, ensure an EC_GROUP built from the curve name is
+    used even when parsing explicit parameters, when loading a serialized key
+    or calling EC_GROUP_new_from_ecpkparameters()/EC_GROUP_new_from_ecparameters().
+  * Early start up entropy quality from the DEVRANDOM seed source has been
+    improved for older Linux systems.
+  * Changed DH_check to accept parameters with order q and 2q subgroups.
+    With order 2q subgroups the bit 0 of the private key is not secret
+    but DH_generate_key works around that by clearing bit 0 of the
+    private key for those. This avoids leaking bit 0 of the private key.
+  * Significantly reduce secure memory usage by the randomness pools.
+  * Revert the DEVRANDOM_WAIT feature for Linux systems
+- drop 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch (upstream)
+- refresh patches
+  * openssl-1.1.0-no-html.patch
+  * openssl-jsc-SLE-8789-backport_KDF.patch
+* Mon Sep  9 2019 jsikes@suse.com
+- To avoid seperate certification of openssh server / client
+  move the SSH KDF (Key Derivation Function) into openssl.
+  * jsc#SLE-8789
+  * Sourced from commit
+    8d76481b189b7195ef932e0fb8f0e23ab0120771#diff-a9562bc75317360a2e6b8b0748956e34
+    in openssl master (introduce the SSH KDF)
+    and commit 5a285addbf39f91d567f95f04b2b41764127950d
+    in openssl master (backport EVP/KDF API framework)
+  * added openssl-jsc-SLE-8789-backport_KDF.patch
+* Thu Aug 29 2019 vcizek@suse.com
+- Upgrade to 1.1.1c (jsc#SLE-9135, bsc#1148799)
+  * Support for TLSv1.3 added
+  * Allow GNU style "make variables" to be used with Configure.
+  * Add a STORE module (OSSL_STORE)
+  * Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
+  * Add multi-prime RSA (RFC 8017) support
+  * Add SM3 implemented according to GB/T 32905-2016
+  * Add SM4 implemented according to GB/T 32907-2016.
+  * Add 'Maximum Fragment Length' TLS extension negotiation and support
+  * Add ARIA support
+  * Add SHA3
+  * Rewrite of devcrypto engine
+  * Add support for SipHash
+  * Grand redesign of the OpenSSL random generator
+- drop FIPS support
+  * don't build with FIPS mode (not supported in 1.1.1)
+  - drop FIPS patches
+  * openssl-fips-clearerror.patch
+  * openssl-fips_disallow_ENGINE_loading.patch
+  * openssl-fips-dont-fall-back-to-default-digest.patch
+  * openssl-fips-dont_run_FIPS_module_installed.patch
+  * openssl-fips-fix-odd-rsakeybits.patch
+  * openssl-fips-rsagen-d-bits.patch
+  * openssl-fips-selftests_in_nonfips_mode.patch
+  * openssl-rsakeygen-minimum-distance.patch
+  * openssl-1.1.0-fips.patch
+- add TLS 1.3 ciphers to DEFAULT_SUSE
+- merge openssl-1.0.1e-add-suse-default-cipher.patch and
+  openssl-1.0.1e-add-test-suse-default-cipher-suite.patch to
+  openssl-DEFAULT_SUSE_cipher.patch
+- Use upstream patch for the locale crash (bsc#1135550)
+  * https://github.com/openssl/openssl/pull/8966
+  * add 0001-build_SYS_str_reasons-Fix-a-crash-caused-by-overlong.patch
+- drop patches (upstream):
+  * openssl-Bleichenbachers_CAT.patch
+  * openssl-CVE-2018-0734.patch
+  * openssl-CVE-2018-0735.patch
+  * openssl-CVE-2019-1543.patch
+  * openssl-disable_rsa_keygen_tests_with_small_modulus.patch
+  * openssl-dsa_paramgen2_check.patch
+  * openssl-One_and_Done.patch
+  * openssl-speed_skip_binary_curves_NO_EC2M.patch
+  * openssl-static-deps.patch
+  * openssl-urandom-reseeding.patch
+  * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
+  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+  * 0001-DSA-mod-inverse-fix.patch
+  * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch
+  * 0001-apps-speed-fix-segfault-while-looking-up-algorithm-n.patch
+- drop s390x patches (rebased):
+  * 0002-s390x-assembly-pack-add-KMA-code-path-for-aes-ctr.patch
+  * 0003-crypto-aes-asm-aes-s390x.pl-replace-decrypt-flag-by-.patch
+  * 0004-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
+  * 0005-s390x-assembly-pack-add-KMAC-code-path-for-aes-ccm.patch
+  * 0006-s390x-assembly-pack-add-KM-code-path-for-aes-ecb.patch
+  * 0007-s390x-assembly-pack-add-KMO-code-path-for-aes-ofb.patch
+  * 0008-s390x-assembly-pack-add-KMF-code-path-for-aes-cfb-cf.patch
+  * 0009-Fix-undefined-behavior-in-s390x-aes-gcm-ccm.patch
+  * 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+  * 0001-s390x-assembly-pack-extend-s390x-capability-vector.patch
+- add s390x patches:
+  * 0001-s390x-assembly-pack-perlasm-support.patch
+  * 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+  * 0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+  * 0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
+  * 0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
+  * 0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
+* Tue Mar 12 2019 vcizek@suse.com
+- Fix segfault in openssl speed when an unknown algorithm is passed
+  (bsc#1125494)
+  * add 0001-apps-speed-fix-segfault-while-looking-up-algorithm-n.patch
+- Correctly skip binary curves in openssl speed to avoid spitting
+  errors (bsc#1116833)
+  * add openssl-speed_skip_binary_curves_NO_EC2M.patch
+* Thu Mar  7 2019 vcizek@suse.com
+- OpenSSL Security Advisory [6 March 2019]
+  * Prevent long nonces in ChaCha20-Poly1305 (bsc#1128189, CVE-2019-1543)
+  * add openssl-CVE-2019-1543.patch
+* Mon Feb 11 2019 vcizek@suse.com
+- Add s390x poly1305 vectorized implementation (fate#326351)
+  * https://github.com/openssl/openssl/pull/7991
+- add 0001-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+* Tue Jan 22 2019 vcizek@suse.com
+- Add vectorized chacha20 implementation for s390x (fate#326561)
+  * https://github.com/openssl/openssl/pull/6919
+- add patches:
+  0001-s390x-assembly-pack-perlasm-support.patch
+  0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+* Tue Jan 22 2019 vcizek@suse.com
+- Replace fate#321518 s390x patches from closed pull request
+  https://github.com/openssl/openssl/pull/2859 with patches from
+  openssl git master (bsc#1122984)
+- add patches:
+  0001-s390x-assembly-pack-extend-s390x-capability-vector.patch
+  0002-s390x-assembly-pack-add-KMA-code-path-for-aes-ctr.patch
+  0003-crypto-aes-asm-aes-s390x.pl-replace-decrypt-flag-by-.patch
+  0004-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
+  0005-s390x-assembly-pack-add-KMAC-code-path-for-aes-ccm.patch
+  0006-s390x-assembly-pack-add-KM-code-path-for-aes-ecb.patch
+  0007-s390x-assembly-pack-add-KMO-code-path-for-aes-ofb.patch
+  0008-s390x-assembly-pack-add-KMF-code-path-for-aes-cfb-cf.patch
+  0009-Fix-undefined-behavior-in-s390x-aes-gcm-ccm.patch
+- drop patches:
+  0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
+  0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
+  0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
+  0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
+  0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+  0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
+  0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+* Fri Jan 18 2019 vcizek@suse.com
+- Fix FIPS RSA generator (bsc#1118913)
+  * import fixed openssl-1.1.0-fips.patch from Fedora
+  * drop openssl-CVE-2018-0737-fips.patch which got merged into
+    openssl-1.1.0-fips.patch
+  * refresh openssl-fips-rsagen-d-bits.patch
+* Thu Dec 20 2018 vcizek@suse.com
+- The 9 Lives of Bleichenbacher's CAT: Cache ATtacks on TLS
+  Implementations (bsc#1117951)
+  * https://github.com/openssl/openssl/issues/7739
+  * add patch openssl-Bleichenbachers_CAT.patch
+* Mon Nov  5 2018 vcizek@suse.com
+- OpenSSL Security Advisory [30 October 2018]
+  * Timing vulnerability in ECDSA signature generation
+    (bsc#1113651, CVE-2018-0735)
+  * Timing vulnerability in DSA signature generation
+    (bsc#1113652, CVE-2018-0734)
+  * And more timing fixes
+- Add patches:
+  * openssl-CVE-2018-0734.patch
+  * openssl-CVE-2018-0735.patch
+  * 0001-DSA-mod-inverse-fix.patch
+  * 0001-Add-a-constant-time-flag-to-one-of-the-bignums-to-av.patch
+* Tue Oct 23 2018 vcizek@suse.com
+- Obsolete libopenssl-1_0_0-devel by libopenssl-1_1-devel to avoid
+  conflicts when updating from older distributions (bsc#1106180)
+* Thu Oct 18 2018 vcizek@suse.com
+- Fix infinite loop in DSA generation with incorrect parameters
+  (bsc#1112209)
+  * add openssl-dsa_paramgen2_check.patch
+* Thu Oct 18 2018 vcizek@suse.com
+- Fix One&Done side-channel attack on RSA (bsc#1104789)
+  * add openssl-One_and_Done.patch
+* Tue Aug 14 2018 vcizek@suse.com
+- Update to 1.1.0i
+  - Align with SLE-12-SP4
+  OpenSSL Security Advisory [12 June 2018]
+  * Reject excessively large primes in DH key generation
+    (bsc#1097158, CVE-2018-0732)
+  * Make EVP_PKEY_asn1_new() a bit stricter about its input
+  * Revert blinding in ECDSA sign and instead make problematic addition
+    length-invariant. Switch even to fixed-length Montgomery multiplication.
+  * Change generating and checking of primes so that the error rate of not
+    being prime depends on the intended use based on the size of the input.
+  * Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+  * Add blinding to ECDSA and DSA signatures to protect against side channel
+    attacks
+  * When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+    now allow empty (zero character) pass phrases.
+  * Certificate time validation (X509_cmp_time) enforces stricter
+    compliance with RFC 5280. Fractional seconds and timezone offsets
+    are no longer allowed.
+  * Fixed a text canonicalisation bug in CMS
+- drop patches (upstream):
+  * 0001-Limit-scope-of-CN-name-constraints.patch
+  * 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
+  * 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
+  * 0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
+  * openssl-add-blinding-to-dsa.patch
+  * openssl-add-blinding-to-ecdsa.patch
+  * openssl-CVE-2018-0732.patch
+- refresh patches:
+  * openssl-1.1.0-fips.patch
+  * openssl-disable_rsa_keygen_tests_with_small_modulus.patch
+- rename openssl-CVE-2018-0737.patch to openssl-CVE-2018-0737-fips.patch
+  as it now only includes changes to the fips code
+* Thu Aug  2 2018 vcizek@suse.com
+- Add openssl(cli) Provide so the packages that require the openssl
+  binary can require this instead of the new openssl meta package
+  (bsc#1101470)
+- Don't Require openssl-1_1 from the devel package, just Recommend it
+* Wed Jul 25 2018 vcizek@suse.com
+- Suggest libopenssl1_1-hmac from libopenssl1_1 package to avoid
+  dependency issues during updates (bsc#1090765)
+* Wed Jul 25 2018 vcizek@suse.com
+- Relax CN name restrictions (bsc#1084011)
+  * added patches:
+    0001-Limit-scope-of-CN-name-constraints.patch
+    0002-Skip-CN-DNS-name-constraint-checks-when-not-needed.patch
+* Tue Jun 26 2018 sflees@suse.de
+- Reject excessively large primes in DH key generation (bsc#1097158,
+  CVE-2018-0732)
+  * openssl-CVE-2018-0732.patch
+- blinding enhancements for ECDSA and DSA (bsc#1097624, bsc#1098592)
+  * openssl-add-blinding-to-ecdsa.patch
+  * openssl-add-blinding-to-dsa.patch
+* Thu May 10 2018 vcizek@suse.com
+- OpenSSL Security Advisory [16 Apr 2018]
+  * Cache timing vulnerability in RSA Key Generation
+    (CVE-2018-0737, bsc#1089039)
+  * add openssl-CVE-2018-0737.patch
+* Thu May 10 2018 vcizek@suse.com
+- Fix escaping in c_rehash (boo#1091961, bsc#1091963)
+  * add 0001-Revert-util-dofile.pl-only-quote-stuff-that-actually.patch
+* Wed Mar 28 2018 vcizek@suse.com
+- Tolerate a Certificate using a non-supported group on server side
+  (boo#1084651)
+  * https://github.com/openssl/openssl/pull/5607
+  * add 0001-Tolerate-a-Certificate-using-a-non-supported-group-o.patch
+* Tue Mar 27 2018 vcizek@suse.com
+- Update to 1.1.0h
+  OpenSSL Security Advisory [27 Mar 2018]
+  * Constructed ASN.1 types with a recursive definition could exceed
+    the stack (CVE-2018-0739) (bsc#1087102)
+  * rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
+    (bsc#1071906)
+- refresh patches:
+  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+  * openssl-1.1.0-fips.patch
+  * openssl-pkgconfig.patch
+  * openssl-rsakeygen-minimum-distance.patch
+  * openssl-static-deps.patch
+* Tue Feb 27 2018 dimstar@opensuse.org
+- Move the libopenssl1_1_0-32bit obsoletes in baselibs.conf to the
+  new libopenssl1_1-32bit: it does not belong to the devel
+  package.
+* Fri Feb 16 2018 vcizek@suse.com
+- Renamed from openssl-1_1_0 (bsc#1081335)
+  * All the minor versions of the 1.1.x openssl branch have the same
+    sonum and keep ABI compatibility
+  * obsolete the 1_1_0 packages
+- update baselibs.conf with the new version names
+* Thu Feb 15 2018 tchvatal@suse.com
+- Remove bit obsolete syntax
+- Use %%license macro
+* Mon Jan 22 2018 schwab@suse.de
+- Don't disable afalgeng on aarch64
+* Tue Jan  9 2018 vcizek@suse.com
+- Add support for s390x CPACF enhancements (fate#321518)
+  patches taken from https://github.com/openssl/openssl/pull/2859:
+  * 0002-crypto-modes-asm-ghash-s390x.pl-fix-gcm_gmult_4bit-K.patch
+  * 0004-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+  * 0005-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+  * 0006-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  * 0007-crypto-evp-e_aes.c-add-foundations-for-extended-s390.patch
+  * 0008-s390x-assembly-pack-extended-s390x-capability-vector.patch
+  * 0009-crypto-aes-asm-aes-s390x.pl-add-KMA-code-path.patch
+  * 0010-doc-man3-OPENSSL_s390xcap.pod-update-KMA.patch
+  * 0011-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+  * 0012-s390x-assembly-pack-add-KMA-code-path-for-aes-gcm.patch
+  * 0013-crypto-aes-asm-aes-s390x.pl-add-CFI-annotations-KMA-.patch
+* Tue Nov 28 2017 dimstar@opensuse.org
+- Do not filter pkgconfig() provides/requires.
+* Tue Nov 28 2017 dimstar@opensuse.org
+- Obsolete openssl-1_0_0 by openssl-1_1_0: this is required for a
+  clean upgrade path as an aid to zypp (boo#1070003).
+* Thu Nov  2 2017 vcizek@suse.com
+- Update to 1.1.0g
+  OpenSSL Security Advisory [02 Nov 2017]
+  * bn_sqrx8x_internal carry bug on x86_64
+    (CVE-2017-3736) (bsc#1066242)
+  * Malformed X.509 IPAddressFamily could cause OOB read
+    (CVE-2017-3735) (bsc#1056058)
+- drop 0001-Fix-a-TLSProxy-race-condition.patch (upstream)
+- refresh 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+* Fri Sep  1 2017 vcizek@suse.com
+- update DEFAULT_SUSE cipher list (bsc#1055825)
+  * add CHACHA20-POLY1305
+  * add ECDSA ciphers
+  * remove 3DES
+- modified openssl-1.0.1e-add-suse-default-cipher.patch
+* Tue Aug 15 2017 meissner@suse.com
+- do not require openssl1_1_0-targettype in devel-targettype, as it
+  is not built (it has no libraries)
+* Mon Aug  7 2017 jengelh@inai.de
+- The description is supposed to describe the package, not the
+  development process or history. (Synchronize with the
+  already-updates descriptions in openssl-1_0_0.)
+- Update historic copypasted boilerplate summaries
+  ("include files mandatory for development")
+* Thu Aug  3 2017 tchvatal@suse.com
+- Disable the verbosity of the tests as we expose yet another race
+  condition in that
+* Tue Jul 18 2017 vcizek@suse.com
+- Fix a race condition in tests to make the package build reliably
+  * https://github.com/openssl/openssl/issues/3562
+  * 0001-Fix-a-TLSProxy-race-condition.patch
+* Tue Jul 18 2017 jimmy@boombatower.com
+- Add Provides and Conflicts for -devel package in baselibs.conf.
+* Sun Jun 25 2017 tchvatal@suse.com
+- Add patch openssl-no-date.patch to disable date inclusion in most
+  of the binaries
+- Use autopatch to make things smaller
+- Enable verbose output on the tests
+- Paralelize depmod
+* Mon May 29 2017 vcizek@suse.com
+- update to 1.1.0f
+  * bugfix only release
+- disable RSA keygen tests, because they use too small modulus, which
+  is rejected by our CC/FIPS hardening patches
+  * added openssl-disable_rsa_keygen_tests_with_small_modulus.patch
+- refreshed openssl-rsakeygen-minimum-distance.patch and
+  0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+* Wed May 10 2017 tchvatal@suse.com
+- Add conflict for any libopenssl-devel that is not in our version
+* Wed May 10 2017 tchvatal@suse.com
+- Avoid the requires conflict between 1.1 and 1.0 openssl
+* Fri May  5 2017 tchvatal@suse.com
+- Add conflict on docu packages
+* Wed May  3 2017 vcizek@suse.com
+- drop unnecessary README.SUSE
+* Wed May  3 2017 vcizek@suse.com
+- add openssl-1.1-fix-ppc64.patch from Marcus Meissner to fix build
+  on ppc64
+* Wed May  3 2017 tchvatal@suse.com
+- Fix build on aarch64
+* Wed May  3 2017 tchvatal@suse.com
+- Remove libpadlock conditional, no longer present
+* Tue May  2 2017 tchvatal@suse.com
+- Update baselibs.conf to contain all the renamed packages
+* Wed Apr 26 2017 vcizek@suse.com
+- re-enable tests on SLE-12 and below despite current failure, so
+  they are automatically run once the issue is resolved
+* Wed Apr 26 2017 tchvatal@suse.com
+- Filter out the pkgconfig provides to force usage of the main
+  openssl package provides
+* Fri Apr 21 2017 vcizek@suse.com
+- disable tests on SLE-12 and its derivates
+  * they fail because of glibc bug bsc#1035445
+- remove README-FIPS.txt (outdated)
+* Thu Apr 20 2017 vcizek@suse.com
+- drop openssl-fipslocking.patch
+  The locking in 1.1.0 has been rewritten and converted to the new
+  threading API. The fips deadlock (at least bsc#991193) can't be
+  reproduced anymore.
+- don't ship useless INSTALL* files
+* Thu Apr 20 2017 vcizek@suse.com
+- simplify openssl-fips-dont-fall-back-to-default-digest.patch
+  The -non-fips-allow option was dropped in OpenSSL 1.1.0
+- drop openssl-no-egd.patch as OpenSSL 1.1.0 disables EGD at compile
+  time by default
+- renumber the patches so the numbers are consequent
+* Tue Apr 18 2017 tchvatal@suse.com
+- Update showciphers.c to work with new openssl
+* Tue Apr 18 2017 tchvatal@suse.com
+- Add patch openssl-static-deps.patch to allow dependencies on
+  statically build libraries
+- Refresh openssl-1-1.0-fips.patch to take in use the above approach
+- Silence the install manpage rename phase
+* Thu Apr 13 2017 tchvatal@suse.com
+- Start update to 1.1.0e basing of the 1.0.0 split release
+- Drop patch merge_from_0.9.8k.patch the ppc64 should work out of the
+  box
+- Drop patch openssl-engines-path.patch converted to configure option
+- Drop patch openssl-1.0.2a-padlock64.patch code behind was redone
+  does not apply at all
+- Drop patch openssl-fix-pod-syntax.diff mostly merged upstream or
+  not applicable
+- Drop patch compression_methods_switch.patch as we do not need
+  to keep the compat on this release anymore
+- Drop patch openssl-1.0.2a-ipv6-apps.patch which was upstreamed
+- Drop upstreamed patch openssl-1.0.2a-default-paths.patch
+- Drop obsolete patch openssl-1.0.0-c_rehash-compat.diff
+- Drop obsolete patch openssl-missing_FIPS_ec_group_new_by_curve_name.patch
+- Drop obsolete patch openssl-print_notice-NULL_crash.patch
+- Drop obsolete patch openssl-randfile_fread_interrupt.patch
+- Refresh patch openssl-truststore.patch
+- Refresh baselibs.conf to correctly reflect soname
+- Add patch openssl-1.1.0-fips.patch obsoleting bunch of older:
+  * openssl-1.0.2i-fips.patch
+  * openssl-1.0.2a-fips-ec.patch
+  * openssl-1.0.2a-fips-ctor.patch
+  * openssl-1.0.2i-new-fips-reqs.patch
+  * openssl-fips_disallow_x931_rand_method.patch
+- Add new patch for upstream:
+  * 0001-Resume-reading-from-randfile-when-interrupted-by-a-s.patch
+- Refresh patch openssl-pkgconfig.patch
+- Drop patch openssl-gcc-attributes.patch as the code was redone
+- Rebase patch 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+- Rebase patch openssl-no-egd.patch
+- Rebase patch openssl-1.0.1e-add-suse-default-cipher.patch and
+  openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+- Rebase patch openssl-fips_disallow_ENGINE_loading.patch
+- Rebase patch openssl-urandom-reseeding.patch
+- Rebase patch openssl-fips-rsagen-d-bits.patch
+- Rebase patch openssl-fips-selftests_in_nonfips_mode.patch
+- Remove switch for ssl2 - no longer present
+- Remve the buildinf.h parsing, should no longer be needed
+- Drop the rehash in build, no longer needed
+- Drop openssl-fips-hidden.patch as it is not really needed
+- Do not sed in secure_getenv upstream does it in code on their own
+- Do not install html converted manpages
+  * openssl-1.1.0-no-html.patch
+* Thu Apr 13 2017 tchvatal@suse.com
+- Drop the symbol hiding patches to ease maintenance updates:
+  * 0005-libssl-Hide-library-private-symbols.patch
+  * 0001-libcrypto-Hide-library-private-symbols.patch
+* Thu Apr 13 2017 tchvatal@suse.com
+- Add new patch for engines folders to allow co-installation
+  * openssl-engines-path.patch
+* Thu Apr 13 2017 tchvatal@suse.com
+- Drop openssl-ocloexec.patch as it causes additional maintenance
+  burden we would like to avoid
+* Thu Apr 13 2017 tchvatal@suse.com
+- Drop bug610223.patch as we moved to libdir
+* Thu Apr 13 2017 tchvatal@suse.com
+- Move check to %%check phase
+- Split showciphers to separate file
+* Wed Apr 12 2017 tchvatal@suse.com
+- Move openssl to /usr/lib64 from /lib64
+* Wed Apr 12 2017 tchvatal@suse.com
+- Remove some of the DSO setting code that is not needed
+- Fix the showciphers binary
+* Wed Apr 12 2017 tchvatal@suse.com
+- Rename to openssl-1_0_0 to allow instalation of multiple versions
+* Tue Apr  4 2017 tchvatal@suse.com
+- Remove O3 from optflags, no need to not rely on distro wide settings
+- Remove conditions for sle10 and sle11, we care only about sle12+
+- USE SUSE instead of SuSE in readme
+- Pass over with spec-cleaner
+* Thu Feb  2 2017 vcizek@suse.com
+- fix X509_CERT_FILE path (bsc#1022271) and rename
+  updated openssl-1.0.1e-truststore.diff to openssl-truststore.patch
+* Fri Jan 27 2017 meissner@suse.com
+- Updated to openssl 1.0.2k
+  - bsc#1009528 / CVE-2016-7055: openssl: Montgomery multiplication may produce incorrect results
+  - bsc#1019334 / CVE-2016-7056: openssl: ECSDA P-256 timing attack key recovery
+  - bsc#1022085 / CVE-2017-3731: openssl: Truncated packet could crash via OOB read
+  - bsc#1022086 / CVE-2017-3732: openssl: BN_mod_exp may produce incorrect results on x86_64
+* Fri Sep 30 2016 vcizek@suse.com
+- resume reading from /dev/urandom when interrupted by a signal
+  (bsc#995075)
+  * add openssl-randfile_fread_interrupt.patch
+* Fri Sep 30 2016 vcizek@suse.com
+- add FIPS changes from SP2:
+- fix problems with locking in FIPS mode (bsc#992120)
+  * duplicates: bsc#991877, bsc#991193, bsc#990392, bsc#990428
+    and bsc#990207
+  * bring back openssl-fipslocking.patch
+- drop openssl-fips_RSA_compute_d_with_lcm.patch (upstream)
+  (bsc#984323)
+- don't check for /etc/system-fips (bsc#982268)
+  * add openssl-fips-dont_run_FIPS_module_installed.patch
+- refresh openssl-fips-rsagen-d-bits.patch
+* Tue Sep 27 2016 michael@stroeder.com
+- update to openssl-1.0.2j
+  * Missing CRL sanity check (CVE-2016-7052 bsc#1001148)
+* Fri Sep 23 2016 vcizek@suse.com
+- OpenSSL Security Advisory [22 Sep 2016] (bsc#999665)
+  Severity: High
+  * OCSP Status Request extension unbounded memory growth
+    (CVE-2016-6304) (bsc#999666)
+  Severity: Low
+  * Pointer arithmetic undefined behaviour (CVE-2016-2177) (bsc#982575)
+  * Constant time flag not preserved in DSA signing (CVE-2016-2178) (bsc#983249)
+  * DTLS buffered message DoS (CVE-2016-2179) (bsc#994844)
+  * OOB read in TS_OBJ_print_bio() (CVE-2016-2180) (bsc#990419)
+  * DTLS replay protection DoS (CVE-2016-2181) (bsc#994749)
+  * OOB write in BN_bn2dec() (CVE-2016-2182) (bsc#993819)
+  * Birthday attack against 64-bit block ciphers (SWEET32)
+    (CVE-2016-2183) (bsc#995359)
+  * Malformed SHA512 ticket DoS (CVE-2016-6302) (bsc#995324)
+  * OOB write in MDC2_Update() (CVE-2016-6303) (bsc#995377)
+  * Certificate message OOB reads (CVE-2016-6306) (bsc#999668)
+- update to openssl-1.0.2i
+  * remove patches:
+    openssl-1.0.2a-new-fips-reqs.patch
+    openssl-1.0.2e-fips.patch
+  * add patches:
+    openssl-1.0.2i-fips.patch
+    openssl-1.0.2i-new-fips-reqs.patch
+* Wed Aug  3 2016 vcizek@suse.com
+- fix crash in print_notice (bsc#998190)
+  * add openssl-print_notice-NULL_crash.patch
+* Tue May  3 2016 vcizek@suse.com
+- OpenSSL Security Advisory [3rd May 2016]
+- update to 1.0.2h (boo#977584, boo#977663)
+  * Prevent padding oracle in AES-NI CBC MAC check
+    A MITM attacker can use a padding oracle attack to decrypt traffic
+    when the connection uses an AES CBC cipher and the server support
+    AES-NI.
+    (CVE-2016-2107, boo#977616)
+  * Fix EVP_EncodeUpdate overflow
+    An overflow can occur in the EVP_EncodeUpdate() function which is used for
+    Base64 encoding of binary data. If an attacker is able to supply very large
+    amounts of input data then a length check can overflow resulting in a heap
+    corruption.
+    (CVE-2016-2105, boo#977614)
+  * Fix EVP_EncryptUpdate overflow
+    An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+    is able to supply very large amounts of input data after a previous call to
+    EVP_EncryptUpdate() with a partial block then a length check can overflow
+    resulting in a heap corruption.
+    (CVE-2016-2106, boo#977615)
+  * Prevent ASN.1 BIO excessive memory allocation
+    When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+    a short invalid encoding can casuse allocation of large amounts of memory
+    potentially consuming excessive resources or exhausting memory.
+    (CVE-2016-2109, boo#976942)
+  * EBCDIC overread
+    ASN1 Strings that are over 1024 bytes can cause an overread in applications
+    using the X509_NAME_oneline() function on EBCDIC systems. This could result
+    in arbitrary stack data being returned in the buffer.
+    (CVE-2016-2176, boo#978224)
+  * Modify behavior of ALPN to invoke callback after SNI/servername
+    callback, such that updates to the SSL_CTX affect ALPN.
+  * Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+    default.
+  * Only remove the SSLv2 methods with the no-ssl2-method option. When the
+    methods are enabled and ssl2 is disabled the methods return NULL.
+* Fri Apr 15 2016 dvaleev@suse.com
+- Remove a hack for bsc#936563
+- Drop bsc936563_hack.patch
+* Fri Apr 15 2016 vcizek@suse.com
+- import fips patches from SLE-12
+  * openssl-fips-clearerror.patch
+  * openssl-fips-dont-fall-back-to-default-digest.patch
+  * openssl-fips-fix-odd-rsakeybits.patch
+  * openssl-fips-rsagen-d-bits.patch
+  * openssl-fips-selftests_in_nonfips_mode.patch
+  * openssl-fips_RSA_compute_d_with_lcm.patch
+  * openssl-fips_disallow_ENGINE_loading.patch
+  * openssl-fips_disallow_x931_rand_method.patch
+  * openssl-rsakeygen-minimum-distance.patch
+  * openssl-urandom-reseeding.patch
+* Tue Mar  8 2016 vcizek@suse.com
+- add support for "ciphers" providing no encryption (bsc#937085)
+  * don't build with -DSSL_FORBID_ENULL
+* Tue Mar  1 2016 vcizek@suse.com
+- update to 1.0.2g (bsc#968044)
+  * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
+    Builds that are not configured with "enable-weak-ssl-ciphers" will not
+    provide any "EXPORT" or "LOW" strength ciphers.
+  * Disable SSLv2 default build, default negotiation and weak ciphers.  SSLv2
+    is by default disabled at build-time.  Builds that are not configured with
+    "enable-ssl2" will not support SSLv2.  Even if "enable-ssl2" is used,
+    users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
+    will need to explicitly call either of:
+    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
+    or
+    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
+    (CVE-2016-0800)
+  * Fix a double-free in DSA code
+    (CVE-2016-0705)
+  * Disable SRP fake user seed to address a server memory leak.
+    Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
+    (CVE-2016-0798)
+  * Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+    (CVE-2016-0797)
+  * ) Side channel attack on modular exponentiation
+    http://cachebleed.info.
+    (CVE-2016-0702)
+  * ) Change the req app to generate a 2048-bit RSA/DSA key by default,
+    if no keysize is specified with default_bits. This fixes an
+    omission in an earlier change that changed all RSA/DSA key generation
+    apps to use 2048 bits by default.
+* Thu Jan 28 2016 vcizek@suse.com
+- update to 1.0.2f (boo#963410)
+  * ) DH small subgroups (boo#963413)
+    Historically OpenSSL only ever generated DH parameters based on "safe"
+    primes. More recently (in version 1.0.2) support was provided for
+    generating X9.42 style parameter files such as those required for RFC 5114
+    support. The primes used in such files may not be "safe". Where an
+    application is using DH configured with parameters based on primes that are
+    not "safe" then an attacker could use this fact to find a peer's private
+    DH exponent. This attack requires that the attacker complete multiple
+    handshakes in which the peer uses the same private DH exponent. For example
+    this could be used to discover a TLS server's private DH exponent if it's
+    reusing the private DH exponent or it's using a static DH ciphersuite.
+    (CVE-2016-0701)
+  * ) SSLv2 doesn't block disabled ciphers (boo#963415)
+    A malicious client can negotiate SSLv2 ciphers that have been disabled on
+    the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+    been disabled, provided that the SSLv2 protocol was not also disabled via
+    SSL_OP_NO_SSLv2.
+    (CVE-2015-3197)
+  * ) Reject DH handshakes with parameters shorter than 1024 bits.
+* Fri Dec  4 2015 vcizek@suse.com
+- update to 1.0.2e
+  * fixes five security vulnerabilities
+  * Anon DH ServerKeyExchange with 0 p parameter
+    (CVE-2015-1794) (bsc#957984)
+  * BN_mod_exp may produce incorrect results on x86_64
+    (CVE-2015-3193) (bsc#957814)
+  * Certificate verify crash with missing PSS parameter
+    (CVE-2015-3194) (bsc#957815)
+  * X509_ATTRIBUTE memory leak
+    (CVE-2015-3195) (bsc#957812)
+  * Race condition handling PSK identify hint
+    (CVE-2015-3196) (bsc#957813)
+- pulled a refreshed fips patch from Fedora
+  * openssl-1.0.2a-fips.patch was replaced by
+    openssl-1.0.2e-fips.patch
+- refresh openssl-ocloexec.patch
+* Thu Jul  9 2015 vcizek@suse.com
+- update to 1.0.2d
+  * fixes CVE-2015-1793 (bsc#936746)
+  Alternate chains certificate forgery
+    During certificate verfification, OpenSSL will attempt to find an
+    alternative certificate chain if the first attempt to build such a chain
+    fails. An error in the implementation of this logic can mean that an
+    attacker could cause certain checks on untrusted certificates to be
+    bypassed, such as the CA flag, enabling them to use a valid leaf
+    certificate to act as a CA and "issue" an invalid certificate.
+- drop openssl-fix_invalid_manpage_name.patch (upstream)
+* Thu Jul  2 2015 dvaleev@suse.com
+- Workaround debugit crash on ppc64le with gcc5
+  bsc936563_hack.patch (bsc#936563)
+* Wed Jul  1 2015 normand@linux.vnet.ibm.com
+- update merge_from_0.9.8k.patch replacing __LP64__ by __LP64
+  this is a change versus previous request 309611
+  required to avoid build error for ppc64
+* Fri Jun 26 2015 crrodriguez@opensuse.org
+- Build with no-ssl3, for details on why this is needed read
+  rfc7568. Contrary to the "no-ssl2" option, this does not
+  require us to patch dependant packages as the relevant
+  functions are still available (SSLv3_(client|server)_method)
+  but will fail to negotiate. if removing SSL3 methods is desired
+  at a later time, option "no-ssl3-method" needs to be used.
+* Fri Jun 12 2015 vcizek@suse.com
+- update to 1.0.2c
+  * Fix HMAC ABI incompatibility
+- refreshed openssl-1.0.2a-fips.patch
+* Thu Jun 11 2015 vcizek@suse.com
+- update to 1.0.2b
+  * Malformed ECParameters causes infinite loop (CVE-2015-1788)
+  * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
+  * PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
+  * CMS verify infinite loop with unknown hash function (CVE-2015-1792)
+  * Race condition handling NewSessionTicket (CVE-2015-1791)
+- refreshed patches:
+  * 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+  * 0001-libcrypto-Hide-library-private-symbols.patch
+  * openssl-1.0.2a-default-paths.patch
+  * openssl-1.0.2a-fips.patch
+  * compression_methods_switch.patch
+  * openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+* Sun May 24 2015 vcizek@suse.com
+- update to 1.0.2a
+  * Major changes since 1.0.1:
+  - Suite B support for TLS 1.2 and DTLS 1.2
+  - Support for DTLS 1.2
+  - TLS automatic EC curve selection.
+  - API to set TLS supported signature algorithms and curves
+  - SSL_CONF configuration API.
+  - TLS Brainpool support.
+  - ALPN support.
+  - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
+- packaging changes:
+  * merged patches modifying CIPHER_LIST into one, dropping:
+  - openssl-1.0.1e-add-suse-default-cipher-header.patch
+  - openssl-libssl-noweakciphers.patch
+  * fix a manpage with invalid name
+  - added openssl-fix_invalid_manpage_name.patch
+  * remove a missing fips function
+  - openssl-missing_FIPS_ec_group_new_by_curve_name.patch
+  * reimported patches from Fedora
+    dropped patches:
+  - openssl-1.0.1c-default-paths.patch
+  - openssl-1.0.1c-ipv6-apps.patch
+  - openssl-1.0.1e-fips-ctor.patch
+  - openssl-1.0.1e-fips-ec.patch
+  - openssl-1.0.1e-fips.patch
+  - openssl-1.0.1e-new-fips-reqs.patch
+  - VIA_padlock_support_on_64systems.patch
+    added patches:
+  - openssl-1.0.2a-default-paths.patch
+  - openssl-1.0.2a-fips-ctor.patch
+  - openssl-1.0.2a-fips-ec.patch
+  - openssl-1.0.2a-fips.patch
+  - openssl-1.0.2a-ipv6-apps.patch
+  - openssl-1.0.2a-new-fips-reqs.patch
+  - openssl-1.0.2a-padlock64.patch
+  * dropped security fixes (upstream)
+  - openssl-CVE-2015-0209.patch
+  - openssl-CVE-2015-0286.patch
+  - openssl-CVE-2015-0287.patch
+  - openssl-CVE-2015-0288.patch
+  - openssl-CVE-2015-0289.patch
+  - openssl-CVE-2015-0293.patch
+  * upstream reformatted the sources, so all the patches have to
+    be refreshed
+* Thu Mar 19 2015 vcizek@suse.com
+- security update:
+  * CVE-2015-0209 (bnc#919648)
+  - Fix a failure to NULL a pointer freed on error
+  * CVE-2015-0286 (bnc#922496)
+  - Segmentation fault in ASN1_TYPE_cmp
+  * CVE-2015-0287 (bnc#922499)
+  - ASN.1 structure reuse memory corruption
+  * CVE-2015-0288 x509: (bnc#920236)
+  - added missing public key is not NULL check
+  * CVE-2015-0289 (bnc#922500)
+  - PKCS7 NULL pointer dereferences
+  * CVE-2015-0293 (bnc#922488)
+  - Fix reachable assert in SSLv2 servers
+  * added patches:
+  openssl-CVE-2015-0209.patch
+  openssl-CVE-2015-0286.patch
+  openssl-CVE-2015-0287.patch
+  openssl-CVE-2015-0288.patch
+  openssl-CVE-2015-0289.patch
+  openssl-CVE-2015-0293.patch
+* Wed Feb  4 2015 meissner@suse.com
+- The DATE stamp moved from crypto/Makefile to crypto/buildinf.h,
+  replace it there (bsc#915947)
+* Fri Jan  9 2015 meissner@suse.com
+- openssl 1.0.1k release
+  bsc#912294 CVE-2014-3571: Fix DTLS segmentation fault in dtls1_get_record.
+  bsc#912292 CVE-2015-0206: Fix DTLS memory leak in dtls1_buffer_record.
+  bsc#911399 CVE-2014-3569: Fix issue where no-ssl3 configuration sets method to NULL.
+  bsc#912015 CVE-2014-3572: Abort handshake if server key exchange
+    message is omitted for ephemeral ECDH ciphersuites.
+  bsc#912014 CVE-2015-0204: Remove non-export ephemeral RSA code on client and server.
+  bsc#912293 CVE-2015-0205: Fixed issue where DH client certificates are accepted without verification.
+  bsc#912018 CVE-2014-8275: Fix various certificate fingerprint issues.
+  bsc#912296 CVE-2014-3570: Correct Bignum squaring.
+  and other bugfixes.
+- openssl.keyring: use Matt Caswells current key.
+  pub  2048R/0E604491 2013-04-30
+  uid                            Matt Caswell <frodo@baggins.org>
+  uid                            Matt Caswell <matt@openssl.org>
+  sub  2048R/E3C21B70 2013-04-30
+- openssl-1.0.1e-fips.patch: rediffed
+- openssl-1.0.1i-noec2m-fix.patch: removed (upstream)
+- openssl-ocloexec.patch: rediffed
+* Tue Nov 18 2014 brian@aljex.com
+- suse_version 10.1 & 10.2 x86_64 can not enable-ec_nistp_64_gcc_128
+* Mon Nov 17 2014 meissner@suse.com
+- openssl-1.0.1i-noec2m-fix.patch: only report the Elliptic Curves
+  we actually support (not the binary ones) (bnc#905037)
+* Fri Nov  7 2014 brian@aljex.com
+- openSUSE < 11.2 doesn't have accept4()
+* Tue Oct 21 2014 crrodriguez@opensuse.org
+- openSSL 1.0.1j
+  * Fix SRTP Memory Leak (CVE-2014-3513)
+  * Session Ticket Memory Leak (CVE-2014-3567)
+  * Add SSL 3.0 Fallback protection (TLS_FALLBACK_SCSV)
+  * Build option no-ssl3 is incomplete (CVE-2014-3568)
+* Thu Aug 21 2014 meissner@suse.com
+- openssl.keyring: the 1.0.1i release was done by
+  Matt Caswell <matt@openssl.org> UK 0E604491
+* Thu Aug 14 2014 vcizek@suse.com
+- rename README.SuSE (old spelling) to README.SUSE (bnc#889013)
+* Wed Aug 13 2014 vcizek@suse.com
+- update to 1.0.1i
+  * Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
+    SRP code can be overrun an internal buffer. Add sanity check that
+    g, A, B < N to SRP code.
+    (CVE-2014-3512)
+  * A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
+    TLS 1.0 instead of higher protocol versions when the ClientHello message
+    is badly fragmented. This allows a man-in-the-middle attacker to force a
+    downgrade to TLS 1.0 even if both the server and the client support a
+    higher protocol version, by modifying the client's TLS records.
+    (CVE-2014-3511)
+  * OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
+    to a denial of service attack. A malicious server can crash the client
+    with a null pointer dereference (read) by specifying an anonymous (EC)DH
+    ciphersuite and sending carefully crafted handshake messages.
+    (CVE-2014-3510)
+  * By sending carefully crafted DTLS packets an attacker could cause openssl
+    to leak memory. This can be exploited through a Denial of Service attack.
+    (CVE-2014-3507)
+  * An attacker can force openssl to consume large amounts of memory whilst
+    processing DTLS handshake messages. This can be exploited through a
+    Denial of Service attack.
+    (CVE-2014-3506)
+  * An attacker can force an error condition which causes openssl to crash
+    whilst processing DTLS packets due to memory being freed twice. This
+    can be exploited through a Denial of Service attack.
+    (CVE-2014-3505)
+  * If a multithreaded client connects to a malicious server using a resumed
+    session and the server sends an ec point format extension it could write
+    up to 255 bytes to freed memory.
+    (CVE-2014-3509)
+  * A malicious server can crash an OpenSSL client with a null pointer
+    dereference (read) by specifying an SRP ciphersuite even though it was not
+    properly negotiated with the client. This can be exploited through a
+    Denial of Service attack.
+    (CVE-2014-5139)
+  * A flaw in OBJ_obj2txt may cause pretty printing functions such as
+    X509_name_oneline, X509_name_print_ex et al. to leak some information
+    from the stack. Applications may be affected if they echo pretty printing
+    output to the attacker.
+    (CVE-2014-3508)
+  * Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
+    for corner cases. (Certain input points at infinity could lead to
+    bogus results, with non-infinity inputs mapped to infinity too.)
+- refreshed patches:
+  * openssl-1.0.1e-new-fips-reqs.patch
+  * 0005-libssl-Hide-library-private-symbols.patch
+    (thanks to Marcus Meissner)
+* Mon Jul 21 2014 jengelh@inai.de
+- Move manpages around: *.1ssl should be in openssl
+  (e.g. ciphers(1ssl) is also referenced by openssl(1)),
+  and *.3ssl should be in openssl-doc.
+* Tue Jun 24 2014 meissner@suse.com
+- recommend: ca-certificates-mozilla instead of openssl-certs
+* Thu Jun  5 2014 meissner@suse.com
+- updated openssl to 1.0.1h (bnc#880891):
+  - CVE-2014-0224: Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+    handshake can force the use of weak keying material in OpenSSL
+    SSL/TLS clients and servers.
+  - CVE-2014-0221: Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+    OpenSSL DTLS client the code can be made to recurse eventually crashing
+    in a DoS attack.
+  - CVE-2014-0195: Fix DTLS invalid fragment vulnerability. A buffer
+    overrun attack can be triggered by sending invalid DTLS fragments to
+    an OpenSSL DTLS client or server. This is potentially exploitable to
+    run arbitrary code on a vulnerable client or server.
+  - CVE-2014-3470: Fix bug in TLS code where clients enable anonymous
+    ECDH ciphersuites are subject to a denial of service attack.
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch: removed, upstream
+- CVE-2014-0198.patch: removed, upstream
+- 0009-Fix-double-frees.patch: removed, upstream
+- 0012-Fix-eckey_priv_encode.patch: removed, upstream
+- 0017-Double-free-in-i2o_ECPublicKey.patch: removed, upstream
+- 0018-fix-coverity-issues-966593-966596.patch: removed, upstream
+- 0020-Initialize-num-properly.patch: removed, upstream
+- 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch: removed, upstream
+- 0023-evp-prevent-underflow-in-base64-decoding.patch: removed, upstream
+- 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch: removed, upstream
+- 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch: removed, upstream
+- 0001-libcrypto-Hide-library-private-symbols.patch: disabled heartbeat testcase
+- openssl-1.0.1c-ipv6-apps.patch: refreshed
+- openssl-fix-pod-syntax.diff: some stuff merged upstream, refreshed
+* Wed May 21 2014 vpereira@novell.com
+- Added new SUSE default cipher suite
+  openssl-1.0.1e-add-suse-default-cipher.patch
+  openssl-1.0.1e-add-suse-default-cipher-header.patch
+  openssl-1.0.1e-add-test-suse-default-cipher-suite.patch
+* Fri May  9 2014 crrodriguez@opensuse.org
+- Add upstream patches fixing coverity scan issues:
+  * 0018-fix-coverity-issues-966593-966596.patch
+  * 0020-Initialize-num-properly.patch
+  * 0022-bignum-allow-concurrent-BN_MONT_CTX_set_locked.patch
+  * 0023-evp-prevent-underflow-in-base64-decoding.patch
+  * 0024-Fixed-NULL-pointer-dereference-in-PKCS7_dataDecode-r.patch
+  * 0025-fix-coverity-issue-966597-error-line-is-not-always-i.patch
+- Update 0001-libcrypto-Hide-library-private-symbols.patch
+  to cover more private symbols, now 98%% complete and probably
+  not much more can be done to fix the rest of the ill-defined API.
+- openssl-fips-hidden.patch new, hides private symbols added by the
+  FIPS patches.
+- openssl-no-egd.patch disable the EGD (entropy gathering daemon)
+  interface, we have no EGD in the distro and obtaining entropy from
+  a place other than /dev/*random, the hardware rng or the openSSL
+  internal PRNG is an extremely bad & dangerous idea.
+- use secure_getenv instead of getenv everywhere.
+* Mon May  5 2014 crrodriguez@opensuse.org
+-  0005-libssl-Hide-library-private-symbols.patch
+  Update to hide more symbols that are not part of
+  the public API
+- openssl-gcc-attributes.patch BUF_memdup also
+  needs attribute alloc_size as it returns memory
+  of size of the second parameter.
+- openssl-ocloexec.patch Update, accept()
+  also needs O_CLOEXEC.
+- 0009-Fix-double-frees.patch, 0017-Double-free-in-i2o_ECPublicKey.patch
+  fix various double frees (from upstream)
+- 012-Fix-eckey_priv_encode.patch eckey_priv_encode should
+  return an error inmediately on failure of i2d_ECPrivateKey (from upstream)
+- 0001-Axe-builtin-printf-implementation-use-glibc-instead.patch
+  From libressl, modified to work on linux systems that do not have
+  funopen() but fopencookie() instead.
+  Once upon a time, OS didn't have snprintf, which caused openssl to
+  bundle a *printf implementation. We know better nowadays, the glibc
+  implementation has buffer overflow checking, has sane failure modes
+  deal properly with threads, signals..etc..
+- build with -fno-common as well.
+* Mon May  5 2014 citypw@gmail.com
+- Fixed bug[ bnc#876282], CVE-2014-0198 openssl: OpenSSL NULL pointer dereference in do_ssl3_write
+  Add file: CVE-2014-0198.patch
+* Sun Apr 20 2014 crrodriguez@opensuse.org
+- Build everything with full RELRO (-Wl,-z,relro,-z,now)
+- Remove -fstack-protector from the hardcoded build options
+  it is already in RPM_OPT_FLAGS and is replaced by
+  - fstack-protector-strong with gcc 4.9
+* Sun Apr 20 2014 crrodriguez@opensuse.org
+- Remove the "gmp" and "capi" shared engines, nobody noticed
+  but they are just dummies that do nothing.
+* Sat Apr 19 2014 crrodriguez@opensuse.org
+- Use enable-rfc3779 to allow projects such as rpki.net
+  to work in openSUSE and match the functionality
+  available in Debian/Fedora/etc
+* Sat Apr 19 2014 crrodriguez@opensuse.org
+- openssl-buffreelistbug-aka-CVE-2010-5298.patch fix
+  CVE-2010-5298 and disable the internal BUF_FREELISTS
+  functionality. it hides bugs like heartbleed and is
+  there only for systems on which malloc() free() are slow.
+- ensure we export MALLOC_CHECK and PERTURB during the test
+  suite, now that the freelist functionality is disabled it
+  will help to catch bugs before they hit users.
+* Sat Apr 19 2014 crrodriguez@opensuse.org
+- openssl-libssl-noweakciphers.patch do not offer "export"
+  or "low" quality ciphers by default. using such ciphers
+  is not forbidden but requires an explicit request
+* Fri Apr 18 2014 crrodriguez@opensuse.org
+- openssl-gcc-attributes.patch: fix thinko, CRYPTO_realloc_clean does
+  not return memory of "num * old_num" but only "num" size
+  fortunately this function is currently unused.
+* Fri Apr 11 2014 crrodriguez@opensuse.org
+- openssl-gcc-attributes.patch
+  * annotate memory allocation wrappers with attribute(alloc_size)
+    so the compiler can tell us if it knows they are being misused
+  * OPENSSL_showfatal is annotated with attribute printf to detect
+    format string problems.
+- It is time to try to disable SSLv2 again, it was tried a while
+  ago but broke too many things, nowadays Debian, Ubuntu, the BSDs
+  all have disabled it, most components are already fixed.
+  I will fix the remaining fallout if any. (email me)
+* Tue Apr  8 2014 dmueller@suse.com
+- update to 1.0.1g:
+  * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299)
+  * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945)
+  * Workaround for the "TLS hang bug" (see FAQ and PR#2771)
+- remove CVE-2014-0076.patch
+- openssl.keyring: upstream changed to:
+  pub  4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org>
+  uid                            Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+  uid                            Dr Stephen Henson <shenson@opensslfoundation.com>
+* Tue Mar 25 2014 shchang@suse.com
+- Fix bug[ bnc#869945] CVE-2014-0076: openssl: Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack
+  Add file: CVE-2014-0076.patch
+* Mon Mar  3 2014 shchang@suse.com
+- additional changes required for FIPS validation( from Fedora repo)
+  Add patch file: openssl-1.0.1e-new-fips-reqs.patch
+* Sat Jan 11 2014 shchang@suse.com
+- Remove GCC option "-O3" for compiliation issue of ARM version
+  Modify: openssl.spec
+* Fri Jan 10 2014 shchang@suse.com
+- Adjust the installation path( libopenssl/hmac into /lib or /lib64)
+  Modify files: README-FIPS.txt openssl.spec
+* Thu Jan  9 2014 andreas.stieger@gmx.de
+- 1.0.1f:
+  * Fix for TLS record tampering bug CVE-2013-4353
+- already included:
+  * Fix for TLS version checking bug CVE-2013-6449
+  * Fix for DTLS retransmission bug CVE-2013-6450
+- removed patches:
+  * CVE-2013-6449.patch, committed upstream
+  * CVE-2013-6450.patch, committed upstream
+  * SSL_get_certificate-broken.patch, committed upstream
+  * openssl-1.0.1e-bnc822642.patch, committed upstream
+- modified patches:
+  * openssl-1.0.1e-fips.patch, adjust for upstream changes
+  * openssl-fix-pod-syntax.diff, adjust for upstream changes
+* Wed Jan  8 2014 andreas.stieger@gmx.de
+- add a gpg keyring for source tarball
+* Wed Jan  8 2014 shchang@suse.com
+- Fixed bnc#857850, openssl doesn't load engine
+  Modify file: openssl.spec
+* Thu Jan  2 2014 shchang@suse.com
+- Fixed bnc#857203, openssl: crash in DTLS renegotiation after packet loss
+  Add file: CVE-2013-6450.patch
+* Sun Dec 22 2013 shchang@suse.com
+- Fixed bnc#856687, openssl: crash when using TLS 1.2
+  Add file: CVE-2013-6449.patch
+* Tue Dec 17 2013 meissner@suse.com
+- compression_methods_switch.patch: setenv might not be successful
+  if a surrounding library or application filters it, like e.g. sudo.
+  As setenv() does not seem to be useful anyway, remove it.
+  bnc#849377
+* Mon Dec 16 2013 shchang@suse.com
+- Adjust the installation path.
+  Modify files: README-FIPS.txt openssl.spec
+* Fri Dec  6 2013 lnussel@suse.de
+- don't own /etc/ssl/certs, it's owned by ca-certificates
+* Tue Dec  3 2013 meissner@suse.com
+- Actually enable it (in a building way) for openSUSE and SLES,
+  as we intended.
+- Add README-FIPS.txt from SLE 11.
+* Mon Dec  2 2013 crrodriguez@opensuse.org
+- Restrict the (broken beyond build) FIPS certification code
+  to SLE releases only, it has no value in openSUSE at all.
+* Sat Nov 23 2013 shchang@suse.com
+- Patches for OpenSSL FIPS-140-2/3 certification
+  Add patch files: openssl-1.0.1e-fips.patch, openssl-1.0.1e-fips-ec.patch,
+  openssl-1.0.1e-fips-ctor.patch
+* Wed Oct 23 2013 crrodriguez@opensuse.org
+- 0001-libcrypto-Hide-library-private-symbols.patch
+  This patch implements the libcrpto part complimentary to
+  0005-libssl-Hide-library-private-symbols.patch.
+  This patch is however not 100%% complete, as some private library
+  symbols are declared in public headers that shall not be touched
+  or are defined/declared in "perlasm". (tested in 13.1, 12.3, factory)
+- openSSL defaults to -O3 optimization level but we override
+  it with RPM_OPT_FLAGS, ensure we use -O3 like upstream.
+* Fri Oct 11 2013 meissner@suse.com
+- openssl-1.0.1c-ipv6-apps.patch:
+  Support ipv6 in the openssl s_client / s_server commandline app.
+* Fri Sep 27 2013 dmacvicar@suse.de
+- VPN openconnect problem (DTLS handshake failed)
+  (git 9fe4603b8, bnc#822642, openssl ticket#2984)
+* Wed Sep  4 2013 guillaume@opensuse.org
+- Fix armv6l arch (armv7 was previously used to build armv6 which
+  lead to illegal instruction when used)
+* Mon Aug 12 2013 shchang@suse.com
+- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
+  modify patch file: SSL_get_certificate-broken.patch
+* Fri Aug  9 2013 crrodriguez@opensuse.org
+- Via padlock is only found in x86 and x86_64 CPUs, remove
+  the shared module for other archs.
+* Wed Aug  7 2013 crrodriguez@opensuse.org
+- Cleanup engines that are of no use in a modern linux distro
+- The following engines stay:
+  * libcapi.so --> usable in case you have third party /dev/crypto
+  * libgmp.so --> may help to doing some maths using GMP
+  * libgost.so --> implements the GOST block cipher
+  * libpadlock.so --> VIA padlock support
+- Al other are removed because they require third party propietary
+  shared libraries nowhere to be found or that we can test.
+* Wed Aug  7 2013 crrodriguez@opensuse.org
+- openssl-pkgconfig.patch: Here we go.. For applications
+  to benefit fully of features provided by openSSL engines
+  (rdrand, aes-ni..etc) either builtin or in DSO form applications
+  have to call ENGINE_load_builtin_engines() or OPENSSL_config()
+  unfortunately from a total of 68 apps/libraries linked to libcrypto
+  in a desktop system, only 4 do so, and there is a sea of buggy
+  code that I dont feel like fixing.
+  Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files
+  so the needed operation becomes implicit the next time such apps
+  are recompiled, see OPENSSL_config(3)
+  Unfortunately this does not fix everything, because there are apps
+  not using pkgconfig or using it incorrectly, but it is a good start.
+* Wed Aug  7 2013 dmueller@suse.com
+- add openssl-1.0.1c-default-paths.patch:
+  Fix from Fedora for openssl s_client not setting
+  CApath by default
+* Sat Aug  3 2013 crrodriguez@opensuse.org
+- 0005-libssl-Hide-library-private-symbols.patch: hide
+  private symbols, this *only* applies to libssl where
+  it is straightforward to do so as applications should
+  not be using any of the symbols declared/defined in headers
+  that the library does not install.
+  A separate patch MAY be provided in the future for libcrypto
+  where things are much more complicated and threfore requires
+  careful testing.
+* Mon Jul 29 2013 meissner@suse.com
+- compression_methods_switch.patch: Disable compression by default to
+  avoid the CRIME attack (CVE-2012-4929 bnc#793420)
+  Can be override by setting environment variable
+    OPENSSL_NO_DEFAULT_ZLIB=no
+* Tue Jul  2 2013 lnussel@suse.de
+- Don't use the legacy /etc/ssl/certs directory anymore but rather
+  the p11-kit generated /var/lib/ca-certificates/openssl one
+  (fate#314991, openssl-1.0.1e-truststore.diff)
+* Sat Jun 29 2013 crrodriguez@opensuse.org
+- Build enable-ec_nistp_64_gcc_128, ecdh is many times faster
+  but only works in x86_64.
+  According to the openSSL team
+  "it is superior to the default in multiple regards (speed, and also
+  security as the new implementations are secure against timing
+  attacks)"
+  It is not enabled by default due to the build system being unable
+  to detect if the compiler supports __uint128_t.
+* Thu Jun 20 2013 coolo@suse.com
+- pick openssl-fix-pod-syntax.diff out of the upstream RT to fix
+  build with perl 5.18
+* Sat May 25 2013 i@marguerite.su
+- add %%if tag for BuildArch. sles may also need latest openssl.
+* Fri Feb 22 2013 dmueller@suse.com
+- disable fstack-protector on aarch64
+* Tue Feb 12 2013 hrvoje.senjan@gmail.com
+- Update to 1.0.1e
+  o Bugfix release (bnc#803004)
+- Drop openssl-1.0.1d-s3-packet.patch, included upstream
+* Sun Feb 10 2013 hrvoje.senjan@gmail.com
+- Added openssl-1.0.1d-s3-packet.patch from upstream, fixes
+  bnc#803004, openssl ticket#2975
+* Tue Feb  5 2013 meissner@suse.com
+- update to version 1.0.1d, fixing security issues
+  o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
+  o Include the fips configuration module.
+  o Fix OCSP bad key DoS attack CVE-2013-0166
+  o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
+    bnc#802184
+  o Fix for TLS AESNI record handling flaw CVE-2012-2686
+* Mon Nov 12 2012 gjhe@suse.com
+- fix bug[bnc#784994] - VIA padlock support on 64 systems
+  e_padlock: add support for x86_64 gcc
+* Sun Aug 19 2012 crrodriguez@opensuse.org
+- Open Internal file descriptors with O_CLOEXEC, leaving
+  those open across fork()..execve() makes a perfect
+  vector for a side-channel attack...
+* Tue Aug  7 2012 dmueller@suse.com
+- fix build on armv5 (bnc#774710)
+* Thu May 10 2012 crrodriguez@opensuse.org
+- Update to version 1.0.1c for the complete list of changes see
+  NEWS, this only list packaging changes.
+- Drop aes-ni patch, no longer needed as it is builtin in openssl
+  now.
+- Define GNU_SOURCE and use -std=gnu99 to build the package.
+- Use LFS_CFLAGS in platforms where it matters.
+* Fri May  4 2012 lnussel@suse.de
+- don't install any demo or expired certs at all
+* Mon Apr 23 2012 gjhe@suse.com
+- update to latest stable verison 1.0.0i
+  including the following patches:
+  CVE-2012-2110.path
+  Bug748738_Tolerate_bad_MIME_headers.patch
+  bug749213-Free-headers-after-use.patch
+  bug749210-Symmetric-crypto-errors-in-PKCS7_decrypt.patch
+  CVE-2012-1165.patch
+  CVE-2012-0884.patch
+  bug749735.patch
+* Tue Mar 27 2012 gjhe@suse.com
+- fix bug[bnc#749735] - Memory leak when creating public keys.
+  fix bug[bnc#751977] - CMS and S/MIME Bleichenbacher attack
+  CVE-2012-0884
+* Thu Mar 22 2012 gjhe@suse.com
+- fix bug[bnc#751946] - S/MIME verification may erroneously fail
+  CVE-2012-1165
+* Wed Mar 21 2012 gjhe@suse.com
+- fix bug[bnc#749213]-Free headers after use in error message
+  and bug[bnc#749210]-Symmetric crypto errors in PKCS7_decrypt
+* Tue Mar 20 2012 cfarrell@suse.com
+- license update: OpenSSL
+* Fri Feb 24 2012 gjhe@suse.com
+- fix bug[bnc#748738] - Tolerate bad MIME headers in openssl's
+  asn1 parser.
+  CVE-2006-7250
+* Thu Feb  2 2012 gjhe@suse.com
+- Update to version 1.0.0g fix the following:
+  DTLS DoS attack (CVE-2012-0050)
+* Wed Jan 11 2012 gjhe@suse.com
+- Update to version 1.0.0f fix the following:
+  DTLS Plaintext Recovery Attack (CVE-2011-4108)
+  Uninitialized SSL 3.0 Padding (CVE-2011-4576)
+  Malformed RFC 3779 Data Can Cause Assertion Failures (CVE-2011-4577)
+  SGC Restart DoS Attack (CVE-2011-4619)
+  Invalid GOST parameters DoS Attack (CVE-2012-0027)
+* Tue Oct 18 2011 crrodriguez@opensuse.org
+- AES-NI: Check the return value of Engine_add()
+  if the ENGINE_add() call fails: it ends up adding a reference
+  to a freed up ENGINE which is likely to subsequently contain garbage
+  This will happen if an ENGINE with the same name is added multiple
+  times,for example different libraries. [bnc#720601]
+* Sat Oct  8 2011 crrodriguez@opensuse.org
+- Build with -DSSL_FORBID_ENULL so servers are not
+  able to use the NULL encryption ciphers (Those offering no
+  encryption whatsoever).
+* Wed Sep  7 2011 crrodriguez@opensuse.org
+- Update to openssl 1.0.0e fixes CVE-2011-3207 and CVE-2011-3210
+  see http://openssl.org/news/secadv_20110906.txt for details.
+* Sat Aug  6 2011 crrodriguez@opensuse.org
+- Add upstream patch that calls ENGINE_register_all_complete()
+  in ENGINE_load_builtin_engines() saving us from adding dozens
+  of calls to such function to calling applications.
+* Fri Aug  5 2011 crrodriguez@opensuse.org
+- remove -fno-strict-aliasing from CFLAGS no longer needed
+  and is likely to slow down stuff.
+* Mon Jul 25 2011 jengelh@medozas.de
+- Edit baselibs.conf to provide libopenssl-devel-32bit too
+* Fri Jun 24 2011 gjhe@novell.com
+- update to latest stable version 1.0.0d.
+  patch removed(already in the new package):
+  CVE-2011-0014
+  patch added:
+  ECDSA_signatures_timing_attack.patch
+* Tue May 31 2011 gjhe@novell.com
+- fix bug[bnc#693027].
+  Add protection against ECDSA timing attacks as mentioned in the paper
+  by Billy Bob Brumley and Nicola Tuveri, see:
+  http://eprint.iacr.org/2011/232.pdf
+  [Billy Bob Brumley and Nicola Tuveri]
+* Mon May 16 2011 andrea@opensuse.org
+- added openssl as dependency in the devel package
+* Thu Feb 10 2011 gjhe@novell.com
+- fix bug [bnc#670526]
+  CVE-2011-0014,OCSP stapling vulnerability
+* Sat Jan 15 2011 cristian.rodriguez@opensuse.org
+- Add patch from upstream in order to support AES-NI instruction
+  set present on current Intel and AMD processors
+* Mon Jan 10 2011 meissner@suse.de
+- enable -DPURIFY to avoid valgrind errors.
+* Thu Dec  9 2010 gjhe@novell.com
+- update to stable version 1.0.0c.
+  patch included:
+  CVE-2010-1633_and_CVE-2010-0742.patch
+  patchset-19727.diff
+  CVE-2010-2939.patch
+  CVE-2010-3864.patch
+* Thu Nov 18 2010 gjhe@novell.com
+- fix bug [bnc#651003]
+  CVE-2010-3864
+* Sat Sep 25 2010 gjhe@novell.com
+- fix bug [bnc#629905]
+  CVE-2010-2939
+* Wed Jul 28 2010 cristian.rodriguez@opensuse.org
+- Exclude static libraries, see what breaks and fix that
+  instead
+* Wed Jun 30 2010 jengelh@medozas.de
+- fix two compile errors on SPARC
+* Tue Jun 15 2010 bg@novell.com
+- -fstack-protector is not supported on hppa
+* Fri Jun  4 2010 gjhe@novell.com
+- fix bnc #610642
+  CVE-2010-0742
+  CVE-2010-1633
+* Mon May 31 2010 gjhe@novell.com
+- fix bnc #610223,change Configure to tell openssl to load engines
+  from /%%{_lib} instead of %%{_libdir}
+* Mon May 10 2010 aj@suse.de
+- Do not compile in build time but use mtime of changes file instead.
+  This allows build-compare to identify that no changes have happened.
+* Tue May  4 2010 gjhe@novell.com
+- build libopenssl to /%%{_lib} dir,and keep only one
+  libopenssl-devel for new developping programs.
+* Tue Apr 27 2010 gjhe@novell.com
+- build libopenssl and libopenssl-devel to a version directory
+* Sat Apr 24 2010 coolo@novell.com
+- buildrequire pkg-config to fix provides
+* Wed Apr 21 2010 lnussel@suse.de
+- also create old certificate hash in /etc/ssl/certs for
+  compatibility with applications that still link against 0.9.8
+* Mon Apr 12 2010 meissner@suse.de
+- Disable our own build targets, instead use the openSSL provided ones
+  as they are now good (or should be good at least).
+- add -Wa,--noexecstack to the Configure call, this is the upstream
+  approved way to avoid exec-stack marking
+* Mon Apr 12 2010 gjhe@novell.com
+- update to 1.0.0
+  Merge the following patches from 0.9.8k:
+  openssl-0.9.6g-alpha.diff
+  openssl-0.9.7f-ppc64.diff
+  openssl-0.9.8-flags-priority.dif
+  openssl-0.9.8-sparc.dif
+  openssl-allow-arch.diff
+  openssl-hppa-config.diff
+* Fri Apr  9 2010 meissner@suse.de
+- fixed "exectuable stack" for libcrypto.so issue on i586 by
+  adjusting the assembler output during MMX builds.
+* Wed Apr  7 2010 meissner@suse.de
+- Openssl is now partially converted to libdir usage upstream,
+  merge that in to fix lib64 builds.
+* Thu Mar 25 2010 gjhe@novell.com
+- fix security bug [bnc#590833]
+  CVE-2010-0740
+* Mon Mar 22 2010 gjhe@novell.com
+- update to version 0.9.8m
+  Merge the following patches from 0.9.8k:
+  bswap.diff
+  non-exec-stack.diff
+  openssl-0.9.6g-alpha.diff
+  openssl-0.9.7f-ppc64.diff
+  openssl-0.9.8-flags-priority.dif
+  openssl-0.9.8-sparc.dif
+  openssl-allow-arch.diff
+  openssl-hppa-config.diff
+* Fri Feb  5 2010 jengelh@medozas.de
+- build openssl for sparc64
+* Mon Dec 14 2009 jengelh@medozas.de
+- add baselibs.conf as a source
+- package documentation as noarch
+* Tue Nov  3 2009 coolo@novell.com
+- updated patches to apply with fuzz=0
+* Tue Sep  1 2009 gjhe@novell.com
+- fix Bug [bnc#526319]
+* Wed Aug 26 2009 coolo@novell.com
+- use %%patch0 for Patch0
+* Fri Jul  3 2009 gjhe@novell.com
+- update to version 0.9.8k
+- patches merged upstream:
+  openssl-CVE-2008-5077.patch
+  openssl-CVE-2009-0590.patch
+  openssl-CVE-2009-0591.patch
+  openssl-CVE-2009-0789.patch
+  openssl-CVE-2009-1377.patch
+  openssl-CVE-2009-1378.patch
+  openssl-CVE-2009-1379.patch
+  openssl-CVE-2009-1386.patch
+  openssl-CVE-2009-1387.patch
+* Tue Jun 30 2009 gjhe@novell.com
+- fix security bug [bnc#509031]
+  CVE-2009-1386
+  CVE-2009-1387
+* Tue Jun 30 2009 gjhe@novell.com
+- fix security bug [bnc#504687]
+  CVE-2009-1377
+  CVE-2009-1378
+  CVE-2009-1379
+* Wed Apr 15 2009 gjhe@suse.de
+- fix security bug [bnc#489641]
+  CVE-2009-0590
+  CVE-2009-0591
+  CVE-2009-0789
+* Wed Jan  7 2009 olh@suse.de
+- obsolete old -XXbit packages (bnc#437293)
+* Thu Dec 18 2008 jshi@suse.de
+- fix security bug [bnc#459468]
+  CVE-2008-5077
+* Tue Dec  9 2008 xwhu@suse.de
+- Disable optimization for s390x
+* Mon Dec  8 2008 xwhu@suse.de
+- Disable optimization of md4
+* Mon Nov 10 2008 xwhu@suse.de
+- Disable optimization of ripemd [bnc#442740]
+* Tue Oct 14 2008 xwhu@suse.de
+- Passing string as struct cause openssl segment-fault [bnc#430141]
+* Wed Jul 16 2008 mkoenig@suse.de
+- do not require openssl-certs, but rather recommend it
+  to avoid dependency cycle [bnc#408865]
+* Wed Jul  9 2008 mkoenig@suse.de
+- remove the certs subpackage from the openssl package
+  and move the CA root certificates into a package of its own
+* Tue Jun 24 2008 mkoenig@suse.de
+- update to version 0.9.8h
+- openssl does not ship CA root certificates anymore
+  keep certificates that SuSE is already shipping
+- resolves bad array index (function has been removed) [bnc#356549]
+- removed patches
+  openssl-0.9.8g-fix_dh_for_certain_moduli.patch
+  openssl-CVE-2008-0891.patch
+  openssl-CVE-2008-1672.patch
+* Wed May 28 2008 mkoenig@suse.de
+- fix OpenSSL Server Name extension crash (CVE-2008-0891)
+  and OpenSSL Omit Server Key Exchange message crash (CVE-2008-1672)
+  [bnc#394317]
+* Wed May 21 2008 cthiel@suse.de
+- fix baselibs.conf
+* Tue Apr 22 2008 mkoenig@suse.de
+- add -DMD32_REG_T=int for x86_64 and ia64 [bnc#381844]
+* Thu Apr 10 2008 ro@suse.de
+- added baselibs.conf file to build xxbit packages
+  for multilib support
+* Mon Nov  5 2007 mkoenig@suse.de
+- fix Diffie-Hellman failure with certain prime lengths
+* Mon Oct 22 2007 mkoenig@suse.de
+- update to version 0.9.8g:
+  * fix some bugs introduced with 0.9.8f
+* Mon Oct 15 2007 mkoenig@suse.de
+- update to version 0.9.8f:
+  * fixes CVE-2007-3108, CVE-2007-5135, CVE-2007-4995
+- patches merged upstream:
+  openssl-0.9.8-key_length.patch
+  openssl-CVE-2007-3108-bug296511
+  openssl-CVE-2007-5135.patch
+  openssl-gcc42.patch
+  openssl-gcc42_b.patch
+  openssl-s390-config.diff
+* Mon Oct  1 2007 mkoenig@suse.de
+- fix buffer overflow CVE-2007-5135 [#329208]
+* Wed Sep  5 2007 mkoenig@suse.de
+- fix another gcc 4.2 build problem [#307669]
+* Fri Aug  3 2007 coolo@suse.de
+- provide the version obsoleted (#293401)
+* Wed Aug  1 2007 werner@suse.de
+- Add patch from CVS for RSA key reconstruction vulnerability
+  (CVE-2007-3108, VU#724968, bug #296511)
+* Thu May 24 2007 mkoenig@suse.de
+- fix build with gcc-4.2
+  openssl-gcc42.patch
+- do not install example scripts with executable permissions
+* Sun Apr 29 2007 ro@suse.de
+- adapt requires
+* Fri Apr 27 2007 mkoenig@suse.de
+- Do not use dots in package name
+- explicitly build with gcc-4.1 because of currently unresolved
+  failures with gcc-4.2
+* Wed Apr 25 2007 mkoenig@suse.de
+- Split/rename package to follow library packaging policy [#260219]
+  New package libopenssl0.9.8 containing shared libs
+  openssl-devel package renamed to libopenssl-devel
+  New package openssl-certs containing certificates
+- add zlib-devel to Requires of devel package
+- remove old Obsoletes and Conflicts
+  openssls (Last used Nov 2000)
+  ssleay (Last used 6.2)
+* Mon Apr 23 2007 mkoenig@suse.de
+- Fix key length [#254905,#262477]
+* Tue Mar  6 2007 mkoenig@suse.de
+- update to version 0.9.8e:
+  * patches merged upstream:
+    openssl-CVE-2006-2940-fixup.patch
+    openssl-0.9.8d-padlock-static.patch
+* Tue Jan  9 2007 mkoenig@suse.de
+- fix PadLock support [#230823]
+* Thu Nov 30 2006 mkoenig@suse.de
+- enable fix for CVE-2006-2940 [#223040], SWAMP-ID 7198
+* Mon Nov  6 2006 poeml@suse.de
+- configure with 'zlib' instead of 'zlib-dynamic'. Build with the
+  latter, there are problems opening the libz when running on the
+  Via Epia or vmware platforms. [#213305]
+* Wed Oct  4 2006 poeml@suse.de
+- add patch for the CVE-2006-2940 fix: the newly introduced limit
+  on DH modulus size could lead to a crash when exerted. [#208971]
+  Discovered and fixed after the 0.9.8d release.
+* Fri Sep 29 2006 poeml@suse.de
+- update to 0.9.8d
+  * ) Introduce limits to prevent malicious keys being able to
+    cause a denial of service.  (CVE-2006-2940)
+  * ) Fix ASN.1 parsing of certain invalid structures that can result
+    in a denial of service.  (CVE-2006-2937)
+  * ) Fix buffer overflow in SSL_get_shared_ciphers() function.
+    (CVE-2006-3738)
+  * ) Fix SSL client code which could crash if connecting to a
+    malicious SSLv2 server.  (CVE-2006-4343)
+  * ) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+    match only those.  Before that, "AES256-SHA" would be interpreted
+    as a pattern and match "AES128-SHA" too (since AES128-SHA got
+    the same strength classification in 0.9.7h) as we currently only
+    have a single AES bit in the ciphersuite description bitmap.
+    That change, however, also applied to ciphersuite strings such as
+    "RC4-MD5" that intentionally matched multiple ciphersuites --
+    namely, SSL 2.0 ciphersuites in addition to the more common ones
+    from SSL 3.0/TLS 1.0.
+    So we change the selection algorithm again: Naming an explicit
+    ciphersuite selects this one ciphersuite, and any other similar
+    ciphersuite (same bitmap) from *other* protocol versions.
+    Thus, "RC4-MD5" again will properly select both the SSL 2.0
+    ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+    Since SSL 2.0 does not have any ciphersuites for which the
+    128/256 bit distinction would be relevant, this works for now.
+    The proper fix will be to use different bits for AES128 and
+    AES256, which would have avoided the problems from the beginning;
+    however, bits are scarce, so we can only do this in a new release
+    (not just a patchlevel) when we can change the SSL_CIPHER
+    definition to split the single 'unsigned long mask' bitmap into
+    multiple values to extend the available space.
+- not in mentioned in CHANGES: patch for CVE-2006-4339 corrected
+  [openssl.org #1397]
+* Fri Sep  8 2006 schwab@suse.de
+- Fix inverted logic.
+* Wed Sep  6 2006 poeml@suse.de
+- update to 0.9.8c
+  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
+  * ) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
+    (CVE-2006-4339)  [Ben Laurie and Google Security Team]
+  * ) Add AES IGE and biIGE modes.  [Ben Laurie]
+  * ) Change the Unix randomness entropy gathering to use poll() when
+    possible instead of select(), since the latter has some
+    undesirable limitations.  [Darryl Miles via Richard Levitte and Bodo Moeller]
+  * ) Disable "ECCdraft" ciphersuites more thoroughly.  Now special
+    treatment in ssl/ssl_ciph.s makes sure that these ciphersuites
+    cannot be implicitly activated as part of, e.g., the "AES" alias.
+    However, please upgrade to OpenSSL 0.9.9[-dev] for
+    non-experimental use of the ECC ciphersuites to get TLS extension
+    support, which is required for curve and point format negotiation
+    to avoid potential handshake problems.  [Bodo Moeller]
+  * ) Disable rogue ciphersuites:
+  - SSLv2 0x08 0x00 0x80 ("RC4-64-MD5")
+  - SSLv3/TLSv1 0x00 0x61 ("EXP1024-RC2-CBC-MD5")
+  - SSLv3/TLSv1 0x00 0x60 ("EXP1024-RC4-MD5")
+    The latter two were purportedly from
+    draft-ietf-tls-56-bit-ciphersuites-0[01].txt, but do not really
+    appear there.
+    Also deactive the remaining ciphersuites from
+    draft-ietf-tls-56-bit-ciphersuites-01.txt.  These are just as
+    unofficial, and the ID has long expired.  [Bodo Moeller]
+  * ) Fix RSA blinding Heisenbug (problems sometimes occured on
+    dual-core machines) and other potential thread-safety issues.
+    [Bodo Moeller]
+  * ) Add the symmetric cipher Camellia (128-bit, 192-bit, 256-bit key
+    versions), which is now available for royalty-free use
+    (see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html).
+    Also, add Camellia TLS ciphersuites from RFC 4132.
+    To minimize changes between patchlevels in the OpenSSL 0.9.8
+    series, Camellia remains excluded from compilation unless OpenSSL
+    is configured with 'enable-camellia'.  [NTT]
+  * ) Disable the padding bug check when compression is in use. The padding
+    bug check assumes the first packet is of even length, this is not
+    necessarily true if compresssion is enabled and can result in false
+    positives causing handshake failure. The actual bug test is ancient
+    code so it is hoped that implementations will either have fixed it by
+    now or any which still have the bug do not support compression.
+    [Steve Henson]
+  Changes between 0.9.8a and 0.9.8b  [04 May 2006]
+  * ) When applying a cipher rule check to see if string match is an explicit
+    cipher suite and only match that one cipher suite if it is.  [Steve Henson]
+  * ) Link in manifests for VC++ if needed.  [Austin Ziegler <halostatue@gmail.com>]
+  * ) Update support for ECC-based TLS ciphersuites according to
+    draft-ietf-tls-ecc-12.txt with proposed changes (but without
+    TLS extensions, which are supported starting with the 0.9.9
+    branch, not in the OpenSSL 0.9.8 branch).  [Douglas Stebila]
+  * ) New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free() to support
+    opaque EVP_CIPHER_CTX handling.  [Steve Henson]
+  * ) Fixes and enhancements to zlib compression code. We now only use
+    "zlib1.dll" and use the default __cdecl calling convention on Win32
+    to conform with the standards mentioned here:
+    http://www.zlib.net/DLL_FAQ.txt
+    Static zlib linking now works on Windows and the new --with-zlib-include
+  - -with-zlib-lib options to Configure can be used to supply the location
+    of the headers and library. Gracefully handle case where zlib library
+    can't be loaded.  [Steve Henson]
+  * ) Several fixes and enhancements to the OID generation code. The old code
+    sometimes allowed invalid OIDs (1.X for X >= 40 for example), couldn't
+    handle numbers larger than ULONG_MAX, truncated printing and had a
+    non standard OBJ_obj2txt() behaviour.  [Steve Henson]
+  * ) Add support for building of engines under engine/ as shared libraries
+    under VC++ build system.  [Steve Henson]
+  * ) Corrected the numerous bugs in the Win32 path splitter in DSO.
+    Hopefully, we will not see any false combination of paths any more.
+    [Richard Levitte]
+- enable Camellia cipher. There is a royalty free license to the
+  patents, see http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html.
+  NOTE: the license forbids patches to the cipher.
+- build with zlib-dynamic and add zlib-devel to BuildRequires.
+  Allows compression of data in TLS, although few application would
+  actually use it since there is no standard for negotiating the
+  compression method. The only one I know if is stunnel.
+* Fri Jun  2 2006 poeml@suse.de
+- fix built-in ENGINESDIR for 64 bit architectures. We change only
+  the builtin search path for engines, not the path where engines
+  are packaged. Path can be overridden with the OPENSSL_ENGINES
+  environment variable. [#179094]
+* Wed Jan 25 2006 mls@suse.de
+- converted neededforbuild to BuildRequires
+* Mon Jan 16 2006 mc@suse.de
+- fix build problems on s390x (openssl-s390-config.diff)
+- build with -fstack-protector
+* Mon Nov  7 2005 dmueller@suse.de
+- build with non-executable stack
+* Thu Oct 20 2005 poeml@suse.de
+- fix unguarded free() which can cause a segfault in the ca
+  commandline app [#128655]
+* Thu Oct 13 2005 poeml@suse.de
+- add Geotrusts Equifax Root1 CA certificate, which needed to
+  verify the authenticity of you.novell.com [#121966]
+* Tue Oct 11 2005 poeml@suse.de
+- update to 0.9.8a
+  * ) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+    (part of SSL_OP_ALL).  This option used to disable the
+    countermeasure against man-in-the-middle protocol-version
+    rollback in the SSL 2.0 server implementation, which is a bad
+    idea.  (CAN-2005-2969)
+  * ) Add two function to clear and return the verify parameter flags.
+  * ) Keep cipherlists sorted in the source instead of sorting them at
+    runtime, thus removing the need for a lock.
+  * ) Avoid some small subgroup attacks in Diffie-Hellman.
+  * ) Add functions for well-known primes.
+  * ) Extended Windows CE support.
+  * ) Initialize SSL_METHOD structures at compile time instead of during
+    runtime, thus removing the need for a lock.
+  * ) Make PKCS7_decrypt() work even if no certificate is supplied by
+    attempting to decrypt each encrypted key in turn. Add support to
+    smime utility.
+* Thu Sep 29 2005 poeml@suse.de
+- update to 0.9.8
+  see CHANGES file or http://www.openssl.org/news/changelog.html
+- adjust patches
+- drop obsolete openssl-no-libc.diff
+- disable libica patch until it has been ported
+* Fri May 20 2005 poeml@suse.de
+- update to 0.9.7g. The significant changes are:
+  * ) Fixes for newer kerberos headers. NB: the casts are needed because
+    the 'length' field is signed on one version and unsigned on another
+    with no (?) obvious way to tell the difference, without these VC++
+    complains. Also the "definition" of FAR (blank) is no longer included
+    nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+    some needed definitions.
+  * ) Added support for proxy certificates according to RFC 3820.
+    Because they may be a security thread to unaware applications,
+    they must be explicitely allowed in run-time.  See
+    docs/HOWTO/proxy_certificates.txt for further information.
+* Tue May 17 2005 schwab@suse.de
+- Include %%cflags_profile_generate in ${CC} since it is required for
+  linking as well.
+- Remove explicit reference to libc.
+* Fri Apr  8 2005 poeml@suse.de
+- update to 0.9.7f. The most significant changes are:
+    o Several compilation issues fixed.
+    o Many memory allocation failure checks added.
+    o Improved comparison of X509 Name type.
+    o Mandatory basic checks on certificates.
+    o Performance improvements.
+  (for a complete list see http://www.openssl.org/source/exp/CHANGES)
+- adjust openssl-0.9.7f-ppc64.diff
+- drop obsolete openssl-0.9.7d-crl-default_md.dif [#55435]
+* Tue Jan  4 2005 poeml@suse.de
+- update to 0.9.7e
+  * ) Avoid a race condition when CRLs are checked in a multi
+    threaded environment. This would happen due to the reordering
+    of the revoked entries during signature checking and serial
+    number lookup. Now the encoding is cached and the serial
+    number sort performed under a lock.  Add new STACK function
+    sk_is_sorted().
+  * ) Add Delta CRL to the extension code.
+  * ) Various fixes to s3_pkt.c so alerts are sent properly.
+  * ) Reduce the chances of duplicate issuer name and serial numbers
+    (in violation of RFC3280) using the OpenSSL certificate
+    creation utilities.  This is done by creating a random 64 bit
+    value for the initial serial number when a serial number file
+    is created or when a self signed certificate is created using
+    'openssl req -x509'. The initial serial number file is created
+    using 'openssl x509 -next_serial' in CA.pl rather than being
+    initialized to 1.
+- remove obsolete patches
+- fix openssl-0.9.7d-padlock-glue.diff and ICA patch to patch
+  Makefile, not Makefile.ssl
+- fixup for spaces in names of man pages not needed now
+- pack /usr/bin/openssl_fips_fingerprint
+- in rpm post/postun script, run /sbin/ldconfig directly (the macro
+  is deprecated)
+* Mon Oct 18 2004 poeml@suse.de
+- don't install openssl.doxy file [#45210]
+* Thu Jul 29 2004 poeml@suse.de
+- apply patch from CVS to fix segfault in S/MIME encryption
+  (http://cvs.openssl.org/chngview?cn=12081, regression in
+  openssl-0.9.7d) [#43386]
+* Mon Jul 12 2004 mludvig@suse.cz
+- Updated VIA PadLock engine.
+* Wed Jun 30 2004 mludvig@suse.cz
+- Updated openssl-0.9.7d-padlock-engine.diff with support for
+  AES192, AES256 and RNG.
+* Tue Jun 15 2004 poeml@suse.de
+- update IBM ICA patch to last night's version. Fixes ibmca_init()
+  to reset ibmca_dso=NULL after calling DSO_free(), if the device
+  driver could not be loaded. The bug lead to a segfault triggered
+  by stunnel, which does autoload available engines [#41874]
+- patch from CVS: make stack API more robust (return NULL for
+  out-of-range indexes). Fixes another possible segfault during
+  engine detection (could also triggered by stunnel)
+- add patch from Michal Ludvig for VIA PadLock support
+* Wed Jun  2 2004 poeml@suse.de
+- add root certificate for the ICP-Brasil CA [#41546]
+* Thu May 13 2004 poeml@suse.de
+- add patch to use default_md for CRLs too [#40435]
+* Tue May  4 2004 poeml@suse.de
+- update ICA patch to apr292004 release [#39695]
+* Thu Mar 18 2004 poeml@suse.de
+- update to 0.9.7d
+  o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+    (CAN-2004-0112)
+  o Security: Fix null-pointer assignment in do_change_cipher_spec()
+    (CAN-2004-0079)
+  o Allow multiple active certificates with same subject in CA index
+  o Multiple X590 verification fixes
+  o Speed up HMAC and other operations
+- remove the hunk from openssl-0.9.6d.dif that added NO_IDEA around
+  IDEA_128_CBC_WITH_MD5 in the global cipher list. Upstream now has
+  OPENSSL_NO_IDEA around it
+- [#36386] fixed (broken generation of EVP_BytesToKey.3ssl from the
+  pod file)
+- permissions of lib/pkgconfig fixed
+* Wed Feb 25 2004 poeml@suse.de
+- update to 0.9.7c
+  * ) Fix various bugs revealed by running the NISCC test suite:
+    Stop out of bounds reads in the ASN1 code when presented with
+    invalid tags (CAN-2003-0543 and CAN-2003-0544).
+    Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+    If verify callback ignores invalid public key errors don't try to check
+    certificate signature with the NULL public key.
+  * ) New -ignore_err option in ocsp application to stop the server
+    exiting on the first error in a request.
+  * ) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+    if the server requested one: as stated in TLS 1.0 and SSL 3.0
+    specifications.
+  * ) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+    extra data after the compression methods not only for TLS 1.0
+    but also for SSL 3.0 (as required by the specification).
+  * ) Change X509_certificate_type() to mark the key as exported/exportable
+    when it's 512 *bits* long, not 512 bytes.
+  * ) Change AES_cbc_encrypt() so it outputs exact multiple of
+    blocks during encryption.
+  * ) Various fixes to base64 BIO and non blocking I/O. On write
+    flushes were not handled properly if the BIO retried. On read
+    data was not being buffered properly and had various logic bugs.
+    This also affects blocking I/O when the data being decoded is a
+    certain size.
+  * ) Various S/MIME bugfixes and compatibility changes:
+    output correct application/pkcs7 MIME type if
+    PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+    Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+    of files as .eml work). Correctly handle very long lines in MIME
+    parser.
+- update ICA patch
+  quote: This version of the engine patch has updated error handling in
+  the DES/SHA code, and turns RSA blinding off for hardware
+  accelerated RSA ops.
+- filenames of some man pages contain spaces now. Replace them with
+  underscores
+- fix compiler warnings in showciphers.c
+- fix permissions of /usr/%%_lib/pkgconfig
+* Sat Jan 10 2004 adrian@suse.de
+- add %%run_ldconfig
+- remove unneeded PreRequires
+* Tue Nov 18 2003 poeml@suse.de
+- ditch annoying mail to root about moved locations [#31969]
+* Wed Aug 13 2003 poeml@suse.de
+- enable profile feedback based optimizations (except AES which
+  becomes slower)
+- add -fno-strict-aliasing, due to warnings about code where
+  dereferencing type-punned pointers will break strict aliasing
+- make a readlink function if readlink is not available
+* Mon Aug  4 2003 ro@suse.de
+- fixed manpages symlinks
+* Wed Jul 30 2003 meissner@suse.de
+- Fix Makefile to create pkgconfig file with lib64 on lib64 systems.
+* Sun Jul 27 2003 poeml@suse.de
+- don't explicitely strip binaries since RPM handles it, and may
+  keep the stripped information somewhere
+* Tue Jul 15 2003 meissner@suse.de
+- -DMD32_REG_T=int for ppc64 and s390x.
+* Thu Jul 10 2003 poeml@suse.de
+- update ibm ICA patch to 20030708 release (libica-1.3)
+* Mon May 12 2003 poeml@suse.de
+- package the openssl.pc file for pkgconfig
+* Wed Apr 16 2003 poeml@suse.de
+- update to 0.9.7b. The most significant changes are:
+  o New library section OCSP.
+  o Complete rewrite of ASN1 code.
+  o CRL checking in verify code and openssl utility.
+  o Extension copying in 'ca' utility.
+  o Flexible display options in 'ca' utility.
+  o Provisional support for international characters with UTF8.
+  o Support for external crypto devices ('engine') is no longer
+    a separate distribution.
+  o New elliptic curve library section.
+  o New AES (Rijndael) library section.
+  o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+    Linux x86_64, Linux 64-bit on Sparc v9
+  o Extended support for some platforms: VxWorks
+  o Enhanced support for shared libraries.
+  o Now only builds PIC code when shared library support is requested.
+  o Support for pkg-config.
+  o Lots of new manuals.
+  o Makes symbolic links to or copies of manuals to cover all described
+    functions.
+  o Change DES API to clean up the namespace (some applications link also
+    against libdes providing similar functions having the same name).
+    Provide macros for backward compatibility (will be removed in the
+    future).
+  o Unify handling of cryptographic algorithms (software and engine)
+    to be available via EVP routines for asymmetric and symmetric ciphers.
+  o NCONF: new configuration handling routines.
+  o Change API to use more 'const' modifiers to improve error checking
+    and help optimizers.
+  o Finally remove references to RSAref.
+  o Reworked parts of the BIGNUM code.
+  o Support for new engines: Broadcom ubsec, Accelerated Encryption
+    Processing, IBM 4758.
+  o A few new engines added in the demos area.
+  o Extended and corrected OID (object identifier) table.
+  o PRNG: query at more locations for a random device, automatic query for
+    EGD style random sources at several locations.
+  o SSL/TLS: allow optional cipher choice according to server's preference.
+  o SSL/TLS: allow server to explicitly set new session ids.
+  o SSL/TLS: support Kerberos cipher suites (RFC2712).
+    Only supports MIT Kerberos for now.
+  o SSL/TLS: allow more precise control of renegotiations and sessions.
+  o SSL/TLS: add callback to retrieve SSL/TLS messages.
+  o SSL/TLS: support AES cipher suites (RFC3268).
+- adapt the ibmca patch
+- remove openssl-nocrypt.diff, openssl's crypt() vanished
+- configuration syntax has changed ($sys_id added before $lflags)
+* Thu Feb 20 2003 poeml@suse.de
+- update to bugfix release 0.9.6i:
+  - security fix: In ssl3_get_record (ssl/s3_pkt.c), minimize
+    information leaked via timing by performing a MAC computation
+    even if incorrrect block cipher padding has been found.  This
+    is a countermeasure against active attacks where the attacker
+    has to distinguish between bad padding and a MAC verification
+    error.  (CAN-2003-0078)
+  - a few more small bugfixes (mainly missing assertions)
+* Fri Dec  6 2002 poeml@suse.de
+- update to 0.9.6h (last release in the 0.9.6 series)
+  o New configuration targets for Tandem OSS and A/UX.
+  o New OIDs for Microsoft attributes.
+  o Better handling of SSL session caching.
+  o Better comparison of distinguished names.
+  o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+  o Support assembler code with Borland C.
+  o Fixes for length problems.
+  o Fixes for uninitialised variables.
+  o Fixes for memory leaks, some unusual crashes and some race conditions.
+  o Fixes for smaller building problems.
+  o Updates of manuals, FAQ and other instructive documents.
+- add a call to make depend
+- fix sed expression (lib -> lib64) to replace multiple occurences
+  on one line
+* Mon Nov  4 2002 stepan@suse.de
+- fix openssl for alpha ev56 cpus
+* Thu Oct 24 2002 poeml@suse.de
+- own the /usr/share/ssl directory [#20849]
+- openssl-hppa-config.diff can be applied on all architectures
+* Mon Sep 30 2002 bg@suse.de
+- enable hppa distribution; use only pa1.1 architecture.
+* Tue Sep 17 2002 froh@suse.de
+- update ibm-hardware-crypto-patch to ibmca.patch-0.96e-2 (#18953)
+* Mon Aug 12 2002 poeml@suse.de
+- update to 0.9.6g and drop the now included ASN1 check patch.
+  Other change:
+  - Use proper error handling instead of 'assertions' in buffer
+    overflow checks added in 0.9.6e.  This prevents DoS (the
+    assertions could call abort()).
+* Fri Aug  9 2002 kukuk@suse.de
+- Fix requires of openssl-devel subpackage
+* Tue Aug  6 2002 draht@suse.de
+- Correction for changes in the ASN1 code, assembled in
+  openssl-0.9.6e-cvs-20020802-asn1_lib.diff
+* Wed Jul 31 2002 poeml@suse.de
+- update to 0.9.6e. Major changes:
+  o Various security fixes (sanity checks to asn1_get_length(),
+    various remote buffer overflows)
+  o new option SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS, disabling the
+    countermeasure against a vulnerability in the CBC ciphersuites
+    in SSL 3.0/TLS 1.0 that was added in 0.9.6d which turned out to
+    be incompatible with buggy SSL implementations
+- update ibmca crypto hardware patch (security issues fixed)
+- gcc 3.1 version detection is fixed, we can drop the patch
+- move the most used man pages from the -doc to the main package
+  [#9913] and resolve man page conflicts by putting them into ssl
+  sections [#17239]
+- spec file: use PreReq for %%post script
+* Fri Jul 12 2002 poeml@suse.de
+- update to 0.9.6d. Major changes:
+  o Various SSL/TLS library bugfixes.
+  o Fix DH parameter generation for 'non-standard' generators.
+  Complete Changelog: http://www.openssl.org/news/changelog.html
+- supposed to fix a session caching failure occuring with postfix
+- simplify local configuration for the architectures
+- there's a new config variable: $shared_ldflag
+- use RPM_OPT_FLAGS in favor of predifined cflags by appending them
+  at the end
+- validate config data (config --check-sanity)
+- resolve file conflict of /usr/share/man/man1/openssl.1.gz [#15982]
+- move configuration to /etc/ssl [#14387]
+- mark openssl.cnf %%config (noreplace)
+* Sat Jul  6 2002 schwab@suse.de
+- Include <crypt.h> to get crypt prototype.
+* Fri Jul  5 2002 kukuk@suse.de
+- Remove crypt prototype from des.h header file, too.
+* Mon Jun 10 2002 meissner@suse.de
+- enhanced ppc64 support (needs seperate config), reenabled make check
+* Fri May 31 2002 olh@suse.de
+- add ppc64 support, temporary disable make check
+* Thu Apr 18 2002 meissner@suse.de
+- fixed x86_64 build, added bc to needed_for_build (used by tests)
+* Wed Apr 17 2002 ro@suse.de
+- fixed gcc version determination
+- drop sun4c support/always use sparcv8
+- ignore return code from showciphers
+* Fri Mar 15 2002 poeml@suse.de
+- add settings for sparc to build shared objects. Note that all
+  sparcs (sun4[mdu]) are recognized as linux-sparcv7
+* Wed Feb  6 2002 kukuk@suse.de
+- Remove crypt function from libcrypto.so.0 [Bug #13056]
+* Sun Feb  3 2002 poeml@suse.de
+- add settings for mips to build shared objects
+- print out all settings to the build log
+* Tue Jan 29 2002 poeml@suse.de
+- update to 0.9.6c:
+  o bug fixes
+  o support for hardware crypto devices (Cryptographic Appliances,
+  Broadcom, and Accelerated Encryption Processing)
+- add IBMCA patch for IBM eServer Cryptographic Accelerator Device
+  Driver (#12565) (forward ported from 0.9.6b)
+  (http://www-124.ibm.com/developerworks/projects/libica/)
+- tell Configure how to build shared libs for s390 and s390x
+- tweak Makefile.org to use %%_libdir
+- clean up spec file
+- add README.SuSE as source file instead of in a patch
+* Wed Dec  5 2001 uli@suse.de
+- disabled "make test" for ARM (destest segfaults, the other tests
+  seem to succeed)
+* Wed Dec  5 2001 ro@suse.de
+- removed subpackage src
+* Wed Nov 28 2001 uli@suse.de
+- needs -ldl on ARM, too
+* Mon Nov 19 2001 mls@suse.de
+- made mips big endian, fixed shared library creation for mips
+* Fri Aug 31 2001 rolf@suse.de
+- added root certificates [BUG#9913]
+- move from /usr/ssh to /usr/share/ssl
+* Wed Jul 18 2001 rolf@suse.de
+- update to 0.9.6b
+- switch to engine version of openssl, which supports hardware
+  encryption for a few popular devices
+- check wether shared libraries have been generated
+* Thu Jul  5 2001 rolf@suse.de
+- appliy PRNG security patch
+* Tue Jun 12 2001 bk@suse.de
+- added support for s390x
+* Mon May  7 2001 kukuk@suse.de
+- Fix building of shared libraries on SPARC, too.
+* Mon May  7 2001 rolf@suse.de
+- Fix ppc and s390 shared library builds
+- resolved conflict in manpage naming:
+  rand.3 is now sslrand.3 [BUG#7643]
+* Tue May  1 2001 schwab@suse.de
+- Fix ia64 configuration.
+- Fix link command.
+* Thu Apr 26 2001 bjacke@suse.de
+- updated to 0.96a
+* Wed Apr 18 2001 kkaempf@suse.de
+- provide .so files in -devel package only
+* Tue Apr 17 2001 bjacke@suse.de
+- resolve file name conflict (#6966)
+* Wed Mar 21 2001 rolf@suse.de
+- new subpackage openssl-src [BUG#6383]
+- added README.SuSE which explains where to find the man pages [BUG#6717]
+* Fri Dec 15 2000 sf@suse.de
+- changed CFLAG to -O1 to make the tests run successfully
+* Mon Dec 11 2000 rolf@suse.de
+- build openssl with no-idea and no-rc5 to meet US & RSA regulations
+- build with -fPIC on all platforms (especially IA64)
+* Wed Nov 22 2000 rolf@suse.de
+- rename openssls to openssl-devel and add shared libs and header files
+- new subpackge openssl-doc for manpages and documentation
+- use BuildRoot
+* Fri Oct 27 2000 schwab@suse.de
+- Add link-time links for libcrypto and libssl.
+- Make sure that LD_LIBRARY_PATH is passed down to sub-makes.
+* Mon Oct  2 2000 rolf@suse.de
+- update to 0.9.6
+* Mon Apr 10 2000 bk@suse.de
+- fix support for s390-linux
+* Mon Apr 10 2000 rolf@suse.de
+- new version 0.9.5a
+* Sun Apr  9 2000 bk@suse.de
+- add support for s390-linux
+* Mon Mar 27 2000 kukuk@suse.de
+- Use sparcv7 for SPARC
+* Wed Mar  1 2000 rolf@suse.de
+- move manpages back, as too many conflict with system manuals
+* Wed Mar  1 2000 rolf@suse.de
+- move manpages to %%{_mandir}
+- include static libraries
+* Wed Mar  1 2000 bk@suse.de
+- added subpackage source openssls, needed for ppp_ssl
+* Tue Feb 29 2000 rolf@suse.de
+- new version 0.9.5
+* Thu Feb 24 2000 schwab@suse.de
+- add support for ia64-linux
+* Mon Jan 31 2000 kukuk@suse.de
+- Create and add libcrypto.so.0 and libssl.so.0
+* Mon Sep 13 1999 bs@suse.de
+- ran old prepare_spec on spec file to switch to new prepare_spec.
+* Wed Sep  1 1999 rolf@suse.de
+- new version 0.9.4
+* Wed May 26 1999 rolf@suse.de
+- new version 0.9.3 with new layout
+- alpha asm disabled by default now, no patch needed
+* Thu May 20 1999 ro@suse.de
+- disable asm for alpha: seems incomplete
+* Mon May 17 1999 rolf@suse.de
+- don't use -DNO_IDEA
+* Wed May 12 1999 rolf@suse.de
+- first version 0.9.2b
diff --git a/openssl-1_1.spec b/openssl-1_1.spec
new file mode 100644
index 0000000..948d463
--- /dev/null
+++ b/openssl-1_1.spec
@@ -0,0 +1,512 @@
+#
+# spec file for package openssl-1_1
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
+# Enable livepatching support for SLE15-SP4 onwards. It requires
+# compiler support introduced there.
+%define livepatchable 1
+
+# Set variables for livepatching.
+%define _other %{_topdir}/OTHER
+%define tar_basename %{_rname}-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+%else
+# Unsupported operating system.
+%define livepatchable 0
+%endif
+
+%ifnarch x86_64
+# Unsupported architectures must have livepatch disabled.
+%define livepatchable 0
+%endif
+
+%define ssletcdir %{_sysconfdir}/ssl
+%define maj_min 1.1
+%define _rname  openssl
+Name:           openssl-1_1
+# Don't forget to update the version in the "openssl" package!
+Version:        1.1.1l
+Release:        150500.17.9.1
+Summary:        Secure Sockets and Transport Layer Security
+License:        OpenSSL
+Group:          Productivity/Networking/Security
+URL:            https://www.openssl.org/
+Source:         https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz
+# to get mtime of file:
+Source1:        %{name}.changes
+Source2:        baselibs.conf
+Source3:        https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc
+# https://www.openssl.org/about/
+# http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA2D29B7BF295C759#/openssl.keyring
+Source4:        %{_rname}.keyring
+Source5:        showciphers.c
+# PATCH-FIX-OPENSUSE: do not install html mans it takes ages
+Patch1:         openssl-1.1.0-no-html.patch
+Patch2:         openssl-truststore.patch
+Patch3:         openssl-pkgconfig.patch
+Patch4:         openssl-DEFAULT_SUSE_cipher.patch
+Patch5:         openssl-ppc64-config.patch
+Patch6:         openssl-no-date.patch
+# PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129
+Patch8:         0001-s390x-assembly-pack-perlasm-support.patch
+Patch9:         0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch
+Patch10:        0003-crypto-poly1305-asm-poly1305-s390x.pl-add-vx-code-pa.patch
+Patch11:        0004-s390x-assembly-pack-fix-formal-interface-bug-in-chac.patch
+Patch12:        0005-s390x-assembly-pack-import-chacha-from-cryptogams-re.patch
+Patch13:        0006-s390x-assembly-pack-import-poly-from-cryptogams-repo.patch
+# PATCH-FIX-UPSTREAM bsc#1152695 jsc#SLE-7861 Support for CPACF enhancements - part 1 (crypto)
+Patch16:        openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
+Patch17:        openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
+Patch18:        openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
+Patch19:        openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
+Patch20:        openssl-s390xcpuid.pl-fix-comment.patch
+Patch21:        openssl-assembly-pack-accelerate-scalar-multiplication.patch
+Patch22:        openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
+Patch23:        openssl-s390x-assembly-pack-accelerate-ECDSA.patch
+Patch24:        openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
+Patch25:        openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
+Patch26:        openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
+Patch27:        openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
+Patch28:        openssl-Fix-9bf682f-which-broke-nistp224_method.patch
+# FIPS patches
+Patch30:        openssl-1.1.1-fips.patch
+Patch31:        openssl-1.1.1-fips-post-rand.patch
+Patch32:        openssl-1.1.1-fips-crng-test.patch
+Patch33:        openssl-1.1.0-issuer-hash.patch
+Patch34:        openssl-fips-run_selftests_only_when_module_is_complete.patch
+Patch35:        openssl-ship_fips_standalone_hmac.patch
+Patch36:        openssl-fips_mode.patch
+Patch37:        openssl-1.1.1-evp-kdf.patch
+Patch38:        openssl-1.1.1-ssh-kdf.patch
+Patch40:        openssl-fips-selftests_in_nonfips_mode.patch
+Patch41:        openssl-fips-clearerror.patch
+Patch42:        openssl-fips-ignore_broken_atexit_test.patch
+Patch45:        openssl-fips-add-SHA3-selftest.patch
+Patch46:        openssl-fips_selftest_upstream_drbg.patch
+Patch47:        openssl-unknown_dgst.patch
+# PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto)
+Patch50:        openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
+Patch51:        openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
+# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements
+# from SP800-56Arev3 SLE-15-SP2
+Patch60:        openssl-DH.patch
+Patch61:        openssl-kdf-selftest.patch
+Patch62:        openssl-kdf-tls-selftest.patch
+Patch63:        openssl-kdf-ssh-selftest.patch
+Patch64:        openssl-fips-DH_selftest_shared_secret_KAT.patch
+Patch65:        openssl-1.1.1-system-cipherlist.patch
+# PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration
+Patch66:        openssl-1_1-seclevel.patch
+Patch67:        openssl-1_1-use-seclevel2-in-tests.patch
+Patch68:        openssl-1_1-disable-test_srp-sslapi.patch
+#PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography
+Patch69:        openssl-1_1-Optimize-ppc64.patch
+#PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3
+Patch70:        openssl-1_1-Optimize-RSA-armv8.patch
+Patch71:        openssl-1_1-Optimize-AES-XTS-aarch64.patch
+Patch72:        openssl-1_1-Optimize-AES-GCM-uarchs.patch
+#PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2
+Patch73:        openssl-fips-kdf-hkdf-selftest.patch
+#PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test
+Patch74:        openssl-FIPS-KAT-before-integrity-tests.patch
+#PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes
+Patch75:        openssl-1_1-FIPS-fix-error-reason-codes.patch
+#PATCH-FIX-SUSE bsc#1190652 FIPS: Add release number to version string
+Patch76:        openssl-1_1-fips-bsc1190652_release_num_in_version_string.patch
+#PATCH-FIX-SUSE bsc#1185319 FIPS: Implement Known Answer Tests for ECDSA
+# currently disable, as it breaks nodejs16
+#Patch77:        openssl-KAT-ecdsa.patch
+#PATCH-FIX-UPSTREAM bsc#1196877 CVE-2022-0778 Infinite loop in BN_mod_sqrt() reachable when parsing certificates
+Patch78:        openssl-CVE-2022-0778.patch
+Patch79:        openssl-CVE-2022-0778-tests.patch
+#PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf
+Patch80:        openssl-1_1-use-include-directive.patch
+#PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT
+Patch81:        openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch
+Patch82:        bsc1185319-FIPS-KAT-for-ECDSA.patch
+Patch83:        bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch
+Patch84:        openssl-1_1-shortcut-test_afalg_aes_cbc.patch
+Patch85:        openssl-CVE-2022-1292.patch
+Patch86:        openssl-update_expired_certificates.patch
+Patch87:        openssl-1_1-Fix-file-operations-in-c_rehash.patch
+Patch88:        openssl-CVE-2022-2097.patch
+#PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components
+Patch89:        openssl-1_1-Zeroization.patch
+#PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
+Patch90:        openssl-1_1-ossl-sli-000-fix-build-error.patch
+Patch91:        openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch
+Patch92:        openssl-1_1-ossl-sli-002-ran-make-update.patch
+Patch93:        openssl-1_1-ossl-sli-003-add-sli.patch
+#PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy
+Patch94:        openssl-1_1-jitterentropy-3.4.0.patch
+#PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled
+Patch95:        openssl-1.1.1-fips-fix-memory-leaks.patch
+#PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG
+Patch96:        openssl-1_1-FIPS_drbg-rewire.patch
+#PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation
+Patch97:        openssl-1_1-fips-drbg-selftest.patch
+#PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472 FIPS: List only approved digest and pubkey algorithms
+Patch98:        openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch
+#PATCH-FIX-SUSE bsc#1180995 FIPS: Default to RFC-7919 groups for genparam and dhparam
+Patch99:        openssl-1_1-FIPS-default-RFC7919.patch
+#PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator
+Patch100:       openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch
+Patch101:       openssl-1_1-ossl-sli-005-EC_group_order_bits.patch
+Patch102:       openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch
+Patch103:       openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch
+# PATCH-FIX-UPSTREAM jsc#PED-512
+# POWER10 performance enhancements for cryptography
+Patch104:       openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch
+Patch105:       openssl-1_1-Fixed-counter-overflow.patch
+Patch106:       openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch
+Patch107:       openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch
+Patch108:       openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch
+#PATCH-FIX-UPSTREAM bsc#1207534 CVE-2022-4304 Timing Oracle in RSA Decryption
+Patch109:       openssl-CVE-2022-4304.patch
+#PATCH-FIX-UPSTREAM bsc#1207538 CVE-2022-4450 Double free after calling PEM_read_bio_ex()
+Patch111:       openssl-CVE-2022-4450-1of2.patch
+Patch112:       openssl-CVE-2022-4450-2of2.patch
+#PATCH-FIX-UPSTREAM bsc#1207536 CVE-2023-0215 Use-after-free following BIO_new_NDEF()
+Patch113:       openssl-CVE-2023-0215-1of4.patch
+Patch114:       openssl-CVE-2023-0215-2of4.patch
+Patch115:       openssl-CVE-2023-0215-3of4.patch
+Patch116:       openssl-CVE-2023-0215-4of4.patch
+#PATCH-FIX-UPSTREAM bsc#1207533 CVE-2023-0286 Address type confusion related to X.400 address processing
+Patch117:       openssl-CVE-2023-0286.patch
+#PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe
+Patch118:       openssl-1_1-serialize-jitterentropy-calls.patch
+#PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl
+Patch119:       openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch
+# PATCH-FIX-UPSTREAM: bsc#1209624, CVE-2023-0464 Excessive Resource Usage Verifying X.509 Policy Constraints
+Patch120:       openssl-CVE-2023-0464.patch
+# PATCH-FIX-UPSTREAM: bsc#1209878, CVE-2023-0465 Invalid certificate policies in leaf certificates are silently ignored
+Patch121:       openssl-CVE-2023-0465.patch
+# PATCH-FIX-UPSTREAM: bsc#1209873, CVE-2023-0466 Certificate policy check not enabled
+Patch122:       openssl-CVE-2023-0466.patch
+# PATCH-FIX-UPSTREAM: bsc#1211430, CVE-2023-2650 Possible DoS translating ASN.1 object identifiers
+Patch123:       openssl-CVE-2023-2650.patch
+# PATCH-FIX-UPSTREAM bsc#1201627 Update further expiring certificates that affect tests
+Patch124:       openssl-Update-further-expiring-certificates.patch
+# PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus
+Patch125:       openssl-CVE-2023-3446.patch
+Patch126:       openssl-CVE-2023-3446-test.patch
+
+Requires:       libopenssl1_1 = %{version}-%{release}
+BuildRequires:  pkgconfig
+BuildRequires:  pkgconfig(zlib)
+BuildRequires:  jitterentropy-devel >= 3.4.0
+Requires:       libjitterentropy3 >= 3.4.0
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400
+Requires:       crypto-policies
+%endif
+Conflicts:      ssl
+Provides:       ssl
+Provides:       openssl(cli)
+# Needed for clean upgrade path, boo#1070003
+Obsoletes:      openssl-1_0_0
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      openssl-1_1_0
+
+%description
+OpenSSL is a software library to be used in applications that need to
+secure communications over computer networks against eavesdropping or
+need to ascertain the identity of the party at the other end.
+OpenSSL contains an implementation of the SSL and TLS protocols.
+
+%package -n libopenssl1_1
+Summary:        Secure Sockets and Transport Layer Security
+License:        OpenSSL
+Group:          Productivity/Networking/Security
+%if 0%{?suse_version} && ! 0%{?sle_version}
+Requires:       crypto-policies
+%endif
+Recommends:     ca-certificates-mozilla
+# install libopenssl and libopenssl-hmac close together (bsc#1090765)
+Suggests:       libopenssl1_1-hmac = %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0
+Conflicts:      %{name} < %{version}-%{release}
+
+%description -n libopenssl1_1
+OpenSSL is a software library to be used in applications that need to
+secure communications over computer networks against eavesdropping or
+need to ascertain the identity of the party at the other end.
+OpenSSL contains an implementation of the SSL and TLS protocols.
+
+%package -n libopenssl-1_1-devel
+Summary:        Development files for OpenSSL
+License:        OpenSSL
+Group:          Development/Libraries/C and C++
+Requires:       jitterentropy-devel >= 3.4.0
+Requires:       libopenssl1_1 = %{version}
+Requires:       pkgconfig(zlib)
+Recommends:     %{name} = %{version}
+# we need to have around only the exact version we are able to operate with
+Conflicts:      libopenssl-devel < %{version}
+Conflicts:      libopenssl-devel > %{version}
+Conflicts:      ssl-devel
+Provides:       ssl-devel
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl-1_1_0-devel
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-devel
+
+%description -n libopenssl-1_1-devel
+This subpackage contains header files for developing applications
+that want to make use of the OpenSSL C API.
+
+%package -n libopenssl1_1-hmac
+Summary:        HMAC files for FIPS-140-2 integrity checking of the openssl shared libraries
+License:        BSD-3-Clause
+Group:          Productivity/Networking/Security
+Requires:       libopenssl1_1 = %{version}-%{release}
+# Needed for clean upgrade from former openssl-1_1_0, boo#1081335
+Obsoletes:      libopenssl1_1_0-hmac
+# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499
+Obsoletes:      libopenssl-1_0_0-hmac
+
+%description -n libopenssl1_1-hmac
+The FIPS compliant operation of the openssl shared libraries is NOT
+possible without the HMAC hashes contained in this package!
+
+%package doc
+Summary:        Additional Package Documentation
+License:        OpenSSL
+Group:          Productivity/Networking/Security
+Conflicts:      openssl-doc
+Provides:       openssl-doc = %{version}
+Obsoletes:      openssl-doc < %{version}
+BuildArch:      noarch
+
+%description doc
+This package contains optional documentation provided in addition to
+this package's base documentation.
+
+%prep
+%autosetup -p1 -n %{_rname}-%{version}
+
+%build
+%ifarch armv5el armv5tel
+export MACHINE=armv5el
+%endif
+%ifarch armv6l armv6hl
+export MACHINE=armv6l
+%endif
+
+./config \
+    no-idea \
+    enable-rfc3779 \
+%ifarch x86_64 aarch64 ppc64le
+    enable-ec_nistp_64_gcc_128 \
+%endif
+    enable-camellia \
+    zlib \
+    no-ec2m \
+    --prefix=%{_prefix} \
+    --libdir=%{_lib} \
+    --openssldir=%{ssletcdir} \
+    %{optflags} \
+%if %{livepatchable}
+    -fpatchable-function-entry=16,14 -fdump-ipa-clones \
+%endif
+    -Wa,--noexecstack \
+    -Wl,-z,relro,-z,now \
+    -fno-common \
+    -DTERMIO \
+    -DPURIFY \
+    -D_GNU_SOURCE \
+    -DSUSE_OPENSSL_RELEASE=%{release} \
+    -DOPENSSL_NO_BUF_FREELISTS \
+    $(getconf LFS_CFLAGS) \
+    -Wall \
+    --with-rand-seed=getrandom \
+    --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config
+
+# Show build configuration
+perl configdata.pm --dump
+
+util/mkdef.pl crypto update
+make depend %{?_smp_mflags}
+make all %{?_smp_mflags}
+
+%check
+export MALLOC_CHECK_=3
+export MALLOC_PERTURB_=$(($RANDOM % 255 + 1))
+LD_LIBRARY_PATH=`pwd` make test -j1
+# Create the hmac files required to run the regression tests in FIPS mode
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+ libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+ libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac
+OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \
+		       -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \
+		       -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \
+		       -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \
+		       -test_bad_dtls -test_comp -test_key_share -test_renegotiation \
+		       -test_sslcbcpadding -test_sslcertstatus -test_sslextension \
+		       -test_sslmessages -test_sslrecords -test_sslsessiontick \
+		       -test_sslsigalgs -test_sslsignature -test_sslskewith0p \
+		       -test_sslversions -test_sslvertol -test_tls13alerts \
+		       -test_tls13cookie -test_tls13downgrade -test_tls13hrr \
+		       -test_tls13kexmodes -test_tls13messages -test_tls13psk \
+		       -test_tlsextms -test_ca -test_cipherlist -test_cms \
+		       -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \
+		       -test_sslapi -test_tls13ccs -test_ec' test -j1
+# show ciphers
+gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers
+
+%install
+
+%if %{livepatchable}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create list of ipa-clones.
+find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
+
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+while read f; do
+  _dest=ipa-clones/%{clones_dest_dir}/$f
+  mkdir -p ${_dest%/*}
+  cp $f $_dest
+done < ipa-clones.list
+
+# Create tar package with the clone files.
+tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
+
+# Copy tar package to the OTHERS folder
+cp %{tar_package_name} %{_other}
+
+%endif # livepatchable
+
+%make_install %{?_smp_mflags}
+# kill static libs
+rm -f %{buildroot}%{_libdir}/lib*.a
+# remove the cnf.dist
+rm -f %{buildroot}%{_sysconfdir}/ssl/openssl.cnf.dist
+ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl
+mkdir %{buildroot}/%{_datadir}/ssl
+mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/
+# Create the two directories into which packages will drop their configuration
+# files.
+mkdir %{buildroot}/%{ssletcdir}/engines.d/
+mkdir %{buildroot}/%{ssletcdir}/engdef.d/
+
+# avoid file conflicts with man pages from other packages
+#
+pushd %{buildroot}/%{_mandir}
+# some man pages now contain spaces. This makes several scripts go havoc, among them /usr/sbin/Check.
+# replace spaces by underscores
+#for i in man?/*\ *; do mv -v "$i" "${i// /_}"; done
+which readlink &>/dev/null || function readlink { ( set +x; target=$(file $1 2>/dev/null); target=${target//* }; test -f $target && echo $target; ) }
+for i in man?/*; do
+	if test -L $i ; then
+	    LDEST=`readlink $i`
+	    rm -f $i ${i}ssl
+	    ln -sf ${LDEST}ssl ${i}ssl
+	else
+	    mv $i ${i}ssl
+        fi
+	case "$i" in
+	    *.1)
+		# these are the pages mentioned in openssl(1). They go into the main package.
+		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist;;
+	    *)
+		# the rest goes into the openssl-doc package.
+		echo %doc %{_mandir}/${i}ssl%{?ext_man} >> $OLDPWD/filelist.doc;;
+	esac
+done
+popd
+
+# Do not install demo scripts executable under /usr/share/doc
+find demos -type f -perm /111 -exec chmod 644 {} \;
+
+# Place showciphers.c for %%doc macro
+cp %{SOURCE5} .
+
+# the hmac hashes:
+#
+# this is a hack that re-defines the __os_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+#
+# this shows up earlier because otherwise the expand of
+# the macro is too late.
+# remark: This is the same as running
+#   openssl dgst -sha256 -hmac 'ppaksykemnsecgtsttplmamstKMEs'
+%{expand:%%global __os_install_post {%__os_install_post
+
+# Point linker to the newly installed libcrypto in order to avoid BuildRequiring itself (libopenssl1_1)
+export LD_LIBRARY_PATH="%{buildroot}%{_libdir}"
+
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+  %{buildroot}%{_libdir}/libssl.so.%{maj_min} > \
+    %{buildroot}%{_libdir}/.libssl.so.%{maj_min}.hmac
+
+# As fips_standalone_hmac now uses the very same library it checksums,
+# the libcrypto hmac needs to be saved to a temporary file, otherwise
+# the library will detect the empty hmac and abort due to a wrong checksum
+%{buildroot}%{_bindir}/fips_standalone_hmac \
+  %{buildroot}%{_libdir}/libcrypto.so.%{maj_min} > \
+    %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac
+
+# rename the temporary checksum to its proper name
+mv %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.temphmac %{buildroot}%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+unset LD_LIBRARY_PATH
+
+}}
+
+%post -n libopenssl1_1 -p /sbin/ldconfig
+%postun -n libopenssl1_1 -p /sbin/ldconfig
+
+%files -n libopenssl1_1
+%license LICENSE
+%{_libdir}/libssl.so.%{maj_min}
+%{_libdir}/libcrypto.so.%{maj_min}
+%{_libdir}/engines-%{maj_min}
+
+%files -n libopenssl1_1-hmac
+%{_libdir}/.libssl.so.%{maj_min}.hmac
+%{_libdir}/.libcrypto.so.%{maj_min}.hmac
+
+%files -n libopenssl-1_1-devel
+%{_includedir}/%{_rname}/
+%{_includedir}/ssl
+%{_libdir}/libssl.so
+%{_libdir}/libcrypto.so
+%{_libdir}/pkgconfig/libcrypto.pc
+%{_libdir}/pkgconfig/libssl.pc
+%{_libdir}/pkgconfig/openssl.pc
+
+%files doc -f filelist.doc
+%doc doc/* demos
+%doc showciphers.c
+
+%files -f filelist
+%doc CHANGE* NEWS README
+%dir %{ssletcdir}
+%config (noreplace) %{ssletcdir}/openssl.cnf
+%attr(700,root,root) %{ssletcdir}/private
+%dir %{ssletcdir}/engines.d
+%dir %{ssletcdir}/engdef.d
+%{ssletcdir}/ct_log_list.cnf
+%{ssletcdir}/ct_log_list.cnf.dist
+
+%dir %{_datadir}/ssl
+%{_datadir}/ssl/misc
+%{_bindir}/c_rehash
+%{_bindir}/fips_standalone_hmac
+%{_bindir}/%{_rname}
+
+%changelog
diff --git a/openssl-CVE-2022-0778-tests.patch b/openssl-CVE-2022-0778-tests.patch
new file mode 100644
index 0000000..8765cbb
--- /dev/null
+++ b/openssl-CVE-2022-0778-tests.patch
@@ -0,0 +1,54 @@
+From 48abbd97dc8834240eacb46f64b1fae43bfe9554 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:35 +0100
+Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
+
+---
+ test/bntest.c                          | 11 ++++++++++-
+ test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/test/bntest.c b/test/bntest.c
+index 390dd80073..1cab660bca 100644
+--- a/test/bntest.c
++++ b/test/bntest.c
+@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s)
+             || !TEST_ptr(ret2 = BN_new()))
+         goto err;
+ 
++    if (BN_is_negative(mod_sqrt)) {
++        /* A negative testcase */
++        if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
++            goto err;
++
++        st = 1;
++        goto err;
++    }
++
+     /* There are two possible answers. */
+-    if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
++    if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
+             || !TEST_true(BN_sub(ret2, p, ret)))
+         goto err;
+ 
+diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt
+index 5ea4d031f2..e28cc6bfb0 100644
+--- a/test/recipes/10-test_bn_data/bnmod.txt
++++ b/test/recipes/10-test_bn_data/bnmod.txt
+@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+ ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
+ A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
+ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
++
++# Negative testcases for BN_mod_sqrt()
++
++# This one triggers an infinite loop with unfixed implementation
++# It should just fail.
++ModSqrt = -1
++A = 20a7ee
++P = 460201
++
++ModSqrt = -1
++A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
++P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
diff --git a/openssl-CVE-2022-0778.patch b/openssl-CVE-2022-0778.patch
new file mode 100644
index 0000000..e04ae33
--- /dev/null
+++ b/openssl-CVE-2022-0778.patch
@@ -0,0 +1,63 @@
+From 72082ae738bbfdc552a0af55320cdc3c6fe16e1a Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:21 +0100
+Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
+
+The calculation in some cases does not finish for non-prime p.
+
+This fixes CVE-2022-0778.
+
+Based on patch by David Benjamin <davidben@google.com>.
+---
+ crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
+index 1723d5ded5..53b0f55985 100644
+--- a/crypto/bn/bn_sqrt.c
++++ b/crypto/bn/bn_sqrt.c
+@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ /*
+  * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
+  * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
+- * Theory", algorithm 1.5.1). 'p' must be prime!
++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
++ * an incorrect "result" will be returned.
+  */
+ {
+     BIGNUM *ret = in;
+@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+             goto vrfy;
+         }
+ 
+-        /* find smallest  i  such that  b^(2^i) = 1 */
+-        i = 1;
+-        if (!BN_mod_sqr(t, b, p, ctx))
+-            goto end;
+-        while (!BN_is_one(t)) {
+-            i++;
+-            if (i == e) {
+-                BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+-                goto end;
++        /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
++        for (i = 1; i < e; i++) {
++            if (i == 1) {
++                if (!BN_mod_sqr(t, b, p, ctx))
++                    goto end;
++
++            } else {
++                if (!BN_mod_mul(t, t, t, p, ctx))
++                    goto end;
+             }
+-            if (!BN_mod_mul(t, t, t, p, ctx))
+-                goto end;
++            if (BN_is_one(t))
++                break;
++        }
++        /* If not found, a is not a square or p is not prime. */
++        if (i >= e) {
++            BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
++            goto end;
+         }
+ 
+         /* t := y^2^(e - i - 1) */
diff --git a/openssl-CVE-2022-1292.patch b/openssl-CVE-2022-1292.patch
new file mode 100644
index 0000000..d084eef
--- /dev/null
+++ b/openssl-CVE-2022-1292.patch
@@ -0,0 +1,73 @@
+From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 26 Apr 2022 12:40:24 +0200
+Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
+
+Except on VMS where it is safe.
+
+This fixes CVE-2022-1292.
+
+Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+---
+ tools/c_rehash.in | 29 +++++++++++++++++++++++++----
+ 1 file changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/tools/c_rehash.in b/tools/c_rehash.in
+index fa7c6c9fef91..83c1cc80e08a 100644
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -152,6 +152,23 @@ sub check_file {
+ 	return ($is_cert, $is_crl);
+ }
+ 
++sub compute_hash {
++    my $fh;
++    if ( $^O eq "VMS" ) {
++        # VMS uses the open through shell
++        # The file names are safe there and list form is unsupported
++        if (!open($fh, "-|", join(' ', @_))) {
++            print STDERR "Cannot compute hash on '$fname'\n";
++            return;
++        }
++    } else {
++        if (!open($fh, "-|", @_)) {
++            print STDERR "Cannot compute hash on '$fname'\n";
++            return;
++        }
++    }
++    return (<$fh>, <$fh>);
++}
+ 
+ # Link a certificate to its subject name hash value, each hash is of
+ # the form <hash>.<n> where n is an integer. If the hash value already exists
+@@ -161,10 +178,12 @@ sub check_file {
+ 
+ sub link_hash_cert {
+ 		my $fname = $_[0];
+-		$fname =~ s/\"/\\\"/g;
+-		my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
++		my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
++						   "-fingerprint", "-noout",
++						   "-in", $fname);
+ 		chomp $hash;
+ 		chomp $fprint;
++		return if !$hash;
+ 		$fprint =~ s/^.*=//;
+ 		$fprint =~ tr/://d;
+ 		my $suffix = 0;
+@@ -202,10 +221,12 @@ sub link_hash_cert {
+ 
+ sub link_hash_crl {
+ 		my $fname = $_[0];
+-		$fname =~ s/'/'\\''/g;
+-		my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
++		my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
++						   "-fingerprint", "-noout",
++						   "-in", $fname);
+ 		chomp $hash;
+ 		chomp $fprint;
++		return if !$hash;
+ 		$fprint =~ s/^.*=//;
+ 		$fprint =~ tr/://d;
+ 		my $suffix = 0;
diff --git a/openssl-CVE-2022-2097.patch b/openssl-CVE-2022-2097.patch
new file mode 100644
index 0000000..ee5ca05
--- /dev/null
+++ b/openssl-CVE-2022-2097.patch
@@ -0,0 +1,134 @@
+From 5908f8cebce81d2605483be4bd48a9b982bafa76 Mon Sep 17 00:00:00 2001
+From: Alex Chernyakhovsky <achernya@google.com>
+Date: Thu, 16 Jun 2022 12:00:22 +1000
+Subject: Fix AES OCB encrypt/decrypt for x86 AES-NI and test vectors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
+that performs operations on 6 16-byte blocks concurrently (the
+"grandloop") and then proceeds to handle the "short" tail (which can
+be anywhere from 0 to 5 blocks) that remain.
+
+As part of initialization, the assembly initializes $len to the true
+length, less 96 bytes and converts it to a pointer so that the $inp
+can be compared to it. Each iteration of "grandloop" checks to see if
+there's a full 96-byte chunk to process, and if so, continues. Once
+this has been exhausted, it falls through to "short", which handles
+the remaining zero to five blocks.
+
+Unfortunately, the jump at the end of "grandloop" had a fencepost
+error, doing a `jb` ("jump below") rather than `jbe` (jump below or
+equal). This should be `jbe`, as $inp is pointing to the *end* of the
+chunk currently being handled. If $inp == $len, that means that
+there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
+then there's 5 or fewer 16-byte blocks left to be handled, and the
+fall-through is intended.
+
+The net effect of `jb` instead of `jbe` is that the last 16-byte block
+of the last 96-byte chunk was completely omitted. The contents of
+`out` in this position were never written to. Additionally, since
+those bytes were never processed, the authentication tag generated is
+also incorrect.
+
+The same fencepost error, and identical logic, exists in both
+aesni_ocb_encrypt and aesni_ocb_decrypt.
+
+This addresses CVE-2022-2097.
+
+Co-authored-by: Alejandro Sedeño <asedeno@google.com>
+Co-authored-by: David Benjamin <davidben@google.com>
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+---
+ crypto/aes/asm/aesni-x86.pl | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+ test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
+index fe2b26542a..812758e02e 100644
+--- a/crypto/aes/asm/aesni-x86.pl
++++ b/crypto/aes/asm/aesni-x86.pl
+@@ -2027,7 +2027,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+@@ -2453,7 +2453,7 @@ my ($l_,$block,$i1,$i3,$i5) = ($rounds_,$key_,$rounds,$len,$out);
+ 	&pxor		($rndkey1,$inout5);
+ 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
+ 	&cmp		($inp,$len);			# done yet?
+-	&jb		(&label("grandloop"));
++	&jbe		(&label("grandloop"));
+ 
+ &set_label("short");
+ 	&add		($len,16*6);
+
+diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
+index 1c02ea1e9c..e12670d9a4 100644
+--- a/test/recipes/30-test_evp_data/evpciph.txt
++++ b/test/recipes/30-test_evp_data/evpciph.txt
+@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
+ Operation = DECRYPT
+ Result = CIPHERFINAL_ERROR
+ 
++#Test vectors generated to validate aesni_ocb_encrypt on x86
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = C14DFF7D62A13C4A3422456207453190
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 41970D13737B7BD1B5FBF49ED4412CA5
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = BE0228651ED4E48A11BDED68D953F3A0
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 17BC6E10B16E5FDC52836E7D589518C7
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = E84AAC18666116990A3A37B3A5FC55BD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
++
++Cipher = aes-128-ocb
++Key = 000102030405060708090A0B0C0D0E0F
++IV = 000000000001020304050607
++Tag = 3E5EA7EE064FE83B313E28D411E91EAD
++Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
++Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
++
+ Title = AES XTS test vectors from IEEE Std 1619-2007
+ 
+ # Using the same key twice for encryption is always banned.
diff --git a/openssl-CVE-2022-4304.patch b/openssl-CVE-2022-4304.patch
new file mode 100644
index 0000000..4b5efab
--- /dev/null
+++ b/openssl-CVE-2022-4304.patch
@@ -0,0 +1,461 @@
+From aefe424d7695ed13b240673298d340bc552365fe Mon Sep 17 00:00:00 2001
+From: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Date: Mon, 13 Feb 2023 17:46:41 +0100
+Subject: [PATCH] Alternative fix for CVE-2022-4304
+
+This is about a timing leak in the topmost limb
+of the internal result of RSA_private_decrypt,
+before the padding check.
+
+There are in fact at least three bugs together that
+caused the timing leak:
+
+First and probably most important is the fact that
+the blinding did not use the constant time code path
+at all when the RSA object was used for a private
+decrypt, due to the fact that the Montgomery context
+rsa->_method_mod_n was not set up early enough in
+rsa_ossl_private_decrypt, when BN_BLINDING_create_param
+needed it, and that was persisted as blinding->m_ctx,
+although the RSA object creates the Montgomery context
+just a bit later.
+
+Then the infamous bn_correct_top was used on the
+secret value right after the blinding was removed.
+
+And finally the function BN_bn2binpad did not use
+the constant-time code path since the BN_FLG_CONSTTIME
+was not set on the secret value.
+
+In order to address the first problem, this patch
+makes sure that the rsa->_method_mod_n is initialized
+right before the blinding context.
+
+And to fix the second problem, we add a new utility
+function bn_correct_top_consttime, a const-time
+variant of bn_correct_top.
+
+Together with the fact, that BN_bn2binpad is already
+constant time if the flag BN_FLG_CONSTTIME is set,
+this should eliminate the timing oracle completely.
+
+In addition the no-asm variant may also have
+branches that depend on secret values, because the last
+invocation of bn_sub_words in bn_from_montgomery_word
+had branches when the function is compiled by certain
+gcc compiler versions, due to the clumsy coding style.
+
+So additionally this patch stream-lined the no-asm
+C-code in order to avoid branches where possible and
+improve the resulting code quality.
+---
+ CHANGES               |   10 ++++
+ crypto/bn/bn_asm.c    |  106 +++++++++++++++++++++++++++-----------------------
+ crypto/bn/bn_blind.c  |    3 -
+ crypto/bn/bn_lib.c    |   22 ++++++++++
+ crypto/bn/bn_local.h  |   26 ++++++------
+ crypto/rsa/rsa_ossl.c |   13 ++----
+ 6 files changed, 111 insertions(+), 69 deletions(-)
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,16 @@
+ 
+  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+ 
++  *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
++     The previous fix for this timing side channel turned out to cause
++     a severe 2-3x performance regression in the typical use case
++     compared to 1.1.1s. The new fix uses existing constant time
++     code paths, and restores the previous performance level while
++     fully eliminating all existing timing side channels.
++     The fix was developed by Bernd Edlinger with testing support
++     by Hubert Kario.
++     [Bernd Edlinger]
++
+   *) Fixed an SM2 Decryption Buffer Overflow.
+ 
+      In order to decrypt SM2 encrypted data an application is expected to call the
+--- a/crypto/bn/bn_asm.c
++++ b/crypto/bn/bn_asm.c
+@@ -381,25 +381,33 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+ #ifndef OPENSSL_SMALL_FOOTPRINT
+     while (n & ~3) {
+         t1 = a[0];
+-        t2 = b[0];
+-        r[0] = (t1 - t2 - c) & BN_MASK2;
+-        if (t1 != t2)
+-            c = (t1 < t2);
++        t2 = (t1 - c) & BN_MASK2;
++        c  = (t2 > t1);
++        t1 = b[0];
++        t1 = (t2 - t1) & BN_MASK2;
++        r[0] = t1;
++        c += (t1 > t2);
+         t1 = a[1];
+-        t2 = b[1];
+-        r[1] = (t1 - t2 - c) & BN_MASK2;
+-        if (t1 != t2)
+-            c = (t1 < t2);
++        t2 = (t1 - c) & BN_MASK2;
++        c  = (t2 > t1);
++        t1 = b[1];
++        t1 = (t2 - t1) & BN_MASK2;
++        r[1] = t1;
++        c += (t1 > t2);
+         t1 = a[2];
+-        t2 = b[2];
+-        r[2] = (t1 - t2 - c) & BN_MASK2;
+-        if (t1 != t2)
+-            c = (t1 < t2);
++        t2 = (t1 - c) & BN_MASK2;
++        c  = (t2 > t1);
++        t1 = b[2];
++        t1 = (t2 - t1) & BN_MASK2;
++        r[2] = t1;
++        c += (t1 > t2);
+         t1 = a[3];
+-        t2 = b[3];
+-        r[3] = (t1 - t2 - c) & BN_MASK2;
+-        if (t1 != t2)
+-            c = (t1 < t2);
++        t2 = (t1 - c) & BN_MASK2;
++        c  = (t2 > t1);
++        t1 = b[3];
++        t1 = (t2 - t1) & BN_MASK2;
++        r[3] = t1;
++        c += (t1 > t2);
+         a += 4;
+         b += 4;
+         r += 4;
+@@ -408,10 +416,12 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+ #endif
+     while (n) {
+         t1 = a[0];
+-        t2 = b[0];
+-        r[0] = (t1 - t2 - c) & BN_MASK2;
+-        if (t1 != t2)
+-            c = (t1 < t2);
++        t2 = (t1 - c) & BN_MASK2;
++        c  = (t2 > t1);
++        t1 = b[0];
++        t1 = (t2 - t1) & BN_MASK2;
++        r[0] = t1;
++        c += (t1 > t2);
+         a++;
+         b++;
+         r++;
+@@ -446,7 +456,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         t += c0;                /* no carry */  \
+         c0 = (BN_ULONG)Lw(t);                   \
+         hi = (BN_ULONG)Hw(t);                   \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define mul_add_c2(a,b,c0,c1,c2)      do {    \
+@@ -455,11 +465,11 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         BN_ULLONG tt = t+c0;    /* no carry */  \
+         c0 = (BN_ULONG)Lw(tt);                  \
+         hi = (BN_ULONG)Hw(tt);                  \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         t += c0;                /* no carry */  \
+         c0 = (BN_ULONG)Lw(t);                   \
+         hi = (BN_ULONG)Hw(t);                   \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define sqr_add_c(a,i,c0,c1,c2)       do {    \
+@@ -468,7 +478,7 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         t += c0;                /* no carry */  \
+         c0 = (BN_ULONG)Lw(t);                   \
+         hi = (BN_ULONG)Hw(t);                   \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define sqr_add_c2(a,i,j,c0,c1,c2) \
+@@ -483,26 +493,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         BN_ULONG ta = (a), tb = (b);            \
+         BN_ULONG lo, hi;                        \
+         BN_UMULT_LOHI(lo,hi,ta,tb);             \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define mul_add_c2(a,b,c0,c1,c2)      do {    \
+         BN_ULONG ta = (a), tb = (b);            \
+         BN_ULONG lo, hi, tt;                    \
+         BN_UMULT_LOHI(lo,hi,ta,tb);             \
+-        c0 += lo; tt = hi+((c0<lo)?1:0);        \
+-        c1 += tt; c2 += (c1<tt)?1:0;            \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; tt = hi + (c0<lo);            \
++        c1 += tt; c2 += (c1<tt);                \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define sqr_add_c(a,i,c0,c1,c2)       do {    \
+         BN_ULONG ta = (a)[i];                   \
+         BN_ULONG lo, hi;                        \
+         BN_UMULT_LOHI(lo,hi,ta,ta);             \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define sqr_add_c2(a,i,j,c0,c1,c2)    \
+@@ -517,26 +527,26 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         BN_ULONG ta = (a), tb = (b);            \
+         BN_ULONG lo = ta * tb;                  \
+         BN_ULONG hi = BN_UMULT_HIGH(ta,tb);     \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define mul_add_c2(a,b,c0,c1,c2)      do {    \
+         BN_ULONG ta = (a), tb = (b), tt;        \
+         BN_ULONG lo = ta * tb;                  \
+         BN_ULONG hi = BN_UMULT_HIGH(ta,tb);     \
+-        c0 += lo; tt = hi + ((c0<lo)?1:0);      \
+-        c1 += tt; c2 += (c1<tt)?1:0;            \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; tt = hi + (c0<lo);            \
++        c1 += tt; c2 += (c1<tt);                \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define sqr_add_c(a,i,c0,c1,c2)       do {    \
+         BN_ULONG ta = (a)[i];                   \
+         BN_ULONG lo = ta * ta;                  \
+         BN_ULONG hi = BN_UMULT_HIGH(ta,ta);     \
+-        c0 += lo; hi += (c0<lo)?1:0;            \
+-        c1 += hi; c2 += (c1<hi)?1:0;            \
++        c0 += lo; hi += (c0<lo);                \
++        c1 += hi; c2 += (c1<hi);                \
+         } while(0)
+ 
+ #  define sqr_add_c2(a,i,j,c0,c1,c2)      \
+@@ -551,8 +561,8 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         BN_ULONG lo = LBITS(a), hi = HBITS(a);  \
+         BN_ULONG bl = LBITS(b), bh = HBITS(b);  \
+         mul64(lo,hi,bl,bh);                     \
+-        c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c0 = (c0+lo)&BN_MASK2; hi += (c0<lo);   \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define mul_add_c2(a,b,c0,c1,c2)      do {    \
+@@ -561,17 +571,17 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const
+         BN_ULONG bl = LBITS(b), bh = HBITS(b);  \
+         mul64(lo,hi,bl,bh);                     \
+         tt = hi;                                \
+-        c0 = (c0+lo)&BN_MASK2; if (c0<lo) tt++; \
+-        c1 = (c1+tt)&BN_MASK2; if (c1<tt) c2++; \
+-        c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c0 = (c0+lo)&BN_MASK2; tt += (c0<lo);   \
++        c1 = (c1+tt)&BN_MASK2; c2 += (c1<tt);   \
++        c0 = (c0+lo)&BN_MASK2; hi += (c0<lo);   \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define sqr_add_c(a,i,c0,c1,c2)       do {    \
+         BN_ULONG lo, hi;                        \
+         sqr64(lo,hi,(a)[i]);                    \
+-        c0 = (c0+lo)&BN_MASK2; if (c0<lo) hi++; \
+-        c1 = (c1+hi)&BN_MASK2; if (c1<hi) c2++; \
++        c0 = (c0+lo)&BN_MASK2; hi += (c0<lo);   \
++        c1 = (c1+hi)&BN_MASK2; c2 += (c1<hi);   \
+         } while(0)
+ 
+ #  define sqr_add_c2(a,i,j,c0,c1,c2) \
+--- a/crypto/bn/bn_blind.c
++++ b/crypto/bn/bn_blind.c
+@@ -191,7 +191,8 @@ int BN_BLINDING_invert_ex(BIGNUM *n, con
+             n->top = (int)(rtop & ~mask) | (ntop & mask);
+             n->flags |= (BN_FLG_FIXED_TOP & ~mask);
+         }
+-        ret = BN_mod_mul_montgomery(n, n, r, b->m_ctx, ctx);
++        ret = bn_mul_mont_fixed_top(n, n, r, b->m_ctx, ctx);
++        bn_correct_top_consttime(n);
+     } else {
+         ret = BN_mod_mul(n, n, r, b->mod, ctx);
+     }
+--- a/crypto/bn/bn_lib.c
++++ b/crypto/bn/bn_lib.c
+@@ -1001,6 +1001,28 @@ BIGNUM *bn_wexpand(BIGNUM *a, int words)
+     return (words <= a->dmax) ? a : bn_expand2(a, words);
+ }
+ 
++void bn_correct_top_consttime(BIGNUM *a)
++{
++    int j, atop;
++    BN_ULONG limb;
++    unsigned int mask;
++
++    for (j = 0, atop = 0; j < a->dmax; j++) {
++        limb = a->d[j];
++        limb |= 0 - limb;
++        limb >>= BN_BITS2 - 1;
++        limb = 0 - limb;
++        mask = (unsigned int)limb;
++        mask &= constant_time_msb(j - a->top);
++        atop = constant_time_select_int(mask, j + 1, atop);
++    }
++
++    mask = constant_time_eq_int(atop, 0);
++    a->top = atop;
++    a->neg = constant_time_select_int(mask, 0, a->neg);
++    a->flags &= ~BN_FLG_FIXED_TOP;
++}
++
+ void bn_correct_top(BIGNUM *a)
+ {
+     BN_ULONG *ftl;
+--- a/crypto/bn/bn_local.h
++++ b/crypto/bn/bn_local.h
+@@ -496,10 +496,10 @@ unsigned __int64 _umul128(unsigned __int
+         ret =  (r);                     \
+         BN_UMULT_LOHI(low,high,w,tmp);  \
+         ret += (c);                     \
+-        (c) =  (ret<(c))?1:0;           \
++        (c) =  (ret<(c));               \
+         (c) += high;                    \
+         ret += low;                     \
+-        (c) += (ret<low)?1:0;           \
++        (c) += (ret<low);               \
+         (r) =  ret;                     \
+         }
+ 
+@@ -508,7 +508,7 @@ unsigned __int64 _umul128(unsigned __int
+         BN_UMULT_LOHI(low,high,w,ta);   \
+         ret =  low + (c);               \
+         (c) =  high;                    \
+-        (c) += (ret<low)?1:0;           \
++        (c) += (ret<low);               \
+         (r) =  ret;                     \
+         }
+ 
+@@ -524,10 +524,10 @@ unsigned __int64 _umul128(unsigned __int
+         high=  BN_UMULT_HIGH(w,tmp);    \
+         ret += (c);                     \
+         low =  (w) * tmp;               \
+-        (c) =  (ret<(c))?1:0;           \
++        (c) =  (ret<(c));               \
+         (c) += high;                    \
+         ret += low;                     \
+-        (c) += (ret<low)?1:0;           \
++        (c) += (ret<low);               \
+         (r) =  ret;                     \
+         }
+ 
+@@ -537,7 +537,7 @@ unsigned __int64 _umul128(unsigned __int
+         high=  BN_UMULT_HIGH(w,ta);     \
+         ret =  low + (c);               \
+         (c) =  high;                    \
+-        (c) += (ret<low)?1:0;           \
++        (c) += (ret<low);               \
+         (r) =  ret;                     \
+         }
+ 
+@@ -570,10 +570,10 @@ unsigned __int64 _umul128(unsigned __int
+         lt=(bl)*(lt); \
+         m1=(bl)*(ht); \
+         ht =(bh)*(ht); \
+-        m=(m+m1)&BN_MASK2; if (m < m1) ht+=L2HBITS((BN_ULONG)1); \
++        m=(m+m1)&BN_MASK2; ht += L2HBITS((BN_ULONG)(m < m1)); \
+         ht+=HBITS(m); \
+         m1=L2HBITS(m); \
+-        lt=(lt+m1)&BN_MASK2; if (lt < m1) ht++; \
++        lt=(lt+m1)&BN_MASK2; ht += (lt < m1); \
+         (l)=lt; \
+         (h)=ht; \
+         }
+@@ -590,7 +590,7 @@ unsigned __int64 _umul128(unsigned __int
+         h*=h; \
+         h+=(m&BN_MASK2h1)>>(BN_BITS4-1); \
+         m =(m&BN_MASK2l)<<(BN_BITS4+1); \
+-        l=(l+m)&BN_MASK2; if (l < m) h++; \
++        l=(l+m)&BN_MASK2; h += (l < m); \
+         (lo)=l; \
+         (ho)=h; \
+         }
+@@ -604,9 +604,9 @@ unsigned __int64 _umul128(unsigned __int
+         mul64(l,h,(bl),(bh)); \
+  \
+         /* non-multiply part */ \
+-        l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
++        l=(l+(c))&BN_MASK2; h += (l < (c)); \
+         (c)=(r); \
+-        l=(l+(c))&BN_MASK2; if (l < (c)) h++; \
++        l=(l+(c))&BN_MASK2; h += (l < (c)); \
+         (c)=h&BN_MASK2; \
+         (r)=l; \
+         }
+@@ -620,7 +620,7 @@ unsigned __int64 _umul128(unsigned __int
+         mul64(l,h,(bl),(bh)); \
+  \
+         /* non-multiply part */ \
+-        l+=(c); if ((l&BN_MASK2) < (c)) h++; \
++        l+=(c); h += ((l&BN_MASK2) < (c)); \
+         (c)=h&BN_MASK2; \
+         (r)=l&BN_MASK2; \
+         }
+@@ -650,7 +650,7 @@ BN_ULONG bn_sub_part_words(BN_ULONG *r,
+                            int cl, int dl);
+ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+                 const BN_ULONG *np, const BN_ULONG *n0, int num);
+-
++void bn_correct_top_consttime(BIGNUM *a);
+ BIGNUM *int_bn_mod_inverse(BIGNUM *in,
+                            const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
+                            int *noinv);
+--- a/crypto/rsa/rsa_ossl.c
++++ b/crypto/rsa/rsa_ossl.c
+@@ -252,6 +252,7 @@ static int rsa_blinding_invert(BN_BLINDI
+      * will only read the modulus from BN_BLINDING. In both cases it's safe
+      * to access the blinding without a lock.
+      */
++    BN_set_flags(f, BN_FLG_CONSTTIME);
+     return BN_BLINDING_invert_ex(f, unblind, b, ctx);
+ }
+ 
+@@ -470,6 +471,11 @@ static int rsa_ossl_private_decrypt(int
+         goto err;
+     }
+ 
++    if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
++        if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
++                                    rsa->n, ctx))
++            goto err;
++
+     if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) {
+         blinding = rsa_get_blinding(rsa, &local_blinding, ctx);
+         if (blinding == NULL) {
+@@ -507,13 +513,6 @@ static int rsa_ossl_private_decrypt(int
+             goto err;
+         }
+         BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME);
+-
+-        if (rsa->flags & RSA_FLAG_CACHE_PUBLIC)
+-            if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, rsa->lock,
+-                                        rsa->n, ctx)) {
+-                BN_free(d);
+-                goto err;
+-            }
+         if (!rsa->meth->bn_mod_exp(ret, f, d, rsa->n, ctx,
+                                    rsa->_method_mod_n)) {
+             BN_free(d);
diff --git a/openssl-CVE-2022-4450-1of2.patch b/openssl-CVE-2022-4450-1of2.patch
new file mode 100644
index 0000000..9075cb5
--- /dev/null
+++ b/openssl-CVE-2022-4450-1of2.patch
@@ -0,0 +1,32 @@
+commit 2fc14c59ca0eb275dfb9308e9d1d89a1dcbc2a24
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Dec 13 14:54:55 2022 +0000
+
+    Avoid dangling ptrs in header and data params for PEM_read_bio_ex
+    
+    In the event of a failure in PEM_read_bio_ex() we free the buffers we
+    allocated for the header and data buffers. However we were not clearing
+    the ptrs stored in *header and *data. Since, on success, the caller is
+    responsible for freeing these ptrs this can potentially lead to a double
+    free if the caller frees them even on failure.
+    
+    Thanks to Dawei Wang for reporting this issue.
+    
+    Based on a proposed patch by Kurt Roeckx.
+    
+    CVE-2022-4450
+
+Index: openssl-1.1.1l/crypto/pem/pem_lib.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/pem/pem_lib.c
++++ openssl-1.1.1l/crypto/pem/pem_lib.c
+@@ -954,7 +954,9 @@ int PEM_read_bio_ex(BIO *bp, char **name
+     *data = pem_malloc(len, flags);
+     if (*header == NULL || *data == NULL) {
+         pem_free(*header, flags, 0);
++        *header = NULL;
+         pem_free(*data, flags, 0);
++        *data = NULL;
+         goto end;
+     }
+     BIO_read(headerB, *header, headerlen);
diff --git a/openssl-CVE-2022-4450-2of2.patch b/openssl-CVE-2022-4450-2of2.patch
new file mode 100644
index 0000000..3532420
--- /dev/null
+++ b/openssl-CVE-2022-4450-2of2.patch
@@ -0,0 +1,54 @@
+commit 075039740c6981d9b9a90ab3a8a6879d3014a987
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Dec 13 15:02:26 2022 +0000
+
+    Add a test for CVE-2022-4450
+    
+    Call PEM_read_bio_ex() and expect a failure. There should be no dangling
+    ptrs and therefore there should be no double free if we free the ptrs on
+    error.
+
+diff --git a/test/pemtest.c b/test/pemtest.c
+index 3203d976be..edeb0a1205 100644
+--- a/test/pemtest.c
++++ b/test/pemtest.c
+@@ -83,9 +83,39 @@ static int test_invalid(void)
+     return 1;
+ }
+ 
++static int test_empty_payload(void)
++{
++    BIO *b;
++    static char *emptypay =
++        "-----BEGIN CERTIFICATE-----\n"
++        "-\n" /* Base64 EOF character */
++        "-----END CERTIFICATE-----";
++    char *name = NULL, *header = NULL;
++    unsigned char *data = NULL;
++    long len;
++    int ret = 0;
++
++    b = BIO_new_mem_buf(emptypay, strlen(emptypay));
++    if (!TEST_ptr(b))
++        return 0;
++
++    /* Expected to fail because the payload is empty */
++    if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
++        goto err;
++
++    ret = 1;
++ err:
++    OPENSSL_free(name);
++    OPENSSL_free(header);
++    OPENSSL_free(data);
++    BIO_free(b);
++    return ret;
++}
++
+ int setup_tests(void)
+ {
+     ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
+     ADD_TEST(test_invalid);
++    ADD_TEST(test_empty_payload);
+     return 1;
+ }
diff --git a/openssl-CVE-2023-0215-1of4.patch b/openssl-CVE-2023-0215-1of4.patch
new file mode 100644
index 0000000..f2666c1
--- /dev/null
+++ b/openssl-CVE-2023-0215-1of4.patch
@@ -0,0 +1,102 @@
+commit 847b1cd5fcf2a9098871f5832a50845670c3885e
+Author: Matt Caswell <matt@openssl.org>
+Date:   Wed Dec 14 16:18:14 2022 +0000
+
+    Fix a UAF resulting from a bug in BIO_new_NDEF
+    
+    If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+    be part of an invalid BIO chain. This causes a "use after free" when the
+    BIO is eventually freed.
+    
+    Based on an original patch by Viktor Dukhovni.
+    
+    Thanks to Octavio Galland for reporting this issue.
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index 760e4846a4..e0deaecf19 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -49,6 +49,12 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
+ static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
+                             void *parg);
+ 
++/*
++ * On success, the returned BIO owns the input BIO as part of its BIO chain.
++ * On failure, NULL is returned and the input BIO is owned by the caller.
++ *
++ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
++ */
+ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+ {
+     NDEF_SUPPORT *ndef_aux = NULL;
+@@ -60,45 +66,50 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+         return NULL;
+     }
+-    ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
+     asn_bio = BIO_new(BIO_f_asn1());
+-    if (ndef_aux == NULL || asn_bio == NULL)
+-        goto err;
+-
+-    /* ASN1 bio needs to be next to output BIO */
+-    out = BIO_push(asn_bio, out);
+-    if (out == NULL)
+-        goto err;
++    if (asn_bio == NULL)
++        return NULL;
+ 
+     BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+     BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+ 
++    /* ASN1 bio needs to be next to output BIO */
++    if (BIO_push(asn_bio, out) == NULL) {
++        BIO_free(asn_bio);
++        return NULL;
++    }
++
+     /*
+-     * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
+-     * needs.
++     * Now let the callback prepend any digest, cipher, etc., that the BIO's
++     * ASN1 structure needs.
+      */
+-
+-    sarg.out = out;
++    sarg.out = asn_bio;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
+-        goto err;
++    /*
++     * On error, restore input BIO to head of its BIO chain.
++     *
++     * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
++     * middle of some partially built, but not returned BIO chain.
++     */
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0
++        || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) {
++        /* Assumed head of BIO chain with "out" as immediate successor */
++        (void)BIO_pop(asn_bio);
++        BIO_free(asn_bio);
++        return NULL;
++    }
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+     ndef_aux->ndef_bio = sarg.ndef_bio;
+     ndef_aux->boundary = sarg.boundary;
+-    ndef_aux->out = out;
++    ndef_aux->out = asn_bio;
+ 
+     BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
+ 
+     return sarg.ndef_bio;
+-
+- err:
+-    BIO_free(asn_bio);
+-    OPENSSL_free(ndef_aux);
+-    return NULL;
+ }
+ 
+ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
diff --git a/openssl-CVE-2023-0215-2of4.patch b/openssl-CVE-2023-0215-2of4.patch
new file mode 100644
index 0000000..f65ef7d
--- /dev/null
+++ b/openssl-CVE-2023-0215-2of4.patch
@@ -0,0 +1,69 @@
+commit 21639475465737d58abfad50b69e5dc657a0c275
+Author: Matt Caswell <matt@openssl.org>
+Date:   Wed Dec 14 17:15:18 2022 +0000
+
+    Check CMS failure during BIO setup with -stream is handled correctly
+    
+    Test for the issue fixed in the previous commit
+
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 5dc6a3aebe..ec11bfc253 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -13,7 +13,7 @@ use warnings;
+ use POSIX;
+ use File::Spec::Functions qw/catfile/;
+ use File::Compare qw/compare_text/;
+-use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/;
++use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/;
+ use OpenSSL::Test::Utils;
+ 
+ setup("test_cms");
+@@ -27,7 +27,7 @@ my $smcont   = srctop_file("test", "smcont.txt");
+ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
+     = disabled qw/des dh dsa ec ec2m rc2 zlib/;
+ 
+-plan tests => 6;
++plan tests => 7;
+ 
+ my @smime_pkcs7_tests = (
+ 
+@@ -584,3 +584,14 @@ sub check_availability {
+ 
+     return "";
+ }
++
++# Check that we get the expected failure return code
++with({ exit_checker => sub { return shift == 6; } },
++    sub {
++        ok(run(app(['openssl', 'cms', '-encrypt',
++                    '-in', srctop_file("test", "smcont.txt"),
++                    '-stream', '-recip',
++                    srctop_file("test/smime-certs", "badrsa.pem"),
++                   ])),
++            "Check failure during BIO setup with -stream is handled correctly");
++    });
+diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
+new file mode 100644
+index 0000000000..f824fc2267
+--- /dev/null
++++ b/test/smime-certs/badrsa.pem
+@@ -0,0 +1,18 @@
++-----BEGIN CERTIFICATE-----
++MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
++VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
++DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
++AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
++I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
++/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
++yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
++zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
++lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
++CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
++ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
++eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
++5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
++rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
++yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
++j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
++-----END CERTIFICATE-----
diff --git a/openssl-CVE-2023-0215-3of4.patch b/openssl-CVE-2023-0215-3of4.patch
new file mode 100644
index 0000000..6fa4060
--- /dev/null
+++ b/openssl-CVE-2023-0215-3of4.patch
@@ -0,0 +1,99 @@
+commit 6c051d7769ef19d12f00723dff8b5615c501ddfa
+Author: Matt Caswell <matt@openssl.org>
+Date:   Fri Jan 27 13:49:32 2023 +0000
+
+    squash! Fix a UAF resulting from a bug in BIO_new_NDEF
+    
+    If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
+    be part of an invalid BIO chain. This causes a "use after free" when the
+    BIO is eventually freed.
+    
+    Based on an original patch by Viktor Dukhovni and an idea from Theo
+    Buehler.
+    
+    Thanks to Octavio Galland for reporting this issue.
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index e0deaecf19..a182399331 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -61,55 +61,59 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     BIO *asn_bio = NULL;
+     const ASN1_AUX *aux = it->funcs;
+     ASN1_STREAM_ARG sarg;
++    BIO *pop_bio = NULL;
+ 
+     if (!aux || !aux->asn1_cb) {
+         ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED);
+         return NULL;
+     }
++    ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux));
+     asn_bio = BIO_new(BIO_f_asn1());
+-    if (asn_bio == NULL)
+-        return NULL;
++    if (ndef_aux == NULL || asn_bio == NULL)
++        goto err;
++
++    /* ASN1 bio needs to be next to output BIO */
++    out = BIO_push(asn_bio, out);
++    if (out == NULL)
++        goto err;
++    pop_bio = asn_bio;
+ 
+     BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+     BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
+ 
+-    /* ASN1 bio needs to be next to output BIO */
+-    if (BIO_push(asn_bio, out) == NULL) {
+-        BIO_free(asn_bio);
+-        return NULL;
+-    }
+-
+     /*
+      * Now let the callback prepend any digest, cipher, etc., that the BIO's
+      * ASN1 structure needs.
+      */
+-    sarg.out = asn_bio;
++
++    sarg.out = out;
+     sarg.ndef_bio = NULL;
+     sarg.boundary = NULL;
+ 
+     /*
+-     * On error, restore input BIO to head of its BIO chain.
+-     *
+      * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+      * middle of some partially built, but not returned BIO chain.
+      */
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0
+-        || (ndef_aux = OPENSSL_zalloc(sizeof(*ndef_aux))) == NULL) {
+-        /* Assumed head of BIO chain with "out" as immediate successor */
+-        (void)BIO_pop(asn_bio);
+-        BIO_free(asn_bio);
+-        return NULL;
+-    }
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++        goto err;
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+     ndef_aux->ndef_bio = sarg.ndef_bio;
+     ndef_aux->boundary = sarg.boundary;
+-    ndef_aux->out = asn_bio;
++    ndef_aux->out = out;
+ 
+-    BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
++    if (BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     return sarg.ndef_bio;
++
++ err:
++    /* BIO_pop() is NULL safe */
++    (void)BIO_pop(pop_bio);
++    BIO_free(asn_bio);
++    OPENSSL_free(ndef_aux);
++    return NULL;
+ }
+ 
+ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg)
diff --git a/openssl-CVE-2023-0215-4of4.patch b/openssl-CVE-2023-0215-4of4.patch
new file mode 100644
index 0000000..f5e2c70
--- /dev/null
+++ b/openssl-CVE-2023-0215-4of4.patch
@@ -0,0 +1,54 @@
+commit 0cbc68d3107e2b54a64606a857e0044637b01255
+Author: Matt Caswell <matt@openssl.org>
+Date:   Tue Jan 31 11:54:18 2023 +0000
+
+    fixup! Fix a UAF resulting from a bug in BIO_new_NDEF
+
+diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
+index a182399331..f8d4b1b9aa 100644
+--- a/crypto/asn1/bio_ndef.c
++++ b/crypto/asn1/bio_ndef.c
+@@ -78,8 +78,10 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+         goto err;
+     pop_bio = asn_bio;
+ 
+-    BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
+-    BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
++    if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
++            || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
++            || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
++        goto err;
+ 
+     /*
+      * Now let the callback prepend any digest, cipher, etc., that the BIO's
+@@ -94,8 +96,19 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+      * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
+      * middle of some partially built, but not returned BIO chain.
+      */
+-    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
++    if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
++        /*
++         * ndef_aux is now owned by asn_bio so we must not free it in the err
++         * clean up block
++         */
++        ndef_aux = NULL;
+         goto err;
++    }
++
++    /*
++     * We must not fail now because the callback has prepended additional
++     * BIOs to the chain
++     */
+ 
+     ndef_aux->val = val;
+     ndef_aux->it = it;
+@@ -103,9 +116,6 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
+     ndef_aux->boundary = sarg.boundary;
+     ndef_aux->out = out;
+ 
+-    if (BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
+-        goto err;
+-
+     return sarg.ndef_bio;
+ 
+  err:
diff --git a/openssl-CVE-2023-0286.patch b/openssl-CVE-2023-0286.patch
new file mode 100644
index 0000000..8948d3e
--- /dev/null
+++ b/openssl-CVE-2023-0286.patch
@@ -0,0 +1,47 @@
+commit a72082b1fd459bc6355c0d6e0ac5f28a34ae73b0
+Author: Hugo Landau <hlandau@openssl.org>
+Date:   Tue Jan 17 17:45:42 2023 +0000
+
+    CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address (1.1.1)
+
+--- a/crypto/x509v3/v3_genn.c	
++++ a/crypto/x509v3/v3_genn.c	
+@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+         return -1;
+     switch (a->type) {
+     case GEN_X400:
+-        result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
++        result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
+         break;
+ 
+     case GEN_EDIPARTY:
+--- a/include/openssl/x509v3.h	
++++ a/include/openssl/x509v3.h	
+@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st {
+         OTHERNAME *otherName;   /* otherName */
+         ASN1_IA5STRING *rfc822Name;
+         ASN1_IA5STRING *dNSName;
+-        ASN1_TYPE *x400Address;
++        ASN1_STRING *x400Address;
+         X509_NAME *directoryName;
+         EDIPARTYNAME *ediPartyName;
+         ASN1_IA5STRING *uniformResourceIdentifier;
+--- a/test/v3nametest.c	
++++ a/test/v3nametest.c	
+@@ -646,6 +646,16 @@ static struct gennamedata {
+             0xb7, 0x09, 0x02, 0x02
+         },
+         15
++    }, {
++        /*
++         * Malformed encoding of a `[3] ORAddress`.
++         * Regression test for CVE-2023-0286.
++         */
++        {
++            0xa3, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0c,
++            0xef, 0xcd, 0xab, 0x89, 0x67, 0x45, 0x23, 0x01,
++        },
++        16
+     }
+ };
+ 
diff --git a/openssl-CVE-2023-0464.patch b/openssl-CVE-2023-0464.patch
new file mode 100644
index 0000000..b814642
--- /dev/null
+++ b/openssl-CVE-2023-0464.patch
@@ -0,0 +1,814 @@
+From 013018c638d112132f7b8f0b089f19b1b3719255 Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Wed, 8 Mar 2023 15:28:20 +1100
+Subject: [PATCH 1/3] x509: excessive resource use verifying policy constraints
+
+A security vulnerability has been identified in all supported versions
+of OpenSSL related to the verification of X.509 certificate chains
+that include policy constraints.  Attackers may be able to exploit this
+vulnerability by creating a malicious certificate chain that triggers
+exponential use of computational resources, leading to a denial-of-service
+(DoS) attack on affected systems.
+
+Fixes CVE-2023-0464
+---
+ CHANGES                                                     |    8 
+ crypto/x509v3/pcy_local.h                                   |    8 
+ crypto/x509v3/pcy_node.c                                    |   12 
+ crypto/x509v3/pcy_tree.c                                    |   37 -
+ test/recipes/80-test_policy_tree.t                          |   41 +
+ test/recipes/80-test_policy_tree_data/large_leaf.pem        |   11 
+ test/recipes/80-test_policy_tree_data/large_policy_tree.pem |  434 ++++++++++++
+ test/recipes/80-test_policy_tree_data/small_leaf.pem        |   11 
+ test/recipes/80-test_policy_tree_data/small_policy_tree.pem |   70 +
+ 9 files changed, 618 insertions(+), 14 deletions(-)
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,14 @@
+ 
+  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+ 
++  *) Limited the number of nodes created in a policy tree to mitigate
++     against CVE-2023-0464.  The default limit is set to 1000 nodes, which
++     should be sufficient for most installations.  If required, the limit
++     can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
++     time define to a desired maximum number of nodes or zero to allow
++     unlimited growth.
++     [Paul Dale]
++
+   *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
+      The previous fix for this timing side channel turned out to cause
+      a severe 2-3x performance regression in the typical use case
+--- a/crypto/x509v3/pcy_local.h
++++ b/crypto/x509v3/pcy_local.h
+@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st {
+ };
+ 
+ struct X509_POLICY_TREE_st {
++    /* The number of nodes in the tree */
++    size_t node_count;
++    /* The maximum number of nodes in the tree */
++    size_t node_maximum;
++
+     /* This is the tree 'level' data */
+     X509_POLICY_LEVEL *levels;
+     int nlevel;
+@@ -159,7 +164,8 @@ X509_POLICY_NODE *tree_find_sk(STACK_OF(
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree);
++                                 X509_POLICY_TREE *tree,
++                                 int extra_data);
+ void policy_node_free(X509_POLICY_NODE *node);
+ int policy_node_match(const X509_POLICY_LEVEL *lvl,
+                       const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+--- a/crypto/x509v3/pcy_node.c
++++ b/crypto/x509v3/pcy_node.c
+@@ -59,10 +59,15 @@ X509_POLICY_NODE *level_find_node(const
+ X509_POLICY_NODE *level_add_node(X509_POLICY_LEVEL *level,
+                                  X509_POLICY_DATA *data,
+                                  X509_POLICY_NODE *parent,
+-                                 X509_POLICY_TREE *tree)
++                                 X509_POLICY_TREE *tree,
++                                 int extra_data)
+ {
+     X509_POLICY_NODE *node;
+ 
++    /* Verify that the tree isn't too large.  This mitigates CVE-2023-0464 */
++    if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum)
++        return NULL;
++
+     node = OPENSSL_zalloc(sizeof(*node));
+     if (node == NULL) {
+         X509V3err(X509V3_F_LEVEL_ADD_NODE, ERR_R_MALLOC_FAILURE);
+@@ -70,7 +75,7 @@ X509_POLICY_NODE *level_add_node(X509_PO
+     }
+     node->data = data;
+     node->parent = parent;
+-    if (level) {
++    if (level != NULL) {
+         if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+             if (level->anyPolicy)
+                 goto node_error;
+@@ -90,7 +95,7 @@ X509_POLICY_NODE *level_add_node(X509_PO
+         }
+     }
+ 
+-    if (tree) {
++    if (extra_data) {
+         if (tree->extra_data == NULL)
+             tree->extra_data = sk_X509_POLICY_DATA_new_null();
+         if (tree->extra_data == NULL){
+@@ -103,6 +108,7 @@ X509_POLICY_NODE *level_add_node(X509_PO
+         }
+     }
+ 
++    tree->node_count++;
+     if (parent)
+         parent->nchild++;
+ 
+--- a/crypto/x509v3/pcy_tree.c
++++ b/crypto/x509v3/pcy_tree.c
+@@ -14,6 +14,18 @@
+ #include "pcy_local.h"
+ 
+ /*
++ * If the maximum number of nodes in the policy tree isn't defined, set it to
++ * a generous default of 1000 nodes.
++ *
++ * Defining this to be zero means unlimited policy tree growth which opens the
++ * door on CVE-2023-0464.
++ */
++
++#ifndef OPENSSL_POLICY_TREE_NODES_MAX
++# define OPENSSL_POLICY_TREE_NODES_MAX 1000
++#endif
++
++/*
+  * Enable this to print out the complete policy tree at various point during
+  * evaluation.
+  */
+@@ -168,6 +180,9 @@ static int tree_init(X509_POLICY_TREE **
+         return X509_PCY_TREE_INTERNAL;
+     }
+ 
++    /* Limit the growth of the tree to mitigate CVE-2023-0464 */
++    tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX;
++
+     /*
+      * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3.
+      *
+@@ -184,7 +199,7 @@ static int tree_init(X509_POLICY_TREE **
+     level = tree->levels;
+     if ((data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0)) == NULL)
+         goto bad_tree;
+-    if (level_add_node(level, data, NULL, tree) == NULL) {
++    if (level_add_node(level, data, NULL, tree, 1) == NULL) {
+         policy_data_free(data);
+         goto bad_tree;
+     }
+@@ -243,7 +258,8 @@ static int tree_init(X509_POLICY_TREE **
+  * Return value: 1 on success, 0 otherwise
+  */
+ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr,
+-                                    X509_POLICY_DATA *data)
++                                    X509_POLICY_DATA *data,
++                                    X509_POLICY_TREE *tree)
+ {
+     X509_POLICY_LEVEL *last = curr - 1;
+     int i, matched = 0;
+@@ -253,13 +269,13 @@ static int tree_link_matching_nodes(X509
+         X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i);
+ 
+         if (policy_node_match(last, node, data->valid_policy)) {
+-            if (level_add_node(curr, data, node, NULL) == NULL)
++            if (level_add_node(curr, data, node, tree, 0) == NULL)
+                 return 0;
+             matched = 1;
+         }
+     }
+     if (!matched && last->anyPolicy) {
+-        if (level_add_node(curr, data, last->anyPolicy, NULL) == NULL)
++        if (level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL)
+             return 0;
+     }
+     return 1;
+@@ -272,7 +288,8 @@ static int tree_link_matching_nodes(X509
+  * Return value: 1 on success, 0 otherwise.
+  */
+ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
+-                           const X509_POLICY_CACHE *cache)
++                           const X509_POLICY_CACHE *cache,
++                           X509_POLICY_TREE *tree)
+ {
+     int i;
+ 
+@@ -280,7 +297,7 @@ static int tree_link_nodes(X509_POLICY_L
+         X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i);
+ 
+         /* Look for matching nodes in previous level */
+-        if (!tree_link_matching_nodes(curr, data))
++        if (!tree_link_matching_nodes(curr, data, tree))
+             return 0;
+     }
+     return 1;
+@@ -311,7 +328,7 @@ static int tree_add_unmatched(X509_POLIC
+     /* Curr may not have anyPolicy */
+     data->qualifier_set = cache->anyPolicy->qualifier_set;
+     data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+-    if (level_add_node(curr, data, node, tree) == NULL) {
++    if (level_add_node(curr, data, node, tree, 1) == NULL) {
+         policy_data_free(data);
+         return 0;
+     }
+@@ -373,7 +390,7 @@ static int tree_link_any(X509_POLICY_LEV
+     }
+     /* Finally add link to anyPolicy */
+     if (last->anyPolicy &&
+-        level_add_node(curr, cache->anyPolicy, last->anyPolicy, NULL) == NULL)
++        level_add_node(curr, cache->anyPolicy, last->anyPolicy, tree, 0) == NULL)
+         return 0;
+     return 1;
+ }
+@@ -555,7 +572,7 @@ static int tree_calculate_user_set(X509_
+             extra->qualifier_set = anyPolicy->data->qualifier_set;
+             extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS
+                 | POLICY_DATA_FLAG_EXTRA_NODE;
+-            node = level_add_node(NULL, extra, anyPolicy->parent, tree);
++            node = level_add_node(NULL, extra, anyPolicy->parent, tree, 1);
+         }
+         if (!tree->user_policies) {
+             tree->user_policies = sk_X509_POLICY_NODE_new_null();
+@@ -582,7 +599,7 @@ static int tree_evaluate(X509_POLICY_TRE
+ 
+     for (i = 1; i < tree->nlevel; i++, curr++) {
+         cache = policy_cache_set(curr->cert);
+-        if (!tree_link_nodes(curr, cache))
++        if (!tree_link_nodes(curr, cache, tree))
+             return X509_PCY_TREE_INTERNAL;
+ 
+         if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY)
+--- /dev/null
++++ b/test/recipes/80-test_policy_tree.t
+@@ -0,0 +1,41 @@
++#! /usr/bin/env perl
++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
++#
++# Licensed under the Apache License 2.0 (the "License").  You may not use
++# this file except in compliance with the License.  You can obtain a copy
++# in the file LICENSE in the source distribution or at
++# https://www.openssl.org/source/license.html
++
++
++use strict;
++use warnings;
++
++use POSIX;
++use OpenSSL::Test qw/:DEFAULT srctop_file with data_file/;
++
++use OpenSSL::Test::Utils;
++use OpenSSL::Glob;
++
++setup("test_policy_tree");
++
++plan tests => 2;
++
++# The small pathological tree is expected to work
++my $small_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
++                              "small_policy_tree.pem");
++my $small_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
++                             "small_leaf.pem");
++
++ok(run(app(["openssl", "verify", "-CAfile", $small_chain,
++            "-policy_check", $small_leaf])),
++   "test small policy tree");
++
++# The large pathological tree is expected to fail
++my $large_chain = srctop_file("test", "recipes", "80-test_policy_tree_data",
++                              "large_policy_tree.pem");
++my $large_leaf = srctop_file("test", "recipes", "80-test_policy_tree_data",
++                             "large_leaf.pem");
++
++ok(!run(app(["openssl", "verify", "-CAfile", $large_chain,
++             "-policy_check", $large_leaf])),
++   "test large policy tree");
+--- /dev/null
++++ b/test/recipes/80-test_policy_tree_data/large_leaf.pem
+@@ -0,0 +1,11 @@
++-----BEGIN CERTIFICATE-----
++MIIBmTCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
++AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEp6Qe
++jrN6A0ZjqaFbX/zO01aVYXH5kthBDTEO/fU4H0CdwqrfyMsFrObwssrTJcsmSFKP
++x1FYr8wT2wCACs19lqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
++MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
++BAMCA0gAMEUCIDGT8SVBkWJEZ2EzXm8M895NrNRmfc8uoheP0KKv+ndHAiEA2Onr
++20J+zTaR7vONY/1DleMm7fGY3UxTobSHSvOKbfY=
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/recipes/80-test_policy_tree_data/large_policy_tree.pem
+@@ -0,0 +1,434 @@
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATgyLz1C0dD
++ib5J/QmoE4d+Nf5yvvlzjVZHWIu7iCMEqK67cnA1RtMp1d0xdiNQS6si3ExNPBF+
++ELdkP0E6x26Jo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSs+ml5upH1h25oUB0Ep4vd
++SUdZ/DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAOME8j1/cMogNnuNCb0O
++RIOE9pLP4je78KJiP8CZm0iOAiALr8NI67orD/VpfRptkjCmOd7rTWMVOOJfBr6N
++VJFLjw==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASIdzU/FF3Y
++rTsTX04fRIN2yrZwxvOAfZ6DuEgKRxEimJx1nCyETuMmfDowm52mx/Cyk08xorp8
++PhGEbacMd9kio4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSwok/8RfJbVGTzyF5jhWLc
++hO7pcDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgYVF7bXxUuOzAZF6SmeIJ
++s+iL15bLSQ2rW7QDc6QYp9MCIAup6YokIcr8JaGttHmLaKbASQLxYDGHhfFIVZuI
++BDvT
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ38Llxxj32
++H3NN4Z1V8IuRKXLNhdU4z+NbT1rahusEyAHF+z9VTjim+HHfqFKV1QyNOJZ4rMA9
++J/gODWsNCT4po4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS11YgFNKTx3a6kssIijnA9
++DiOhoTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAJXNZHMpvlnMfxhcG6EF
++Vw1pEXJ+iZnWT+Yu02a2zhamAiAiOKNhALBw/iKhQrwLo0cdx6UEfUKbaqTSGiax
++tHUylA==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATo81HWQ/we
++egmoO/LMntQK1VQ9YzU627nblv/XWoOjEd/tBeE8+Un4jUnhZqNrP2TAzy48jEaT
++1DShCQNQGek7o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS6/F38QgbZSHib0W1XtMfs
++4O5DTDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgXMYCQWi5/6iQw+zqyEav
++CE7kOfTpm9GN4bZX5Eau5AACIQD0rDZwsjWf6hI2Hn8IlpwYVVC9bpxrAM/JmYuu
++79V/uw==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARsPMjOkmzJ
++2jwT30mKUvAFYVgOlgcoXxYr61p54mbQMmmH49ABmJQMu5rjwjwYlYA3UzbEN9ki
++hMsJz/4JIrJGo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQeflZRWUze+7jne9MkYYy5
++iWFgJDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAIN6BjMnPlixl3i6Z1Xa
++pZQt52MOCHPm0XzXDn2XlC9+AiAn146u8rbppdEGMFr21vfFZaktwEb0cZkC9fBp
++S1uKwQ==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBBjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDYwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASVmpozZzxX
++f6rFinkqS0y8sfbOwcM0gNuR0x83mmZH5+a8W4ug5W80QiBaS3rHtwTsFHpCeQKq
++eJvfb/esgJu8o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQPuF2sXR0vOHJynh57qefK
+++h7RGDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIgDX0jHPq1alZoMbPDmbZp
++QYuM9UQagQ5KJgVU1B0Mh2ECIQCtdyfT2h5jZvz3lLKkQ9a6LddIuqsyNKDAxbpb
++PlBOOA==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBBzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgODAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASb+9fN9RLe
++SHGynsKXhLWGhIS/kZ6Yl97+h23xpjLaZUOzhn5VafXdmLrQ4BmqSMHqIKzcc8IB
++STV3NwO4NxPBo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTBF9x+MrsyqoCaTQ2kB7Bn
++tpK2qDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAI37Di/5MrSj2clr+2pX
++iXzeDIvlaxzVetyH3ibUZZBSAiA41aPIssHi9evv2mZonEvXY8g+DKbh/3L2mSub
++/AyLoA==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICETCCAbagAwIBAgIBCDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgOTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDgwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASrRS12/zEP
++RUNye9SLadN4xK+xfTwyXfxeC+jam+J98lOMcHz6abnLpk5tJ7wab4Pkygsbj1V2
++STxeW+YH23dto4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQYpYFLhosbir7KoyYdehsQ
++6DdLfzAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAPTCN+zWFG2cFzJ+nlfg
++JMY4U2e3vqTQmFeBXYlBASb9AiEA0KvsyNwloF1YeeaYcP5iHoRGRo8UMD3QWKEE
++vWI14Uk=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbegAwIBAgIBCTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBYxFDASBgNV
++BAMTC1BvbGljeSBDQSA5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoR4udEgt
++usb9f946+Xznm7Q3OaW4DTZjO7wqX1I+27zDp0JrUbCZwtm0Cw+pYkG5kPpNcFTK
++7yG3YgqM1sT+6aOB8jCB7zAOBgNVHQ8BAf8EBAMCAgQwEwYDVR0lBAwwCgYIKwYB
++BQUHAwEwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUjgtOHvFBcUQ03AKUbvuJ
++IWO5lzUwJQYDVR0gBB4wHDAMBgpghkgBZQMCATABMAwGCmCGSAFlAwIBMAIwcQYD
++VR0hBGowaDAYBgpghkgBZQMCATABBgpghkgBZQMCATABMBgGCmCGSAFlAwIBMAEG
++CmCGSAFlAwIBMAIwGAYKYIZIAWUDAgEwAgYKYIZIAWUDAgEwATAYBgpghkgBZQMC
++ATACBgpghkgBZQMCATACMAoGCCqGSM49BAMCA0cAMEQCICIboTAzG1DvCY/0tA/o
++l18zrW9qKVnt4mxih5JQe4fOAiBOF2ZeUT2/ZtdFhZmg+zl/fGrQ1xEx09/S956k
++Ig4S9Q==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBCjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLxetqJp
++VR6apJytboxFCCooQ7jVcc7yoHhjlH8HsaJS3GrWpyMgiqOfyWt4KFMynKkgCU1K
++1QcU9aC5BfRQpyWjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFD6etMtD6Qpa7TjVQBgV
++/4PhZP4DMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA+5uiOjJoq5nU7lKN
++rZtBdYNqUKvHuYB+jiNEfWvxx2cCIFZEJCGw8fzqkAyGWkLe10w8PUzPM64nh757
++pEtxCzZh
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBCzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPQuXEeo
++BrbyENdz9HqAoWMSQx1BErsUcQaneq3L0/VHHJBPKihb8s4nB/2yZaEarr8LFAvi
++ofx+4egydkP0mJ+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIoC4qL79Uy3+m26Y+ch
+++sE6gCOMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAx/vMDhaH4EYTM2v9
++GeM1xTP9pNRgak69JQLKLu1VM1YCIF1RYC8Fma5Bc0cZAYY+Gj7dEf9qHj1TODA5
++C9es2CPY
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICETCCAbigAwIBAgIBDDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDlEv73o
++ej8Xvc3UodhSHkech80DbuBKdeldOTrRp6ZaVUP3vMgjNUJkh4WkvP3UVTe5SV4D
++zQXDIiwAEJu+zdmjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFCAn0wYXyRdliJOBFvvJ
++eZoGTiyOMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiAo2PPmLBZpcT0bst/C
++SXvnl3gztIZu89O1MKsNwFcM9QIgIzqZx/o9MF/fP7zbLWErVcUQViOGiCRBLVh7
++ppb7CoA=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBDTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABB8mgAoN
++rmFo937IBKXKuxHedUjOL7y3cpDYD1H3C4HRDBQDVOL31lC5kJUhS4HBLvJQwebR
++2kW35E3AnhbY/oKjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBGbO20Xp/q0fPChjLHL
++WuJwSNc1MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA3qGzdevdYfmiSBj9
++t9oE8hfEP+APqGiStlOLKD6xVK0CIQDq9cVa2KXMEz7YwmMO3lxoQFDPEXftbRaC
++edFB7q/YXg==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBDjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHDiOMtx
++5sfJs/WDnw0xS5NYlkbgy2eOZHAmC/jhRp6cjShZrr2/S4IJsH8B2VMcYAHgum6a
++eMjqWFIMxIjN5xyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOWtYUeAPk66m0o6Z7ax
++1RN42wmkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA+AcazVKKPfqkpcJw
++rkXWIyZrTe+1PNETQzaJCooGNGkCIQDdfHf1I78e+ogaDcjkDe0s3R9VhkvjCty6
++uKKFtNGHMQ==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBDzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKCkdSYz
+++zyHItG2rQSyCh018b4bu9Zrw8nzkCBgkT2IyycNtpabYkWhxcEL29ZFqBnB+l7N
++5fYmHl5CmflJPh+jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNanrmjMEN3PndPGeucm
++mST9ucNWMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiAFt48yhTTv0rP29N8H
++yRhAQGfnV4t1b8JucixLSfe32QIhAOef6iiwLxbBOMUn5ZN/WAK5TERem6DLSzWN
++/PTXHAAt
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICETCCAbigAwIBAgIBEDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABH5txyDp
++DfRsIyYPTAQ+fuxk08E3/tpChVWoog4XQvod61wcUO1/nhoTGNKZZOhN5uhKWJWb
++1futz+XxV2QxTCyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHSlcxgh3gxgVag1JvAk
++zbHlgMbEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiA9Ee47PnxqW0QmELB+
++dd90Fz8wcQFZlNmkPW4Oq2xr/wIgGlxfutQq7l3TU5hyyO0Lh01AHn2DC5KPFPwE
++l8S9VeY=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBETAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAJvlQKB
++gJZ+Tysa6iwhllPXCeJrkan6WUm+oqOIY02/SpI5Mba1Kwg73Fsswx3Eywt8sxA2
++4fiaqwg+xZoil06jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM/udZ1ib8qDfShdfdfX
++8gL6w7VMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA6kK7vAYF2TPXzywn
+++SDLsiGbU6Sj8aTtsJZf9DmhKr4CIQCt4FfI7IWinqNlURXe4HSBPsekcQkOpwjK
++PuJRx3fuFw==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBEjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMTkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABEerejCw
++gAy7GecLVbQw6eL8k1cGWwLt+wl3sn8he8fA0I+KoFfcOCgtvOF59RMXnjZ1+7OC
++kz3mNDVSbKY6KO2jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFM0OUOtOKTcTMRXGQwbw
++GOoLCOEYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAziPsm2dArB/3ILqm
++04mZl8/DX6dB4EmU+FPF2UpAeLwCIQCofc27tisg3L1mPNeiwZ26+rDe5SdixiUc
++S3KWOJ1cTg==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBEzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAxOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPmB5spr
++C64/21ssufcbshGnQtAWbk2o2l+ej6pMMPIZhmNyvM450L3dFX12UBNcaERCABmr
++BEJL7IubGWE9CVOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJCh/1mh0Hl2+LE0osUv
++OJCmV3IYMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAtxMIkO4xCRSQCU6d
++0jt+Go4xj/R4bQFWbZrlS9+fYUECICuWAgT3evhoo34o04pU84UaYOvO5V0GJsTt
++hrS1v3hT
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBFDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHdvTDYo
++M/padIV3LdTnrzwMy1HSTeJ2aTUalkVV17uL2i3C51rWM2pl+qlRordq6W2GboMz
++/+78HhKMcCrMWKCjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAbZN0eSPw3MyvWIEix6
++GnYRIiFkMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAlaapLXHwGNkeEwc0
++jsY2XhuR3RlVhD4T2k/QyJRQ0s0CIQD5E+e+5QTe5s+534Lwcxe2iFb3oFm+8g81
++OBVtfmSMGg==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBFTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjIwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABLTu8R5Y
++7Po4W05hWperfod6mXezwWgAVk2RW2EG2vy4NeZeML2EFhg2geNc6N5Goep9t7pn
++d+BtORRvR75oCDijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNs0d2vXsRj3YYsBrWDo
++jrvcEA+eMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBB603Ui+L60FcUWPrB
++Ch06hmgle2u0P07Go/XjTk00ZQIhALGhNArJFEY0gu+XUtyKEZt7BZ0/sh5dtLDP
++xkRgR6Wh
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBFjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjMwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPXpzC9/
++KGblQyjhdcS0a8KBPAiS7c0n+V0i9JItbyze38Ncrctp0wIGHZLjRoB4DZYX1I8e
++K5C7KVeUPEE9eOGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFISsw9orkX/cBVWcK5KA
++//kldz8HMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEA1gazdApLS91ql8Am
++4gb4Ku7Lgll4jV+BrLkbABE2cI0CIQCEH1GUJ6ARJB1GdcHrPyaLgeZ5jV2p63UW
++UV2QL6aETA==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBFzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjQwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKdweprb
++RZmuUk4og1Xa9Skb1vu7jsLozlm9CtDhKLbJ+cDX/VeKj/b8FuvakBO3L1QV5XU0
++iFswsIVBVZ3m+TyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPgcEbHfKHt0o/PCS0kD
++XWW9XkqMMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA9XDj0w5qMS/tLlr9
++Z2j8JtVR4M7pF/Wx2U43vmPFJEACIBAlAiUnCm1Nfj16t2cojrW+m2t1cU80ihmj
++Ld1U+dRD
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICETCCAbigAwIBAgIBGDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjUwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyNDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABAq2PphK
++4oVsc+ml3zskBLiMa+dz64k+PrrfKIGSG2Ri5Du/orj0dO9639LeCkkMwWpXAfSx
++wxHHQX0I1KwsudGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEqcfkso+ynKq2eFaJy8
++mzNBdN2PMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNHADBEAiBZ71jDD33HFFqMkLAW
++gTAGMmzh9b/vZ8jAclPDKHRghQIgf2GBOF1eEF8Ino9F1n1ia5c3EryvXnvVoklw
++cjMIQ5g=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBGTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjYwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyNTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJRoDkj7
++iDlIygt4YmMgw4pizu2sx4436MGtw5fFHhjy7T+pPMGjYFg3dixxUOu1NHORpdJq
++8Y7SN8p8Y0XsDpijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFOutMoKSOv5lEGZaqYZM
++zNFwpX3KMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAks62lsAHmN6xkZsF
++6ocGONpH/XmHLpoO6RfMoRCnWkICIFNFD+W6pSSvdDB96sn8jnZ7W/Y0hyLzscBO
++WtkzqqJJ
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBGjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjcwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyNjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE3seRj5
++LVNKi9sZk7qv5cBVUG8BLXXfDRUhCUzT10YAU1J0yd2wmLTbwPyYm65GaecvAHSR
++SExOzX6bC35nNt6jgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFNx5XhDdoflDgPrW/HyU
++tCokuJ0AMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEApAQVb0KQedyAw1SJ
++J8At4uxxm2b8W13s6ENapxw+lwwCIQC7326NFPsDjbfBKhFDQhCIMkAkYq2wzRJ7
++ubTwkdT19g==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBGzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjgwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyNzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABC+FQF2E
++TrZ4YGNyxFxzpTQBjlu9QUrwgHzabAn47toqRkWUGAS68jBfSdR+j2c7/oehQHhO
++relHcbQilhZnh4ijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFIOlwsa4FjZWhzQYTAY3
++c2TSYhsEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAwxNBi+8baAU76yng
+++XvMpY62aqPO4bAe/uedaxBb2jMCIQDJHXqibgIAm1T4/YHimllVlLQudQL5OkbF
++Krj3uVHtBg==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBHDAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMjkwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyODBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABBmhjGvk
++C3QfSVdY5zuHEY4Rf3eKVro6vcKymgdBPFjjDggZNktR3OMnayCabJB51g2VL7Fg
++MegdwzJWzPvQreyjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFEvevGIfitXek0IStYIR
++5ne2SkJwMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiBzlv0TggDJWUWx0UHl
++cqxuMpoNdy+ifizQIlcjWcrzvgIhAJdQfkPaZdc4/j/HfGaVNN9InJuBWGrPYU6A
++iwsSB0jY
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEzCCAbigAwIBAgIBHTAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMzAwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAyOTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCrC5p+Z
++ywMukm1LRuXeJ5V1M6V+8A8PjqB3tgHVeEn973HOfia8lt2/7EoKaLKzP8A7D3eC
++aBJUmTgHauaolYOjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGG5D5h1FRA+aZMbSXfZ
++Mp8pjYUEMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNJADBGAiEAnI2IhyXtBCRiv+Xs
++EzsO497oVf1U8SJiVR8SaEx0gzgCIQC0+un/Hcb0OWvpvoeHKcRi7e8SZkX+vn2i
++u+KsPqlfzA==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBHjAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAzMDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHg1qbhT
++bpV0agLQkk6di7EdwrrqIn7yCiBCfPwoDI7czY1bHwkR2E8EdrG4ZLBHHFXYNHau
++kEo9nueljxbA6MGjgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGXSqDk/Zov8a62kkXDr
++8YhtqdkTMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEA1D2Fm3D8REQtj8o4
++ZrnDyWam0Rx6cEMsvmeoafOBUeUCIBW0IoUYmF46faRQWKN7R8wnvbjUw0bxztzy
++okUR5Pma
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEjCCAbigAwIBAgIBHzAKBggqhkjOPQQDAjAXMRUwEwYDVQQDEwxQb2xpY3kg
++Q0EgMzEwIBcNMDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMBcxFTATBgNV
++BAMTDFBvbGljeSBDQSAzMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABIwGMmHl
++/QJSpu6KHakSe4gkf3L+NpsrtQpxu6sNfmSjO++dGv6sj2v3+DZNeyagVUJRVHaD
++IZzpoyVVrBBO6vijgfIwge8wDgYDVR0PAQH/BAQDAgIEMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFA+f9g1sP2kM5sOT/8Ge
++IDKq5FcUMCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMHEG
++A1UdIQRqMGgwGAYKYIZIAWUDAgEwAQYKYIZIAWUDAgEwATAYBgpghkgBZQMCATAB
++BgpghkgBZQMCATACMBgGCmCGSAFlAwIBMAIGCmCGSAFlAwIBMAEwGAYKYIZIAWUD
++AgEwAgYKYIZIAWUDAgEwAjAKBggqhkjOPQQDAgNIADBFAiEAvQlbAmF3pS041Zo2
++eHrxMO3j8thB+XqHU8RatCZ60WACIG1vUFPH7UwzTTann7Sgp4s+Gd/jLOkrJnEk
++W3De9dSX
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/recipes/80-test_policy_tree_data/small_leaf.pem
+@@ -0,0 +1,11 @@
++-----BEGIN CERTIFICATE-----
++MIIBmjCCAT+gAwIBAgIBADAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowGjEYMBYGA1UE
++AxMPd3d3LmV4YW1wbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAER7oh
++z+MnwilNhyEB2bZTuYBpeiwW4QlpYZU6b/8uWOldyMXCaPmaXwY60nrMznfFJX6F
++h8dC6XIzvQmjUMdSoqN4MHYwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsG
++AQUFBwMBMAwGA1UdEwEB/wQCMAAwGgYDVR0RBBMwEYIPd3d3LmV4YW1wbGUuY29t
++MCUGA1UdIAQeMBwwDAYKYIZIAWUDAgEwATAMBgpghkgBZQMCATACMAoGCCqGSM49
++BAMCA0kAMEYCIQC2km5juUULIRYsRgHuLFEiABBR0pDAyTbl9LRjlkSeEQIhAO9b
++ye60dMNbhY1OOzrr4mDRv0tuNmbGBErcFs61YZkC
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/recipes/80-test_policy_tree_data/small_policy_tree.pem
+@@ -0,0 +1,70 @@
++-----BEGIN CERTIFICATE-----
++MIICETCCAbagAwIBAgIBATAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMjAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDEwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQu7GyNFjN6
++Sqwk1CZAt+lzTC/Us6ZkO5nsmb8yAuPb6RJ0A2LvUbsmZea+UyBFq3VuEbbuCoeE
++KRbKkS6wefAzo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSQkJvfn8gFHIXVTBJ4hrtP
++ypA9QTAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhALn6/b3H+jLusJE5QiaS
++PiwrLcl+NDguWCnxo0c6AfduAiEApkXUN+7vRfXeFFd9CfA1BnTW3eUzBOsukZoN
++zaj+utk=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICDzCCAbagAwIBAgIBAjAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgMzAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDIwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT+p+A+K6MI
++R3eVP/+2O7lam32HU10frEKpyQslZAabYJwkc9iq5WatMbTMPQibuOIWHFl02uJ8
++cxGKy/Hke8P5o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSSOt6HCXw+L/4uzJsInqqA
++XrWt8DAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDRwAwRAIgS/vh3osFy+q1MLuVnAdg
++gMINfiIJw1+3zbYsJYlNhWgCICu6Qgzee4NwIrJagcdVA0RAfnCOo6wfvikpl0ts
++EepA
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBAzAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNDAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQONHKgpAJ6
++vE41FYBekpLzybpBQp/gUmgRPKrcL0z4lLTDjCG3j6yIbZma8u2bPM1MBXw5otZ7
++xVFhQ1AkZIOco4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBQ69465BL89BXORf4sSnneU
++exkm0jAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPK9PqPxgme9x6TPFh2z
++vv+qVEM2WxOTdRKOPgUYzCp9AiBl8qO3szv5jNDzb0fRIqVp37v9yBjWcgO9Wl02
++QDCpGw==
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICETCCAbagAwIBAgIBBDAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASLrUP7BFi7
+++LE2uDVCZ2Z2HK6BpL/kjBbwKkLxlJe+LqNolzu53b8+WtHwrvPPVkD9t3KMdWXU
++K7NtHYgXUz07o4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBS0kaY2oJVEBLtjkqI8pXsv
++eqm3VDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSQAwRgIhAJuTMvMUda4Y29V1Tm5O
++jCqBThR2NwdQfnET1sjch3Q7AiEA7nEudfXKMljjz608aWtafTkw5V5I2/SbuUKr
++vjprfIo=
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIICEDCCAbagAwIBAgIBBTAKBggqhkjOPQQDAjAWMRQwEgYDVQQDEwtQb2xpY3kg
++Q0EgNTAgFw0wMDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowFjEUMBIGA1UE
++AxMLUG9saWN5IENBIDUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ9RuYVzUGB
++FkAEM9kHe9xynDo/NcsiaAO3+E2u7jJQQN50d6hVEDHf9961omldhKhP4HTNfhqj
++VMIHKGMhXCgKo4HyMIHvMA4GA1UdDwEB/wQEAwICBDATBgNVHSUEDDAKBggrBgEF
++BQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTVrjWaVjkfMpilq5tGZ4zZ
++iJtaSDAlBgNVHSAEHjAcMAwGCmCGSAFlAwIBMAEwDAYKYIZIAWUDAgEwAjBxBgNV
++HSEEajBoMBgGCmCGSAFlAwIBMAEGCmCGSAFlAwIBMAEwGAYKYIZIAWUDAgEwAQYK
++YIZIAWUDAgEwAjAYBgpghkgBZQMCATACBgpghkgBZQMCATABMBgGCmCGSAFlAwIB
++MAIGCmCGSAFlAwIBMAIwCgYIKoZIzj0EAwIDSAAwRQIhAPVgPpACX2ylQMEMSntw
++izxKHTSPhXuF6IHhNHRz7KFnAiB8y/QcF7N2iXNZEqffWSkVted/XOw3Xrck0sJ6
++4eXNcw==
++-----END CERTIFICATE-----
diff --git a/openssl-CVE-2023-0465.patch b/openssl-CVE-2023-0465.patch
new file mode 100644
index 0000000..f129a6f
--- /dev/null
+++ b/openssl-CVE-2023-0465.patch
@@ -0,0 +1,221 @@
+From 818e2bc9d10e56659c6c68dee1c6a1fd5026f720 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Tue, 7 Mar 2023 15:22:40 +0000
+Subject: [PATCH 1/5] Generate some certificates with the certificatePolicies
+ extension
+
+Related-to: CVE-2023-0465
+---
+ CHANGES                             |    9 ++++++++-
+ NEWS                                |    3 +++
+ crypto/x509/x509_vfy.c              |   11 +++++++++--
+ test/certs/ca-pol-cert.pem          |   19 +++++++++++++++++++
+ test/certs/ee-cert-policies-bad.pem |   20 ++++++++++++++++++++
+ test/certs/ee-cert-policies.pem     |   20 ++++++++++++++++++++
+ test/certs/mkcert.sh                |    9 +++++++--
+ test/certs/setup.sh                 |    6 ++++++
+ test/recipes/25-test_verify.t       |   13 ++++++++++++-
+ 9 files changed, 104 insertions(+), 6 deletions(-)
+ create mode 100644 test/certs/ca-pol-cert.pem
+ create mode 100644 test/certs/ee-cert-policies-bad.pem
+ create mode 100644 test/certs/ee-cert-policies.pem
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,12 +9,19 @@
+ 
+  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+ 
++  *) Fixed an issue where invalid certificate policies in leaf certificates are
++     silently ignored by OpenSSL and other certificate policy checks are skipped
++     for that certificate. A malicious CA could use this to deliberately assert
++     invalid certificate policies in order to circumvent policy checking on the
++     certificate altogether. (CVE-2023-0465)
++     [Matt Caswell]
++
+   *) Limited the number of nodes created in a policy tree to mitigate
+      against CVE-2023-0464.  The default limit is set to 1000 nodes, which
+      should be sufficient for most installations.  If required, the limit
+      can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build
+      time define to a desired maximum number of nodes or zero to allow
+-     unlimited growth.
++     unlimited growth. (CVE-2023-0464)
+      [Paul Dale]
+ 
+   *) Reworked the Fix for the Timing Oracle in RSA Decryption (CVE-2022-4304).
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,9 @@
+ 
+   Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+ 
++      o Fixed handling of invalid certificate policies in leaf certificates
++        (CVE-2023-0465)
++      o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
+       o Fixed an SM2 Decryption Buffer Overflow (CVE-2021-3711)
+       o Fixed various read buffer overruns processing ASN.1 strings (CVE-2021-3712)
+ 
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *
+     }
+     /* Invalid or inconsistent extensions */
+     if (ret == X509_PCY_TREE_INVALID) {
+-        int i;
++        int i, cbcalled = 0;
+ 
+         /* Locate certificates with bad extensions and notify callback. */
+-        for (i = 1; i < sk_X509_num(ctx->chain); i++) {
++        for (i = 0; i < sk_X509_num(ctx->chain); i++) {
+             X509 *x = sk_X509_value(ctx->chain, i);
+ 
+             if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
+                 continue;
++            cbcalled = 1;
+             if (!verify_cb_cert(ctx, x, i,
+                                 X509_V_ERR_INVALID_POLICY_EXTENSION))
+                 return 0;
+         }
++        if (!cbcalled) {
++            /* Should not be able to get here */
++            X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
++            return 0;
++        }
++        /* The callback ignored the error so we return success */
+         return 1;
+     }
+     if (ret == X509_PCY_TREE_FAILURE) {
+--- /dev/null
++++ b/test/certs/ca-pol-cert.pem
+@@ -0,0 +1,19 @@
++-----BEGIN CERTIFICATE-----
++MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
++IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD
++DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd
++j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz
++n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W
++l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l
++YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc
++ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9
++CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD
++VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE
++PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3
++DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7
++Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H
++unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ
++7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g
++DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C
++9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/certs/ee-cert-policies-bad.pem
+@@ -0,0 +1,20 @@
++-----BEGIN CERTIFICATE-----
++MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
++Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy
++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
++iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
++bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G
++CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ
++P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs
++YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N
++XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa
++QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx
++wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF
++-----END CERTIFICATE-----
+--- /dev/null
++++ b/test/certs/ee-cert-policies.pem
+@@ -0,0 +1,20 @@
++-----BEGIN CERTIFICATE-----
++MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg
++Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy
++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY
++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT
++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l
++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1
++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5
++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn
++iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H
++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC
++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w
++bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB
++AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D
++QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl
++CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa
++dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK
++NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk
++D3brBn24UISaFRZoB7jsjok=
++-----END CERTIFICATE-----
+--- a/test/certs/mkcert.sh
++++ b/test/certs/mkcert.sh
+@@ -117,11 +117,12 @@ genca() {
+     local OPTIND=1
+     local purpose=
+ 
+-    while getopts p: o
++    while getopts p:c: o
+     do
+         case $o in
+         p) purpose="$OPTARG";;
+-        *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2
++        c) certpol="$OPTARG";;
++        *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2
+            return 1;;
+         esac
+     done
+@@ -142,6 +143,10 @@ genca() {
+     if [ -n "$NC" ]; then
+         exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC")
+     fi
++    if [ -n "$certpol" ]; then
++        exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol")
++    fi
++
+     csr=$(req "$key" "CN = $cn") || return 1
+     echo "$csr" |
+         cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \
+--- a/test/certs/setup.sh
++++ b/test/certs/setup.sh
+@@ -403,3 +403,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed44
+     root-ed448-key root-ed448-cert
+ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \
+     server-ed448-key server-ed448-cert root-ed448-key root-ed448-cert
++
++# certificatePolicies extension
++./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert
++./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1"
++# We can create a cert with a duplicate policy oid - but its actually invalid!
++./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1"
+--- a/test/recipes/25-test_verify.t
++++ b/test/recipes/25-test_verify.t
+@@ -27,7 +27,7 @@ sub verify {
+     run(app([@args]));
+ }
+ 
+-plan tests => 146;
++plan tests => 148;
+ 
+ # Canonical success
+ ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
+@@ -409,3 +409,14 @@ SKIP: {
+        "ED25519 signature");
+ 
+ }
++
++# Certificate Policies
++ok(verify("ee-cert-policies", "sslserver", ["root-cert"], ["ca-pol-cert"],
++          "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
++          "-explicit_policy"),
++   "Certificate policy");
++
++ok(!verify("ee-cert-policies-bad", "sslserver", ["root-cert"], ["ca-pol-cert"],
++           "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1",
++           "-explicit_policy"),
++   "Bad certificate policy");
diff --git a/openssl-CVE-2023-0466.patch b/openssl-CVE-2023-0466.patch
new file mode 100644
index 0000000..bee957a
--- /dev/null
+++ b/openssl-CVE-2023-0466.patch
@@ -0,0 +1,63 @@
+From bccf26f7c3b921be8946bfdd1b2de48fea96f90d Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Tue, 21 Mar 2023 16:15:47 +0100
+Subject: [PATCH] Fix documentation of X509_VERIFY_PARAM_add0_policy()
+
+The function was incorrectly documented as enabling policy checking.
+
+Fixes: CVE-2023-0466
+---
+ CHANGES                                  |    5 +++++
+ NEWS                                     |    1 +
+ doc/man3/X509_VERIFY_PARAM_set_flags.pod |    9 +++++++--
+ 3 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,11 @@
+ 
+  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+ 
++  *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
++     that it does not enable policy checking. Thanks to
++     David Benjamin for discovering this issue. (CVE-2023-0466)
++     [Tomas Mraz]
++
+   *) Fixed an issue where invalid certificate policies in leaf certificates are
+      silently ignored by OpenSSL and other certificate policy checks are skipped
+      for that certificate. A malicious CA could use this to deliberately assert
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,7 @@
+ 
+   Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+ 
++      o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
+       o Fixed handling of invalid certificate policies in leaf certificates
+         (CVE-2023-0465)
+       o Limited the number of nodes created in a policy tree ([CVE-2023-0464])
+--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+@@ -92,8 +92,9 @@ B<trust>.
+ X509_VERIFY_PARAM_set_time() sets the verification time in B<param> to
+ B<t>. Normally the current time is used.
+ 
+-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled
+-by default) and adds B<policy> to the acceptable policy set.
++X509_VERIFY_PARAM_add0_policy() adds B<policy> to the acceptable policy set.
++Contrary to preexisting documentation of this function it does not enable
++policy checking.
+ 
+ X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled
+ by default) and sets the acceptable policy set to B<policies>. Any existing
+@@ -377,6 +378,10 @@ and has no effect.
+ 
+ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i.
+ 
++The function X509_VERIFY_PARAM_add0_policy() was historically documented as
++enabling policy checking however the implementation has never done this.
++The documentation was changed to align with the implementation.
++
+ =head1 COPYRIGHT
+ 
+ Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/openssl-CVE-2023-2650.patch b/openssl-CVE-2023-2650.patch
new file mode 100644
index 0000000..22f425d
--- /dev/null
+++ b/openssl-CVE-2023-2650.patch
@@ -0,0 +1,104 @@
+From b82f94afbe612f8fcbcc74b6da42d03682fcdd8d Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Fri, 12 May 2023 10:00:13 +0200
+Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
+ translate
+
+OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
+numeric text form.  For gigantic sub-identifiers, this would take a very
+long time, the time complexity being O(n^2) where n is the size of that
+sub-identifier.
+
+To mitigate this, a restriction on the size that OBJ_obj2txt() will
+translate to canonical numeric text form is added, based on RFC 2578
+(STD 58), which says this:
+
+> 3.5. OBJECT IDENTIFIER values
+>
+> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
+> For the SMIv2, each number in the list is referred to as a sub-identifier,
+> there are at most 128 sub-identifiers in a value, and each sub-identifier
+> has a maximum value of 2^32-1 (4294967295 decimal).
+
+Fixes otc/security#96
+Fixes CVE-2023-2650
+---
+ CHANGES                  |   26 ++++++++++++++++++++++++++
+ NEWS                     |    2 ++
+ crypto/objects/obj_dat.c |   19 +++++++++++++++++++
+ 3 files changed, 47 insertions(+)
+
+--- a/CHANGES
++++ b/CHANGES
+@@ -9,6 +9,32 @@
+ 
+  Changes between 1.1.1k and 1.1.1l [24 Aug 2021]
+ 
++  *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
++     OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
++
++     OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
++     numeric text form.  For gigantic sub-identifiers, this would take a very
++     long time, the time complexity being O(n^2) where n is the size of that
++     sub-identifier.  (CVE-2023-2650)
++
++     To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
++     IDENTIFIER to canonical numeric text form if the size of that OBJECT
++     IDENTIFIER is 586 bytes or less, and fail otherwise.
++
++     The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
++     IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
++     most 128 sub-identifiers, and that the maximum value that each sub-
++     identifier may have is 2^32-1 (4294967295 decimal).
++
++     For each byte of every sub-identifier, only the 7 lower bits are part of
++     the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
++     these restrictions may occupy is 32 * 128 / 7, which is approximately 586
++     bytes.
++
++     Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++
++     [Richard Levitte]
++
+   *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
+      that it does not enable policy checking. Thanks to
+      David Benjamin for discovering this issue. (CVE-2023-0466)
+--- a/NEWS
++++ b/NEWS
+@@ -7,6 +7,8 @@
+ 
+   Major changes between OpenSSL 1.1.1k and OpenSSL 1.1.1l [24 Aug 2021]
+ 
++      o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
++        OBJECT IDENTIFIER sub-identities.  (CVE-2023-2650)
+       o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
+       o Fixed handling of invalid certificate policies in leaf certificates
+         (CVE-2023-0465)
+--- a/crypto/objects/obj_dat.c
++++ b/crypto/objects/obj_dat.c
+@@ -427,6 +427,25 @@ int OBJ_obj2txt(char *buf, int buf_len,
+     first = 1;
+     bl = NULL;
+ 
++    /*
++     * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
++     *
++     * > 3.5. OBJECT IDENTIFIER values
++     * >
++     * > An OBJECT IDENTIFIER value is an ordered list of non-negative
++     * > numbers. For the SMIv2, each number in the list is referred to as a
++     * > sub-identifier, there are at most 128 sub-identifiers in a value,
++     * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
++     * > decimal).
++     *
++     * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
++     * i.e. 586 bytes long.
++     *
++     * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
++     */
++    if (len > 586)
++        goto err;
++
+     while (len > 0) {
+         l = 0;
+         use_bn = 0;
diff --git a/openssl-CVE-2023-3446-test.patch b/openssl-CVE-2023-3446-test.patch
new file mode 100644
index 0000000..e6c7d99
--- /dev/null
+++ b/openssl-CVE-2023-3446-test.patch
@@ -0,0 +1,58 @@
+From e9ddae17e302a7e6a0daf00f25efed7c70f114d4 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Fri, 7 Jul 2023 14:39:48 +0100
+Subject: [PATCH] Add a test for CVE-2023-3446
+
+Confirm that the only errors DH_check() finds with DH parameters with an
+excessively long modulus is that the modulus is too large. We should not
+be performing time consuming checks using that modulus.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21452)
+---
+ test/dhtest.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/test/dhtest.c b/test/dhtest.c
+index 9d5609b943ab..00b3c471015d 100644
+--- a/test/dhtest.c
++++ b/test/dhtest.c
+@@ -63,7 +63,7 @@ static int dh_test(void)
+         || !TEST_true(DH_set0_pqg(dh, p, q, g)))
+         goto err1;
+ 
+-    if (!DH_check(dh, &i))
++    if (!TEST_true(DH_check(dh, &i)))
+         goto err2;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
+@@ -123,6 +123,17 @@ static int dh_test(void)
+     /* check whether the public key was calculated correctly */
+     TEST_uint_eq(BN_get_word(pub_key2), 3331L);
+ 
++    /* Modulus of size: dh check max modulus bits + 1 */
++    if (!TEST_true(BN_set_word(p, 1))
++            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
++        goto err3;
++
++    /*
++     * We expect no checks at all for an excessively large modulus
++     */
++    if (!TEST_false(DH_check(dh, &i)))
++        goto err3;
++
+     /*
+      * II) key generation
+      */
+@@ -137,7 +148,7 @@ static int dh_test(void)
+         goto err3;
+ 
+     /* ... and check whether it is valid */
+-    if (!DH_check(a, &i))
++    if (!TEST_true(DH_check(a, &i)))
+         goto err3;
+     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
+             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
diff --git a/openssl-CVE-2023-3446.patch b/openssl-CVE-2023-3446.patch
new file mode 100644
index 0000000..43851b2
--- /dev/null
+++ b/openssl-CVE-2023-3446.patch
@@ -0,0 +1,105 @@
+From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt@openssl.org>
+Date: Thu, 6 Jul 2023 16:36:35 +0100
+Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
+
+The DH_check() function checks numerous aspects of the key or parameters
+that have been supplied. Some of those checks use the supplied modulus
+value even if it is excessively large.
+
+There is already a maximum DH modulus size (10,000 bits) over which
+OpenSSL will not generate or derive keys. DH_check() will however still
+perform various tests for validity on such a large modulus. We introduce a
+new maximum (32,768) over which DH_check() will just fail.
+
+An application that calls DH_check() and supplies a key or parameters
+obtained from an untrusted source could be vulnerable to a Denial of
+Service attack.
+
+The function DH_check() is itself called by a number of other OpenSSL
+functions. An application calling any of those other functions may
+similarly be affected. The other functions affected by this are
+DH_check_ex() and EVP_PKEY_param_check().
+
+CVE-2023-3446
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/21452)
+---
+ crypto/dh/dh_check.c    | 6 ++++++
+ crypto/dh/dh_err.c      | 3 ++-
+ crypto/err/openssl.txt  | 3 ++-
+ include/openssl/dh.h    | 3 +++
+ include/openssl/dherr.h | 3 ++-
+ 5 files changed, 15 insertions(+), 3 deletions(-)
+
+Index: openssl-1.1.1l/crypto/dh/dh_check.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/dh/dh_check.c
++++ openssl-1.1.1l/crypto/dh/dh_check.c
+@@ -109,6 +109,12 @@ int DH_check(const DH *dh, int *ret)
+     BN_CTX *ctx = NULL;
+     BIGNUM *t1 = NULL, *t2 = NULL;
+ 
++    /* Don't do any checks at all with an excessively large modulus */
++    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
++        DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE);
++        return 0;
++    }
++
+     if (!DH_check_params(dh, ret))
+         return 0;
+ 
+Index: openssl-1.1.1l/crypto/dh/dh_err.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/dh/dh_err.c
++++ openssl-1.1.1l/crypto/dh/dh_err.c
+@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_func
+     {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0),
+      "dh_builtin_genparams"},
++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
+     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
+Index: openssl-1.1.1l/crypto/err/openssl.txt
+===================================================================
+--- openssl-1.1.1l.orig/crypto/err/openssl.txt
++++ openssl-1.1.1l/crypto/err/openssl.txt
+@@ -401,6 +401,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version
+ DH_F_COMPUTE_KEY:102:compute_key
+ DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp
+ DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams
++DH_F_DH_CHECK:126:DH_check
+ DH_F_DH_CHECK_EX:121:DH_check_ex
+ DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex
+ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex
+Index: openssl-1.1.1l/include/openssl/dh.h
+===================================================================
+--- openssl-1.1.1l.orig/include/openssl/dh.h
++++ openssl-1.1.1l/include/openssl/dh.h
+@@ -29,6 +29,9 @@ extern "C" {
+ # ifndef OPENSSL_DH_MAX_MODULUS_BITS
+ #  define OPENSSL_DH_MAX_MODULUS_BITS    10000
+ # endif
++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
++#  define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
++# endif
+ 
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+ # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
+Index: openssl-1.1.1l/include/openssl/dherr.h
+===================================================================
+--- openssl-1.1.1l.orig/include/openssl/dherr.h
++++ openssl-1.1.1l/include/openssl/dherr.h
+@@ -28,6 +28,7 @@ int ERR_load_DH_strings(void);
+ #  define DH_F_COMPUTE_KEY                                 102
+ #  define DH_F_DHPARAMS_PRINT_FP                           101
+ #  define DH_F_DH_BUILTIN_GENPARAMS                        106
++#  define DH_F_DH_CHECK                                    126
+ #  define DH_F_DH_CHECK_EX                                 121
+ #  define DH_F_DH_CHECK_PARAMS_EX                          122
+ #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch
new file mode 100644
index 0000000..ed83704
--- /dev/null
+++ b/openssl-DEFAULT_SUSE_cipher.patch
@@ -0,0 +1,63 @@
+Index: openssl-1.1.1/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.1.1.orig/ssl/ssl_ciph.c	2018-09-11 14:48:23.000000000 +0200
++++ openssl-1.1.1/ssl/ssl_ciph.c	2018-09-11 16:38:40.412543331 +0200
+@@ -1567,7 +1567,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
+      */
+     ok = 1;
+     rule_p = rule_str;
+-    if (strncmp(rule_str, "DEFAULT", 7) == 0) {
++    if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) {
++        ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST,
++                                        &head, &tail, ca_list, c);
++        rule_p += 12;
++        if (*rule_p == ':')
++            rule_p++;
++    }
++    else if (strncmp(rule_str, "DEFAULT", 7) == 0) {
+         ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
+                                         &head, &tail, ca_list, c);
+         rule_p += 7;
+Index: openssl-1.1.1/include/openssl/ssl.h
+===================================================================
+--- openssl-1.1.1.orig/include/openssl/ssl.h	2018-09-11 14:48:23.000000000 +0200
++++ openssl-1.1.1/include/openssl/ssl.h	2018-09-11 16:45:20.979303981 +0200
+@@ -171,6 +171,10 @@ extern "C" {
+  * This applies to ciphersuites for TLSv1.2 and below.
+  */
+ # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
++# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\
++    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\
++    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\
++    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
+ /* This is the default set of TLSv1.3 ciphersuites */
+ # if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ #  define TLS_DEFAULT_CIPHERSUITES "TLS_AES_256_GCM_SHA384:" \
+Index: openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ openssl-1.1.1/test/recipes/99-test_suse_default_ciphers.t	2018-09-11 16:38:23.292423281 +0200
+@@ -0,0 +1,23 @@
++#! /usr/bin/env perl
++
++use strict;
++use warnings;
++
++use OpenSSL::Test qw/:DEFAULT/;
++use OpenSSL::Test::Utils;
++
++setup("test_default_ciphersuites");
++
++plan tests => 6;
++
++my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT");
++
++foreach my $cipherlist (@cipher_suites) {
++  ok(run(app(["openssl", "ciphers", "-s", $cipherlist])),
++     "openssl ciphers works with ciphersuite $cipherlist");
++  ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)),
++         "$cipherlist shouldn't contain MD5, DES or RC4\n");
++  ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)),
++         "$cipherlist should contain TLSv1.3 ciphers\n");
++}
++
diff --git a/openssl-DH.patch b/openssl-DH.patch
new file mode 100644
index 0000000..12b8bba
--- /dev/null
+++ b/openssl-DH.patch
@@ -0,0 +1,3294 @@
+Index: openssl-1.1.1m/crypto/bn/bn_const.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/bn/bn_const.c
++++ openssl-1.1.1m/crypto/bn/bn_const.c
+@@ -8,6 +8,10 @@
+  */
+ 
+ #include <openssl/bn.h>
++#include "crypto/bn_dh.h"
++
++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src)
++
+ 
+ /*-
+  * "First Oakley Default Group" from RFC2409, section 6.1.
+@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_1536[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn);
++    return COPY_BN(bn, _bignum_modp_1536_p);
+ }
+ 
+ /*-
+@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_2048[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+-        0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+-        0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+-        0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+-        0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+-        0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+-        0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+-        0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+-        0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn);
++    return COPY_BN(bn, _bignum_modp_2048_p);
+ }
+ 
+ /*-
+@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_3072[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+-        0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+-        0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+-        0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+-        0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+-        0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+-        0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+-        0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+-        0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+-        0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+-        0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+-        0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+-        0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+-        0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+-        0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+-        0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+-        0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+-        0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+-        0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+-        0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+-        0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+-        0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+-        0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+-        0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+-        0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn);
++    return COPY_BN(bn, _bignum_modp_3072_p);
+ }
+ 
+ /*-
+@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_4096[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+-        0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+-        0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+-        0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+-        0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+-        0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+-        0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+-        0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+-        0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+-        0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+-        0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+-        0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+-        0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+-        0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+-        0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+-        0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+-        0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+-        0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+-        0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+-        0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+-        0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+-        0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+-        0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+-        0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+-        0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+-        0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+-        0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+-        0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+-        0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+-        0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+-        0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+-        0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+-        0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+-        0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+-        0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+-        0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+-        0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+-        0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+-        0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+-        0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+-        0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn);
++    return COPY_BN(bn, _bignum_modp_4096_p);
+ }
+ 
+ /*-
+@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_6144[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+-        0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+-        0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+-        0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+-        0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+-        0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+-        0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+-        0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+-        0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+-        0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+-        0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+-        0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+-        0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+-        0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+-        0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+-        0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+-        0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+-        0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+-        0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+-        0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+-        0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+-        0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+-        0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+-        0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+-        0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+-        0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+-        0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+-        0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+-        0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+-        0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+-        0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+-        0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+-        0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+-        0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+-        0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+-        0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+-        0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+-        0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+-        0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+-        0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+-        0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+-        0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26,
+-        0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE,
+-        0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+-        0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E,
+-        0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE,
+-        0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+-        0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18,
+-        0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED,
+-        0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+-        0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B,
+-        0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42,
+-        0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+-        0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC,
+-        0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03,
+-        0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+-        0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82,
+-        0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E,
+-        0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+-        0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE,
+-        0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5,
+-        0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+-        0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8,
+-        0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0,
+-        0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+-        0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76,
+-        0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0,
+-        0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+-        0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32,
+-        0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68,
+-        0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+-        0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6,
+-        0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn);
++    return COPY_BN(bn, _bignum_modp_6144_p);
+ }
+ 
+ /*-
+@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM
+ 
+ BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn)
+ {
+-    static const unsigned char RFC3526_PRIME_8192[] = {
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-        0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34,
+-        0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1,
+-        0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74,
+-        0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22,
+-        0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+-        0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B,
+-        0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+-        0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45,
+-        0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+-        0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B,
+-        0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+-        0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5,
+-        0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+-        0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D,
+-        0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05,
+-        0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A,
+-        0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+-        0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96,
+-        0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+-        0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D,
+-        0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04,
+-        0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C,
+-        0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+-        0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03,
+-        0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+-        0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9,
+-        0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+-        0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5,
+-        0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+-        0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D,
+-        0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33,
+-        0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64,
+-        0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A,
+-        0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D,
+-        0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7,
+-        0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7,
+-        0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D,
+-        0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B,
+-        0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64,
+-        0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64,
+-        0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C,
+-        0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C,
+-        0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2,
+-        0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31,
+-        0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E,
+-        0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01,
+-        0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7,
+-        0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26,
+-        0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C,
+-        0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA,
+-        0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8,
+-        0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9,
+-        0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6,
+-        0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D,
+-        0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2,
+-        0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED,
+-        0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF,
+-        0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C,
+-        0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9,
+-        0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1,
+-        0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F,
+-        0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92,
+-        0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26,
+-        0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE,
+-        0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD,
+-        0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E,
+-        0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE,
+-        0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31,
+-        0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18,
+-        0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED,
+-        0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B,
+-        0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B,
+-        0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42,
+-        0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF,
+-        0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC,
+-        0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03,
+-        0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6,
+-        0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82,
+-        0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E,
+-        0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3,
+-        0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE,
+-        0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5,
+-        0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA,
+-        0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8,
+-        0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0,
+-        0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28,
+-        0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76,
+-        0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0,
+-        0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C,
+-        0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32,
+-        0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68,
+-        0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE,
+-        0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6,
+-        0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59,
+-        0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4,
+-        0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C,
+-        0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA,
+-        0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00,
+-        0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED,
+-        0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66,
+-        0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68,
+-        0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78,
+-        0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D,
+-        0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9,
+-        0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07,
+-        0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7,
+-        0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B,
+-        0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD,
+-        0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8,
+-        0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A,
+-        0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6,
+-        0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D,
+-        0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36,
+-        0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1,
+-        0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D,
+-        0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1,
+-        0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73,
+-        0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68,
+-        0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92,
+-        0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7,
+-        0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B,
+-        0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47,
+-        0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA,
+-        0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF,
+-        0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71,
+-        0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF,
+-        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+-    };
+-    return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn);
++    return COPY_BN(bn, _bignum_modp_8192_p);
+ }
+Index: openssl-1.1.1m/crypto/bn/bn_dh.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/bn/bn_dh.c
++++ openssl-1.1.1m/crypto/bn/bn_dh.c
+@@ -11,474 +11,995 @@
+ #include "internal/nelem.h"
+ 
+ #ifndef OPENSSL_NO_DH
+-#include <openssl/dh.h>
+-#include "crypto/bn_dh.h"
+-/* DH parameters from RFC5114 */
++# include <openssl/dh.h>
++# include "crypto/bn_dh.h"
+ 
+ # if BN_BITS2 == 64
+-static const BN_ULONG dh1024_160_p[] = {
+-    0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL,
+-    0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL,
+-    0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL,
+-    0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL,
+-    0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL,
+-    0xB10B8F96A080E01DULL
+-};
+-
+-static const BN_ULONG dh1024_160_g[] = {
+-    0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL,
+-    0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL,
+-    0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL,
+-    0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL,
+-    0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL,
+-    0xA4D1CBD5C3FD3412ULL
+-};
+-
+-static const BN_ULONG dh1024_160_q[] = {
+-    0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL
+-};
+-
+-static const BN_ULONG dh2048_224_p[] = {
+-    0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL,
+-    0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL,
+-    0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL,
+-    0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL,
+-    0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL,
+-    0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL,
+-    0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL,
+-    0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL,
+-    0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL,
+-    0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL,
+-    0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL
+-};
+-
+-static const BN_ULONG dh2048_224_g[] = {
+-    0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL,
+-    0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL,
+-    0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL,
+-    0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL,
+-    0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL,
+-    0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL,
+-    0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL,
+-    0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL,
+-    0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL,
+-    0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL,
+-    0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL
+-};
+-
+-static const BN_ULONG dh2048_224_q[] = {
+-    0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL,
+-    0x00000000801C0D34ULL
+-};
+-
+-static const BN_ULONG dh2048_256_p[] = {
+-    0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL,
+-    0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL,
+-    0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL,
+-    0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL,
+-    0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL,
+-    0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL,
+-    0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL,
+-    0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL,
+-    0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL,
+-    0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL,
+-    0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL
+-};
+-
+-static const BN_ULONG dh2048_256_g[] = {
+-    0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL,
+-    0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL,
+-    0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL,
+-    0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL,
+-    0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL,
+-    0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL,
+-    0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL,
+-    0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL,
+-    0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL,
+-    0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL,
+-    0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL
+-};
+-
+-static const BN_ULONG dh2048_256_q[] = {
+-    0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL,
+-    0x8CF83642A709A097ULL
+-};
+-
+-/* Primes from RFC 7919 */
+-static const BN_ULONG ffdhe2048_p[] = {
+-    0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL,
+-    0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL,
+-    0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL,
+-    0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL,
+-    0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL,
+-    0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL,
+-    0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL,
+-    0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL,
+-    0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL,
+-    0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL,
+-    0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
+-};
+-
+-static const BN_ULONG ffdhe3072_p[] = {
+-    0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL,
+-    0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL,
+-    0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL,
+-    0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL,
+-    0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL,
+-    0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL,
+-    0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL,
+-    0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL,
+-    0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL,
+-    0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL,
+-    0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL,
+-    0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL,
+-    0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL,
+-    0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL,
+-    0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL,
+-    0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
+-};
+-
+-static const BN_ULONG ffdhe4096_p[] = {
+-    0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL,
+-    0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL,
+-    0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL,
+-    0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL,
+-    0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL,
+-    0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL,
+-    0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL,
+-    0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL,
+-    0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL,
+-    0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL,
+-    0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL,
+-    0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL,
+-    0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL,
+-    0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL,
+-    0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL,
+-    0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL,
+-    0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL,
+-    0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL,
+-    0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL,
+-    0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL,
+-    0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL,
+-    0xFFFFFFFFFFFFFFFFULL
+-};
++#  define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo
++# else
++#  define BN_DEF(lo, hi) lo, hi
++# endif
+ 
+-static const BN_ULONG ffdhe6144_p[] = {
+-    0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL,
+-    0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL,
+-    0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL,
+-    0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL,
+-    0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL,
+-    0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL,
+-    0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL,
+-    0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL,
+-    0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL,
+-    0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL,
+-    0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL,
+-    0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL,
+-    0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL,
+-    0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL,
+-    0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL,
+-    0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL,
+-    0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL,
+-    0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL,
+-    0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL,
+-    0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL,
+-    0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL,
+-    0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL,
+-    0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL,
+-    0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL,
+-    0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL,
+-    0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL,
+-    0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL,
+-    0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL,
+-    0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL,
+-    0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL,
+-    0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL,
+-    0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
+-};
++/* DH parameters from RFC3526 */
+ 
+-static const BN_ULONG ffdhe8192_p[] = {
+-    0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL,
+-    0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL,
+-    0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL,
+-    0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL,
+-    0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL,
+-    0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL,
+-    0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL,
+-    0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL,
+-    0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL,
+-    0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL,
+-    0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL,
+-    0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL,
+-    0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL,
+-    0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL,
+-    0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL,
+-    0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL,
+-    0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL,
+-    0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL,
+-    0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL,
+-    0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL,
+-    0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL,
+-    0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL,
+-    0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL,
+-    0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL,
+-    0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL,
+-    0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL,
+-    0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL,
+-    0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL,
+-    0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL,
+-    0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL,
+-    0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL,
+-    0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL,
+-    0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL,
+-    0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL,
+-    0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL,
+-    0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL,
+-    0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL,
+-    0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL,
+-    0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL,
+-    0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL,
+-    0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL,
+-    0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL,
+-    0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL
++/*
++ * "1536-bit MODP Group" from RFC3526, Section 2.
++ *
++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
++ *
++ * RFC3526 specifies a generator of 2.
++ * RFC2312 specifies a generator of 22.
++ */
++static const BN_ULONG modp_1536_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_1536_q[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604),
++    BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483),
++    BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91),
++    BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B),
++    BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328),
++    BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD),
++    BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174),
++    BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6),
++    BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9),
++    BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53),
++    BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145),
++    BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF)
++};
++
++/*-
++ * "2048-bit MODP Group" from RFC3526, Section 3.
++ *
++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_2048_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A),
++    BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++    BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++    BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++    BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_2048_q[] = {
++    BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0x45565534,  0x0AB9472D),
++    BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
++    BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
++    BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
++    BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
++    BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
++    BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
++    BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
++    BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
++    BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
++    BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
++    BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
++    BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
++    BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
++    BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
++    BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
++};
++
++/*-
++ * "3072-bit MODP Group" from RFC3526, Section 4.
++ *
++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_3072_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120),
++    BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++    BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++    BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++    BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++    BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++    BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++    BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++    BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++    BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++    BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++    BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++    BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_3072_q[] = {
++    BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0x549D6965,  0x25C16890),
++    BN_DEF(0x707E8847,  0xA1EDADFE), BN_DEF(0x3A72D598,  0x047127D0),
++    BN_DEF(0x5D6CA371,  0x3B84C460), BN_DEF(0xBD30AEB6,  0x5DF08BAB),
++    BN_DEF(0x0BBD9006,  0x290F958C), BN_DEF(0x9F643532,  0x6C3B0139),
++    BN_DEF(0x6CC50432,  0xF897FD03), BN_DEF(0x0D697735,  0xE771E913),
++    BN_DEF(0x2512B0CE,  0x8F464A70), BN_DEF(0x6D8499EB,  0xD5FAD746),
++    BN_DEF(0xD370F263,  0xD9CB87C2), BN_DEF(0xAE83063E,  0x457538AB),
++    BN_DEF(0x2C6DF785,  0x767DC282), BN_DEF(0xEF8E5D32,  0xD42A90D5),
++    BN_DEF(0x82283D19,  0xD6998B86), BN_DEF(0x45556216,  0x0AB9472D),
++    BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
++    BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
++    BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
++    BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
++    BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
++    BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
++    BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
++    BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
++    BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
++    BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
++    BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
++    BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
++    BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
++    BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
++    BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
++};
++
++/*-
++ * "4096-bit MODP Group" from RFC3526, Section 5.
++ *
++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_4096_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9),
++    BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++    BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++    BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++    BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++    BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++    BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++    BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++    BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++    BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++    BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++    BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++    BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++    BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++    BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++    BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++    BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++    BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++    BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++    BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++    BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_4096_q[] = {
++    BN_DEF(0xFFFFFFFF,  0xFFFFFFFF), BN_DEF(0x9A0318CC,  0xA6FA1AE4),
++    BN_DEF(0x48536047,  0xC37FDBEE), BN_DEF(0x46C7EEE0,  0xC9DA754C),
++    BN_DEF(0xEAD82D54,  0x68034893), BN_DEF(0x10B8240E,  0xDC0DEEBB),
++    BN_DEF(0x67716BD7,  0x8FB094B8), BN_DEF(0x28ADF3F6,  0x119DD0C3),
++    BN_DEF(0xD04861D1,  0xCCD94B27), BN_DEF(0xA735E02E,  0x143E2CA3),
++    BN_DEF(0x0FDF6553,  0x97477E0A), BN_DEF(0x826F477C,  0x6DDDE16D),
++    BN_DEF(0x156A2674,  0x12C1F4E5), BN_DEF(0x5B0A85ED,  0x0D4A341A),
++    BN_DEF(0x357A711E,  0x4CE1938C), BN_DEF(0x5EDD2D93,  0xC438CD08),
++    BN_DEF(0x53C3F36B,  0x8D391E09), BN_DEF(0x54908400,  0x25C16890),
++    BN_DEF(0x707E8847,  0xA1EDADFE), BN_DEF(0x3A72D598,  0x047127D0),
++    BN_DEF(0x5D6CA371,  0x3B84C460), BN_DEF(0xBD30AEB6,  0x5DF08BAB),
++    BN_DEF(0x0BBD9006,  0x290F958C), BN_DEF(0x9F643532,  0x6C3B0139),
++    BN_DEF(0x6CC50432,  0xF897FD03), BN_DEF(0x0D697735,  0xE771E913),
++    BN_DEF(0x2512B0CE,  0x8F464A70), BN_DEF(0x6D8499EB,  0xD5FAD746),
++    BN_DEF(0xD370F263,  0xD9CB87C2), BN_DEF(0xAE83063E,  0x457538AB),
++    BN_DEF(0x2C6DF785,  0x767DC282), BN_DEF(0xEF8E5D32,  0xD42A90D5),
++    BN_DEF(0x82283D19,  0xD6998B86), BN_DEF(0x45556216,  0x0AB9472D),
++    BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
++    BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
++    BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
++    BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
++    BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
++    BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
++    BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
++    BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
++    BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
++    BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
++    BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
++    BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
++    BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
++    BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
++    BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
++};
++
++/*-
++ * "6144-bit MODP Group" from RFC3526, Section 6.
++ *
++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_6144_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E),
++    BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66),
++    BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC),
++    BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D),
++    BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE),
++    BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E),
++    BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7),
++    BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F),
++    BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F),
++    BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15),
++    BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401),
++    BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447),
++    BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB),
++    BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED),
++    BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406),
++    BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2),
++    BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9),
++    BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++    BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++    BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++    BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++    BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++    BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++    BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++    BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++    BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++    BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++    BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++    BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++    BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++    BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++    BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++    BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++    BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++    BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++    BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++    BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_6144_q[] = {
++    BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0x36E62012,  0x734A7C8F),
++    BN_DEF(0x85BA3A6B,  0x095F96AD), BN_DEF(0x1FA43077,  0x021F47B3),
++    BN_DEF(0xB71E0234,  0x1C3FF46B), BN_DEF(0x17794B19,  0x6D2B64F6),
++    BN_DEF(0xD189EAAE,  0x758CE658), BN_DEF(0xC50FDFF8,  0x7AA8551E),
++    BN_DEF(0xDBE2ED3B,  0x0350EAC5), BN_DEF(0x794DF194,  0x53CB8AF7),
++    BN_DEF(0x07C01BF0,  0x0A662F69), BN_DEF(0x5FA470EC,  0x6647B6BF),
++    BN_DEF(0x15A0AA55,  0xA5EA03D9), BN_DEF(0xFFAC2D62,  0x078EA2DB),
++    BN_DEF(0x1B66445F,  0x91D4BD3F), BN_DEF(0xDF63F479,  0x2CF3E4BF),
++    BN_DEF(0xC8058E4F,  0x5AD42018), BN_DEF(0xA34C0641,  0x6AAF3817),
++    BN_DEF(0x373A7F7B,  0xFA416BE7), BN_DEF(0xE8B90E81,  0x7819750A),
++    BN_DEF(0xE325C976,  0xACC1E500), BN_DEF(0x9BC6695F,  0x37DC7A00),
++    BN_DEF(0x95EBD7A1,  0x999028A8), BN_DEF(0xF36612A5,  0xEDBF8A23),
++    BN_DEF(0x676A5D8D,  0xA267365D), BN_DEF(0xE7CD8A76,  0x6D1F6DF5),
++    BN_DEF(0x432D448C,  0x8BCB93D8), BN_DEF(0xC813EC18,  0x583529F6),
++    BN_DEF(0xA09800D7,  0x72ED9C17), BN_DEF(0x56CF2987,  0xFC7FCA03),
++    BN_DEF(0x1EDD1BDE,  0x64BA8F3B), BN_DEF(0x3013236F,  0x60EA6E59),
++    BN_DEF(0x693E3813,  0x1B61FD5A), BN_DEF(0x9A014249,  0xA6FA1AE4),
++    BN_DEF(0x48536047,  0xC37FDBEE), BN_DEF(0x46C7EEE0,  0xC9DA754C),
++    BN_DEF(0xEAD82D54,  0x68034893), BN_DEF(0x10B8240E,  0xDC0DEEBB),
++    BN_DEF(0x67716BD7,  0x8FB094B8), BN_DEF(0x28ADF3F6,  0x119DD0C3),
++    BN_DEF(0xD04861D1,  0xCCD94B27), BN_DEF(0xA735E02E,  0x143E2CA3),
++    BN_DEF(0x0FDF6553,  0x97477E0A), BN_DEF(0x826F477C,  0x6DDDE16D),
++    BN_DEF(0x156A2674,  0x12C1F4E5), BN_DEF(0x5B0A85ED,  0x0D4A341A),
++    BN_DEF(0x357A711E,  0x4CE1938C), BN_DEF(0x5EDD2D93,  0xC438CD08),
++    BN_DEF(0x53C3F36B,  0x8D391E09), BN_DEF(0x54908400,  0x25C16890),
++    BN_DEF(0x707E8847,  0xA1EDADFE), BN_DEF(0x3A72D598,  0x047127D0),
++    BN_DEF(0x5D6CA371,  0x3B84C460), BN_DEF(0xBD30AEB6,  0x5DF08BAB),
++    BN_DEF(0x0BBD9006,  0x290F958C), BN_DEF(0x9F643532,  0x6C3B0139),
++    BN_DEF(0x6CC50432,  0xF897FD03), BN_DEF(0x0D697735,  0xE771E913),
++    BN_DEF(0x2512B0CE,  0x8F464A70), BN_DEF(0x6D8499EB,  0xD5FAD746),
++    BN_DEF(0xD370F263,  0xD9CB87C2), BN_DEF(0xAE83063E,  0x457538AB),
++    BN_DEF(0x2C6DF785,  0x767DC282), BN_DEF(0xEF8E5D32,  0xD42A90D5),
++    BN_DEF(0x82283D19,  0xD6998B86), BN_DEF(0x45556216,  0x0AB9472D),
++    BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
++    BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
++    BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
++    BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
++    BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
++    BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
++    BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
++    BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
++    BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
++    BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
++    BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
++    BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
++    BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
++    BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
++    BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
++};
++
++/*
++ * "8192-bit MODP Group" from RFC3526, Section 7.
++ *
++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
++ *
++ * RFC3526 specifies a generator of 2.
++ */
++static const BN_ULONG modp_8192_p[] = {
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD),
++    BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2),
++    BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6),
++    BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B),
++    BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3),
++    BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819),
++    BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899),
++    BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8),
++    BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303),
++    BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886),
++    BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8),
++    BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE),
++    BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474),
++    BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693),
++    BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6),
++    BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6),
++    BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E),
++    BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66),
++    BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC),
++    BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D),
++    BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE),
++    BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E),
++    BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7),
++    BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F),
++    BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F),
++    BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15),
++    BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401),
++    BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447),
++    BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB),
++    BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED),
++    BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406),
++    BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2),
++    BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9),
++    BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98),
++    BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76),
++    BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186),
++    BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947),
++    BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB),
++    BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834),
++    BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10),
++    BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120),
++    BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0),
++    BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757),
++    BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273),
++    BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226),
++    BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C),
++    BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157),
++    BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB),
++    BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A),
++    BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C),
++    BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0),
++    BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C),
++    BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08),
++    BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907),
++    BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23),
++    BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836),
++    BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651),
++    BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB),
++    BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9),
++    BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D),
++    BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3),
++    BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6),
++    BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B),
++    BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG modp_8192_q[] = {
++    BN_DEF(0xFFFFFFFF,  0xFFFFFFFF), BN_DEF(0xCC76E9EF,  0xB064C06E),
++    BN_DEF(0x405CB738,  0xE40FAB74), BN_DEF(0x3B2B4A6F,  0x4F182871),
++    BN_DEF(0xAB3BF4D5,  0xCAAC7223), BN_DEF(0x7E013723,  0xE48C86D3),
++    BN_DEF(0x6AF71C15,  0xC44D0017), BN_DEF(0xA40E366B,  0x2004A1C5),
++    BN_DEF(0x75C3CFC9,  0x1AC8237A), BN_DEF(0x8F67D134,  0xFD79B5E1),
++    BN_DEF(0xBF73A6B9,  0xD8EA885E), BN_DEF(0xAEF6BF50,  0xFCD5A40C),
++    BN_DEF(0x8423428E,  0xB2798E62), BN_DEF(0xD012AEE0,  0x22CBF44C),
++    BN_DEF(0x3A55B51B,  0xEF988770), BN_DEF(0x1FA27C16,  0x369509FC),
++    BN_DEF(0xD9D13C53,  0x03159E7A), BN_DEF(0xF6ADEE9D,  0x3CB41981),
++    BN_DEF(0xD16043F4,  0xFD4EA5BF), BN_DEF(0x17C1C2EE,  0xA5E5E443),
++    BN_DEF(0x36751835,  0x9A39FE32), BN_DEF(0x0D11F863,  0x89F5ABD4),
++    BN_DEF(0x5201BE03,  0x91111702), BN_DEF(0x7E42456C,  0xF1FEDC5F),
++    BN_DEF(0xF1CEB296,  0x11C78B65), BN_DEF(0x15F8E4BC,  0x1A11DA3A),
++    BN_DEF(0x2D727AB4,  0x1D55B1CE), BN_DEF(0xB5D21233,  0x92BB7B49),
++    BN_DEF(0xC57E23F6,  0x3A0FD3DF), BN_DEF(0x46CEE980,  0x1DE4195B),
++    BN_DEF(0x39DC98DD,  0x6C5F6268), BN_DEF(0x54996FC6,  0x1C3BBE5B),
++    BN_DEF(0x897F72F2,  0xBA51C937), BN_DEF(0x36DF08AC,  0x734A7C8F),
++    BN_DEF(0x85BA3A6B,  0x095F96AD), BN_DEF(0x1FA43077,  0x021F47B3),
++    BN_DEF(0xB71E0234,  0x1C3FF46B), BN_DEF(0x17794B19,  0x6D2B64F6),
++    BN_DEF(0xD189EAAE,  0x758CE658), BN_DEF(0xC50FDFF8,  0x7AA8551E),
++    BN_DEF(0xDBE2ED3B,  0x0350EAC5), BN_DEF(0x794DF194,  0x53CB8AF7),
++    BN_DEF(0x07C01BF0,  0x0A662F69), BN_DEF(0x5FA470EC,  0x6647B6BF),
++    BN_DEF(0x15A0AA55,  0xA5EA03D9), BN_DEF(0xFFAC2D62,  0x078EA2DB),
++    BN_DEF(0x1B66445F,  0x91D4BD3F), BN_DEF(0xDF63F479,  0x2CF3E4BF),
++    BN_DEF(0xC8058E4F,  0x5AD42018), BN_DEF(0xA34C0641,  0x6AAF3817),
++    BN_DEF(0x373A7F7B,  0xFA416BE7), BN_DEF(0xE8B90E81,  0x7819750A),
++    BN_DEF(0xE325C976,  0xACC1E500), BN_DEF(0x9BC6695F,  0x37DC7A00),
++    BN_DEF(0x95EBD7A1,  0x999028A8), BN_DEF(0xF36612A5,  0xEDBF8A23),
++    BN_DEF(0x676A5D8D,  0xA267365D), BN_DEF(0xE7CD8A76,  0x6D1F6DF5),
++    BN_DEF(0x432D448C,  0x8BCB93D8), BN_DEF(0xC813EC18,  0x583529F6),
++    BN_DEF(0xA09800D7,  0x72ED9C17), BN_DEF(0x56CF2987,  0xFC7FCA03),
++    BN_DEF(0x1EDD1BDE,  0x64BA8F3B), BN_DEF(0x3013236F,  0x60EA6E59),
++    BN_DEF(0x693E3813,  0x1B61FD5A), BN_DEF(0x9A014249,  0xA6FA1AE4),
++    BN_DEF(0x48536047,  0xC37FDBEE), BN_DEF(0x46C7EEE0,  0xC9DA754C),
++    BN_DEF(0xEAD82D54,  0x68034893), BN_DEF(0x10B8240E,  0xDC0DEEBB),
++    BN_DEF(0x67716BD7,  0x8FB094B8), BN_DEF(0x28ADF3F6,  0x119DD0C3),
++    BN_DEF(0xD04861D1,  0xCCD94B27), BN_DEF(0xA735E02E,  0x143E2CA3),
++    BN_DEF(0x0FDF6553,  0x97477E0A), BN_DEF(0x826F477C,  0x6DDDE16D),
++    BN_DEF(0x156A2674,  0x12C1F4E5), BN_DEF(0x5B0A85ED,  0x0D4A341A),
++    BN_DEF(0x357A711E,  0x4CE1938C), BN_DEF(0x5EDD2D93,  0xC438CD08),
++    BN_DEF(0x53C3F36B,  0x8D391E09), BN_DEF(0x54908400,  0x25C16890),
++    BN_DEF(0x707E8847,  0xA1EDADFE), BN_DEF(0x3A72D598,  0x047127D0),
++    BN_DEF(0x5D6CA371,  0x3B84C460), BN_DEF(0xBD30AEB6,  0x5DF08BAB),
++    BN_DEF(0x0BBD9006,  0x290F958C), BN_DEF(0x9F643532,  0x6C3B0139),
++    BN_DEF(0x6CC50432,  0xF897FD03), BN_DEF(0x0D697735,  0xE771E913),
++    BN_DEF(0x2512B0CE,  0x8F464A70), BN_DEF(0x6D8499EB,  0xD5FAD746),
++    BN_DEF(0xD370F263,  0xD9CB87C2), BN_DEF(0xAE83063E,  0x457538AB),
++    BN_DEF(0x2C6DF785,  0x767DC282), BN_DEF(0xEF8E5D32,  0xD42A90D5),
++    BN_DEF(0x82283D19,  0xD6998B86), BN_DEF(0x45556216,  0x0AB9472D),
++    BN_DEF(0x4C7D0288,  0x8AE9130C), BN_DEF(0x754AB572,  0x1CCAA4BE),
++    BN_DEF(0x4AAC0B8C,  0xEF15E5FB), BN_DEF(0x37A62964,  0xDAE2AEF8),
++    BN_DEF(0x7603D147,  0xCD93C1D1), BN_DEF(0x0C074301,  0xF1CF3B96),
++    BN_DEF(0x171B671D,  0x19482F23), BN_DEF(0x650C10BE,  0x78BA3604),
++    BN_DEF(0x255E4C02,  0xB3861AA7), BN_DEF(0xB84B4B36,  0xCF6A9483),
++    BN_DEF(0x1042A95D,  0x0E3179AB), BN_DEF(0xEE51D6CB,  0xC1B2AE91),
++    BN_DEF(0x7E9267AF,  0x348B1FD4), BN_DEF(0x0E2AE9CD,  0xCC6D241B),
++    BN_DEF(0x50B1DF82,  0xE1003E5C), BN_DEF(0xF6722D9E,  0x24943328),
++    BN_DEF(0xBE258FF3,  0xD74F9208), BN_DEF(0xAD44CFD2,  0xF71C35FD),
++    BN_DEF(0x7A035BF6,  0x85FFAE5B), BN_DEF(0xD31BF6B5,  0x7A262174),
++    BN_DEF(0x312F3F63,  0xF242DABB), BN_DEF(0xB6A8E122,  0xA7F09AB6),
++    BN_DEF(0xF92F8A1B,  0x98158536), BN_DEF(0xE69D218D,  0xF7CA8CD9),
++    BN_DEF(0xC71A026E,  0x28A5043C), BN_DEF(0x1D89CD91,  0x0105DF53),
++    BN_DEF(0x4533E63A,  0x94812704), BN_DEF(0xC06E0E68,  0x62633145),
++    BN_DEF(0x10B4611A,  0xE487ED51), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+-# elif BN_BITS2 == 32
+-
++/* DH parameters from RFC5114 */
+ static const BN_ULONG dh1024_160_p[] = {
+-    0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF,
+-    0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA,
+-    0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C,
+-    0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286,
+-    0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E,
+-    0xA080E01D, 0xB10B8F96
+-};
+-
+-static const BN_ULONG dh1024_160_g[] = {
+-    0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59,
+-    0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08,
+-    0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F,
+-    0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E,
+-    0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442,
+-    0xC3FD3412, 0xA4D1CBD5
++    BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7),
++    BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F),
++    BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA),
++    BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D),
++    BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE),
++    BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286),
++    BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC),
++    BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96)
+ };
+-
+ static const BN_ULONG dh1024_160_q[] = {
+-    0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87
++    BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27),
++    (BN_ULONG)0xF518AA87
+ };
+-
+-static const BN_ULONG dh2048_224_p[] = {
+-    0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2,
+-    0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E,
+-    0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1,
+-    0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A,
+-    0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714,
+-    0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0,
+-    0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0,
+-    0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152,
+-    0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40,
+-    0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5,
+-    0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E
++static const BN_ULONG dh1024_160_g[] = {
++    BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE),
++    BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1),
++    BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08),
++    BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3),
++    BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4),
++    BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E),
++    BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2),
++    BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5)
+ };
+ 
+-static const BN_ULONG dh2048_224_g[] = {
+-    0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1,
+-    0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE,
+-    0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F,
+-    0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137,
+-    0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3,
+-    0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2,
+-    0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0,
+-    0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001,
+-    0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01,
+-    0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B,
+-    0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF
++static const BN_ULONG dh2048_224_p[] = {
++    BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538),
++    BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1),
++    BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E),
++    BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C),
++    BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1),
++    BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A),
++    BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7),
++    BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130),
++    BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0),
++    BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11),
++    BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF),
++    BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152),
++    BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A),
++    BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D),
++    BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5),
++    BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E)
+ };
+-
+ static const BN_ULONG dh2048_224_q[] = {
+-    0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE,
+-    0x801C0D34
++    BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A),
++    BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34
+ };
+-
+-static const BN_ULONG dh2048_256_p[] = {
+-    0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227,
+-    0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A,
+-    0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79,
+-    0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5,
+-    0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267,
+-    0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF,
+-    0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF,
+-    0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64,
+-    0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45,
+-    0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608,
+-    0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D
++static const BN_ULONG dh2048_224_g[] = {
++    BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F),
++    BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C),
++    BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE),
++    BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3),
++    BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4),
++    BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137),
++    BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F),
++    BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45),
++    BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2),
++    BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504),
++    BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727),
++    BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001),
++    BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77),
++    BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E),
++    BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B),
++    BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF)
+ };
+ 
+-static const BN_ULONG dh2048_256_g[] = {
+-    0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148,
+-    0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428,
+-    0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15,
+-    0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73,
+-    0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1,
+-    0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982,
+-    0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5,
+-    0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8,
+-    0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A,
+-    0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F,
+-    0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B
++static const BN_ULONG dh2048_256_p[] = {
++    BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA),
++    BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330),
++    BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A),
++    BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6),
++    BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83),
++    BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5),
++    BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A),
++    BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1),
++    BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF),
++    BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11),
++    BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672),
++    BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64),
++    BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911),
++    BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1),
++    BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608),
++    BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D)
+ };
+-
+ static const BN_ULONG dh2048_256_q[] = {
+-    0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976,
+-    0xA709A097, 0x8CF83642
++    BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D),
++    BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642)
++};
++static const BN_ULONG dh2048_256_g[] = {
++    BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF),
++    BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784),
++    BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428),
++    BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB),
++    BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2),
++    BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73),
++    BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF),
++    BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2),
++    BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982),
++    BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A),
++    BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931),
++    BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8),
++    BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B),
++    BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150),
++    BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F),
++    BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B)
+ };
+ 
+ /* Primes from RFC 7919 */
+-
+ static const BN_ULONG ffdhe2048_p[] = {
+-    0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26,
+-    0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B,
+-    0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD,
+-    0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7,
+-    0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B,
+-    0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1,
+-    0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E,
+-    0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5,
+-    0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE,
+-    0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620,
+-    0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238),
++    BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++    BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++    BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++    BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++    BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++    BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++    BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++    BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++    BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++    BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++    BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++    BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++    BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++    BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++    BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe2048_q[] = {
++    BN_DEF(0xFFFFFFFF,  0xFFFFFFFF), BN_DEF(0x30942E4B,  0x4435A11C),
++    BN_DEF(0x60D977FD,  0x6379A513), BN_DEF(0xBE8B41D9,  0xE2C778C1),
++    BN_DEF(0x17611002,  0x9DDAFE5E), BN_DEF(0xA637D6B9,  0xE1FF1D8D),
++    BN_DEF(0x777940C1,  0xC7278919), BN_DEF(0x74C2C1FF,  0xC8B97F4E),
++    BN_DEF(0x941A17B0,  0x601A0266), BN_DEF(0xE6FBF176,  0x4F017E70),
++    BN_DEF(0x770536B8,  0x8583D3E4), BN_DEF(0xB1B95D8C,  0x572B76F3),
++    BN_DEF(0xEF1CA6FA,  0x0EA7A151), BN_DEF(0xB06BFA34,  0xDCB56D5B),
++    BN_DEF(0xD96471FD,  0xE88454A5), BN_DEF(0x59927DB0,  0x5E0558C1),
++    BN_DEF(0xA41D3CBD,  0x98566527), BN_DEF(0x9B56F39A,  0x0EF8AC50),
++    BN_DEF(0x79F7F439,  0xF15344ED), BN_DEF(0x707345BB,  0xCC278638),
++    BN_DEF(0x3FABE49A,  0xDAAB89AF), BN_DEF(0x9EF68D79,  0x42B1B2AA),
++    BN_DEF(0xAF833768,  0x9219FA8F), BN_DEF(0xEAFEB2B0,  0x69EF8F6A),
++    BN_DEF(0x576230BD,  0x7B40D901), BN_DEF(0xB1863AEC,  0xBE97F1B1),
++    BN_DEF(0x124D9F7C,  0xE649CEE7), BN_DEF(0x8A3219FD,  0xD4F09B20),
++    BN_DEF(0xE7169B4A,  0xEC5CE2C1), BN_DEF(0x139E9E78,  0x57EE2B10),
++    BN_DEF(0x515DA54D,  0xD6FC2A2C), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+ static const BN_ULONG ffdhe3072_p[] = {
+-    0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE,
+-    0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197,
+-    0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E,
+-    0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309,
+-    0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9,
+-    0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238,
+-    0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC,
+-    0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C,
+-    0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8,
+-    0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7,
+-    0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F,
+-    0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70,
+-    0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F,
+-    0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363,
+-    0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583,
+-    0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B),
++    BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++    BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++    BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++    BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++    BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++    BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++    BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++    BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++    BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++    BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++    BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++    BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++    BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++    BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++    BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++    BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++    BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++    BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++    BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++    BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++    BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++    BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++    BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe3072_q[] = {
++    BN_DEF(0xFFFFFFFF,  0xFFFFFFFF), BN_DEF(0xB363171B,  0x12F20E95),
++    BN_DEF(0x1FEACEBE,  0x9E0D9077), BN_DEF(0xFD29EEF7,  0x055E6835),
++    BN_DEF(0x6AE22427,  0x0EDFCD21), BN_DEF(0xCD86F56D,  0xD5E290CB),
++    BN_DEF(0x911B1D06,  0x743695E2), BN_DEF(0xCE4EFB4F,  0xAE574155),
++    BN_DEF(0x38FAA5FF,  0xB279710F), BN_DEF(0x716BA6E9,  0x7A7EA229),
++    BN_DEF(0xDE21BCA2,  0x5A098649), BN_DEF(0xC289C938,  0x577F0984),
++    BN_DEF(0x60C36C8E,  0x2CC6587D), BN_DEF(0x48FBFBF7,  0xBD6C8E93),
++    BN_DEF(0xEB736483,  0x30DA37E4), BN_DEF(0x7CCE011C,  0xDE1A7A6F),
++    BN_DEF(0xB28C81AD,  0x6F1AAD9D), BN_DEF(0x308FE7EE,  0x4435A11C),
++    BN_DEF(0x60D977FD,  0x6379A513), BN_DEF(0xBE8B41D9,  0xE2C778C1),
++    BN_DEF(0x17611002,  0x9DDAFE5E), BN_DEF(0xA637D6B9,  0xE1FF1D8D),
++    BN_DEF(0x777940C1,  0xC7278919), BN_DEF(0x74C2C1FF,  0xC8B97F4E),
++    BN_DEF(0x941A17B0,  0x601A0266), BN_DEF(0xE6FBF176,  0x4F017E70),
++    BN_DEF(0x770536B8,  0x8583D3E4), BN_DEF(0xB1B95D8C,  0x572B76F3),
++    BN_DEF(0xEF1CA6FA,  0x0EA7A151), BN_DEF(0xB06BFA34,  0xDCB56D5B),
++    BN_DEF(0xD96471FD,  0xE88454A5), BN_DEF(0x59927DB0,  0x5E0558C1),
++    BN_DEF(0xA41D3CBD,  0x98566527), BN_DEF(0x9B56F39A,  0x0EF8AC50),
++    BN_DEF(0x79F7F439,  0xF15344ED), BN_DEF(0x707345BB,  0xCC278638),
++    BN_DEF(0x3FABE49A,  0xDAAB89AF), BN_DEF(0x9EF68D79,  0x42B1B2AA),
++    BN_DEF(0xAF833768,  0x9219FA8F), BN_DEF(0xEAFEB2B0,  0x69EF8F6A),
++    BN_DEF(0x576230BD,  0x7B40D901), BN_DEF(0xB1863AEC,  0xBE97F1B1),
++    BN_DEF(0x124D9F7C,  0xE649CEE7), BN_DEF(0x8A3219FD,  0xD4F09B20),
++    BN_DEF(0xE7169B4A,  0xEC5CE2C1), BN_DEF(0x139E9E78,  0x57EE2B10),
++    BN_DEF(0x515DA54D,  0xD6FC2A2C), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+ static const BN_ULONG ffdhe4096_p[] = {
+-    0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851,
+-    0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9,
+-    0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9,
+-    0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886,
+-    0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42,
+-    0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B,
+-    0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42,
+-    0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB,
+-    0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93,
+-    0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26,
+-    0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B,
+-    0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183,
+-    0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232,
+-    0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1,
+-    0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3,
+-    0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182,
+-    0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA,
+-    0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555,
+-    0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202,
+-    0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641,
+-    0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458,
+-    0xFFFFFFFF, 0xFFFFFFFF
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E),
++    BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++    BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++    BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++    BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++    BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++    BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++    BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++    BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++    BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++    BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++    BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++    BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++    BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++    BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++    BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++    BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++    BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++    BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++    BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++    BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++    BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++    BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++    BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++    BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++    BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++    BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++    BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++    BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++    BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++    BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++    BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe4096_q[] = {
++    BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0x2F32AFB5,  0xE345003F),
++    BN_DEF(0xFA20C170,  0xA6DAD428), BN_DEF(0x3FC45235,  0xC764DAAD),
++    BN_DEF(0xE764BEE7,  0x054148E6), BN_DEF(0xFCC68566,  0x15276754),
++    BN_DEF(0xB8A0001E,  0x0D0EDC9E), BN_DEF(0x99E5C5BD,  0x0494CCD1),
++    BN_DEF(0xB8D6801C,  0x36E3BC7C), BN_DEF(0x48C09862,  0x5483B005),
++    BN_DEF(0x96CF3419,  0x76B50F00), BN_DEF(0x77DA18C5,  0x389AE443),
++    BN_DEF(0xBF18E63D,  0x43FAADD2), BN_DEF(0xAA81A002,  0x3BB1E78E),
++    BN_DEF(0x6B4FB68C,  0x563EAFA1), BN_DEF(0x72C42BDB,  0xBC9874F2),
++    BN_DEF(0x8B26FA7D,  0xB737A961), BN_DEF(0xB34F0F78,  0x12F20E95),
++    BN_DEF(0x1FEACEBE,  0x9E0D9077), BN_DEF(0xFD29EEF7,  0x055E6835),
++    BN_DEF(0x6AE22427,  0x0EDFCD21), BN_DEF(0xCD86F56D,  0xD5E290CB),
++    BN_DEF(0x911B1D06,  0x743695E2), BN_DEF(0xCE4EFB4F,  0xAE574155),
++    BN_DEF(0x38FAA5FF,  0xB279710F), BN_DEF(0x716BA6E9,  0x7A7EA229),
++    BN_DEF(0xDE21BCA2,  0x5A098649), BN_DEF(0xC289C938,  0x577F0984),
++    BN_DEF(0x60C36C8E,  0x2CC6587D), BN_DEF(0x48FBFBF7,  0xBD6C8E93),
++    BN_DEF(0xEB736483,  0x30DA37E4), BN_DEF(0x7CCE011C,  0xDE1A7A6F),
++    BN_DEF(0xB28C81AD,  0x6F1AAD9D), BN_DEF(0x308FE7EE,  0x4435A11C),
++    BN_DEF(0x60D977FD,  0x6379A513), BN_DEF(0xBE8B41D9,  0xE2C778C1),
++    BN_DEF(0x17611002,  0x9DDAFE5E), BN_DEF(0xA637D6B9,  0xE1FF1D8D),
++    BN_DEF(0x777940C1,  0xC7278919), BN_DEF(0x74C2C1FF,  0xC8B97F4E),
++    BN_DEF(0x941A17B0,  0x601A0266), BN_DEF(0xE6FBF176,  0x4F017E70),
++    BN_DEF(0x770536B8,  0x8583D3E4), BN_DEF(0xB1B95D8C,  0x572B76F3),
++    BN_DEF(0xEF1CA6FA,  0x0EA7A151), BN_DEF(0xB06BFA34,  0xDCB56D5B),
++    BN_DEF(0xD96471FD,  0xE88454A5), BN_DEF(0x59927DB0,  0x5E0558C1),
++    BN_DEF(0xA41D3CBD,  0x98566527), BN_DEF(0x9B56F39A,  0x0EF8AC50),
++    BN_DEF(0x79F7F439,  0xF15344ED), BN_DEF(0x707345BB,  0xCC278638),
++    BN_DEF(0x3FABE49A,  0xDAAB89AF), BN_DEF(0x9EF68D79,  0x42B1B2AA),
++    BN_DEF(0xAF833768,  0x9219FA8F), BN_DEF(0xEAFEB2B0,  0x69EF8F6A),
++    BN_DEF(0x576230BD,  0x7B40D901), BN_DEF(0xB1863AEC,  0xBE97F1B1),
++    BN_DEF(0x124D9F7C,  0xE649CEE7), BN_DEF(0x8A3219FD,  0xD4F09B20),
++    BN_DEF(0xE7169B4A,  0xEC5CE2C1), BN_DEF(0x139E9E78,  0x57EE2B10),
++    BN_DEF(0x515DA54D,  0xD6FC2A2C), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+ static const BN_ULONG ffdhe6144_p[] = {
+-    0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D,
+-    0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9,
+-    0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235,
+-    0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374,
+-    0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1,
+-    0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B,
+-    0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF,
+-    0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7,
+-    0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657,
+-    0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432,
+-    0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6,
+-    0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A,
+-    0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D,
+-    0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A,
+-    0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5,
+-    0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4,
+-    0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE,
+-    0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197,
+-    0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E,
+-    0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309,
+-    0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9,
+-    0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238,
+-    0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC,
+-    0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C,
+-    0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8,
+-    0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7,
+-    0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F,
+-    0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70,
+-    0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F,
+-    0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363,
+-    0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583,
+-    0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C),
++    BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526),
++    BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9),
++    BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5),
++    BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D),
++    BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374),
++    BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58),
++    BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023),
++    BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B),
++    BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C),
++    BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092),
++    BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7),
++    BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E),
++    BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33),
++    BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432),
++    BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C),
++    BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E),
++    BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++    BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++    BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++    BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++    BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++    BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++    BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++    BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++    BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++    BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++    BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++    BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++    BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++    BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++    BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++    BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++    BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++    BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++    BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++    BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++    BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++    BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++    BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++    BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++    BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++    BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++    BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++    BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++    BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++    BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++    BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe6144_q[] = {
++    BN_DEF(0xFFFFFFFF,  0xFFFFFFFF), BN_DEF(0x68720732,  0x5207194E),
++    BN_DEF(0xBC9C6D6A,  0xD20EAB86), BN_DEF(0x6A18B0E0,  0xB1534A93),
++    BN_DEF(0x4D6D8F34,  0x1FEEA547), BN_DEF(0xEE35C06B,  0x2D9DB8FC),
++    BN_DEF(0x63139582,  0xF64E8C08), BN_DEF(0xE5677A01,  0xC66796EA),
++    BN_DEF(0xE4ADC88B,  0x724FA91A), BN_DEF(0xDC2A19C5,  0x282EE416),
++    BN_DEF(0x8AB15423,  0x31149618), BN_DEF(0x3573BFAF,  0x6B9581BA),
++    BN_DEF(0xA316A9C6,  0x7CE4848D), BN_DEF(0x23D33E5F,  0x05746DAC),
++    BN_DEF(0x91308B41,  0x59D39CE0), BN_DEF(0x95140DFB,  0x77556011),
++    BN_DEF(0x3BE57CC9,  0xCA63328F), BN_DEF(0xCA595DE0,  0x3B1F2725),
++    BN_DEF(0x003BECDA,  0xAC3F1C6D), BN_DEF(0x0C1811E1,  0x3FD94FC6),
++    BN_DEF(0xFCF1D137,  0x855F60FF), BN_DEF(0x1A8288F1,  0x50077849),
++    BN_DEF(0x6DB1A06C,  0x5C2A9917), BN_DEF(0xD4D4B488,  0xD29238FB),
++    BN_DEF(0xA67EDA3B,  0x9C40A3FD), BN_DEF(0x2723020F,  0xCD8FAE1F),
++    BN_DEF(0xFE67F638,  0x66D6832B), BN_DEF(0xA6380E1D,  0x59C74619),
++    BN_DEF(0x58E07EA6,  0x48BDEEB2), BN_DEF(0x4DBB1264,  0x1DDA2A19),
++    BN_DEF(0x657A9F53,  0x11DD2221), BN_DEF(0x1C29951D,  0x2733BE96),
++    BN_DEF(0x2281B63D,  0x05FEB25B), BN_DEF(0x2F06EC81,  0xE345003F),
++    BN_DEF(0xFA20C170,  0xA6DAD428), BN_DEF(0x3FC45235,  0xC764DAAD),
++    BN_DEF(0xE764BEE7,  0x054148E6), BN_DEF(0xFCC68566,  0x15276754),
++    BN_DEF(0xB8A0001E,  0x0D0EDC9E), BN_DEF(0x99E5C5BD,  0x0494CCD1),
++    BN_DEF(0xB8D6801C,  0x36E3BC7C), BN_DEF(0x48C09862,  0x5483B005),
++    BN_DEF(0x96CF3419,  0x76B50F00), BN_DEF(0x77DA18C5,  0x389AE443),
++    BN_DEF(0xBF18E63D,  0x43FAADD2), BN_DEF(0xAA81A002,  0x3BB1E78E),
++    BN_DEF(0x6B4FB68C,  0x563EAFA1), BN_DEF(0x72C42BDB,  0xBC9874F2),
++    BN_DEF(0x8B26FA7D,  0xB737A961), BN_DEF(0xB34F0F78,  0x12F20E95),
++    BN_DEF(0x1FEACEBE,  0x9E0D9077), BN_DEF(0xFD29EEF7,  0x055E6835),
++    BN_DEF(0x6AE22427,  0x0EDFCD21), BN_DEF(0xCD86F56D,  0xD5E290CB),
++    BN_DEF(0x911B1D06,  0x743695E2), BN_DEF(0xCE4EFB4F,  0xAE574155),
++    BN_DEF(0x38FAA5FF,  0xB279710F), BN_DEF(0x716BA6E9,  0x7A7EA229),
++    BN_DEF(0xDE21BCA2,  0x5A098649), BN_DEF(0xC289C938,  0x577F0984),
++    BN_DEF(0x60C36C8E,  0x2CC6587D), BN_DEF(0x48FBFBF7,  0xBD6C8E93),
++    BN_DEF(0xEB736483,  0x30DA37E4), BN_DEF(0x7CCE011C,  0xDE1A7A6F),
++    BN_DEF(0xB28C81AD,  0x6F1AAD9D), BN_DEF(0x308FE7EE,  0x4435A11C),
++    BN_DEF(0x60D977FD,  0x6379A513), BN_DEF(0xBE8B41D9,  0xE2C778C1),
++    BN_DEF(0x17611002,  0x9DDAFE5E), BN_DEF(0xA637D6B9,  0xE1FF1D8D),
++    BN_DEF(0x777940C1,  0xC7278919), BN_DEF(0x74C2C1FF,  0xC8B97F4E),
++    BN_DEF(0x941A17B0,  0x601A0266), BN_DEF(0xE6FBF176,  0x4F017E70),
++    BN_DEF(0x770536B8,  0x8583D3E4), BN_DEF(0xB1B95D8C,  0x572B76F3),
++    BN_DEF(0xEF1CA6FA,  0x0EA7A151), BN_DEF(0xB06BFA34,  0xDCB56D5B),
++    BN_DEF(0xD96471FD,  0xE88454A5), BN_DEF(0x59927DB0,  0x5E0558C1),
++    BN_DEF(0xA41D3CBD,  0x98566527), BN_DEF(0x9B56F39A,  0x0EF8AC50),
++    BN_DEF(0x79F7F439,  0xF15344ED), BN_DEF(0x707345BB,  0xCC278638),
++    BN_DEF(0x3FABE49A,  0xDAAB89AF), BN_DEF(0x9EF68D79,  0x42B1B2AA),
++    BN_DEF(0xAF833768,  0x9219FA8F), BN_DEF(0xEAFEB2B0,  0x69EF8F6A),
++    BN_DEF(0x576230BD,  0x7B40D901), BN_DEF(0xB1863AEC,  0xBE97F1B1),
++    BN_DEF(0x124D9F7C,  0xE649CEE7), BN_DEF(0x8A3219FD,  0xD4F09B20),
++    BN_DEF(0xE7169B4A,  0xEC5CE2C1), BN_DEF(0x139E9E78,  0x57EE2B10),
++    BN_DEF(0x515DA54D,  0xD6FC2A2C), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+ static const BN_ULONG ffdhe8192_p[] = {
+-    0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94,
+-    0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5,
+-    0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB,
+-    0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A,
+-    0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD,
+-    0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C,
+-    0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C,
+-    0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7,
+-    0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74,
+-    0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69,
+-    0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C,
+-    0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526,
+-    0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810,
+-    0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D,
+-    0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B,
+-    0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023,
+-    0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA,
+-    0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092,
+-    0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB,
+-    0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33,
+-    0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442,
+-    0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E,
+-    0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD,
+-    0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3,
+-    0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01,
+-    0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D,
+-    0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3,
+-    0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B,
+-    0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5,
+-    0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452,
+-    0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA,
+-    0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE,
+-    0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26,
+-    0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B,
+-    0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD,
+-    0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7,
+-    0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B,
+-    0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1,
+-    0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E,
+-    0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5,
+-    0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE,
+-    0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620,
+-    0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF
++    BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7),
++    BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506),
++    BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5),
++    BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C),
++    BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE),
++    BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A),
++    BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194),
++    BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316),
++    BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C),
++    BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987),
++    BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0),
++    BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7),
++    BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C),
++    BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142),
++    BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69),
++    BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31),
++    BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C),
++    BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526),
++    BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9),
++    BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5),
++    BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D),
++    BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374),
++    BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58),
++    BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023),
++    BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B),
++    BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C),
++    BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092),
++    BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7),
++    BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E),
++    BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33),
++    BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432),
++    BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C),
++    BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E),
++    BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A),
++    BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9),
++    BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3),
++    BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A),
++    BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886),
++    BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D),
++    BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4),
++    BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B),
++    BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B),
++    BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197),
++    BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB),
++    BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452),
++    BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309),
++    BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26),
++    BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE),
++    BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238),
++    BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183),
++    BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B),
++    BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C),
++    BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1),
++    BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7),
++    BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7),
++    BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182),
++    BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1),
++    BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70),
++    BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555),
++    BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5),
++    BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363),
++    BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641),
++    BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620),
++    BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF)
++};
++/* q = (p - 1) / 2 */
++static const BN_ULONG ffdhe8192_q[] = {
++    BN_DEF(0xFFFFFFFF,  0x7FFFFFFF), BN_DEF(0xE2E32126,  0x6B4645DB),
++    BN_DEF(0x41C7FC46,  0x008F154A), BN_DEF(0x54FA30A7,  0x84117283),
++    BN_DEF(0xFBD4221E,  0xCBE88EA4), BN_DEF(0x9833BF86,  0x535DFEF2),
++    BN_DEF(0x60FF437F,  0x17BA0F7C), BN_DEF(0x2EB8D43F,  0x7D7D5F0E),
++    BN_DEF(0xFDF2C518,  0x6F697DD5), BN_DEF(0x39585337,  0x5B42AEFF),
++    BN_DEF(0x5D4527F4,  0x8F7E4670), BN_DEF(0x1F97D22B,  0xC1FC0EA5),
++    BN_DEF(0xD2BBF118,  0x50FF183A), BN_DEF(0x446CE050,  0xEADC00CA),
++    BN_DEF(0xD6CD4AFC,  0xB1240B66), BN_DEF(0x286090BD,  0x4CF4F18B),
++    BN_DEF(0x07211E7E,  0x28D5348F), BN_DEF(0x1C137296,  0x0E10BF36),
++    BN_DEF(0x84B81FF7,  0x28D45498), BN_DEF(0xB523073A,  0x5DB84CC3),
++    BN_DEF(0x4E435811,  0xAA0FE346), BN_DEF(0x237EC128,  0x2C8B0660),
++    BN_DEF(0x1AE1AFAE,  0x1423605D), BN_DEF(0xC5BAC141,  0x2A282563),
++    BN_DEF(0xE95782F2,  0x149C441C), BN_DEF(0x600DEB81,  0xE596078E),
++    BN_DEF(0x3E499332,  0xAAAD97BA), BN_DEF(0x51D5C414,  0xC35B18A1),
++    BN_DEF(0xFB258877,  0x05C661DE), BN_DEF(0xF6E8E62F,  0xB43FF5B4),
++    BN_DEF(0x64A84EA1,  0x7ED91FE7), BN_DEF(0xECA8D732,  0x0F212D18),
++    BN_DEF(0x7B00641C,  0x1B568026), BN_DEF(0x67FA3555,  0x5207194E),
++    BN_DEF(0xBC9C6D6A,  0xD20EAB86), BN_DEF(0x6A18B0E0,  0xB1534A93),
++    BN_DEF(0x4D6D8F34,  0x1FEEA547), BN_DEF(0xEE35C06B,  0x2D9DB8FC),
++    BN_DEF(0x63139582,  0xF64E8C08), BN_DEF(0xE5677A01,  0xC66796EA),
++    BN_DEF(0xE4ADC88B,  0x724FA91A), BN_DEF(0xDC2A19C5,  0x282EE416),
++    BN_DEF(0x8AB15423,  0x31149618), BN_DEF(0x3573BFAF,  0x6B9581BA),
++    BN_DEF(0xA316A9C6,  0x7CE4848D), BN_DEF(0x23D33E5F,  0x05746DAC),
++    BN_DEF(0x91308B41,  0x59D39CE0), BN_DEF(0x95140DFB,  0x77556011),
++    BN_DEF(0x3BE57CC9,  0xCA63328F), BN_DEF(0xCA595DE0,  0x3B1F2725),
++    BN_DEF(0x003BECDA,  0xAC3F1C6D), BN_DEF(0x0C1811E1,  0x3FD94FC6),
++    BN_DEF(0xFCF1D137,  0x855F60FF), BN_DEF(0x1A8288F1,  0x50077849),
++    BN_DEF(0x6DB1A06C,  0x5C2A9917), BN_DEF(0xD4D4B488,  0xD29238FB),
++    BN_DEF(0xA67EDA3B,  0x9C40A3FD), BN_DEF(0x2723020F,  0xCD8FAE1F),
++    BN_DEF(0xFE67F638,  0x66D6832B), BN_DEF(0xA6380E1D,  0x59C74619),
++    BN_DEF(0x58E07EA6,  0x48BDEEB2), BN_DEF(0x4DBB1264,  0x1DDA2A19),
++    BN_DEF(0x657A9F53,  0x11DD2221), BN_DEF(0x1C29951D,  0x2733BE96),
++    BN_DEF(0x2281B63D,  0x05FEB25B), BN_DEF(0x2F06EC81,  0xE345003F),
++    BN_DEF(0xFA20C170,  0xA6DAD428), BN_DEF(0x3FC45235,  0xC764DAAD),
++    BN_DEF(0xE764BEE7,  0x054148E6), BN_DEF(0xFCC68566,  0x15276754),
++    BN_DEF(0xB8A0001E,  0x0D0EDC9E), BN_DEF(0x99E5C5BD,  0x0494CCD1),
++    BN_DEF(0xB8D6801C,  0x36E3BC7C), BN_DEF(0x48C09862,  0x5483B005),
++    BN_DEF(0x96CF3419,  0x76B50F00), BN_DEF(0x77DA18C5,  0x389AE443),
++    BN_DEF(0xBF18E63D,  0x43FAADD2), BN_DEF(0xAA81A002,  0x3BB1E78E),
++    BN_DEF(0x6B4FB68C,  0x563EAFA1), BN_DEF(0x72C42BDB,  0xBC9874F2),
++    BN_DEF(0x8B26FA7D,  0xB737A961), BN_DEF(0xB34F0F78,  0x12F20E95),
++    BN_DEF(0x1FEACEBE,  0x9E0D9077), BN_DEF(0xFD29EEF7,  0x055E6835),
++    BN_DEF(0x6AE22427,  0x0EDFCD21), BN_DEF(0xCD86F56D,  0xD5E290CB),
++    BN_DEF(0x911B1D06,  0x743695E2), BN_DEF(0xCE4EFB4F,  0xAE574155),
++    BN_DEF(0x38FAA5FF,  0xB279710F), BN_DEF(0x716BA6E9,  0x7A7EA229),
++    BN_DEF(0xDE21BCA2,  0x5A098649), BN_DEF(0xC289C938,  0x577F0984),
++    BN_DEF(0x60C36C8E,  0x2CC6587D), BN_DEF(0x48FBFBF7,  0xBD6C8E93),
++    BN_DEF(0xEB736483,  0x30DA37E4), BN_DEF(0x7CCE011C,  0xDE1A7A6F),
++    BN_DEF(0xB28C81AD,  0x6F1AAD9D), BN_DEF(0x308FE7EE,  0x4435A11C),
++    BN_DEF(0x60D977FD,  0x6379A513), BN_DEF(0xBE8B41D9,  0xE2C778C1),
++    BN_DEF(0x17611002,  0x9DDAFE5E), BN_DEF(0xA637D6B9,  0xE1FF1D8D),
++    BN_DEF(0x777940C1,  0xC7278919), BN_DEF(0x74C2C1FF,  0xC8B97F4E),
++    BN_DEF(0x941A17B0,  0x601A0266), BN_DEF(0xE6FBF176,  0x4F017E70),
++    BN_DEF(0x770536B8,  0x8583D3E4), BN_DEF(0xB1B95D8C,  0x572B76F3),
++    BN_DEF(0xEF1CA6FA,  0x0EA7A151), BN_DEF(0xB06BFA34,  0xDCB56D5B),
++    BN_DEF(0xD96471FD,  0xE88454A5), BN_DEF(0x59927DB0,  0x5E0558C1),
++    BN_DEF(0xA41D3CBD,  0x98566527), BN_DEF(0x9B56F39A,  0x0EF8AC50),
++    BN_DEF(0x79F7F439,  0xF15344ED), BN_DEF(0x707345BB,  0xCC278638),
++    BN_DEF(0x3FABE49A,  0xDAAB89AF), BN_DEF(0x9EF68D79,  0x42B1B2AA),
++    BN_DEF(0xAF833768,  0x9219FA8F), BN_DEF(0xEAFEB2B0,  0x69EF8F6A),
++    BN_DEF(0x576230BD,  0x7B40D901), BN_DEF(0xB1863AEC,  0xBE97F1B1),
++    BN_DEF(0x124D9F7C,  0xE649CEE7), BN_DEF(0x8A3219FD,  0xD4F09B20),
++    BN_DEF(0xE7169B4A,  0xEC5CE2C1), BN_DEF(0x139E9E78,  0x57EE2B10),
++    BN_DEF(0x515DA54D,  0xD6FC2A2C), BN_DEF(0xFFFFFFFF,  0x7FFFFFFF),
+ };
+ 
+-# else
+-#  error "unsupported BN_BITS2"
+-# endif
+-
+ /* Macro to make a BIGNUM from static data */
+ 
+ # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \
+@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = {
+ 
+ static const BN_ULONG value_2 = 2;
+ 
+-const BIGNUM _bignum_const_2 =
+-    { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA };
++const BIGNUM _bignum_const_2 = {
++    (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA
++};
+ 
+ make_dh_bn(dh1024_160_p)
+-make_dh_bn(dh1024_160_g)
+ make_dh_bn(dh1024_160_q)
++make_dh_bn(dh1024_160_g)
+ make_dh_bn(dh2048_224_p)
+-make_dh_bn(dh2048_224_g)
+ make_dh_bn(dh2048_224_q)
++make_dh_bn(dh2048_224_g)
+ make_dh_bn(dh2048_256_p)
+-make_dh_bn(dh2048_256_g)
+ make_dh_bn(dh2048_256_q)
++make_dh_bn(dh2048_256_g)
+ 
+ make_dh_bn(ffdhe2048_p)
++make_dh_bn(ffdhe2048_q)
+ make_dh_bn(ffdhe3072_p)
++make_dh_bn(ffdhe3072_q)
+ make_dh_bn(ffdhe4096_p)
++make_dh_bn(ffdhe4096_q)
+ make_dh_bn(ffdhe6144_p)
++make_dh_bn(ffdhe6144_q)
+ make_dh_bn(ffdhe8192_p)
++make_dh_bn(ffdhe8192_q)
+ 
++make_dh_bn(modp_1536_p)
++make_dh_bn(modp_1536_q)
++make_dh_bn(modp_2048_p)
++make_dh_bn(modp_2048_q)
++make_dh_bn(modp_3072_p)
++make_dh_bn(modp_3072_q)
++make_dh_bn(modp_4096_p)
++make_dh_bn(modp_4096_q)
++make_dh_bn(modp_6144_p)
++make_dh_bn(modp_6144_q)
++make_dh_bn(modp_8192_p)
++make_dh_bn(modp_8192_q)
+ 
+-#endif
++#endif /* OPENSSL_NO_DH */
+Index: openssl-1.1.1m/crypto/dh/dh_check.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_check.c
++++ openssl-1.1.1m/crypto/dh/dh_check.c
+@@ -10,6 +10,7 @@
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
+ #include <openssl/bn.h>
++#include <openssl/obj_mac.h>
+ #include "dh_local.h"
+ 
+ # define DH_NUMBER_ITERATIONS_FOR_PRIME 64
+@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r
+     BIGNUM *tmp = NULL;
+     BN_CTX *ctx = NULL;
+ 
++    if (FIPS_mode()) {
++        int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid;
++
++        return nid != NID_undef;
++    }
++
+     *ret = 0;
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh)
+     return errflags == 0;
+ }
+ 
++/* Note: according to documentation - this only checks the params */
+ int DH_check(const DH *dh, int *ret)
+ {
+     int ok = 0, r;
+@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret)
+     if (!DH_check_params(dh, ret))
+         return 0;
+ 
++    if (FIPS_mode()) /* we allow only well-known params */
++        return 1;
++
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co
+     return errflags == 0;
+ }
+ 
+-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret)
+ {
+     int ok = 0;
+     BIGNUM *tmp = NULL;
+@@ -187,28 +198,68 @@ int DH_check_pub_key(const DH *dh, const
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
++
+     BN_CTX_start(ctx);
+     tmp = BN_CTX_get(ctx);
++    /* Step(1): Verify pub_key >= 2 */
+     if (tmp == NULL || !BN_set_word(tmp, 1))
+         goto err;
+-    if (BN_cmp(pub_key, tmp) <= 0)
++    if (BN_cmp(pub_key, tmp) <= 0) {
+         *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
++        goto err;
++    }
++    /* Step(1): Verify pub_key <=  p-2 */
+     if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
+         goto err;
+-    if (BN_cmp(pub_key, tmp) >= 0)
++    if (BN_cmp(pub_key, tmp) >= 0) {
+         *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
++        goto err;
++    }
++
++    if (q != NULL) {
++        ctx = BN_CTX_new();
++        if (ctx == NULL)
++            goto err;
++        BN_CTX_start(ctx);
++        tmp = BN_CTX_get(ctx);
+ 
+-    if (dh->q != NULL) {
+         /* Check pub_key^q == 1 mod p */
+-        if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
++        if (tmp == NULL || !BN_mod_exp(tmp, pub_key, q, dh->p, ctx))
+             goto err;
+-        if (!BN_is_one(tmp))
++        if (!BN_is_one(tmp)) {
+             *ret |= DH_CHECK_PUBKEY_INVALID;
++            goto err;
++        }
+     }
+ 
+     ok = 1;
+  err:
+-    BN_CTX_end(ctx);
+-    BN_CTX_free(ctx);
++    if (ctx != NULL) {
++        BN_CTX_end(ctx);
++        BN_CTX_free(ctx);
++    }
+     return ok;
+ }
++
++/*
++ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation.
++ */
++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
++{
++    return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
++}
++
++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret)
++{
++    BIGNUM *q = dh->q;
++
++    if (q == NULL) {
++        if (dh_get_known_q(dh, &q) == 0) {
++            *ret |= DH_CHECK_INVALID_Q_VALUE;
++            return 0;
++        }
++    }
++
++    return dh_check_pub_key_int(dh, q, pub_key, ret);
++}
++
+Index: openssl-1.1.1m/crypto/dh/dh_gen.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_gen.c
++++ openssl-1.1.1m/crypto/dh/dh_gen.c
+@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
+                               BN_GENCB *cb)
+ {
+ #ifdef OPENSSL_FIPS
+-    if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
+-        && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
++    if (FIPS_mode()) {
+         DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
+         return 0;
+     }
+@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret,
+     int g, ok = -1;
+     BN_CTX *ctx = NULL;
+ 
+-#ifdef OPENSSL_FIPS
+-    if (FIPS_selftest_failed()) {
+-        FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
+-        return 0;
+-    }
+-
+-    if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
+-        DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
+-        goto err;
+-    }
+-#endif
+-
+     ctx = BN_CTX_new();
+     if (ctx == NULL)
+         goto err;
+Index: openssl-1.1.1m/crypto/dh/dh_key.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_key.c
++++ openssl-1.1.1m/crypto/dh/dh_key.c
+@@ -128,10 +128,18 @@ static int generate_key(DH *dh)
+     BIGNUM *pub_key = NULL, *priv_key = NULL;
+ 
+ #ifdef OPENSSL_FIPS
+-    if (FIPS_mode()
+-        && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
+-        DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
+-        return 0;
++    if (FIPS_mode()) {
++        if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) {
++            DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
++            return 0;
++        }
++        if (dh->nid == NID_undef)
++            dh_cache_nid(dh);
++        if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2
++            || dh->length < 224) {
++            DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
++            return 0;
++        }
+     }
+ #endif
+ 
+@@ -167,7 +175,15 @@ static int generate_key(DH *dh)
+     }
+ 
+     if (generate_new_key) {
+-        if (dh->q) {
++        if (FIPS_mode()) {
++            do {
++                if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
++                    goto err;
++                if (!BN_add_word(priv_key, 1))
++                    goto err;
++            }
++            while (BN_num_bits(priv_key) > dh->length);
++        } else if (dh->q) {
+             do {
+                 if (!BN_priv_rand_range(priv_key, dh->q))
+                     goto err;
+@@ -203,6 +219,15 @@ static int generate_key(DH *dh)
+         }
+         /* We MUST free prk before any further use of priv_key */
+         BN_clear_free(prk);
++
++        if (FIPS_mode()) {
++            int check_result;
++
++            if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) {
++                DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY);
++                goto err;
++            }
++        }
+     }
+ 
+     dh->pub_key = pub_key;
+@@ -225,6 +250,7 @@ static int compute_key(unsigned char *ke
+     BN_CTX *ctx = NULL;
+     BN_MONT_CTX *mont = NULL;
+     BIGNUM *tmp;
++    BIGNUM *p1;
+     int ret = -1;
+     int check_result;
+ 
+@@ -271,6 +297,18 @@ static int compute_key(unsigned char *ke
+         DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
+         goto err;
+     }
++
++    if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) {
++        DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
++        goto err;
++    }
++
++    if ((p1 = BN_CTX_get(ctx)) == NULL
++        || !BN_sub(p1, dh->p, BN_value_one())
++        || BN_cmp(p1, tmp) <= 0) {
++        DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
++        goto err;
++    }
+ 
+     ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p));
+  err:
+Index: openssl-1.1.1m/crypto/dh/dh_lib.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_lib.c
++++ openssl-1.1.1m/crypto/dh/dh_lib.c
+@@ -8,6 +8,7 @@
+  */
+ 
+ #include <stdio.h>
++#include <openssl/objects.h>
+ #include "internal/cryptlib.h"
+ #include "internal/refcount.h"
+ #include <openssl/bn.h>
+@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine)
+         goto err;
+     }
+ 
++    ret->nid = NID_undef;
++
+     return ret;
+ 
+  err:
+@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
+         dh->g = g;
+     }
+ 
+-    if (q != NULL) {
++    dh->nid = NID_undef;
++    dh_cache_nid(dh);
++
++    if (q != NULL && dh->nid == NID_undef) {
+         dh->length = BN_num_bits(q);
+     }
+ 
+Index: openssl-1.1.1m/crypto/dh/dh_local.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_local.h
++++ openssl-1.1.1m/crypto/dh/dh_local.h
+@@ -35,6 +35,7 @@ struct dh_st {
+     const DH_METHOD *meth;
+     ENGINE *engine;
+     CRYPTO_RWLOCK *lock;
++    int nid;
+ };
+ 
+ struct dh_method {
+@@ -55,3 +56,12 @@ struct dh_method {
+     int (*generate_params) (DH *dh, int prime_len, int generator,
+                             BN_GENCB *cb);
+ };
++
++void dh_cache_nid(DH *dh);
++
++/* Obtain known q value based on nid or p */
++int dh_get_known_q(const DH *dh, BIGNUM **q);
++
++/* FIPS mode only check which requires nid set and looks up q based on it. */
++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret);
++
+Index: openssl-1.1.1m/crypto/dh/dh_rfc7919.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/dh/dh_rfc7919.c
++++ openssl-1.1.1m/crypto/dh/dh_rfc7919.c
+@@ -7,6 +7,8 @@
+  * https://www.openssl.org/source/license.html
+  */
+ 
++/* DH parameters from RFC7919 and RFC3526 */
++
+ #include <stdio.h>
+ #include "internal/cryptlib.h"
+ #include "dh_local.h"
+@@ -14,14 +16,19 @@
+ #include <openssl/objects.h>
+ #include "crypto/bn_dh.h"
+ 
+-static DH *dh_param_init(const BIGNUM *p, int32_t nbits)
++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits)
+ {
+     DH *dh = DH_new();
+     if (dh == NULL)
+         return NULL;
+     dh->p = (BIGNUM *)p;
++    /*
++     * We do not set q as it would enable the inefficient and
++     * unnecessary pubkey modular exponentiation check.
++     */
+     dh->g = (BIGNUM *)&_bignum_const_2;
+     dh->length = nbits;
++    dh->nid = nid;
+     return dh;
+ }
+ 
+@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid)
+ {
+     switch (nid) {
+     case NID_ffdhe2048:
+-        return dh_param_init(&_bignum_ffdhe2048_p, 225);
++        return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225);
+     case NID_ffdhe3072:
+-        return dh_param_init(&_bignum_ffdhe3072_p, 275);
++        return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275);
+     case NID_ffdhe4096:
+-        return dh_param_init(&_bignum_ffdhe4096_p, 325);
++        return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325);
+     case NID_ffdhe6144:
+-        return dh_param_init(&_bignum_ffdhe6144_p, 375);
++        return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375);
+     case NID_ffdhe8192:
+-        return dh_param_init(&_bignum_ffdhe8192_p, 400);
++        return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400);
++    case NID_modp_2048:
++        return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225);
++    case NID_modp_3072:
++        return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275);
++    case NID_modp_4096:
++        return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325);
++    case NID_modp_6144:
++        return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375);
++    case NID_modp_8192:
++        return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400);
++    case NID_modp_1536:
++        if (!FIPS_mode())
++            return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175);
++        /* fallthrough */
+     default:
+         DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID);
+         return NULL;
+     }
+ }
+ 
+-int DH_get_nid(const DH *dh)
++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout)
+ {
+     int nid;
++    const BIGNUM *q;
++    int length;
+ 
+     if (BN_get_word(dh->g) != 2)
+         return NID_undef;
+-    if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p))
++
++    if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) {
+         nid = NID_ffdhe2048;
+-    else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p))
++        q = &_bignum_ffdhe2048_q;
++        length = 225;
++    } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) {
+         nid = NID_ffdhe3072;
+-    else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p))
++        q = &_bignum_ffdhe3072_q;
++        length = 275;
++    } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) {
+         nid = NID_ffdhe4096;
+-    else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p))
++        q = &_bignum_ffdhe4096_q;
++        length = 325;
++    } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) {
+         nid = NID_ffdhe6144;
+-    else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p))
++        q = &_bignum_ffdhe6144_q;
++        length = 375;
++    } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) {
+         nid = NID_ffdhe8192;
+-    else
++        q = &_bignum_ffdhe8192_q;
++        length = 400;
++    } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) {
++        nid = NID_modp_2048;
++        q = &_bignum_modp_2048_q;
++        length = 225;
++    } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) {
++        nid = NID_modp_3072;
++        q = &_bignum_modp_3072_q;
++        length = 275;
++    } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) {
++        nid = NID_modp_4096;
++        q = &_bignum_modp_4096_q;
++        length = 325;
++    } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) {
++        nid = NID_modp_6144;
++        q = &_bignum_modp_6144_q;
++        length = 375;
++    } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) {
++        nid = NID_modp_8192;
++        q = &_bignum_modp_8192_q;
++        length = 400;
++    } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) {
++        nid = NID_modp_1536;
++        q = &_bignum_modp_1536_q;
++        length = 175;
++    } else {
+         return NID_undef;
++    }
++
+     if (dh->q != NULL) {
+-        BIGNUM *q = BN_dup(dh->p);
++        /* Check that q matches the known q. */
++        if (BN_cmp(dh->q, q))
++            return NID_undef;
++    } else if (qout != NULL) {
++        *qout = (BIGNUM *)q;
++    }
+ 
+-        /* Check q = p * 2 + 1 we already know q is odd, so just shift right */
+-        if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q))
+-            nid = NID_undef;
+-        BN_free(q);
++    if (lout != NULL) {
++        *lout = length;
+     }
+     return nid;
+ }
++
++int DH_get_nid(const DH *dh)
++{
++    if (dh->nid != NID_undef) {
++        return dh->nid;
++    }
++    return dh_match_group(dh, NULL, NULL);
++}
++
++void dh_cache_nid(DH *dh)
++{
++    dh->nid = dh_match_group(dh, NULL, &dh->length);
++}
++
++int dh_get_known_q(const DH *dh, BIGNUM **q)
++{
++    return dh_match_group(dh, q, NULL) != NID_undef;
++}
++
+Index: openssl-1.1.1m/crypto/ec/ecdh_ossl.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ecdh_ossl.c
++++ openssl-1.1.1m/crypto/ec/ecdh_ossl.c
+@@ -42,9 +42,14 @@ int ossl_ecdh_compute_key(unsigned char
+ }
+ 
+ /*-
+- * This implementation is based on the following primitives in the IEEE 1363 standard:
++ * This implementation is based on the following primitives in the
++ * IEEE 1363 standard:
+  *  - ECKAS-DH1
+  *  - ECSVDP-DH
++ *
++ * It also conforms to SP800-56A r3
++ * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman
++ * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A.
+  */
+ int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen,
+                             const EC_POINT *pub_key, const EC_KEY *ecdh)
+@@ -75,6 +80,10 @@ int ecdh_simple_compute_key(unsigned cha
+ 
+     group = EC_KEY_get0_group(ecdh);
+ 
++    /*
++     * Step(1) - Compute the point tmp = cofactor * owners_private_key
++     *                                   * peer_public_key.
++     */
+     if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) {
+         if (!EC_GROUP_get_cofactor(group, x, NULL) ||
+             !BN_mul(x, x, priv_key, ctx)) {
+@@ -94,11 +103,20 @@ int ecdh_simple_compute_key(unsigned cha
+         goto err;
+     }
+ 
++    /*
++     * Step(2) : If point tmp is at infinity then clear intermediate values and
++     * exit. Note: getting affine coordinates returns 0 if point is at infinity.
++     * Step(3a) : Get x-coordinate of point x = tmp.x
++     */
+     if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) {
+         ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE);
+         goto err;
+     }
+ 
++    /*
++     * Step(3b) : convert x to a byte string, using the field-element-to-byte
++     * string conversion routine defined in Appendix C.2
++     */
+     buflen = (EC_GROUP_get_degree(group) + 7) / 8;
+     len = BN_num_bytes(x);
+     if (len > buflen) {
+@@ -123,6 +141,8 @@ int ecdh_simple_compute_key(unsigned cha
+     ret = 1;
+ 
+  err:
++    /* Step(4) : Destroy all intermediate calculations */
++    BN_clear(x);
+     EC_POINT_clear_free(tmp);
+     BN_CTX_end(ctx);
+     BN_CTX_free(ctx);
+Index: openssl-1.1.1m/crypto/ec/ecdsa_ossl.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ecdsa_ossl.c
++++ openssl-1.1.1m/crypto/ec/ecdsa_ossl.c
+@@ -104,7 +104,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke
+         }
+     }
+ 
+-    k = BN_new();               /* this value is later returned in *kinvp */
++    k = BN_secure_new();        /* this value is later returned in *kinvp */
+     r = BN_new();               /* this value is later returned in *rp */
+     X = BN_new();
+     if (k == NULL || r == NULL || X == NULL) {
+Index: openssl-1.1.1m/crypto/ec/ec_key.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ec_key.c
++++ openssl-1.1.1m/crypto/ec/ec_key.c
+@@ -244,61 +244,117 @@ int ossl_ec_key_gen(EC_KEY *eckey)
+     return eckey->group->meth->keygen(eckey);
+ }
+ 
++/*
++ * ECC Key generation.
++ * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
++ *
++ * Params:
++ *     eckey An EC key object that contains domain params. The generated keypair
++ *           is stored in this object.
++ * Returns 1 if the keypair was generated or 0 otherwise.
++ */
+ int ec_key_simple_generate_key(EC_KEY *eckey)
+ {
+     int ok = 0;
+-    BN_CTX *ctx = NULL;
+     BIGNUM *priv_key = NULL;
+     const BIGNUM *order = NULL;
+     EC_POINT *pub_key = NULL;
+-
+-    if ((ctx = BN_CTX_new()) == NULL)
+-        goto err;
++    const EC_GROUP *group = eckey->group;
+ 
+     if (eckey->priv_key == NULL) {
+-        priv_key = BN_new();
++        priv_key = BN_secure_new();
+         if (priv_key == NULL)
+             goto err;
+     } else
+         priv_key = eckey->priv_key;
+ 
+-    order = EC_GROUP_get0_order(eckey->group);
++    /*
++     * Steps (1-2): Check domain parameters and security strength.
++     * These steps must be done by the user. This would need to be
++     * stated in the security policy.
++     */
++
++    order = EC_GROUP_get0_order(group);
+     if (order == NULL)
+         goto err;
+ 
++    /*
++     * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]).
++     * Although this is slightly different from the standard, it is effectively
++     * equivalent as it gives an unbiased result ranging from 1..n-1. It is also
++     * faster as the standard needs to retry more often. Also doing
++     * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into
++     * rand so the simpler backward compatible method has been used here.
++     */
+     do
+         if (!BN_priv_rand_range(priv_key, order))
+             goto err;
+     while (BN_is_zero(priv_key)) ;
+ 
+     if (eckey->pub_key == NULL) {
+-        pub_key = EC_POINT_new(eckey->group);
++        pub_key = EC_POINT_new(group);
+         if (pub_key == NULL)
+             goto err;
+     } else
+         pub_key = eckey->pub_key;
+ 
+-    if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
++    /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */
++    if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL))
+         goto err;
+ 
+-    eckey->priv_key = priv_key;
+     eckey->pub_key = pub_key;
++    pub_key = NULL;
++
++    if (FIPS_mode()) {
++        eckey->priv_key = NULL;
++        if (EC_KEY_check_key(eckey) <= 0) {
++            eckey->pub_key = NULL;
++            goto err;
++        }
++    }
++
++    eckey->priv_key = priv_key;
++    priv_key = NULL;
+ 
+     ok = 1;
+ 
+  err:
+-    if (eckey->pub_key == NULL)
+-        EC_POINT_free(pub_key);
+-    if (eckey->priv_key != priv_key)
+-        BN_free(priv_key);
+-    BN_CTX_free(ctx);
++    /* Step (9): If there is an error return an invalid keypair. */
++    if (!ok) {
++        BN_clear(eckey->priv_key);
++        if (eckey->pub_key != NULL)
++            EC_POINT_set_to_infinity(group, eckey->pub_key);
++    }
++
++    EC_POINT_free(pub_key);
++    BN_clear_free(priv_key);
+     return ok;
+ }
+ 
+ int ec_key_simple_generate_public_key(EC_KEY *eckey)
+ {
+-    return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
++    BIGNUM *priv_key;
++
++    /*
++     * See SP800-56AR3 5.6.1.2.2: Step (8)
++     * pub_key = priv_key * G (where G is a point on the curve)
++     */
++    int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
+                         NULL, NULL);
++
++    if (ret <= 0 || !FIPS_mode())
++        return ret;
++
++    /* no need to perform private key test, temporarily hide it */
++    priv_key = eckey->priv_key;
++    eckey->priv_key = NULL;
++    ret = EC_KEY_check_key(eckey);
++    eckey->priv_key = priv_key;
++
++    if (ret <= 0)
++        EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
++
++    return ret;
+ }
+ 
+ int EC_KEY_check_key(const EC_KEY *eckey)
+@@ -316,47 +372,100 @@ int EC_KEY_check_key(const EC_KEY *eckey
+     return eckey->group->meth->keycheck(eckey);
+ }
+ 
+-int ec_key_simple_check_key(const EC_KEY *eckey)
++/*
++ * Check the range of the EC public key.
++ * See SP800-56A R3 Section 5.6.2.3.3 (Part 2)
++ * i.e.
++ *  - If q = odd prime p: Verify that xQ and yQ are integers in the
++ *    interval[0, p − 1], OR
++ *  - If q = 2m: Verify that xQ and yQ are bit strings of length m bits.
++ * Returns 1 if the public key has a valid range, otherwise it returns 0.
++ */
++static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key)
+ {
+-    int ok = 0;
+-    BN_CTX *ctx = NULL;
+-    const BIGNUM *order = NULL;
++    int ret = 0;
++    BIGNUM *x, *y;
++
++    BN_CTX_start(ctx);
++    x = BN_CTX_get(ctx);
++    y = BN_CTX_get(ctx);
++    if (y == NULL)
++        goto err;
++
++    if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx))
++        goto err;
++
++    if (EC_METHOD_get_field_type(key->group->meth) == NID_X9_62_prime_field) {
++        if (BN_is_negative(x)
++            || BN_cmp(x, key->group->field) >= 0
++            || BN_is_negative(y)
++            || BN_cmp(y, key->group->field) >= 0) {
++            goto err;
++        }
++    } else {
++        int m = EC_GROUP_get_degree(key->group);
++        if (BN_num_bits(x) > m || BN_num_bits(y) > m) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    BN_CTX_end(ctx);
++    return ret;
++}
++
++/*
++ * ECC Key validation as specified in SP800-56A R3.
++ * Section 5.6.2.3.3 ECC Full Public-Key Validation.
++ */
++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx)
++{
++    int ret = 0;
+     EC_POINT *point = NULL;
++    const BIGNUM *order = NULL;
+ 
+     if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
++        ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
+         return 0;
+     }
+ 
++    /* 5.6.2.3.3 (Step 1): Q != infinity */
+     if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_AT_INFINITY);
+-        goto err;
++        ECerr(0, EC_R_POINT_AT_INFINITY);
++        return 0;
+     }
+ 
+-    if ((ctx = BN_CTX_new()) == NULL)
+-        goto err;
+-    if ((point = EC_POINT_new(eckey->group)) == NULL)
++    point = EC_POINT_new(eckey->group);
++    if (point == NULL)
++        return 0;
++
++    /* 5.6.2.3.3 (Step 2) Test if the public key is in range */
++    if (!ec_key_public_range_check(ctx, eckey)) {
++        ECerr(0, EC_R_COORDINATES_OUT_OF_RANGE);
+         goto err;
++    }
+ 
+-    /* testing whether the pub_key is on the elliptic curve */
++    /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */
+     if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE);
++        ECerr(0, EC_R_POINT_IS_NOT_ON_CURVE);
+         goto err;
+     }
+-    /* testing whether pub_key * order is the point at infinity */
++
+     order = eckey->group->order;
+     if (BN_is_zero(order)) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_GROUP_ORDER);
++        ECerr(0, EC_R_INVALID_GROUP_ORDER);
+         goto err;
+     }
++    /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */
+     if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB);
++        ECerr(0, ERR_R_EC_LIB);
+         goto err;
+     }
+     if (!EC_POINT_is_at_infinity(eckey->group, point)) {
+-        ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER);
++        ECerr(0, EC_R_WRONG_ORDER);
+         goto err;
+     }
++
+     /*
+      * in case the priv_key is present : check if generator * priv_key ==
+      * pub_key
+@@ -376,10 +485,40 @@ int ec_key_simple_check_key(const EC_KEY
+             goto err;
+         }
+     }
++
++    ret = 1;
++ err:
++    EC_POINT_free(point);
++    return ret;
++}
++
++
++/*
++ * ECC Key validation as specified in SP800-56A R3.
++ *    Section 5.6.2.3.3 ECC Full Public-Key Validation
++ * NOTES:
++ *    Before calling this method in fips mode, there should be an assurance that
++ *    an approved elliptic-curve group is used.
++ * Returns 1 if the key is valid, otherwise it returns 0.
++ */
++int ec_key_simple_check_key(const EC_KEY *eckey)
++{
++    int ok = 0;
++    BN_CTX *ctx = NULL;
++
++    if (eckey == NULL) {
++        ECerr(0, ERR_R_PASSED_NULL_PARAMETER);
++        return 0;
++    }
++    if ((ctx = BN_CTX_new()) == NULL)
++        return 0;
++
++    if (!ec_key_public_check(eckey, ctx))
++        goto err;
++
+     ok = 1;
+  err:
+     BN_CTX_free(ctx);
+-    EC_POINT_free(point);
+     return ok;
+ }
+ 
+@@ -417,12 +556,10 @@ int EC_KEY_set_public_key_affine_coordin
+         goto err;
+ 
+     /*
+-     * Check if retrieved coordinates match originals and are less than field
+-     * order: if not values are out of range.
++     * Check if retrieved coordinates match originals. The range check is done
++     * inside EC_KEY_check_key().
+      */
+-    if (BN_cmp(x, tx) || BN_cmp(y, ty)
+-        || (BN_cmp(x, key->group->field) >= 0)
+-        || (BN_cmp(y, key->group->field) >= 0)) {
++    if (BN_cmp(x, tx) || BN_cmp(y, ty)) {
+         ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
+               EC_R_COORDINATES_OUT_OF_RANGE);
+         goto err;
+Index: openssl-1.1.1m/crypto/ec/ec_local.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ec_local.h
++++ openssl-1.1.1m/crypto/ec/ec_local.h
+@@ -610,6 +610,8 @@ int ec_key_simple_generate_key(EC_KEY *e
+ int ec_key_simple_generate_public_key(EC_KEY *eckey);
+ int ec_key_simple_check_key(const EC_KEY *eckey);
+ 
++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx);
++
+ int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx);
+ 
+ /* EC_METHOD definitions */
+Index: openssl-1.1.1m/crypto/ec/ec_lib.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ec_lib.c
++++ openssl-1.1.1m/crypto/ec/ec_lib.c
+@@ -454,6 +454,11 @@ int EC_GROUP_get_curve_name(const EC_GRO
+     return group->curve_name;
+ }
+ 
++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group)
++{
++    return group->field;
++}
++
+ void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag)
+ {
+     group->asn1_flag = flag;
+Index: openssl-1.1.1m/crypto/evp/p_lib.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/evp/p_lib.c
++++ openssl-1.1.1m/crypto/evp/p_lib.c
+@@ -545,7 +545,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p
+ 
+ int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
+ {
+-    int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
++    int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ?
++               EVP_PKEY_DH : EVP_PKEY_DHX;
+     int ret = EVP_PKEY_assign(pkey, type, key);
+ 
+     if (ret)
+Index: openssl-1.1.1m/include/crypto/bn_dh.h
+===================================================================
+--- openssl-1.1.1m.orig/include/crypto/bn_dh.h
++++ openssl-1.1.1m/include/crypto/bn_dh.h
+@@ -9,16 +9,35 @@
+ 
+ #define declare_dh_bn(x) \
+     extern const BIGNUM _bignum_dh##x##_p;              \
++    extern const BIGNUM _bignum_dh##x##_q;              \
+     extern const BIGNUM _bignum_dh##x##_g;              \
+-    extern const BIGNUM _bignum_dh##x##_q;
+ 
+ declare_dh_bn(1024_160)
+ declare_dh_bn(2048_224)
+ declare_dh_bn(2048_256)
+ 
++extern const BIGNUM _bignum_const_2;
++
+ extern const BIGNUM _bignum_ffdhe2048_p;
+ extern const BIGNUM _bignum_ffdhe3072_p;
+ extern const BIGNUM _bignum_ffdhe4096_p;
+ extern const BIGNUM _bignum_ffdhe6144_p;
+ extern const BIGNUM _bignum_ffdhe8192_p;
+-extern const BIGNUM _bignum_const_2;
++extern const BIGNUM _bignum_ffdhe2048_q;
++extern const BIGNUM _bignum_ffdhe3072_q;
++extern const BIGNUM _bignum_ffdhe4096_q;
++extern const BIGNUM _bignum_ffdhe6144_q;
++extern const BIGNUM _bignum_ffdhe8192_q;
++
++extern const BIGNUM _bignum_modp_1536_p;
++extern const BIGNUM _bignum_modp_2048_p;
++extern const BIGNUM _bignum_modp_3072_p;
++extern const BIGNUM _bignum_modp_4096_p;
++extern const BIGNUM _bignum_modp_6144_p;
++extern const BIGNUM _bignum_modp_8192_p;
++extern const BIGNUM _bignum_modp_1536_q;
++extern const BIGNUM _bignum_modp_2048_q;
++extern const BIGNUM _bignum_modp_3072_q;
++extern const BIGNUM _bignum_modp_4096_q;
++extern const BIGNUM _bignum_modp_6144_q;
++extern const BIGNUM _bignum_modp_8192_q;
+Index: openssl-1.1.1m/crypto/objects/obj_dat.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/objects/obj_dat.h
++++ openssl-1.1.1m/crypto/objects/obj_dat.h
+@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
+     0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D,       /* [ 7753] OBJ_hmacWithSHA512_256 */
+ };
+ 
+-#define NUM_NID 1196
++#define NUM_NID 1202
+ static const ASN1_OBJECT nid_objs[NUM_NID] = {
+     {"UNDEF", "undefined", NID_undef},
+     {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
+@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI
+     {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]},
+     {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]},
+     {"SSHKDF", "sshkdf", NID_sshkdf},
++    {"modp_1536", "modp_1536", NID_modp_1536},
++    {"modp_2048", "modp_2048", NID_modp_2048},
++    {"modp_3072", "modp_3072", NID_modp_3072},
++    {"modp_4096", "modp_4096", NID_modp_4096},
++    {"modp_6144", "modp_6144", NID_modp_6144},
++    {"modp_8192", "modp_8192", NID_modp_8192},
+ };
+ 
+-#define NUM_SN 1187
++#define NUM_SN 1193
+ static const unsigned int sn_objs[NUM_SN] = {
+      364,    /* "AD_DVCS" */
+      419,    /* "AES-128-CBC" */
+@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN
+      506,    /* "mime-mhs-bodies" */
+      505,    /* "mime-mhs-headings" */
+      488,    /* "mobileTelephoneNumber" */
++    1196,    /* "modp_1536" */
++    1197,    /* "modp_2048" */
++    1198,    /* "modp_3072" */
++    1199,    /* "modp_4096" */
++    1200,    /* "modp_6144" */
++    1201,    /* "modp_8192" */
+      136,    /* "msCTLSign" */
+      135,    /* "msCodeCom" */
+      134,    /* "msCodeInd" */
+@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN
+     1093,    /* "x509ExtAdmission" */
+ };
+ 
+-#define NUM_LN 1187
++#define NUM_LN 1193
+ static const unsigned int ln_objs[NUM_LN] = {
+      363,    /* "AD Time Stamping" */
+      405,    /* "ANSI X9.62" */
+@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN
+      506,    /* "mime-mhs-bodies" */
+      505,    /* "mime-mhs-headings" */
+      488,    /* "mobileTelephoneNumber" */
++    1196,    /* "modp_1536" */
++    1197,    /* "modp_2048" */
++    1198,    /* "modp_3072" */
++    1199,    /* "modp_4096" */
++    1200,    /* "modp_6144" */
++    1201,    /* "modp_8192" */
+      481,    /* "nSRecord" */
+      173,    /* "name" */
+      681,    /* "onBasis" */
+Index: openssl-1.1.1m/crypto/objects/objects.txt
+===================================================================
+--- openssl-1.1.1m.orig/crypto/objects/objects.txt
++++ openssl-1.1.1m/crypto/objects/objects.txt
+@@ -1648,6 +1648,13 @@ id-pkinit 5                     : pkInit
+                             : ffdhe4096
+                             : ffdhe6144
+                             : ffdhe8192
++# NIDs for RFC3526 DH parameters
++                            : modp_1536
++                            : modp_2048
++                            : modp_3072
++                            : modp_4096
++                            : modp_6144
++                            : modp_8192
+ 
+ # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17)
+ 
+Index: openssl-1.1.1m/crypto/objects/obj_mac.num
+===================================================================
+--- openssl-1.1.1m.orig/crypto/objects/obj_mac.num
++++ openssl-1.1.1m/crypto/objects/obj_mac.num
+@@ -1193,3 +1193,9 @@ magma_mac		1192
+ hmacWithSHA512_224		1193
+ hmacWithSHA512_256		1194
+ sshkdf		1195
++modp_1536		1196
++modp_2048		1197
++modp_3072		1198
++modp_4096		1199
++modp_6144		1200
++modp_8192		1201
+Index: openssl-1.1.1m/doc/man3/DH_new_by_nid.pod
+===================================================================
+--- openssl-1.1.1m.orig/doc/man3/DH_new_by_nid.pod
++++ openssl-1.1.1m/doc/man3/DH_new_by_nid.pod
+@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find
+ 
+  #include <openssl/dh.h>
+  DH *DH_new_by_nid(int nid);
+- int *DH_get_nid(const DH *dh);
++ int DH_get_nid(const DH *dh);
+ 
+ =head1 DESCRIPTION
+ 
+ DH_new_by_nid() creates and returns a DH structure containing named parameters
+ B<nid>. Currently B<nid> must be B<NID_ffdhe2048>, B<NID_ffdhe3072>,
+-B<NID_ffdhe4096>, B<NID_ffdhe6144> or B<NID_ffdhe8192>.
++B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>,
++B<NID_modp_1536>, B<NID_modp_2048>, B<NID_modp_3072>,
++B<NID_modp_4096>, B<NID_modp_6144> or B<NID_modp_8192>.
+ 
+ DH_get_nid() determines if the parameters contained in B<dh> match
+ any named set. It returns the NID corresponding to the matching parameters or
+Index: openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod
+===================================================================
+--- openssl-1.1.1m.orig/doc/man3/EVP_PKEY_CTX_ctrl.pod
++++ openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod
+@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets
+ If B<pad> is zero (the default) then no padding is performed.
+ 
+ EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to
+-B<nid> as defined in RFC7919. The B<nid> parameter must be B<NID_ffdhe2048>,
+-B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>, B<NID_ffdhe8192>
+-or B<NID_undef> to clear the stored value. This macro can be called during
+-parameter or key generation.
++I<nid> as defined in RFC7919 or RFC3526. The I<nid> parameter must be
++B<NID_ffdhe2048>, B<NID_ffdhe3072>, B<NID_ffdhe4096>, B<NID_ffdhe6144>,
++B<NID_ffdhe8192>, B<NID_modp_1536>, B<NID_modp_2048>, B<NID_modp_3072>,
++B<NID_modp_4096>, B<NID_modp_6144>, B<NID_modp_8192> or B<NID_undef> to clear
++the stored value. This macro can be called during parameter or key generation.
+ The nid parameter and the rfc5114 parameter are mutually exclusive.
+ 
+ The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are
+Index: openssl-1.1.1m/include/openssl/ec.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/ec.h
++++ openssl-1.1.1m/include/openssl/ec.h
+@@ -212,6 +212,12 @@ void EC_GROUP_set_curve_name(EC_GROUP *g
+  */
+ int EC_GROUP_get_curve_name(const EC_GROUP *group);
+ 
++/** Gets the field of an EC_GROUP
++ *  \param  group  EC_GROUP object
++ *  \return the group field
++ */
++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group);
++
+ void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
+ int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
+ 
+Index: openssl-1.1.1m/include/openssl/obj_mac.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/obj_mac.h
++++ openssl-1.1.1m/include/openssl/obj_mac.h
+@@ -5103,6 +5103,24 @@
+ #define SN_ffdhe8192            "ffdhe8192"
+ #define NID_ffdhe8192           1130
+ 
++#define SN_modp_1536            "modp_1536"
++#define NID_modp_1536           1196
++
++#define SN_modp_2048            "modp_2048"
++#define NID_modp_2048           1197
++
++#define SN_modp_3072            "modp_3072"
++#define NID_modp_3072           1198
++
++#define SN_modp_4096            "modp_4096"
++#define NID_modp_4096           1199
++
++#define SN_modp_6144            "modp_6144"
++#define NID_modp_6144           1200
++
++#define SN_modp_8192            "modp_8192"
++#define NID_modp_8192           1201
++
+ #define SN_ISO_UA               "ISO-UA"
+ #define NID_ISO_UA              1150
+ #define OBJ_ISO_UA              OBJ_member_body,804L
+Index: openssl-1.1.1m/ssl/s3_lib.c
+===================================================================
+--- openssl-1.1.1m.orig/ssl/s3_lib.c
++++ openssl-1.1.1m/ssl/s3_lib.c
+@@ -4846,13 +4846,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey
+ EVP_PKEY *ssl_dh_to_pkey(DH *dh)
+ {
+     EVP_PKEY *ret;
++    DH *dhp = NULL;
++
+     if (dh == NULL)
+         return NULL;
++
++    if (FIPS_mode() && DH_get_nid(dh) == NID_undef) {
++        int bits = DH_bits(dh);
++        BIGNUM *p, *g;
++
++        dhp = DH_new();
++        if (dhp == NULL)
++            return NULL;
++        g = BN_new();
++        if (g == NULL || !BN_set_word(g, 2)) {
++            DH_free(dhp);
++            BN_free(g);
++            return NULL;
++        }
++
++        if (bits >= 7000)
++            p = BN_get_rfc3526_prime_8192(NULL);
++        else if (bits >= 5000)
++            p = BN_get_rfc3526_prime_6144(NULL);
++        else if (bits >= 3800)
++            p = BN_get_rfc3526_prime_4096(NULL);
++        else if (bits >= 2500)
++            p = BN_get_rfc3526_prime_3072(NULL);
++        else
++            p = BN_get_rfc3526_prime_2048(NULL);
++        if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
++            DH_free(dhp);
++            BN_free(p);
++            BN_free(g);
++            return NULL;
++        }
++        dh = dhp;
++    }
++
+     ret = EVP_PKEY_new();
+     if (EVP_PKEY_set1_DH(ret, dh) <= 0) {
++        DH_free(dhp);
+         EVP_PKEY_free(ret);
+         return NULL;
+     }
++    DH_free(dhp);
+     return ret;
+ }
+ #endif
+Index: openssl-1.1.1m/test/ectest.c
+===================================================================
+--- openssl-1.1.1m.orig/test/ectest.c
++++ openssl-1.1.1m/test/ectest.c
+@@ -1208,6 +1208,42 @@ static int internal_curve_test_method(in
+     return r;
+ }
+ 
++static int group_field_test(void)
++{
++    int r = 1;
++    BIGNUM *secp521r1_field = NULL;
++    BIGNUM *sect163r2_field = NULL;
++    EC_GROUP *secp521r1_group = NULL;
++    EC_GROUP *sect163r2_group = NULL;
++
++    BN_hex2bn(&secp521r1_field,
++                "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++                "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
++                "FFFF");
++
++    BN_hex2bn(&sect163r2_field,
++                "08000000000000000000000000000000"
++                "00000000C9");
++
++    secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1);
++    if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group)))
++      r = 0;
++
++    # ifndef OPENSSL_NO_EC2M
++    sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2);
++    if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group)))
++      r = 0;
++    # endif
++
++    EC_GROUP_free(secp521r1_group);
++    EC_GROUP_free(sect163r2_group);
++    BN_free(secp521r1_field);
++    BN_free(sect163r2_field);
++    return r;
++}
++
+ # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+ /*
+  * nistp_test_params contains magic numbers for testing our optimized
+@@ -1876,6 +1912,61 @@ err:
+     return r;
+ }
+ 
++static int check_ec_key_field_public_range_test(int id)
++{
++    int ret = 0, type = 0;
++    const EC_POINT *pub = NULL;
++    const EC_GROUP *group = NULL;
++    const EC_METHOD *meth = NULL;
++    const BIGNUM *field = NULL;
++    BIGNUM *x = NULL, *y = NULL;
++    EC_KEY *key = NULL;
++
++    if (!(TEST_ptr(x = BN_new())
++          && TEST_ptr(y = BN_new())
++          && TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid))
++          && TEST_ptr(group = EC_KEY_get0_group(key))
++          && TEST_ptr(meth = EC_GROUP_method_of(group))
++          && TEST_ptr(field = EC_GROUP_get0_field(group))
++          && TEST_int_gt(EC_KEY_generate_key(key), 0)
++          && TEST_int_gt(EC_KEY_check_key(key), 0)
++          && TEST_ptr(pub = EC_KEY_get0_public_key(key))
++          && TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y,
++                                                         NULL), 0)))
++        goto err;
++
++    /*
++     * Make the public point out of range by adding the field (which will still
++     * be the same point on the curve). The add is different for char2 fields.
++     */
++    type = EC_METHOD_get_field_type(meth);
++#ifndef OPENSSL_NO_EC2M
++    if (type == NID_X9_62_characteristic_two_field) {
++        /* test for binary curves */
++        if (!TEST_true(BN_GF2m_add(x, x, field)))
++            goto err;
++    } else
++#endif
++    if (type == NID_X9_62_prime_field) {
++        /* test for prime curves */
++        if (!TEST_true(BN_add(x, x, field)))
++            goto err;
++    } else {
++        /* this should never happen */
++        TEST_error("Unsupported EC_METHOD field_type");
++        goto err;
++    }
++    if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0))
++        goto err;
++
++    ret = 1;
++err:
++    BN_free(x);
++    BN_free(y);
++    EC_KEY_free(key);
++    return ret;
++}
++
+ /*-
+  * random 256-bit explicit parameters curve, cofactor absent
+  * order:    0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit)
+@@ -2254,8 +2345,10 @@ int setup_tests(void)
+ # endif
+     ADD_ALL_TESTS(internal_curve_test, crv_len);
+     ADD_ALL_TESTS(internal_curve_test_method, crv_len);
++    ADD_TEST(group_field_test);
+ 
+     ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
++    ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len);
+     ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+     ADD_ALL_TESTS(custom_generator_test, crv_len);
+ #endif /* OPENSSL_NO_EC */
+Index: openssl-1.1.1m/crypto/ec/ec_kmeth.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/ec/ec_kmeth.c
++++ openssl-1.1.1m/crypto/ec/ec_kmeth.c
+@@ -148,6 +148,14 @@ int ECDH_compute_key(void *out, size_t o
+             outlen = seclen;
+         memcpy(out, sec, outlen);
+     }
++
++    if (FIPS_mode()) {
++        if (EC_KEY_check_key(eckey) <= 0) {
++           EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
++           return 0;
++        }
++    }
++
+     OPENSSL_clear_free(sec, seclen);
+     return outlen;
+ }
+Index: openssl-1.1.1m/ssl/t1_lib.c
+===================================================================
+--- openssl-1.1.1m.orig/ssl/t1_lib.c
++++ openssl-1.1.1m/ssl/t1_lib.c
+@@ -2479,7 +2479,7 @@ DH *ssl_get_auto_dh(SSL *s)
+         p = BN_get_rfc3526_prime_4096(NULL);
+     else if (dh_secbits >= 128)
+         p = BN_get_rfc3526_prime_3072(NULL);
+-    else if (dh_secbits >= 112)
++    else if (dh_secbits >= 112 || FIPS_mode())
+         p = BN_get_rfc3526_prime_2048(NULL);
+     else
+         p = BN_get_rfc2409_prime_1024(NULL);
diff --git a/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch b/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
new file mode 100644
index 0000000..c4dd857
--- /dev/null
+++ b/openssl-Enable-curve-spefific-ECDSA-implementations-via-EC_M.patch
@@ -0,0 +1,504 @@
+diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
+index 84e5537..de35634 100644
+--- a/crypto/ec/ec2_smpl.c
++++ b/crypto/ec/ec2_smpl.c
+@@ -956,6 +956,9 @@ const EC_METHOD *EC_GF2m_simple_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         0, /* blind_coordinates */
+         ec_GF2m_simple_ladder_pre,
+diff --git a/crypto/ec/ec_local.h b/crypto/ec/ec_local.h
+index 4c76ca9..43be4cb 100644
+--- a/crypto/ec/ec_local.h
++++ b/crypto/ec/ec_local.h
+@@ -179,6 +179,14 @@ struct ec_method_st {
+     /* custom ECDH operation */
+     int (*ecdh_compute_key)(unsigned char **pout, size_t *poutlen,
+                             const EC_POINT *pub_key, const EC_KEY *ecdh);
++    /* custom ECDSA */
++    int (*ecdsa_sign_setup)(EC_KEY *eckey, BN_CTX *ctx, BIGNUM **kinvp,
++                            BIGNUM **rp);
++    ECDSA_SIG *(*ecdsa_sign_sig)(const unsigned char *dgst, int dgstlen,
++                                 const BIGNUM *kinv, const BIGNUM *r,
++                                 EC_KEY *eckey);
++    int (*ecdsa_verify_sig)(const unsigned char *dgst, int dgstlen,
++                            const ECDSA_SIG *sig, EC_KEY *eckey);
+     /* Inverse modulo order */
+     int (*field_inverse_mod_ord)(const EC_GROUP *, BIGNUM *r,
+                                  const BIGNUM *x, BN_CTX *);
+@@ -658,6 +666,13 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
+                       const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);
+ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+                           const ECDSA_SIG *sig, EC_KEY *eckey);
++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++                            BIGNUM **rp);
++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
++                                 const BIGNUM *in_kinv, const BIGNUM *in_r,
++                                 EC_KEY *eckey);
++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
++                            const ECDSA_SIG *sig, EC_KEY *eckey);
+ 
+ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+                  const uint8_t public_key[32], const uint8_t private_key[32]);
+diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c
+index 1da87bf..6f1edea 100644
+--- a/crypto/ec/ecdsa_ossl.c
++++ b/crypto/ec/ecdsa_ossl.c
+@@ -14,6 +14,41 @@
+ #include "crypto/bn.h"
+ #include "ec_local.h"
+ 
++int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++                          BIGNUM **rp)
++{
++    if (eckey->group->meth->ecdsa_sign_setup == NULL) {
++        ECerr(EC_F_OSSL_ECDSA_SIGN_SETUP, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++        return 0;
++    }
++
++    return eckey->group->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp);
++}
++
++ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
++                               const BIGNUM *in_kinv, const BIGNUM *in_r,
++                               EC_KEY *eckey)
++{
++    if (eckey->group->meth->ecdsa_sign_sig == NULL) {
++        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++        return NULL;
++    }
++
++    return eckey->group->meth->ecdsa_sign_sig(dgst, dgst_len,
++                                              in_kinv, in_r, eckey);
++}
++
++int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
++                          const ECDSA_SIG *sig, EC_KEY *eckey)
++{
++    if (eckey->group->meth->ecdsa_verify_sig == NULL) {
++        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA);
++        return 0;
++    }
++
++    return eckey->group->meth->ecdsa_verify_sig(dgst, dgst_len, sig, eckey);
++}
++
+ int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen,
+                     unsigned char *sig, unsigned int *siglen,
+                     const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey)
+@@ -145,15 +180,15 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
+     return ret;
+ }
+ 
+-int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
+-                          BIGNUM **rp)
++int ecdsa_simple_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
++                            BIGNUM **rp)
+ {
+     return ecdsa_sign_setup(eckey, ctx_in, kinvp, rp, NULL, 0);
+ }
+ 
+-ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+-                               const BIGNUM *in_kinv, const BIGNUM *in_r,
+-                               EC_KEY *eckey)
++ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
++                                 const BIGNUM *in_kinv, const BIGNUM *in_r,
++                                 EC_KEY *eckey)
+ {
+     int ok = 0, i;
+     BIGNUM *kinv = NULL, *s, *m = NULL;
+@@ -167,35 +202,35 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+     priv_key = EC_KEY_get0_private_key(eckey);
+ 
+     if (group == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_PASSED_NULL_PARAMETER);
+         return NULL;
+     }
+     if (priv_key == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_MISSING_PRIVATE_KEY);
+         return NULL;
+     }
+ 
+     if (!EC_KEY_can_sign(eckey)) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+         return NULL;
+     }
+ 
+     ret = ECDSA_SIG_new();
+     if (ret == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+         return NULL;
+     }
+     ret->r = BN_new();
+     ret->s = BN_new();
+     if (ret->r == NULL || ret->s == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+     s = ret->s;
+ 
+     if ((ctx = BN_CTX_new()) == NULL
+         || (m = BN_new()) == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+ 
+@@ -207,25 +242,25 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+     if (8 * dgst_len > i)
+         dgst_len = (i + 7) / 8;
+     if (!BN_bin2bn(dgst, dgst_len, m)) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /* If still too long, truncate remaining bits with a shift */
+     if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
+-        ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     do {
+         if (in_kinv == NULL || in_r == NULL) {
+             if (!ecdsa_sign_setup(eckey, ctx, &kinv, &ret->r, dgst, dgst_len)) {
+-                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_ECDSA_LIB);
++                ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_ECDSA_LIB);
+                 goto err;
+             }
+             ckinv = kinv;
+         } else {
+             ckinv = in_kinv;
+             if (BN_copy(ret->r, in_r) == NULL) {
+-                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++                ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_MALLOC_FAILURE);
+                 goto err;
+             }
+         }
+@@ -239,11 +274,11 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+          */
+         if (!bn_to_mont_fixed_top(s, ret->r, group->mont_data, ctx)
+             || !bn_mul_mont_fixed_top(s, s, priv_key, group->mont_data, ctx)) {
+-            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
+         if (!bn_mod_add_fixed_top(s, s, m, order)) {
+-            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
+         /*
+@@ -252,7 +287,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+          */
+         if (!bn_to_mont_fixed_top(s, s, group->mont_data, ctx)
+             || !BN_mod_mul_montgomery(s, s, ckinv, group->mont_data, ctx)) {
+-            ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, ERR_R_BN_LIB);
++            ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, ERR_R_BN_LIB);
+             goto err;
+         }
+ 
+@@ -262,7 +297,7 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len,
+              * generate new kinv and r values
+              */
+             if (in_kinv != NULL && in_r != NULL) {
+-                ECerr(EC_F_OSSL_ECDSA_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
++                ECerr(EC_F_ECDSA_SIMPLE_SIGN_SIG, EC_R_NEED_NEW_SETUP_VALUES);
+                 goto err;
+             }
+         } else {
+@@ -314,8 +349,8 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len,
+     return ret;
+ }
+ 
+-int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+-                          const ECDSA_SIG *sig, EC_KEY *eckey)
++int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len,
++                            const ECDSA_SIG *sig, EC_KEY *eckey)
+ {
+     int ret = -1, i;
+     BN_CTX *ctx;
+@@ -328,18 +363,18 @@ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+     /* check input values */
+     if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL ||
+         (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
+         return -1;
+     }
+ 
+     if (!EC_KEY_can_sign(eckey)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
+         return -1;
+     }
+ 
+     ctx = BN_CTX_new();
+     if (ctx == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+         return -1;
+     }
+     BN_CTX_start(ctx);
+@@ -348,26 +383,26 @@ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+     m = BN_CTX_get(ctx);
+     X = BN_CTX_get(ctx);
+     if (X == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+ 
+     order = EC_GROUP_get0_order(group);
+     if (order == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+         goto err;
+     }
+ 
+     if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
+         BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
+         BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, EC_R_BAD_SIGNATURE);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, EC_R_BAD_SIGNATURE);
+         ret = 0;                /* signature is invalid */
+         goto err;
+     }
+     /* calculate tmp1 = inv(S) mod order */
+     if (!ec_group_do_inverse_ord(group, u2, sig->s, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /* digest -> m */
+@@ -378,41 +413,41 @@ int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len,
+     if (8 * dgst_len > i)
+         dgst_len = (i + 7) / 8;
+     if (!BN_bin2bn(dgst, dgst_len, m)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /* If still too long truncate remaining bits with a shift */
+     if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /* u1 = m * tmp mod order */
+     if (!BN_mod_mul(u1, m, u2, order, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /* u2 = r * w mod q */
+     if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+ 
+     if ((point = EC_POINT_new(group)) == NULL) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
+         goto err;
+     }
+     if (!EC_POINT_mul(group, point, u1, pub_key, u2, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+         goto err;
+     }
+ 
+     if (!EC_POINT_get_affine_coordinates(group, point, X, NULL, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_EC_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_EC_LIB);
+         goto err;
+     }
+ 
+     if (!BN_nnmod(u1, X, order, ctx)) {
+-        ECerr(EC_F_OSSL_ECDSA_VERIFY_SIG, ERR_R_BN_LIB);
++        ECerr(EC_F_ECDSA_SIMPLE_VERIFY_SIG, ERR_R_BN_LIB);
+         goto err;
+     }
+     /*  if the signature is correct u1 is equal to sig->r */
+diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c
+index bdc39d5..479130d 100644
+--- a/crypto/ec/ecp_mont.c
++++ b/crypto/ec/ecp_mont.c
+@@ -63,6 +63,9 @@ const EC_METHOD *EC_GFp_mont_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         ec_GFp_simple_blind_coordinates,
+         ec_GFp_simple_ladder_pre,
+diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c
+index 9fd0127..55644f3 100644
+--- a/crypto/ec/ecp_nist.c
++++ b/crypto/ec/ecp_nist.c
+@@ -65,6 +65,9 @@ const EC_METHOD *EC_GFp_nist_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         ec_GFp_simple_blind_coordinates,
+         ec_GFp_simple_ladder_pre,
+diff --git a/crypto/ec/ecp_nistp224.c b/crypto/ec/ecp_nistp224.c
+index 6f7d66c..c1dc8f2 100644
+--- a/crypto/ec/ecp_nistp224.c
++++ b/crypto/ec/ecp_nistp224.c
+@@ -292,6 +292,9 @@ const EC_METHOD *EC_GFp_nistp224_method(void)
+         ec_key_simple_generate_public_key,
+         0, /* keycopy */
+         0, /* keyfinish */
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         ecdh_simple_compute_key,
+         0, /* field_inverse_mod_ord */
+         0, /* blind_coordinates */
+diff --git a/crypto/ec/ecp_nistp256.c b/crypto/ec/ecp_nistp256.c
+index e23e9d2..eb88e7c 100644
+--- a/crypto/ec/ecp_nistp256.c
++++ b/crypto/ec/ecp_nistp256.c
+@@ -1829,6 +1829,9 @@ const EC_METHOD *EC_GFp_nistp256_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         0, /* blind_coordinates */
+         0, /* ladder_pre */
+diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c
+index 08b3278..8e13e42 100644
+--- a/crypto/ec/ecp_nistp521.c
++++ b/crypto/ec/ecp_nistp521.c
+@@ -1670,6 +1670,9 @@ const EC_METHOD *EC_GFp_nistp521_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         0, /* blind_coordinates */
+         0, /* ladder_pre */
+diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c
+index 5005249..8154fad 100644
+--- a/crypto/ec/ecp_nistz256.c
++++ b/crypto/ec/ecp_nistz256.c
+@@ -1512,6 +1512,9 @@ const EC_METHOD *EC_GFp_nistz256_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         ecp_nistz256_inv_mod_ord,                   /* can be #define-d NULL */
+         0,                                          /* blind_coordinates */
+         0,                                          /* ladder_pre */
+diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
+index a0f062a..f01816d 100644
+--- a/crypto/ec/ecp_s390x_nistp.c
++++ b/crypto/ec/ecp_s390x_nistp.c
+@@ -175,6 +175,9 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
+         NULL, /* keycopy */                                             \
+         NULL, /* keyfinish */                                           \
+         ecdh_simple_compute_key,                                        \
++        ecdsa_simple_sign_setup,                                        \
++        ecdsa_simple_sign_sig,                                          \
++        ecdsa_simple_verify_sig,                                        \
+         NULL, /* field_inverse_mod_ord */                               \
+         ec_GFp_simple_blind_coordinates,                                \
+         ec_GFp_simple_ladder_pre,                                       \
+diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c
+index b3110ec..fbc1c93 100644
+--- a/crypto/ec/ecp_smpl.c
++++ b/crypto/ec/ecp_smpl.c
+@@ -64,6 +64,9 @@ const EC_METHOD *EC_GFp_simple_method(void)
+         0, /* keycopy */
+         0, /* keyfinish */
+         ecdh_simple_compute_key,
++        ecdsa_simple_sign_setup,
++        ecdsa_simple_sign_sig,
++        ecdsa_simple_verify_sig,
+         0, /* field_inverse_mod_ord */
+         ec_GFp_simple_blind_coordinates,
+         ec_GFp_simple_ladder_pre,
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index 902e97b..7c16f40 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -497,6 +497,9 @@ EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex
+ EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup
+ EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new
+ EC_F_ECDSA_VERIFY:253:ECDSA_verify
++EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
++EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
++EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
+ EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
+ EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
+ EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
+@@ -658,6 +661,7 @@ EC_F_NISTP521_PRE_COMP_NEW:237:nistp521_pre_comp_new
+ EC_F_O2I_ECPUBLICKEY:152:o2i_ECPublicKey
+ EC_F_OLD_EC_PRIV_DECODE:222:old_ec_priv_decode
+ EC_F_OSSL_ECDH_COMPUTE_KEY:247:ossl_ecdh_compute_key
++EC_F_OSSL_ECDSA_SIGN_SETUP:300:ossl_ecdsa_sign_setup
+ EC_F_OSSL_ECDSA_SIGN_SIG:249:ossl_ecdsa_sign_sig
+ EC_F_OSSL_ECDSA_VERIFY_SIG:250:ossl_ecdsa_verify_sig
+ EC_F_PKEY_ECD_CTRL:271:pkey_ecd_ctrl
+@@ -2141,6 +2145,7 @@ EC_R_BUFFER_TOO_SMALL:100:buffer too small
+ EC_R_CANNOT_INVERT:165:cannot invert
+ EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
+ EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
++EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
+ EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
+ EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
+ EC_R_DECODE_ERROR:142:decode error
+diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
+index 5173811..883c4cc 100644
+--- a/include/openssl/ecerr.h
++++ b/include/openssl/ecerr.h
+@@ -41,6 +41,9 @@ int ERR_load_EC_strings(void);
+ #  define EC_F_ECDSA_SIGN_EX                               254
+ #  define EC_F_ECDSA_SIGN_SETUP                            248
+ #  define EC_F_ECDSA_SIG_NEW                               265
++#  define EC_F_ECDSA_SIMPLE_SIGN_SETUP                     310
++#  define EC_F_ECDSA_SIMPLE_SIGN_SIG                       311
++#  define EC_F_ECDSA_SIMPLE_VERIFY_SIG                     312
+ #  define EC_F_ECDSA_VERIFY                                253
+ #  define EC_F_ECD_ITEM_VERIFY                             270
+ #  define EC_F_ECKEY_PARAM2TYPE                            223
+@@ -185,6 +188,7 @@ int ERR_load_EC_strings(void);
+ #  define EC_F_O2I_ECPUBLICKEY                             152
+ #  define EC_F_OLD_EC_PRIV_DECODE                          222
+ #  define EC_F_OSSL_ECDH_COMPUTE_KEY                       247
++#  define EC_F_OSSL_ECDSA_SIGN_SETUP                       300
+ #  define EC_F_OSSL_ECDSA_SIGN_SIG                         249
+ #  define EC_F_OSSL_ECDSA_VERIFY_SIG                       250
+ #  define EC_F_PKEY_ECD_CTRL                               271
+@@ -212,6 +216,7 @@ int ERR_load_EC_strings(void);
+ #  define EC_R_CANNOT_INVERT                               165
+ #  define EC_R_COORDINATES_OUT_OF_RANGE                    146
+ #  define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH                 160
++#  define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA                170
+ #  define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING              159
+ #  define EC_R_D2I_ECPKPARAMETERS_FAILURE                  117
+ #  define EC_R_DECODE_ERROR                                142
diff --git a/openssl-FIPS-KAT-before-integrity-tests.patch b/openssl-FIPS-KAT-before-integrity-tests.patch
new file mode 100644
index 0000000..cfce8f9
--- /dev/null
+++ b/openssl-FIPS-KAT-before-integrity-tests.patch
@@ -0,0 +1,26 @@
+Index: openssl-1.1.1l/crypto/fips/fips.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips.c
++++ openssl-1.1.1l/crypto/fips/fips.c
+@@ -453,15 +453,17 @@ int FIPS_module_mode_set(int onoff)
+ 
+         fips_post = 1;
+ 
+-        if (!verify_checksums()) {
+-            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+-                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++	/* Run the KATs before the HMAC verification for FIPS 140-3 compliance */
++        if (!FIPS_selftest()) {
+             fips_selftest_fail = 1;
+             ret = 0;
+             goto end;
+         }
+ 
+-        if (!FIPS_selftest()) {
++	/* Run the HMAC verification after the KATs for FIPS 140-3 compliance */
++        if (!verify_checksums()) {
++            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+             fips_selftest_fail = 1;
+             ret = 0;
+             goto end;
diff --git a/openssl-Fix-9bf682f-which-broke-nistp224_method.patch b/openssl-Fix-9bf682f-which-broke-nistp224_method.patch
new file mode 100644
index 0000000..07b07d0
--- /dev/null
+++ b/openssl-Fix-9bf682f-which-broke-nistp224_method.patch
@@ -0,0 +1,57 @@
+From 653b883b97f72a15d35d21246696881aa65311e2 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Thu, 15 Aug 2019 22:51:57 +0200
+Subject: [PATCH] Fix 9bf682f which broke nistp224_method
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9607)
+---
+ crypto/ec/ecp_nistp224.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.1.1d/crypto/ec/ecp_nistp224.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ecp_nistp224.c	2020-01-23 13:45:11.104632265 +0100
++++ openssl-1.1.1d/crypto/ec/ecp_nistp224.c	2020-01-23 13:45:11.208632883 +0100
+@@ -291,10 +291,10 @@ const EC_METHOD *EC_GFp_nistp224_method(
+         ec_key_simple_generate_public_key,
+         0, /* keycopy */
+         0, /* keyfinish */
++        ecdh_simple_compute_key,
+         ecdsa_simple_sign_setup,
+         ecdsa_simple_sign_sig,
+         ecdsa_simple_verify_sig,
+-        ecdh_simple_compute_key,
+         0, /* field_inverse_mod_ord */
+         0, /* blind_coordinates */
+         0, /* ladder_pre */
+Index: openssl-1.1.1d/crypto/ec/build.info
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/build.info	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/crypto/ec/build.info	2020-01-23 13:45:11.208632883 +0100
+@@ -20,6 +20,9 @@ GENERATE[ecp_nistz256-avx2.s]=asm/ecp_ni
+ GENERATE[ecp_nistz256-sparcv9.S]=asm/ecp_nistz256-sparcv9.pl $(PERLASM_SCHEME)
+ INCLUDE[ecp_nistz256-sparcv9.o]=..
+ 
++INCLUDE[ecp_s390x_nistp.o]=..
++INCLUDE[ecx_meth.o]=..
++
+ GENERATE[ecp_nistz256-armv4.S]=asm/ecp_nistz256-armv4.pl $(PERLASM_SCHEME)
+ INCLUDE[ecp_nistz256-armv4.o]=..
+ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl $(PERLASM_SCHEME)
+Index: openssl-1.1.1d/include/openssl/ecerr.h
+===================================================================
+--- openssl-1.1.1d.orig/include/openssl/ecerr.h	2020-01-23 13:45:11.108632290 +0100
++++ openssl-1.1.1d/include/openssl/ecerr.h	2020-01-23 13:45:11.208632883 +0100
+@@ -38,6 +38,8 @@ int ERR_load_EC_strings(void);
+ #  define EC_F_ECDH_SIMPLE_COMPUTE_KEY                     257
+ #  define EC_F_ECDSA_DO_SIGN_EX                            251
+ #  define EC_F_ECDSA_DO_VERIFY                             252
++#  define EC_F_ECDSA_S390X_NISTP_SIGN_SIG                  313
++#  define EC_F_ECDSA_S390X_NISTP_VERIFY_SIG                314
+ #  define EC_F_ECDSA_SIGN_EX                               254
+ #  define EC_F_ECDSA_SIGN_SETUP                            248
+ #  define EC_F_ECDSA_SIG_NEW                               265
diff --git a/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch b/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
new file mode 100644
index 0000000..760f8d0
--- /dev/null
+++ b/openssl-OPENSSL_s390xcap.pod-list-msa9-facility-bit-155.patch
@@ -0,0 +1,30 @@
+From 3ded2288a45d2cc3a27a1b08d29499cbcec52c0e Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Fri, 12 Jul 2019 13:47:32 +0200
+Subject: [PATCH 09207/10000] OPENSSL_s390xcap.pod: list msa9 facility bit
+ (155)
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9348)
+---
+ doc/man3/OPENSSL_s390xcap.pod | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
+index e45da4467f..1f4ee85fdf 100644
+--- a/doc/man3/OPENSSL_s390xcap.pod
++++ b/doc/man3/OPENSSL_s390xcap.pod
+@@ -72,6 +72,7 @@ the numbering is continuous across 64-bit mask boundaries.
+       #134    1<<57    vector packed decimal facility
+       #135    1<<56    vector enhancements facility 1
+       #146    1<<45    message-security assist extension 8
++      #155    1<<36    message-security assist extension 9
+ 
+  kimd :
+       #  1    1<<62    KIMD-SHA-1
+-- 
+2.24.0
+
diff --git a/openssl-Update-further-expiring-certificates.patch b/openssl-Update-further-expiring-certificates.patch
new file mode 100644
index 0000000..3b46390
--- /dev/null
+++ b/openssl-Update-further-expiring-certificates.patch
@@ -0,0 +1,960 @@
+From ab7d05617a444cfcf4f930f81caa4cf66495ab9b Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Thu, 2 Jun 2022 18:12:05 +0200
+Subject: [PATCH] Update further expiring certificates that affect tests
+
+Namely the smime certificates used in test_cms
+will expire soon and affect tests.
+
+Fixes #15179
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Paul Dale <pauli@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/18481)
+---
+ test/smime-certs/mksmime-certs.sh | 22 ++++----
+ test/smime-certs/smdh.pem         | 72 +++++++++++++++----------
+ test/smime-certs/smdsa1.pem       | 86 ++++++++++++++---------------
+ test/smime-certs/smdsa2.pem       | 86 ++++++++++++++---------------
+ test/smime-certs/smdsa3.pem       | 86 ++++++++++++++---------------
+ test/smime-certs/smec1.pem        | 36 ++++++-------
+ test/smime-certs/smec2.pem        | 38 ++++++-------
+ test/smime-certs/smroot.pem       | 90 +++++++++++++++----------------
+ test/smime-certs/smrsa1.pem       | 90 +++++++++++++++----------------
+ test/smime-certs/smrsa2.pem       | 90 +++++++++++++++----------------
+ test/smime-certs/smrsa3.pem       | 90 +++++++++++++++----------------
+ 11 files changed, 400 insertions(+), 386 deletions(-)
+
+diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
+index c98e164b1871..caa191ed770c 100644
+--- a/test/smime-certs/mksmime-certs.sh
++++ b/test/smime-certs/mksmime-certs.sh
+@@ -15,23 +15,23 @@ export OPENSSL_CONF
+ 
+ # Root CA: create certificate directly
+ CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \
+-	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
++	-keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 36501
+ 
+ # EE RSA certificates: create request first
+ CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smrsa1.pem -out req.pem -newkey rsa:2048
+ # Sign request: end entity extensions
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
+ 
+ CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smrsa2.pem -out req.pem -newkey rsa:2048
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
+ 
+ CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smrsa3.pem -out req.pem -newkey rsa:2048
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
+ 
+ # Create DSA parameters
+@@ -40,15 +40,15 @@ $OPENSSL dsaparam -out dsap.pem 2048
+ 
+ CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
+ CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
+ CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
+ 
+ # Create EC parameters
+@@ -58,15 +58,15 @@ $OPENSSL ecparam -out ecp2.pem -name K-283
+ 
+ CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smec1.pem -out req.pem -newkey ec:ecp.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
+ CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
+ CN="Test S/MIME EE EC #3" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smec3.pem -out req.pem -newkey ec:ecp.pem
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec3.pem
+ # Create X9.42 DH parameters.
+ $OPENSSL genpkey -genparam -algorithm DH -pkeyopt dh_paramgen_type:2 \
+@@ -78,7 +78,7 @@ $OPENSSL pkey -pubout -in smdh.pem -out dhpub.pem
+ CN="Test S/MIME EE DH #1" $OPENSSL req -config ca.cnf -nodes \
+ 	-keyout smtmp.pem -out req.pem -newkey rsa:2048
+ # Sign request but force public key to DH
+-$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 36500 \
+ 	-force_pubkey dhpub.pem \
+ 	-extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdh.pem
+ # Remove temp files.
+diff --git a/test/smime-certs/smdh.pem b/test/smime-certs/smdh.pem
+index f831b0713b95..273dfca5e05c 100644
+--- a/test/smime-certs/smdh.pem
++++ b/test/smime-certs/smdh.pem
+@@ -1,33 +1,47 @@
+ -----BEGIN PRIVATE KEY-----
+-MIIBSgIBADCCASsGByqGSM4+AgEwggEeAoGBANQMSgwEcnEZ31kZxa9Ef8qOK/AJ
+-9dMlsXMWVYnf/QevGdN/0Aei/j9a8QHG+CvvTm0DOEKhN9QUtABKsYZag865CA7B
+-mSdHjQuFqILtzA25sDJ+3+jk9vbss+56ETRll/wasJVLGbmmHNkBMvc1fC1d/sGF
+-cEn4zJnQvvFaeMgDAoGAaQD9ZvL8FYsJuNxN6qp5VfnfRqYvyi2PWSqtRKPGGC+V
+-thYg49PRjwPOcXzvOsdEOQ7iH9jTiSvnUdwSSEwYTZkSBuQXAgOMJAWOpoXyaRvh
+-atziBDoBnWS+/kX5RBhxvS0+em9yfRqAQleuGG+R1mEDihyJc8dWQQPT+O1l4oUC
+-FQCJlKsQZ0VBrWPGcUCNa54ZW6TH9QQWAhRR2NMZrQSfWthXDO8Lj5WZ34zQrA==
++MIICXAIBADCCAjUGByqGSM4+AgEwggIoAoIBAQCB6AUA/1eXRh+iLWHXe+lUl6e+
+++460tAIIpsQ1jw1ZaTmlH9SlrWSBNVRVHwDuBW7vA+lKgBvDpCIjmhRbgrZIGwcZ
++6ruCYy5KF/B3AW5MApC9QCDaVrG6Hb7NfpMgwuUIKvvvOMrrvn4r5Oxtsx9rORTE
++bdS33MuZCOIbodjs5u+e/2hhssOwgUTMASDwXppJTyeMwAAZ+p78ByrSULP6yYdP
++PTh8sK1begDG6YTSKE3VqYNg1yaE5tQvCQ0U2L4qZ8JqexAVHbR8LA8MNhtA1pma
++Zj4q2WNAEevpprIIRXgJEZY278nPlvVeoKfOef9RBHgQ6ZTnZ1Et5iLMCwYHAoIB
++AFVgJaHfnBVJYfaQh1NyoVZJ5xX6UvvL5xEKUwwEMgs8JSOzp2UI+KRDpy9KbNH7
++93Kwa2d8Q7ynciDiCmd1ygF4CJKb4ZOwjWjpZ4DedHr0XokGhyBCyjaBxOi3i4tP
++EFO8YHs5B/yOZHzcpTfs2VxJqIm3KF8q0Ify9PWDAsgo+d21/+eye60FHjF9o2/D
++l3NRlOhUhHNGykfqFgKEEEof3/3c6r5BS0oRXdsu6dx/y2/v8j9aJoHfyGHkswxr
++ULSBxJENOBB89C+GET6yhbxV1e4SFwzHnXgG8bWXwk7bea6ZqXbHq0pT3kUiQeKe
++assXKqRBAG9NLbQ3mmx8RFkCHQDIVBWPf6VwBa2s1CAcsIziVJ8qr/KAKx9DZ3h5
++BB4CHAF3VZBAC/TB85J4PzsLJ+VrOWr0c8kQlYUR9rw=
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIID/zCCAuegAwIBAgIJANv1TSKgememMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA4MDIxNDQ5MjlaFw0yMzA2MTExNDQ5MjlaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
+-ZXN0IFMvTUlNRSBFRSBESCAjMTCCAbYwggErBgcqhkjOPgIBMIIBHgKBgQDUDEoM
+-BHJxGd9ZGcWvRH/KjivwCfXTJbFzFlWJ3/0HrxnTf9AHov4/WvEBxvgr705tAzhC
+-oTfUFLQASrGGWoPOuQgOwZknR40LhaiC7cwNubAyft/o5Pb27LPuehE0ZZf8GrCV
+-Sxm5phzZATL3NXwtXf7BhXBJ+MyZ0L7xWnjIAwKBgGkA/Wby/BWLCbjcTeqqeVX5
+-30amL8otj1kqrUSjxhgvlbYWIOPT0Y8DznF87zrHRDkO4h/Y04kr51HcEkhMGE2Z
+-EgbkFwIDjCQFjqaF8mkb4Wrc4gQ6AZ1kvv5F+UQYcb0tPnpvcn0agEJXrhhvkdZh
+-A4ociXPHVkED0/jtZeKFAhUAiZSrEGdFQa1jxnFAjWueGVukx/UDgYQAAoGAL1ve
+-cgI2awBeJH8ULBhSQpdL224VUDxFPiXzt8Vu5VLnxPv0pfA5En+8VByTuV7u6RSw
+-3/78NuTyr/sTyN8YlB1AuXHdTJynA1ICte1xgD4j2ijlq+dv8goOAFt9xkvXx7LD
+-umJ/cCignXETcNGfMi8+0s0bpMZyoHRdce8DQ26jYDBeMAwGA1UdEwEB/wQCMAAw
+-DgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQLWk1ffSXH8p3Bqrdjgi/6jzLnwDAf
+-BgNVHSMEGDAWgBTffl6IBSQzCN0igQKXzJq3sTMnMDANBgkqhkiG9w0BAQUFAAOC
+-AQEAWvJj79MW1/Wq3RIANgAhonsI1jufYqxTH+1M0RU0ZXHulgem77Le2Ls1bizi
+-0SbvfpTiiFGkbKonKtO2wvfqwwuptSg3omMI5IjAGxYbyv2KBzIpp1O1LTDk9RbD
+-48JMMF01gByi2+NLUQ1MYF+5RqyoRqcyp5x2+Om1GeIM4Q/GRuI4p4dybWy8iC+d
+-LeXQfR7HXfh+tAum+WzjfLJwbnWbHmPhTbKB01U4lBp6+r8BGHAtNdPjEHqap4/z
+-vVZVXti9ThZ20EhM+VFU3y2wyapeQjhQvw/A2YRES0Ik7BSj3hHfWH/CTbLVQnhu
+-Uj6tw18ExOYxqoEGixNLPA5qsQ==
++MIIFmDCCBICgAwIBAgIUWlJkHZZ2eZgkGCHFtcMAjlLdDH8wDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgREggIzEwggNCMIICNQYHKoZIzj4C
++ATCCAigCggEBAIHoBQD/V5dGH6ItYdd76VSXp777jrS0AgimxDWPDVlpOaUf1KWt
++ZIE1VFUfAO4Fbu8D6UqAG8OkIiOaFFuCtkgbBxnqu4JjLkoX8HcBbkwCkL1AINpW
++sbodvs1+kyDC5Qgq++84yuu+fivk7G2zH2s5FMRt1Lfcy5kI4huh2Ozm757/aGGy
++w7CBRMwBIPBemklPJ4zAABn6nvwHKtJQs/rJh089OHywrVt6AMbphNIoTdWpg2DX
++JoTm1C8JDRTYvipnwmp7EBUdtHwsDww2G0DWmZpmPirZY0AR6+mmsghFeAkRljbv
++yc+W9V6gp855/1EEeBDplOdnUS3mIswLBgcCggEAVWAlod+cFUlh9pCHU3KhVknn
++FfpS+8vnEQpTDAQyCzwlI7OnZQj4pEOnL0ps0fv3crBrZ3xDvKdyIOIKZ3XKAXgI
++kpvhk7CNaOlngN50evReiQaHIELKNoHE6LeLi08QU7xgezkH/I5kfNylN+zZXEmo
++ibcoXyrQh/L09YMCyCj53bX/57J7rQUeMX2jb8OXc1GU6FSEc0bKR+oWAoQQSh/f
++/dzqvkFLShFd2y7p3H/Lb+/yP1omgd/IYeSzDGtQtIHEkQ04EHz0L4YRPrKFvFXV
++7hIXDMedeAbxtZfCTtt5rpmpdserSlPeRSJB4p5qyxcqpEEAb00ttDeabHxEWQId
++AMhUFY9/pXAFrazUIBywjOJUnyqv8oArH0NneHkDggEFAAKCAQBigH0Mp4jUMSfK
++yOhKlEfyZ/hj/EImsUYW4+u8xjBN+ruOJUTJ06Mtgw3g2iLkhQoO9NROqvC9rdLj
+++j3e+1QWm9EDNKQAa4nUp8/W+XZ5KkQWudmtaojEXD1+kd44ieNLtPGuVnPtDGO4
++zPf04IUq7tDGbMDMMn6YXvW6f28lR3gF5vvVIsnjsd/Lau6orzmNSrymXegsEsFR
++Q7hT+/tPoAtro6Hx9rBrYb/0OCiRe4YuYrFKkC0aaJfUQepVyuVMSTxxKTzq8T06
++M8SBITlmkPFZJHyGzV/+a72hpJsAa0BaDnpxH3cFpEMzeYG1XQK461zexoIYN3ub
++i3xNPUzPo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4E
++FgQULayIqKcWHtUH4pFolI6dKxycIG8wHwYDVR0jBBgwFoAUFcETIWviVV+nah1X
++INbP86lzZFkwDQYJKoZIhvcNAQELBQADggEBAKjKvvJ6Vc9HiQXACqqRZnekz2gO
++ue71nsXXDr2+y4PPpgcDzgtO3vhQc7Akv6Uyca9LY7w/X+temP63yxdLpKXTV19w
++Or0p4VEvTZ8AttMjFh4Hl8caVYk/J4TIudSXLIfKROP6sFu5GOw7W3xpBkL5Zio6
++3dqe6xAYK0woNQPDfj5yOAlqj1Ohth81JywW5h2g8GfLtNe62coAqwjMJT+ExHfU
++EkF/beSqRGOvXwyhSxFpe7HVjUMgrgdfoZnNsoPmpH3eTiF4BjamGWI1+Z0o+RHa
++oPwN+cCzbDsi9uTQJO1D5S697heX00zzzU/KSW7djNzKv55vm24znuFkXTM=
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
+index b424f6704ed9..0104e207cb27 100644
+--- a/test/smime-certs/smdsa1.pem
++++ b/test/smime-certs/smdsa1.pem
+@@ -1,47 +1,47 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
+-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
+-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
+-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
+-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
+-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
+-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
+-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
+-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
+-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
+-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
+-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
+-TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
++MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
++i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
++4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
++kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
++c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
++8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
++mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
++V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
++ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
++CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
++5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
++QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
++ygQeAhwE9yuqObvNXzUTN+PY2rg00PzdyJw3XJAUrmlY
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
+-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
+-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
+-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
+-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
+-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
+-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
+-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
+-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
+-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
+-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
+-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
+-EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
+-86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
+-DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
+-O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
+-1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
+-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
+-xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
+-MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
+-d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
+-MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
+-Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
+-17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
+-0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
++MIIFmjCCBIKgAwIBAgIUUoOmJmXAY29/2rWY0wJphQ5/pzUwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMxMIIDQzCCAjYGByqGSM44
++BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
++J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
++LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
++62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
++MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
++aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
++3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
++bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
++9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
++DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
++E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
++hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBACGS7hCpTL0g
++lx9C1Bwz5xfVd0mwCqx9UGiH8Bf4lRsSagL0Irwvnjz++WH1vecZa2bWsYsPhQ+D
++KDzaCo20CYln4IFEPgY0fSE+KTF1icFj/mD+MgxWgsgKoTI120ENPGHqHpKkv0Uv
++OlwTImU4BxxkctZ5273XEv3VPQE8COGnXgqt7NBazU/O7vibFm0iaEsVjHFHYcoo
+++sMcm3F2E/gvR9IJGaGPeCk0sMW8qloPzErWIugx/OGqM7fni2cIcZwGdju52O+l
++cLV0tZdgC7eTbVDMLspyuiYME+zvEzRwCQF/GqcCDSn68zxJv/zSNZ9XxOgZaBfs
++Na7e8YGATiujYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
++DgQWBBSFVrWPZrHzhHUg0MMEAAKwQIfsazAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
++HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAbm49FB+eyeX7OBUC/akhnkFw
++cDXqw7Fl2OibRK+g/08zp4CruwJdb72j5+pTmG+9SF7tGyQBfHFf1+epa3ZiIc+0
++UzFf2xQBMyHjesL19cTe4i176dHz8pCxx9OEow0GlZVV85+Anev101NskKVNNVA7
++YnB2xKQWgf8HORh66XVCk54xMcd99ng8xQ8vhZC6KckVbheQgdPp7gUAcDgxH2Yo
++JF8jHQlsWNcCGURDldP6FQ49TGWHj24IGjnjGapWxMUjvCz+kV6sGW/OIYu+MM9w
++FMIOyEdUUtKowWT6eXwrITup3T6pspPTicbK61ZCPuxMvP2JBFGZsqat+F5g+w==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
+index 648447fc89a1..7d5b969dc3b3 100644
+--- a/test/smime-certs/smdsa2.pem
++++ b/test/smime-certs/smdsa2.pem
+@@ -1,47 +1,47 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
+-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
+-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
+-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
+-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
+-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
+-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
+-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
+-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
+-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
+-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
+-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
+-TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
++MIICXQIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
++i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
++4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
++kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
++c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
++8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
++mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
++V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
++ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
++CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
++5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
++QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
++ygQeAhwmRauZi+nQ3kQ+GSKD7JCwv8XkD9NObMGlW018
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
+-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
+-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
+-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
+-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
+-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
+-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
+-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
+-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
+-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
+-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
+-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
+-h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
+-tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
+-LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
+-3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
+-KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
+-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
+-qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
+-MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
+-VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
+-uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
+-6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
+-2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
+-GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
++MIIFmjCCBIKgAwIBAgIUHGKu2FMhT1wCiJTK3uAnklo55uowDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMyMIIDQzCCAjYGByqGSM44
++BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
++J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
++LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
++62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
++MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
++aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
++3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
++bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
++9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
++DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
++E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
++hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAE0+OYS0s8/o
++HwuuiPsBZTlRynqdwF6FHdE0Ei2uVTxnJouPYB2HvaMioG2inbISzPtEcnLF9Pyx
++4hsXz7D49yqyMFjE3G8ObBOs/Vdno6E9ZZshWiRDwPf8JmoYp551UuJDoVaOTnhx
++pEs30nuidtqd54PMdWUQPfp58kTu6bXvcRxdUj5CK/PyjavJCnGfppq/6j8jtrji
++mOjIIeLZIbWp7hTVS/ffmfqZ8Lx/ShOcUzDa0VS3lfO28XqXpeqbyHdojsYlG2oA
++shKJL7/scq3ab8cI5QuHEIGSbxinKfjCX4OEQ04CNsgUwMY9emPSaNdYDZOPqq/K
++3bGk2PLcRsyjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
++DgQWBBTQAQyUCqYWGo5RuwGCtHNgXgzEQzAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
++HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAc3rayE2FGgG1RhLXAHYAs1Ky
++4fcVcrzaPaz5jjWbpBCStkx+gNcUiBf+aSxNrRvUoPOSwMDLpMhbNBj2cjJqQ0W1
++oq4RUQth11qH89uPtBqiOqRTdlWAGZJbUTtVfrlc58DsDxFCwdcktSDYZwlO2lGO
++vMCOn9N7oqEEuwRa++xVnYc8ZbY8lGwJD3bGR6iC7NkYk+2LSqPS52m8e0GO8dpf
++RUrndbhmtsYa925dj2LlI218F3XwVcAUPW67dbpeEVw5OG8OCHRHqrwBEJj2PMV3
++tHeNXDEhjTzI3wiFia4kDBAKIsrC/XQ4tEiFzq0V00BiVY0ykhy+v/qNPskTsg==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
+index 77acc5e46ffc..6df4699450f0 100644
+--- a/test/smime-certs/smdsa3.pem
++++ b/test/smime-certs/smdsa3.pem
+@@ -1,47 +1,47 @@
+ -----BEGIN PRIVATE KEY-----
+-MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
+-k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
+-zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
+-wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
+-v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
+-0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
+-rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
+-zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
+-DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
+-xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
+-ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
+-Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
+-TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
++MIICXgIBADCCAjYGByqGSM44BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1
++i0SuHnFvPc5gHMLIxJhDp3cLJ5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t
++4INbA4D+QSkxb4SWNurRBQj5LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAa
++kOxI+l/rPAQlIUMCHSF6xXgd62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLg
++c9HnYvwxlpoV+SHi+QXSrcrtMBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S
++8EP8eXSDD+1Sni2Jk38etU+laS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0A
++mkjrU1XrCahV9d78Rklpd4fK3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huaw
++V6wj7hT99kjzQjZqbvLENW9bbAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7
++ioJmtded5hhS6GDg3Oj4IYiJ9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKR
++CnZ2/FeRyjSS3cUey89GE2N2DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL
++5H4Oo6NaSUc8dl7HWEeWoS8BE7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdL
++QldkaQkHAEg0QqYb2Hv/xHfVhn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwX
++ygQfAh0AkfI6533W5nBIVrDPcp2DCXC8u2SIwBob6OoK5A==
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
+-uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
+-7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
+-wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+-+Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
+-Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
+-AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
+-0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
+-g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
+-0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
+-yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
+-7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
+-aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
+-msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
+-zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
+-cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
+-N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
+-2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
+-MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
+-FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
+-MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
+-pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
+-YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
+-khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
+-Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
+-4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
++MIIFmjCCBIKgAwIBAgIUO2QHMd9V/S6KlrFDIPd7asRP4FAwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgRFNBICMzMIIDQzCCAjYGByqGSM44
++BAEwggIpAoIBAQCg5xGADjdINCKODDX6yq3w8vQ1i0SuHnFvPc5gHMLIxJhDp3cL
++J5eJmcHZ07WflsMgSxD2Wd5lX5Q9uxtv78/erv5t4INbA4D+QSkxb4SWNurRBQj5
++LuoGhFMpCubDYSxiKkTJ4pmOEbsjnlGLiN5R1jAakOxI+l/rPAQlIUMCHSF6xXgd
++62fUdEAnRYj46Lgw+FWKAKNhcH7rOLA7k4JnYCLgc9HnYvwxlpoV+SHi+QXSrcrt
++MBNCmIgIONI5uNuBnZq6jjHE/Wg1+D4wGxOZl+/S8EP8eXSDD+1Sni2Jk38etU+l
++aS0pVV9lh6sV3zV28YXVZl01CHUfwH+3w/XJAh0AmkjrU1XrCahV9d78Rklpd4fK
++3K53+X5MeTgNLQKCAQEAoA32HKvIhx6wvmT9huawV6wj7hT99kjzQjZqbvLENW9b
++bAgOdPzZzusqZmZMgGdDr94oYz1/MhmAKNY4lQv7ioJmtded5hhS6GDg3Oj4IYiJ
++9trAQ/ATrDrSi3sQAZ3Pvip7j4oljvsQBmAj3KKRCnZ2/FeRyjSS3cUey89GE2N2
++DQbHEmuG/F8aDmUhLNusZm6nXs2Y1W7+kQRwswBL5H4Oo6NaSUc8dl7HWEeWoS8B
++E7G4JFCXBQwwgInOJINyQlknxMSpv7dwxp32SgdLQldkaQkHAEg0QqYb2Hv/xHfV
++hn9vTpGJQyWvnT5RvbXSGdTk1CTlZTrUAGmbHOwXygOCAQUAAoIBAEj25Os9f57G
++TaxsP8NzdCRBThCLqZWqLADh6S/aFOQQFpRRk3vGkvrOK/5La8KGKIDyzCEQo7Kg
++sPwI1o4N5GKx15Cer2ekDWLtP4hA2CChs4tWJzEa8VxIDTg4EUnASFCbfDUY/Yt0
++5NM4nxtBhnr6PT7XmRehEFaTAgmsQFJ29jKx4tJkr+Gmj9J4i10CPd9DvIgIEnNt
++rYMAlfbGovaZVCgKp5INVA4IkDfCcbzDeNiOGaACeV+4QuEbgIbUhMq9vbw3Vvqe
++jwozPdrTYjd7oNxx/tY7gqxFRFxdDPXPno230afsAJsHmNF7lpj9Q4vBhy8w/EI1
++jGzuiXjei9qjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMB0GA1Ud
++DgQWBBTwbCT+wSR9cvTg70jA2yIWgQSDZjAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
++HVcg1s/zqXNkWTANBgkqhkiG9w0BAQsFAAOCAQEAe5t9oi8K76y+wnV6I21vKgEh
++M6DEe3+XTq10kAgYbcbMm+a6n86beaID7FANGET+3bsShxFeAX9g4Qsdw+Z3PF3P
++wvqiBD8MaXczj28zP6j9TxsjGzpAsV3xo1n7aQ+hHzpopJUxAyx4hLBqSSwdj/xe
++azELeVKoXY/nlokXnONWC5AvtfR7m7mKFPOmUghbeGCJH7+FXnC58eiF7BEpSbQl
++SniAdQFis+Dne6/kwZnQQaSDg55ELfaZOLhaLcRtqqgU+kv24mXGGEBhs9bBKMz5
++ZNiKLafE3tCGRA5iMRwzdeSgrdnkQDHFiYXh3JHk5oKwGOdxusgt3DTHAFej1A==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem
+index 75a862666b25..a94f65c60042 100644
+--- a/test/smime-certs/smec1.pem
++++ b/test/smime-certs/smec1.pem
+@@ -1,22 +1,22 @@
+ -----BEGIN PRIVATE KEY-----
+-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS
+-DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV
+-3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x
++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgdOomk0EB/oWMnTZB
++Qm5XMjlKnZNF4PMpwgov0Tj3u8OhRANCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ
++7hpSjs4bd95L+Lli+O91/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Ky
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
+-ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I
+-iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi
+-ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
+-MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK
+-Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy
+-WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt
+-7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV
+-FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y
+-S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1
+-DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7
+-qtcHJA==
++MIICrTCCAZWgAwIBAgIUdLT4B443vbxt0B8Mzy0sR4+6AyowDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzEwWTATBgcqhkjOPQIBBggq
++hkjOPQMBBwNCAATbG6XprSqHiD9AxWJiXRFgS+y38DGZ7hpSjs4bd95L+Lli+O91
++/lUy7Tb8aJ6VU2CoyWQjV4sQjbdVqeD+y4Kyo2AwXjAMBgNVHRMBAf8EAjAAMA4G
++A1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUOia9H7l0qw3ftsDgEEeSBrHwQrwwHwYD
++VR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZIhvcNAQELBQADggEB
++AC7h/QkMocYANPqMQAO2okygG+OaE4qpKnlzHPUFMYedJGCvAWrwxu4hWL9T+hZo
++qilM7Fwaxw/P4Zaaa15SOOhXkIdn9Fu2ROmBQtEiklmWGMjiZ6F+9NCZPk0cTAXK
++2WQZOy41YNuvts+20osD4X/8x3fiARlokufj/TVyE73wG8pSSDh4KxWDfKv5Pi1F
++PC5IJh8XVELnFkeY3xjtoux5AYT+1xIQHO4eBua02Y1oPiWG7l/sK3grVlxrupd9
++pXowwFlezWZP9q12VlWkcqwNb9hF9PkZge9bpiOJipSYgyobtAnms/CRHu3e6izl
++LJRua7p4Wt/8GQENDrVkHqU=
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem
+index 457297a760f1..3fe14b3a1193 100644
+--- a/test/smime-certs/smec2.pem
++++ b/test/smime-certs/smec2.pem
+@@ -1,23 +1,23 @@
+ -----BEGIN PRIVATE KEY-----
+-MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl
+-brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7
+-uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8
+-6bQ=
++MIGQAgEAMBAGByqGSM49AgEGBSuBBAAQBHkwdwIBAQQkAEkuzLBwx5bIw3Q2PMNQ
++HzaY8yL3QLjzaJ8tCHrI/JTb9Q7VoUwDSgAEAu8b2HvLzKd0qhPtIw65Lh3OgF3X
++IN5874qHwt9zPSvokijSAH3v9tcBJPdRLD3Lweh2ZPn5hMwVwVorHqSgASk5vnjp
++HqER
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
+-ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+
+-huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj
+-JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
+-BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA
+-FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez
+-ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK
+-xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0
+-uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P
+-rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq
+-IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0
+-4ZdCllHZkhop
++MIICsjCCAZqgAwIBAgIUFMjrNKt+D8tzvn7jtjZ5HrLcUlswDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxNFoYDzIxMjIw
++NTA5MTUzMzE0WjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgRUUgRUMgIzIwXjAQBgcqhkjOPQIBBgUr
++gQQAEANKAAQC7xvYe8vMp3SqE+0jDrkuHc6AXdcg3nzviofC33M9K+iSKNIAfe/2
++1wEk91EsPcvB6HZk+fmEzBXBWisepKABKTm+eOkeoRGjYDBeMAwGA1UdEwEB/wQC
++MAAwDgYDVR0PAQH/BAQDAgXgMB0GA1UdDgQWBBSqWRYUy2syIUwfSR31e19LeNXK
++9TAfBgNVHSMEGDAWgBQVwRMha+JVX6dqHVcg1s/zqXNkWTANBgkqhkiG9w0BAQsF
++AAOCAQEASbh+sI03xUMMzPT8bRbWNF5gG3ab8IUzqm05rTa54NCPRSn+ZdMXcCFz
++5fSU0T1dgEjeD+cCRVAZxskTZF7FWmRLc2weJMf7x+nPE5KaWyRAoD7FIKGP2m6m
++IMCVOmiafuzmHASBYOz6RwjgWS0AWES48DJX6o0KpuT4bsknz+H7Xo+4+NYGCRao
++enqIMZmWesGVXJ63pl32jUlXeAg59W6PpV2L9XRWLzDW1t1q2Uji7coCWtNjkojZ
++rv0yRMc1czkT+mAJRAJ8D9MoTnRXm1dH4bOxte4BGUHNQ2P1HeV01vkd1RTL0g0R
++lPyDAlBASvMn7RZ9nX8G3UOOL6gtVA==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
+index d1a253f40958..9af38d310b4f 100644
+--- a/test/smime-certs/smroot.pem
++++ b/test/smime-certs/smroot.pem
+@@ -1,49 +1,49 @@
+ -----BEGIN PRIVATE KEY-----
+-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq
+-nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL
+-DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc
+-BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI
+-MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV
+-kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q
+-LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c
+-b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R
+-Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu
+-ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4
+-Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF
+-ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp
+-PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx
+-mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw
+-nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z
+-8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw
+-fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu
+-PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T
+-5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP
+-aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq
+-qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr
+-yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK
+-NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53
+-bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI
+-vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
+-KfvPCYimQwBjVrEnSntLPR0=
++MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDZLSl8LdU54OUA
++T8ctFuKLShJul2IMzaEDkFLoL4agccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7Ke
++iSuFJOrQtvDt+HkU5c706YDmw15mBpDSHapkXr80G/ABFbstWafOfagVW45wv65K
++H4cnpcqwrLhagmC8QG0KfWbf+Z2efOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+Ubzg
++cY4Y/hJ7Fw1/IeEhgr/iVJhQIUAklp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR
++0YZWyIKfKzbeJLBzDqY2hQzVL6kAvY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt
+++UTEkuBdAgMBAAECggEAF3Eagz7nPyIZVdlGpIVN2r8aEjng6YTglmPjrxBCNdtS
++F6AxvY9UKklIF2Gg4tXlhU0TlDWvedM4Koif2/VKK1Ez3FvvpePQXPs/YKlB7T1U
++MHnnRII9nUBOva88zv5YcJ97nyKM03q9M18H1a29nShnlc1w56EEpBc5HX/yFYMv
++kMYydvB5j0DQkJlkQNFn4yRag0wIIPeyXwwh5l98SMlr40hO10OYTOQPrrgP/ham
++AOZ//DvGo5gF8hGJYoqG4vcYbxRfTqbc2lQ4XRknOT182l9gRum52ahkBY6LKb4r
++IZXPStS6fCAR5S0lcdBb3uN/ap9SUfb9w/Dhj5DZAQKBgQDr06DcsBpoGV2dK9ib
++YL5MxC5JL7G79IBPi3ThRiOSttKXv3oDAFB0AlJvFKwYmVz8SxXqQ2JUA4BfvMGF
++TNrbhukzo0ou5boExnQW/RjLN3fWVq1JM7iLbNU9YYpPCIG5LXrt4ZDOwITeGe8f
++bmZK9zxWxc6BBJtc3mTFS5tm4QKBgQDrwRyEn6oZ9TPbR69fPgWvDqQwKs+6TtYn
++0otMG9UejbSMcyU4sI+bZouoca2CzoNi2qZVIvI9aOygUHQAP7Dyq1KhsvYtzJub
++KEua379WnzBMMjJ56Q/e4aKTq229QvOk+ZEYl6aklZX7xnYetYNZQrp4QzUyOQTG
++gfxgxKi0/QKBgQCy1esAUJ/F366JOS3rLqNBjehX4c5T7ae8KtJ433qskO4E29TI
++H93jC7u9txyHDw5f2QUGgRE5Cuq4L2lGEDFMFvQUD7l69QVrB6ATqt25hhffuB1z
++DMDfIqpXAPgk1Rui9SVq7gqlb4OS9nHLESqLoQ/l8d2XI4o6FACxSZPQoQKBgQCR
++8AvwSUoqIXDFaB22jpVEJYMb0hSfFxhYtGvIZF5MOJowa0L6UcnD//mp/xzSoXYR
++pppaj3R28VGxd7wnP0YRIl7XfAoKleMpbAtJRwKR458pO9WlQ9GwPeq/ENqw0xYx
++5M+d8pqUvYiHv/X00pYJllYKBkiS21sKawLJAFQTHQKBgQCJCwVHxvxkdQ8G0sU2
++Vtv2W38hWOSg5+cxa+g1W6My2LhX34RkgKzuaUpYMlWGHzILpxIxhPrVLk1ZIjil
++GIP969XJ1BjB/kFtLWdxXG8tH1If3JgzfSHUofPHF3CENoJYEZ1ugEfIPzWPZJDI
++DL5zP8gmBL9ZAOO/J9YacxWYMQ==
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
+-ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+-ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
+-JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
+-LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
+-J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
+-MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
+-untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
+-i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
+-A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
+-AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
+-Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
+-zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
+-9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
+-7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
+-Emsny2ah6fU2z7PztrUy/A80
++MIIDezCCAmOgAwIBAgIUBxh2L3ItsVPuBogDI0WfUX1lFnMwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
++NTEwMTUzMzEzWjBEMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEdMBsGA1UEAwwUVGVzdCBTL01JTUUgUlNBIFJvb3QwggEiMA0GCSqGSIb3DQEB
++AQUAA4IBDwAwggEKAoIBAQDZLSl8LdU54OUAT8ctFuKLShJul2IMzaEDkFLoL4ag
++ccajgvsRxW+8vbc2Re0y1mVMvfNz7Cg5a7KeiSuFJOrQtvDt+HkU5c706YDmw15m
++BpDSHapkXr80G/ABFbstWafOfagVW45wv65KH4cnpcqwrLhagmC8QG0KfWbf+Z2e
++fOxaGu/dTNA3Cnq/BQGTdlkQ28xbrvd+UbzgcY4Y/hJ7Fw1/IeEhgr/iVJhQIUAk
++lp9B+xqDfWuxIt5mNwWWh/Lfk+UxqE99EhQR0YZWyIKfKzbeJLBzDqY2hQzVL6kA
++vY9cR1WbBItTA0G2F5qZ9B/3EHEFWZMBvobt+UTEkuBdAgMBAAGjYzBhMB0GA1Ud
++DgQWBBQVwRMha+JVX6dqHVcg1s/zqXNkWTAfBgNVHSMEGDAWgBQVwRMha+JVX6dq
++HVcg1s/zqXNkWTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkq
++hkiG9w0BAQsFAAOCAQEAvdAmpDPi1Wt7Hk30dXKF7Ug6MUKETi+uoO1Suo9JhNko
++/cpvoi8fbo/dnWVDfHVoItEn644Svver5UJdKJY62DvhilpCtAywYfCpgxkpKoKE
++dnpjnRBSMcbVDImsqvf1YjzFKiOiD7kcVvz4V0NZY91ZWwu3vgaSvcTJQkpWN0a+
++LWanpVKqigl8nskttnBeiHDHGebxj3hawlIdtVlkbQwLLwlVkX99x1F73uS33IzB
++Y6+ZJ2is7mD839B8fOVd9pvPvBBgahIrw5tzJ/Q+gITuVQd9E6RVXh10/Aw+i/8S
++7tHpEUgP3hBk1P+wRQBWDxbHB28lE+41jvh3JObQWQ==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
+index d0d0b9e66b01..d32d88904788 100644
+--- a/test/smime-certs/smrsa1.pem
++++ b/test/smime-certs/smrsa1.pem
+@@ -1,49 +1,49 @@
+ -----BEGIN PRIVATE KEY-----
+-MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC
+-xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID
+-3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU
+-/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D
+-orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs
+-CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH
+-XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp
+-KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i
+-cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL
+-s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35
+-27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak
+-cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT
+-8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze
+-j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG
+-ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da
+-ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk
+-LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+
+-msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q
+-55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or
+-sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8
+-d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR
+-355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG
+-hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu
+-iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
+-1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn
+-zQpuMJliRlrq/5JkIbH6SA==
++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDax3T7alefZcbm
++CcdN0kEoBLwV8H25vre43RYjuPo64TBjeKUy27ayC1TXydF1eYm3HPrFYfkS0fZ6
++YK0xvwyxiQnesvcfnVe2fpXFPsl5RQvu1JKM7rJAuLC+YTRLez07IHhQnHQ25ZkR
+++B4SL5mIhuOSJ9yyFJYJQ3Kdw/aX/jtnWVR8p3FyghJptWIm90ufW4xWFY0yNSW1
++KmkZuOWF7VPh5RC1C7woB/RHhyD2gOP7tF+eDJ/QbX4iki4gPRFHuNrSV8ZpvDkI
++qqyF5BW8tyJneDkoWW8IuEpmNIzfbOCHvI6y7roeAmRrwH4/o5WxaEIsnQ/3pNvj
++n6+vA+nfAgMBAAECggEAFR5MHQQYCYjDXoDoI7YdgwA+AFIoGLjKYZu5yjX4tZv3
++gJ/si7sTaMlY5cGTU1HUPirxIVeCjv4Eha31BJ3KsGJ9jj6Gm0nOuzd/O+ctKeRv
++2/HaDvpFlk4dsCrlkjmxteuS9u5l9hygniWYutcBwjY0cRnMScZcm0VO+DVVMDj0
++9yNrFzhlmqV+ckawjK/J91r0uvnCVIsGA6akhlc5K0gwvFb/CC1WuceEeGx/38k3
++4OuiHtLyJfIlgyGD8C3QfJlMOBHeQ/DCo6GMqrOAad/chtcO7JklcJ+k2qylP2gu
++e25NJCQVh+L32b9WrH3quH6fbLIg8a8MmUWl6te3FQKBgQDddu0Dp8R8fe2WnAE5
++oXdASAf2BpthRNqUdYpkkO7gOV0MXCKIEiGZ+WuWEYmNlsXZCJRABprqLw9O/5Td
++2q+rCbdG9mSW2x82t/Ia4zd3r0RSHZyKbtOLtgmWfQkwVHy+rED8Juie5bNzHbjS
++1mYtFP2KDQ5yZA95yFg8ZtXOawKBgQD85VOPnfXGOJ783JHepAn4J2x1Edi+ZDQ+
++Ml9g2LwetI46dQ0bF6V8RtcyWp0+6+ydX5U4JKhERFDivolD7Z1KFmlNLPs0cqSX
++5g5kzTD+R+zpr9FRragYKyLdHsLP0ur75Rh5FQkUl2DmeKCMvMKAkio0cduVpVXT
++SvWUBtkHXQKBgBy4VoZZ1GZcolocwx/pK6DfdoDWXIIhvsLv91GRZhkX91QqAqRo
++zYi9StF8Vr1Q5zl9HlSrRp3GGpMhG/olaRCiQu1l+KeDpSmgczo/aysPRKntgyaE
++ttRweA/XCUEGQ+MqTYcluJcarMnp+dUFztxb04F6rfvxs/wUGjVDFMkfAoGBAK+F
++wx9UtPZk6gP6Wsu58qlnQ2Flh5dtGM1qTMR86OQu0OBFyVjaaqL8z/NE7Qp02H7J
++jlmvJ5JqD/Gv6Llau+Zl86P66kcWoqJCrA7OU4jJBueSfadA7gAIQGRUK0Xuz+UQ
++tpGjRfAiuMB9TIEhqaVuzRglRhBw9kZ2KkgZEJyJAoGBANrEpEwOhCv8Vt1Yiw6o
++co96wYj+0LARJXw6rIfEuLkthBRRoHqQMKqwIGMrwjHlHXPnQmajONzIJd+u+OS4
++psCGetAIGegd3xNVpK2uZv9QBWBpQbuofOh/c2Ctmm2phL2sVwCZ0qwIeXuBwJEc
++NOlOojKDO+dELErpShJgFIaU
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+-AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
+-2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
+-+W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
+-Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
+-bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
+-kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
+-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
+-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
+-dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
+-E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
+-WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
+-lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
+-GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
+-9Hjq6s316fk4Ne0EUF3PbA==
++MIIDeTCCAmGgAwIBAgIUM6U1Peo3wzfAJIrzINejJJfmRzkwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
++NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMxMIIBIjANBgkqhkiG9w0B
++AQEFAAOCAQ8AMIIBCgKCAQEA2sd0+2pXn2XG5gnHTdJBKAS8FfB9ub63uN0WI7j6
++OuEwY3ilMtu2sgtU18nRdXmJtxz6xWH5EtH2emCtMb8MsYkJ3rL3H51Xtn6VxT7J
++eUUL7tSSjO6yQLiwvmE0S3s9OyB4UJx0NuWZEfgeEi+ZiIbjkifcshSWCUNyncP2
++l/47Z1lUfKdxcoISabViJvdLn1uMVhWNMjUltSppGbjlhe1T4eUQtQu8KAf0R4cg
++9oDj+7Rfngyf0G1+IpIuID0RR7ja0lfGabw5CKqsheQVvLciZ3g5KFlvCLhKZjSM
++32zgh7yOsu66HgJka8B+P6OVsWhCLJ0P96Tb45+vrwPp3wIDAQABo2AwXjAMBgNV
++HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUHw4Us7FXwgLtZ1JB
++MOAHSkNYfEkwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
++hvcNAQELBQADggEBAAMAXEjTNo7evn6BvfEaG2q21q9xfFear/M0zxc5xcTj+WP+
++BKrlxXg5RlVFyvmzGhwZBERsDMJYa54aw8scDJsy/0zPdWST39dNev7xH13pP8nF
++QF4MGPKIqBzX8iDCqhz70p1w2ndLjz1dvsAqn6z9/Sh3T2kj6DfZY3jA49pMEim1
++vYd4lWa5AezU3+cLtBbo2c2iyG2W7SFpnNTjLX823f9rbVPnUb93ZI/tDXDIf5hL
++0hocZs+MWdC7Ly1Ru4PXa6+DeOM0z673me/Q27e24OBbG2eq5g7eW5euxJinGkpI
++XGGKTKrBCPxSdTtwSNHU9HsggT8a0wXL2QocZ3w=
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
+index 2f17cb2978f4..a7a21fc80fac 100644
+--- a/test/smime-certs/smrsa2.pem
++++ b/test/smime-certs/smrsa2.pem
+@@ -1,49 +1,49 @@
+ -----BEGIN PRIVATE KEY-----
+-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2
+-iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq
+-V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD
+-lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5
+-U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3
+-NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB
+-Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1
+-J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI
+-dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW
+-3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz
+-XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK
+-3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK
+-Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa
+-P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI
+-LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN
+-bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX
+-q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8
+-38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm
+-hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t
+-QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb
+-0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS
+-8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0
+-KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e
+-y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR
+-hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
+-yrLyf+8hjm6H6zkjqiOkHAl+
++MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDkoMi4sqj2mN8j
++SaFAibXEfeYYrzBHIdCm/uaXWit81fXOSFVw1rbeAppxz7bOcSEN50lpdP2UX3/b
++FYFD3exHXjvch9NPNgQaNkCqTNTuYa2L9wrpltXnon7tH3W/zZfF+/qpUSu1f6rk
++GyxjVXxLwjIawCX0rbLcdFCVVy+EyvQkvSxXjafrDMzshWzPDbtjUv3SH6avqrPn
++4NX0fv3BdBwTfDLAw/m8nN+9B9Mg0V7UNM1IJY/Vo5pLhv+MrEf8SnAS+1Wt43rT
++3PY9iMZMMWUswdgmPY0yCN95ggwNrSMGV60yvEDxINWuJoR8s0lybDdFa+AB5v4T
++hqKpspFNAgMBAAECggEAZmWu0K5QJ7Y7Rlo9ayLicsFyk36vUESQZ6MF0ybzEEPi
++BkR2ZAX+vDuNQckm1pprlAcRZbactl35bT3Z+fQE1cgaZoC8/x6xwq2m0796pNPB
++v0zjqdBBOLAaSgjLm56wyd88GqZ8vZsTBnw3KrxIYcP13e5OcaJ0V/GOf/yfD0lg
++Tq9i7V5Iq++Fpo2KvJA8FMgqcfhvhdo40rRykoBfzEZpBk4Ia/Yijsbx5sE15pFZ
++DfmsMbD+vViuM8IavHo61mBNyYeydwlgIMqUgP/6xbYUov/XSUojrLG+IQuvDx9D
++xzTHGM+IBJxQZMza/mDVcjUAcDEjWt/Mve8ibTQCbwKBgQDyaiGsURtlf/8xmmvT
++RQQFFFsJ8SXHNYmnceNULIjfDxpLk1yC4kBNUD+liAJscoVlOcByHmXQRtnY1PHq
++AwyrwplGd82773mtriDVFSjhD+GB7I0Hv2j+uiFZury0jR/6/AsWKCtTqd0opyuB
++8rGZjguiwZIjeyxd8mL1dncUHwKBgQDxcNxHUvIeDBvAmtK65xWUuLcqtK9BblBH
++YVA7p93RqX4E+w3J0OCvQRQ3r1GCMMzFEO0oOvNfMucU4rbQmx1pbzF8aQU+8iEW
++kYpaWUbPUQ2hmBblhjGYHsigt/BrzaW0QveVIWcGiyVVX9wiCzJH5moJlCRK2oHR
++B36hdlmNEwKBgQCSlWSpOx4y4RQiHXtn9Eq6+5UVTPGIJTKIwxAwnQFiyFIhMwl0
++x3UUixsBcF3uz80j6akaGJF+QOmH+TQTSibGUdS3TMhmBSfxwuJtlu7yMNUu6Chb
++b/4AUfLKvGVRVCjrbq8Rhda1L3jhFTz0xhlofgFBOIWy2M96O5BlV24oBwKBgQDs
++cf93ZfawkGEZVUXsPeQ3mlHe48YCCPtbfCSr13B3JErCq+5L52AyoUQgaHQlUI8o
++qrPmQx0V7O662G/6iP3bxEYtNVgq1cqrpGpeorGi1BjKWPyLWMj21abbJmev21xc
++1XxLMsQHd3tfSZp2SIq8OR09NjP4jla1k2Ziz1lRuwKBgQCUJXjhW4dPoOzC7DJK
++u4PsxcKkJDwwtfNudVDaHcbvvaHELTAkE2639vawH0TRwP6TDwmlbTQJP4EW+/0q
++13VcNXVAZSruA9dvxlh4vNUH3PzTDdFIJzGVbYbV9p5t++EQ7gRLuLZqs99BOzM9
++k6W9F60mEFz1Owh+lQv7WfSIVA==
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+-AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
+-AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
+-cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
+-0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
+-NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
+-EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
+-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
+-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
+-I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
+-Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
+-/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
+-XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
+-6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
+-NzYzLAPBkHCMY0Is3KKIBw==
++MIIDeTCCAmGgAwIBAgIUTMQXiTcI/rpzqO91NyFWpjLE3KkwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
++NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMyMIIBIjANBgkqhkiG9w0B
++AQEFAAOCAQ8AMIIBCgKCAQEA5KDIuLKo9pjfI0mhQIm1xH3mGK8wRyHQpv7ml1or
++fNX1zkhVcNa23gKacc+2znEhDedJaXT9lF9/2xWBQ93sR1473IfTTzYEGjZAqkzU
++7mGti/cK6ZbV56J+7R91v82Xxfv6qVErtX+q5BssY1V8S8IyGsAl9K2y3HRQlVcv
++hMr0JL0sV42n6wzM7IVszw27Y1L90h+mr6qz5+DV9H79wXQcE3wywMP5vJzfvQfT
++INFe1DTNSCWP1aOaS4b/jKxH/EpwEvtVreN609z2PYjGTDFlLMHYJj2NMgjfeYIM
++Da0jBletMrxA8SDVriaEfLNJcmw3RWvgAeb+E4aiqbKRTQIDAQABo2AwXjAMBgNV
++HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUSJ0v3SKahe6eKssR
++rBvYLBprFTgwHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
++hvcNAQELBQADggEBAKoyszyZ3DfCOIVzeJrnScXuMvRkVqO5aGmgZxtY9r6gPk8v
++gXaEFXDKqRbGqEnuwEjpew+SVZO8nrVpdIP7fydpufy7Cu91Ev4YL1ui5Vc66+IK
++7dXV7eZYcH/dDJBPZddHx9vGhcr0w8B1W9nldM3aQE/RQjOmMRDc7/Hnk0f0RzJp
++LA0adW3ry27z2s4qeCwkV9DNSh1KoGfcLwydBiXmJ1XINMFH/scD4pk9UeJpUL+5
++zvTaDzUmzLsI1gH3j/rlzJuNJ7EMfggKlfQdit9Qn6+6Gjk6T5jkZfzcq3LszuEA
++EFtkxWyBmmEgh4EmvZGAyrUvne1hIIksKe3iJ+E=
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
+index 14c27f64aa90..980d3af3b4c9 100644
+--- a/test/smime-certs/smrsa3.pem
++++ b/test/smime-certs/smrsa3.pem
+@@ -1,49 +1,49 @@
+ -----BEGIN PRIVATE KEY-----
+-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
+-OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
+-Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
+-63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
+-XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
+-vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
+-L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
+-lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
+-BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
+-OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
+-i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
+-snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
+-wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
+-8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
+-ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
+-oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
+-LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
+-yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
+-2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
+-RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
+-KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
+-isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
+-rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
+-IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
+-yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
+-RvOAi5wVkYylDxV4238MAZIq
++MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD5A/t3norj/167
++toKG1Ygtg3G+pZ4Nwl5a9flnm8JdSMW5TEEP1TSvDVIEuAVi7xqoAn6heypoaMkB
++GJ+AoSo9R7umdhhq2vnmWFNsdH6oDzynVXixyURo81YrN3sn9Xd55ivTiSpZXldi
++ECr2T0BYvOw0h497bPs6gY9LqgrBHNYVF3lFhdOmYWv+2qSdti+1gV3t24pv1CrK
++2AdX5Epdd5jR+eNnt+suZqoPC0hTcNjszJLcfDYFXHva9BcE0DfrgcYSmoSBU53M
++jt63TClK6ZoVcPJ7vXjFRHncvs1/d+nc9BdL9FsGI1ezspSwcJHqex2wgo76yDrq
++DE4s23rPAgMBAAECggEAEDi+VWD5VUpjD5zWOoPQiRDGBJBhtMAKkl6okxEmXvWb
++Xz3STFnjHgA1JFHW3bRU9BHI9k8vSHmnlnkfKb3V/ZX5IHNcKCHb/x9NBak+QLVQ
++0zLtfE9vxiTC0B/oac+MPaiD4hYFQ81pFwK6VS0Poi8ZCBJtOkRqfUvsyV8zZrgh
++/6cs4mwOVyZPFRgF9eWXYv7PJz8pNRizhII0iv9H/r2I3DzsZLPCg7c29mP+I/SG
++A7Pl82UXjtOc0KurGY2M5VheZjxJT/k/FLMkWY2GS5n6dfcyzsVSKb25HoeuvQsI
++vs1mKs+Onbobdc17hCcKVJzbi3DwXs5XDhrEzfHccQKBgQD88uBxVCRV31PsCN6I
++pKxQDGgz+1BqPqe7KMRiZI7HgDUK0eCM3/oG089/jsBtJcSxnScLSVNBjQ+xGiFi
++YCD4icQoJSzpqJyR6gDq5lTHASAe+9LWRW771MrtyACQWNXowYEyu8AjekrZkCUS
++wIKVpw57oWykzIoS7ixZsJ8gxwKBgQD8BPWqJEsLiQvOlS5E/g88eV1KTpxm9Xs+
++BbwsDXZ7m4Iw5lYaUu5CwBB/2jkGGRl8Q/EfAdUT7gXv3t6x5b1qMXaIczmRGYto
++NuI3AH2MPxAa7lg5TgBgie1r7PKwyPMfG3CtDx6n8W5sexgJpbIy5u7E+U6d8s1o
++c7EcsefduQKBgCkHJAx9v18GWFBip+W2ABUDzisQSlzRSNd8p03mTZpiWzgkDq4K
++7j0JQhDIkMGjbKH6gYi9Hfn17WOmf1+7g92MSvrP/NbxeGPadsejEIEu14zu/6Wt
++oXDLdRbYZ+8B2cBlEpWuCl42yck8Lic6fnPTou++oSah3otvglYR5d2lAoGACd8L
++3FE1m0sP6lSPjmZBJIZAcDOqDqJY5HIHD9arKGZL8CxlfPx4lqa9PrTGfQWoqORk
++YmmI9hHhq6aYJHGyPKGZWfjhbVyJyFg1/h+Hy2GA+P0S+ZOjkiR050BNtTz5wOMr
++Q6wO8FcVkywzIdWaqEHBYne9a5RiFVBKxKv3QAkCgYBxmCBKajFkMVb4Uc55WqJs
++Add0mctGgmZ1l5vq81eWe3wjM8wgfJgaD3Q3gwx2ABUX/R+OsVWSh4o5ZR86sYoz
++TviknBHF8GeDLjpT49+04fEaz336J2JOptF9zIpz7ZK1nrOEjzaZGtumReVjUP7X
++fNcb5iDYqZRzD8ixBbLxUw==
+ -----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+-AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
+-FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
+-STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
+-m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
+-v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
+-1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
+-VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
+-HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
+-JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
+-sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
+-VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
+-O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
+-tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
+-CscFo2Z2pYROGtZDmYqhRw==
++MIIDeTCCAmGgAwIBAgIUIDyc//j/LoNDesZTGbPBoVarv4EwDQYJKoZIhvcNAQEL
++BQAwRDELMAkGA1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxHTAbBgNV
++BAMMFFRlc3QgUy9NSU1FIFJTQSBSb290MCAXDTIyMDYwMjE1MzMxM1oYDzIxMjIw
++NTA5MTUzMzEzWjBFMQswCQYDVQQGEwJVSzEWMBQGA1UECgwNT3BlblNTTCBHcm91
++cDEeMBwGA1UEAwwVVGVzdCBTL01JTUUgRUUgUlNBICMzMIIBIjANBgkqhkiG9w0B
++AQEFAAOCAQ8AMIIBCgKCAQEA+QP7d56K4/9eu7aChtWILYNxvqWeDcJeWvX5Z5vC
++XUjFuUxBD9U0rw1SBLgFYu8aqAJ+oXsqaGjJARifgKEqPUe7pnYYatr55lhTbHR+
++qA88p1V4sclEaPNWKzd7J/V3eeYr04kqWV5XYhAq9k9AWLzsNIePe2z7OoGPS6oK
++wRzWFRd5RYXTpmFr/tqknbYvtYFd7duKb9QqytgHV+RKXXeY0fnjZ7frLmaqDwtI
++U3DY7MyS3Hw2BVx72vQXBNA364HGEpqEgVOdzI7et0wpSumaFXDye714xUR53L7N
++f3fp3PQXS/RbBiNXs7KUsHCR6nsdsIKO+sg66gxOLNt6zwIDAQABo2AwXjAMBgNV
++HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIF4DAdBgNVHQ4EFgQUN9pGq/UFS3o50rTi
++V+AYgAk+3R4wHwYDVR0jBBgwFoAUFcETIWviVV+nah1XINbP86lzZFkwDQYJKoZI
++hvcNAQELBQADggEBAGcOh380/6aJqMpYBssuf2CB3DX/hGKdvEF7fF8iNSfl5HHq
++112kHl3MhbL9Th/safJq9sLDJqjXRNdVCUJJbU4YI2P2gsi04paC0qxWxMLtzQLd
++CE7ki2xH94Fuu/dThbpzZBABROO1RrdI24GDGt9t4Gf0WVkobmT/zNlwGppKTIB2
++iV/Ug30iKr/C49UzwUIa+XXXujkjPTmGSnrKwVQNxQh81rb+iTL7GEnNuqDsatHW
++ZyLS2SaVdG5tMqDkITPMDGjehUzJcAbVc8Bv4m8Ukuov3uDj2Doc6MxlvrVkV0AE
++BcSCb/bWQJJ/X4LQZlx9cMk4NINxV9UeFPZOefg=
+ -----END CERTIFICATE-----
diff --git a/openssl-assembly-pack-accelerate-scalar-multiplication.patch b/openssl-assembly-pack-accelerate-scalar-multiplication.patch
new file mode 100644
index 0000000..374baa5
--- /dev/null
+++ b/openssl-assembly-pack-accelerate-scalar-multiplication.patch
@@ -0,0 +1,311 @@
+From 1461e66706f24da657d7322706d1165ae515533f Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 9 Jul 2019 10:25:04 +0200
+Subject: [PATCH 09204/10000] s390x assembly pack: accelerate scalar
+ multiplication
+
+for NIST P-256, P-384 and P-521 using PCC instruction.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9348)
+---
+ crypto/ec/build.info        |   3 +-
+ crypto/ec/ec_curve.c        |  42 +++++---
+ crypto/ec/ec_local.h        |   5 +
+ crypto/ec/ecp_s390x_nistp.c | 197 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 234 insertions(+), 13 deletions(-)
+ create mode 100644 crypto/ec/ecp_s390x_nistp.c
+
+Index: openssl-1.1.1d/crypto/ec/ec_curve.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ec_curve.c
++++ openssl-1.1.1d/crypto/ec/ec_curve.c
+@@ -2829,16 +2829,25 @@ static const ec_list_element curve_list[
+     {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0,
+      "SECG curve over a 256 bit prime field"},
+     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+-    {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0,
++    {NID_secp384r1, &_EC_NIST_PRIME_384.h,
++# if defined(S390X_NISTP_ASM)
++     EC_GFp_s390x_nistp384_method,
++# else
++     0,
++# endif
+      "NIST/SECG curve over a 384 bit prime field"},
+-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method,
+-     "NIST/SECG curve over a 521 bit prime field"},
++
++     {NID_secp521r1, &_EC_NIST_PRIME_521.h,
++# if defined(S390X_NISTP_ASM)
++     EC_GFp_s390x_nistp521_method,
++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
++     EC_GFp_nistp521_method,
+ #else
+-    {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0,
+-     "NIST/SECG curve over a 521 bit prime field"},
++     0,
+ #endif
+-    /* X9.62 curves */
++      "NIST/SECG curve over a 521 bit prime field"},
++
++     /* X9.62 curves */
+     {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0,
+      "NIST/X9.62/SECG curve over a 192 bit prime field"},
+     {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0,
+@@ -2854,6 +2863,8 @@ static const ec_list_element curve_list[
+     {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+      EC_GFp_nistz256_method,
++# elif defined(S390X_NISTP_ASM)
++     EC_GFp_s390x_nistp256_method,
+ #elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+      EC_GFp_nistp256_method,
+ #else
+Index: openssl-1.1.1d/crypto/ec/ec_local.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ec_local.h
++++ openssl-1.1.1d/crypto/ec/ec_local.h
+@@ -587,6 +587,11 @@ int ec_group_simple_order_bits(const EC_
+  */
+ const EC_METHOD *EC_GFp_nistz256_method(void);
+ #endif
++#ifdef S390X_NISTP_ASM
++const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
++const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
++const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
++#endif
+ 
+ size_t ec_key_simple_priv2oct(const EC_KEY *eckey,
+                               unsigned char *buf, size_t len);
+Index: openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1d/crypto/ec/ecp_s390x_nistp.c
+@@ -0,0 +1,197 @@
++/*
++ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <stdlib.h>
++#include <string.h>
++#include <openssl/err.h>
++#include "ec_local.h"
++#include "s390x_arch.h"
++
++/* Size of parameter blocks */
++#define S390X_SIZE_PARAM                4096
++
++/* Size of fields in parameter blocks */
++#define S390X_SIZE_P256                 32
++#define S390X_SIZE_P384                 48
++#define S390X_SIZE_P521                 80
++
++/* Offsets of fields in PCC parameter blocks */
++#define S390X_OFF_RES_X(n)              (0 * n)
++#define S390X_OFF_RES_Y(n)              (1 * n)
++#define S390X_OFF_SRC_X(n)              (2 * n)
++#define S390X_OFF_SRC_Y(n)              (3 * n)
++#define S390X_OFF_SCALAR(n)             (4 * n)
++
++static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
++                                  const BIGNUM *scalar,
++                                  size_t num, const EC_POINT *points[],
++                                  const BIGNUM *scalars[],
++                                  BN_CTX *ctx, unsigned int fc, int len)
++{
++    unsigned char param[S390X_SIZE_PARAM];
++    BIGNUM *x, *y;
++    const EC_POINT *point_ptr = NULL;
++    const BIGNUM *scalar_ptr = NULL;
++    BN_CTX *new_ctx = NULL;
++    int rc = -1;
++
++    if (ctx == NULL) {
++        ctx = new_ctx = BN_CTX_new();
++        if (ctx == NULL)
++            return 0;
++    }
++
++    BN_CTX_start(ctx);
++
++    x = BN_CTX_get(ctx);
++    y = BN_CTX_get(ctx);
++    if (x == NULL || y == NULL) {
++        rc = 0;
++        goto ret;
++    }
++
++    /*
++     * Use PCC for EC keygen and ECDH key derivation:
++     * scalar * generator and scalar * peer public key,
++     * scalar in [0,order).
++     */
++    if ((scalar != NULL && num == 0 && BN_is_negative(scalar) == 0)
++        || (scalar == NULL && num == 1 && BN_is_negative(scalars[0]) == 0)) {
++
++        if (num == 0) {
++            point_ptr = EC_GROUP_get0_generator(group);
++            scalar_ptr = scalar;
++        } else {
++            point_ptr = points[0];
++            scalar_ptr = scalars[0];
++        }
++
++        if (EC_POINT_is_at_infinity(group, point_ptr) == 1
++            || BN_is_zero(scalar_ptr)) {
++            rc = EC_POINT_set_to_infinity(group, r);
++            goto ret;
++        }
++
++        memset(&param, 0, sizeof(param));
++
++        if (group->meth->point_get_affine_coordinates(group, point_ptr,
++                                                      x, y, ctx) != 1
++            || BN_bn2binpad(x, param + S390X_OFF_SRC_X(len), len) == -1
++            || BN_bn2binpad(y, param + S390X_OFF_SRC_Y(len), len) == -1
++            || BN_bn2binpad(scalar_ptr,
++                            param + S390X_OFF_SCALAR(len), len) == -1
++            || s390x_pcc(fc, param) != 0
++            || BN_bin2bn(param + S390X_OFF_RES_X(len), len, x) == NULL
++            || BN_bin2bn(param + S390X_OFF_RES_Y(len), len, y) == NULL
++            || group->meth->point_set_affine_coordinates(group, r,
++                                                         x, y, ctx) != 1)
++            goto ret;
++
++        rc = 1;
++    }
++
++ret:
++    /* Otherwise use default. */
++    if (rc == -1)
++        rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
++    OPENSSL_cleanse(param, sizeof(param));
++    BN_CTX_end(ctx);
++    BN_CTX_free(new_ctx);
++    return rc;
++}
++
++#define EC_GFP_S390X_NISTP_METHOD(bits)                                 \
++                                                                        \
++static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group,        \
++                                          EC_POINT *r,                  \
++                                          const BIGNUM *scalar,         \
++                                          size_t num,                   \
++                                          const EC_POINT *points[],     \
++                                          const BIGNUM *scalars[],      \
++                                          BN_CTX *ctx)                  \
++{                                                                       \
++    return ec_GFp_s390x_nistp_mul(group, r, scalar, num, points,        \
++                                  scalars, ctx,                         \
++                                  S390X_SCALAR_MULTIPLY_P##bits,        \
++                                  S390X_SIZE_P##bits);                  \
++}                                                                       \
++                                                                        \
++const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
++{                                                                       \
++    static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = {          \
++        EC_FLAGS_DEFAULT_OCT,                                           \
++        NID_X9_62_prime_field,                                          \
++        ec_GFp_simple_group_init,                                       \
++        ec_GFp_simple_group_finish,                                     \
++        ec_GFp_simple_group_clear_finish,                               \
++        ec_GFp_simple_group_copy,                                       \
++        ec_GFp_simple_group_set_curve,                                  \
++        ec_GFp_simple_group_get_curve,                                  \
++        ec_GFp_simple_group_get_degree,                                 \
++        ec_group_simple_order_bits,                                     \
++        ec_GFp_simple_group_check_discriminant,                         \
++        ec_GFp_simple_point_init,                                       \
++        ec_GFp_simple_point_finish,                                     \
++        ec_GFp_simple_point_clear_finish,                               \
++        ec_GFp_simple_point_copy,                                       \
++        ec_GFp_simple_point_set_to_infinity,                            \
++        ec_GFp_simple_set_Jprojective_coordinates_GFp,                  \
++        ec_GFp_simple_get_Jprojective_coordinates_GFp,                  \
++        ec_GFp_simple_point_set_affine_coordinates,                     \
++        ec_GFp_simple_point_get_affine_coordinates,                     \
++        NULL, /* point_set_compressed_coordinates */                    \
++        NULL, /* point2oct */                                           \
++        NULL, /* oct2point */                                           \
++        ec_GFp_simple_add,                                              \
++        ec_GFp_simple_dbl,                                              \
++        ec_GFp_simple_invert,                                           \
++        ec_GFp_simple_is_at_infinity,                                   \
++        ec_GFp_simple_is_on_curve,                                      \
++        ec_GFp_simple_cmp,                                              \
++        ec_GFp_simple_make_affine,                                      \
++        ec_GFp_simple_points_make_affine,                               \
++        ec_GFp_s390x_nistp##bits##_mul,                                 \
++        NULL, /* precompute_mult */                                     \
++        NULL, /* have_precompute_mult */                                \
++        ec_GFp_simple_field_mul,                                        \
++        ec_GFp_simple_field_sqr,                                        \
++        NULL, /* field_div */                                           \
++        ec_GFp_simple_field_inv,                                        \
++        NULL, /* field_encode */                                        \
++        NULL, /* field_decode */                                        \
++        NULL, /* field_set_to_one */                                    \
++        ec_key_simple_priv2oct,                                         \
++        ec_key_simple_oct2priv,                                         \
++        NULL, /* set_private */                                         \
++        ec_key_simple_generate_key,                                     \
++        ec_key_simple_check_key,                                        \
++        ec_key_simple_generate_public_key,                              \
++        NULL, /* keycopy */                                             \
++        NULL, /* keyfinish */                                           \
++        ecdh_simple_compute_key,                                        \
++        NULL, /* field_inverse_mod_ord */                               \
++        ec_GFp_simple_blind_coordinates,                                \
++        ec_GFp_simple_ladder_pre,                                       \
++        ec_GFp_simple_ladder_step,                                      \
++        ec_GFp_simple_ladder_post                                       \
++    };                                                                  \
++    static const EC_METHOD *ret;                                        \
++                                                                        \
++    if (OPENSSL_s390xcap_P.pcc[1]                                       \
++        & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits))                  \
++        ret = &EC_GFp_s390x_nistp##bits##_meth;                         \
++    else                                                                \
++        ret = EC_GFp_mont_method();                                     \
++                                                                        \
++    return ret;                                                         \
++}
++
++EC_GFP_S390X_NISTP_METHOD(256)
++EC_GFP_S390X_NISTP_METHOD(384)
++EC_GFP_S390X_NISTP_METHOD(521)
+Index: openssl-1.1.1d/Configurations/00-base-templates.conf
+===================================================================
+--- openssl-1.1.1d.orig/Configurations/00-base-templates.conf
++++ openssl-1.1.1d/Configurations/00-base-templates.conf
+@@ -289,6 +289,7 @@ my %targets=(
+ 	template	=> 1,
+ 	cpuid_asm_src   => "s390xcap.c s390xcpuid.S",
+ 	bn_asm_src      => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
++	ec_asm_src      => "ecp_s390x_nistp.c",
+ 	aes_asm_src     => "aes-s390x.S aes-ctr.fake aes-xts.fake",
+ 	sha1_asm_src    => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
+ 	rc4_asm_src     => "rc4-s390x.s",
+Index: openssl-1.1.1d/Configure
+===================================================================
+--- openssl-1.1.1d.orig/Configure
++++ openssl-1.1.1d/Configure
+@@ -1400,6 +1400,9 @@ unless ($disabled{asm}) {
+     if ($target{ec_asm_src} =~ /x25519/) {
+         push @{$config{lib_defines}}, "X25519_ASM";
+     }
++    if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) {
++        push @{$config{lib_defines}}, "S390X_NISTP_ASM";
++    }
+     if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) {
+         push @{$config{dso_defines}}, "PADLOCK_ASM";
+     }
diff --git a/openssl-fips-DH_selftest_shared_secret_KAT.patch b/openssl-fips-DH_selftest_shared_secret_KAT.patch
new file mode 100644
index 0000000..80308cb
--- /dev/null
+++ b/openssl-fips-DH_selftest_shared_secret_KAT.patch
@@ -0,0 +1,82 @@
+Index: openssl-1.1.1d/crypto/fips/fips_dh_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_dh_selftest.c	2020-09-08 20:40:41.313074570 +0200
++++ openssl-1.1.1d/crypto/fips/fips_dh_selftest.c	2020-09-08 20:41:05.337219024 +0200
+@@ -119,6 +119,41 @@ static const unsigned char dh_test_2048_
+     0xEC, 0x55, 0xF6, 0xCC
+ };
+ 
++static const unsigned char dh_test_2048_shared_secret[] = {
++    0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc,
++    0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb,
++    0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0,
++    0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8,
++    0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc,
++    0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03,
++    0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14,
++    0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c,
++    0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe,
++    0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b,
++    0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef,
++    0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57,
++    0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8,
++    0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74,
++    0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa,
++    0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5,
++    0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc,
++    0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92,
++    0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc,
++    0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb,
++    0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a,
++    0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87,
++    0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31,
++    0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a,
++    0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0,
++    0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa,
++    0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8,
++    0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28,
++    0x23, 0xa1, 0x30, 0x57, 0xf0, 0x2e, 0x24, 0xf0,
++    0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76,
++    0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e,
++    0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b
++};
++
+ int FIPS_selftest_dh()
+ {
+     DH *dh = NULL;
+@@ -127,6 +162,7 @@ int FIPS_selftest_dh()
+     int len;
+     BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL;
+     const BIGNUM *pub_key;
++    unsigned char *shared_secret = NULL;
+ 
+     fips_load_key_component(p, dh_test_2048);
+     fips_load_key_component(g, dh_test_2048);
+@@ -162,6 +198,19 @@ int FIPS_selftest_dh()
+         memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0)
+         goto err;
+ 
++    /* Shared secret KAT test */
++    len = DH_size(dh);
++    if ((shared_secret = OPENSSL_malloc(len)) == NULL)
++        goto err;
++
++    if ((len = DH_compute_key(shared_secret, pub_key, dh)) == -1)
++        goto err;
++
++    if (len != sizeof(dh_test_2048_shared_secret) ||
++       (memcmp(shared_secret, dh_test_2048_shared_secret, len) != 0)) {
++        goto err;
++    }
++
+     ret = 1;
+ 
+  err:
+@@ -175,6 +224,7 @@ int FIPS_selftest_dh()
+     }
+ 
+     OPENSSL_free(pub_key_bin);
++    OPENSSL_free(shared_secret);
+     return ret;
+ }
+ #endif
diff --git a/openssl-fips-add-SHA3-selftest.patch b/openssl-fips-add-SHA3-selftest.patch
new file mode 100644
index 0000000..3c479b2
--- /dev/null
+++ b/openssl-fips-add-SHA3-selftest.patch
@@ -0,0 +1,347 @@
+Index: openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips_hmac_selftest.c
++++ openssl-1.1.1d/crypto/fips/fips_hmac_selftest.c
+@@ -55,12 +55,23 @@
+ #include <openssl/hmac.h>
+ 
+ #ifdef OPENSSL_FIPS
++
++#define MAX_SHA3_KEY_LENGTH 200
++
+ typedef struct {
+     const EVP_MD *(*alg) (void);
+     const char *key, *iv;
+     unsigned char kaval[EVP_MAX_MD_SIZE];
+ } HMAC_KAT;
+ 
++typedef struct {
++    const EVP_MD *(*alg) (void);
++    unsigned char key[MAX_SHA3_KEY_LENGTH];
++    size_t keylen; /* strlen() doesn't work with NIST test vector keys */
++    const char *iv;
++    unsigned char kaval[EVP_MAX_MD_SIZE];
++} HMAC_KAT_SHA3;
++
+ static const HMAC_KAT vector[] = {
+     {EVP_sha1,
+      /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */
+@@ -111,6 +122,289 @@ static const HMAC_KAT vector[] = {
+      },
+ };
+ 
++static const HMAC_KAT_SHA3 vector_SHA3[] = {
++    /* using SHA3-224 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-224.pdf */
++    {EVP_sha3_224,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b},
++     0x1c,
++     "Sample message for keylen<blocklen",
++     {0x33, 0x2c, 0xfd, 0x59, 0x34, 0x7f, 0xdb, 0x8e,
++      0x57, 0x6e, 0x77, 0x26, 0x0b, 0xe4, 0xab, 0xa2,
++      0xd6, 0xdc, 0x53, 0x11, 0x7b, 0x3b, 0xfb, 0x52,
++      0xc6, 0xd1, 0x8c, 0x04}
++     },
++    {EVP_sha3_224,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
++      0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f},
++     0x90,
++     "Sample message for keylen=blocklen",
++     {0xd8, 0xb7, 0x33, 0xbc, 0xf6, 0x6c, 0x64, 0x4a,
++      0x12, 0x32, 0x3d, 0x56, 0x4e, 0x24, 0xdc, 0xf3,
++      0xfc, 0x75, 0xf2, 0x31, 0xf3, 0xb6, 0x79, 0x68,
++      0x35, 0x91, 0x00, 0xc7}
++     },
++    {EVP_sha3_224,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
++      0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
++      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
++      0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
++      0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
++      0xa8, 0xa9, 0xaa, 0xab},
++     0xac,
++     "Sample message for keylen>blocklen",
++     {0x07, 0x86, 0x95, 0xee, 0xcc, 0x22, 0x7c, 0x63,
++      0x6a, 0xd3, 0x1d, 0x06, 0x3a, 0x15, 0xdd, 0x05,
++      0xa7, 0xe8, 0x19, 0xa6, 0x6e, 0xc6, 0xd8, 0xde,
++      0x1e, 0x19, 0x3e, 0x59},
++    },
++    /* using SHA3-256 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-256.pdf */
++    {EVP_sha3_256,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f},
++     0x30,
++     "Sample message for keylen<blocklen",
++     {0x4f, 0xe8, 0xe2, 0x02, 0xc4, 0xf0, 0x58, 0xe8,
++      0xdd, 0xdc, 0x23, 0xd8, 0xc3, 0x4e, 0x46, 0x73,
++      0x43, 0xe2, 0x35, 0x55, 0xe2, 0x4f, 0xc2, 0xf0,
++      0x25, 0xd5, 0x98, 0xf5, 0x58, 0xf6, 0x72, 0x05}
++     },
++    {EVP_sha3_256,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87},
++     0x88,
++     "Sample message for keylen=blocklen",
++     {0x68, 0xb9, 0x4e, 0x2e, 0x53, 0x8a, 0x9b, 0xe4,
++      0x10, 0x3b, 0xeb, 0xb5, 0xaa, 0x01, 0x6d, 0x47,
++      0x96, 0x1d, 0x4d, 0x1a, 0xa9, 0x06, 0x06, 0x13,
++      0x13, 0xb5, 0x57, 0xf8, 0xaf, 0x2c, 0x3f, 0xaa},
++     },
++    {EVP_sha3_256,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
++      0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
++      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
++      0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
++      0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7},
++     0xa8,
++     "Sample message for keylen>blocklen",
++     {0x9b, 0xcf, 0x2c, 0x23, 0x8e, 0x23, 0x5c, 0x3c,
++      0xe8, 0x84, 0x04, 0xe8, 0x13, 0xbd, 0x2f, 0x3a,
++      0x97, 0x18, 0x5a, 0xc6, 0xf2, 0x38, 0xc6, 0x3d,
++      0x62, 0x29, 0xa0, 0x0b, 0x07, 0x97, 0x42, 0x58},
++    },
++    /* using SHA3-384 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-384.pdf */
++    {EVP_sha3_384,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f},
++     0x30,
++     "Sample message for keylen<blocklen",
++     {0xd5, 0x88, 0xa3, 0xc5, 0x1f, 0x3f, 0x2d, 0x90,
++      0x6e, 0x82, 0x98, 0xc1, 0x19, 0x9a, 0xa8, 0xff,
++      0x62, 0x96, 0x21, 0x81, 0x27, 0xf6, 0xb3, 0x8a,
++      0x90, 0xb6, 0xaf, 0xe2, 0xc5, 0x61, 0x77, 0x25,
++      0xbc, 0x99, 0x98, 0x7f, 0x79, 0xb2, 0x2a, 0x55,
++      0x7b, 0x65, 0x20, 0xdb, 0x71, 0x0b, 0x7f, 0x42}
++     },
++    {EVP_sha3_384,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67},
++     0x68,
++     "Sample message for keylen=blocklen",
++     {0xa2, 0x7d, 0x24, 0xb5, 0x92, 0xe8, 0xc8, 0xcb,
++      0xf6, 0xd4, 0xce, 0x6f, 0xc5, 0xbf, 0x62, 0xd8,
++      0xfc, 0x98, 0xbf, 0x2d, 0x48, 0x66, 0x40, 0xd9,
++      0xeb, 0x80, 0x99, 0xe2, 0x40, 0x47, 0x83, 0x7f,
++      0x5f, 0x3b, 0xff, 0xbe, 0x92, 0xdc, 0xce, 0x90,
++      0xb4, 0xed, 0x5b, 0x1e, 0x7e, 0x44, 0xfa, 0x90},
++     },
++    {EVP_sha3_384,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
++      0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
++      0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97},
++     0x98,
++     "Sample message for keylen>blocklen",
++     {0xe5, 0xae, 0x4c, 0x73, 0x9f, 0x45, 0x52, 0x79,
++      0x36, 0x8e, 0xbf, 0x36, 0xd4, 0xf5, 0x35, 0x4c,
++      0x95, 0xaa, 0x18, 0x4c, 0x89, 0x9d, 0x38, 0x70,
++      0xe4, 0x60, 0xeb, 0xc2, 0x88, 0xef, 0x1f, 0x94,
++      0x70, 0x05, 0x3f, 0x73, 0xf7, 0xc6, 0xda, 0x2a,
++      0x71, 0xbc, 0xae, 0xc3, 0x8c, 0xe7, 0xd6, 0xac},
++    },
++
++
++
++    /* using SHA3-512 from https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Standards-and-Guidelines/documents/examples/HMAC_SHA3-512.pdf */
++    {EVP_sha3_512,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f},
++     0x40,
++     "Sample message for keylen<blocklen",
++     {0x4e, 0xfd, 0x62, 0x9d, 0x6c, 0x71, 0xbf, 0x86,
++      0x16, 0x26, 0x58, 0xf2, 0x99, 0x43, 0xb1, 0xc3,
++      0x08, 0xce, 0x27, 0xcd, 0xfa, 0x6d, 0xb0, 0xd9,
++      0xc3, 0xce, 0x81, 0x76, 0x3f, 0x9c, 0xbc, 0xe5,
++      0xf7, 0xeb, 0xe9, 0x86, 0x80, 0x31, 0xdb, 0x1a,
++      0x8f, 0x8e, 0xb7, 0xb6, 0xb9, 0x5e, 0x5c, 0x5e,
++      0x3f, 0x65, 0x7a, 0x89, 0x96, 0xc8, 0x6a, 0x2f,
++      0x65, 0x27, 0xe3, 0x07, 0xf0, 0x21, 0x31, 0x96}
++     },
++    {EVP_sha3_512,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47},
++     0x48,
++     "Sample message for keylen=blocklen",
++     {0x54, 0x4e, 0x25, 0x7e, 0xa2, 0xa3, 0xe5, 0xea,
++      0x19, 0xa5, 0x90, 0xe6, 0xa2, 0x4b, 0x72, 0x4c,
++      0xe6, 0x32, 0x77, 0x57, 0x72, 0x3f, 0xe2, 0x75,
++      0x1b, 0x75, 0xbf, 0x00, 0x7d, 0x80, 0xf6, 0xb3,
++      0x60, 0x74, 0x4b, 0xf1, 0xb7, 0xa8, 0x8e, 0xa5,
++      0x85, 0xf9, 0x76, 0x5b, 0x47, 0x91, 0x19, 0x76,
++      0xd3, 0x19, 0x1c, 0xf8, 0x3c, 0x03, 0x9f, 0x5f,
++      0xfa, 0xb0, 0xd2, 0x9c, 0xc9, 0xd9, 0xb6, 0xda},
++     },
++    {EVP_sha3_512,
++     {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
++      0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
++      0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
++      0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
++      0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
++      0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
++      0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37,
++      0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f,
++      0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
++      0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f,
++      0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,
++      0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
++      0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67,
++      0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f,
++      0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
++      0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f,
++      0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87},
++     0x88,
++     "Sample message for keylen>blocklen",
++     {0x5f, 0x46, 0x4f, 0x5e, 0x5b, 0x78, 0x48, 0xe3,
++      0x88, 0x5e, 0x49, 0xb2, 0xc3, 0x85, 0xf0, 0x69,
++      0x49, 0x85, 0xd0, 0xe3, 0x89, 0x66, 0x24, 0x2d,
++      0xc4, 0xa5, 0xfe, 0x3f, 0xea, 0x4b, 0x37, 0xd4,
++      0x6b, 0x65, 0xce, 0xce, 0xd5, 0xdc, 0xf5, 0x94,
++      0x38, 0xdd, 0x84, 0x0b, 0xab, 0x22, 0x26, 0x9f,
++      0x0b, 0xa7, 0xfe, 0xbd, 0xb9, 0xfc, 0xf7, 0x46,
++      0x02, 0xa3, 0x56, 0x66, 0xb2, 0xa3, 0x29, 0x15},
++    },
++};
++
++
+ int FIPS_selftest_hmac()
+ {
+     int n;
+@@ -118,7 +412,9 @@ int FIPS_selftest_hmac()
+     unsigned char out[EVP_MAX_MD_SIZE];
+     const EVP_MD *md;
+     const HMAC_KAT *t;
++    const HMAC_KAT_SHA3 *t3;
+ 
++    /* SHA1 and SHA2 */
+     for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) {
+         md = (*t->alg) ();
+         HMAC(md, t->key, strlen(t->key),
+@@ -128,6 +424,18 @@ int FIPS_selftest_hmac()
+             FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
+             return 0;
+         }
++    }
++
++    /* SHA3 */
++    for (n = 0, t3 = vector_SHA3; n < sizeof(vector_SHA3) / sizeof(vector_SHA3[0]); n++, t3++) {
++        md = (*t3->alg) ();
++        HMAC(md, t3->key, t3->keylen,
++             (const unsigned char *)t3->iv, strlen(t3->iv), out, &outlen);
++
++        if (memcmp(out, t3->kaval, outlen)) {
++            FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED);
++            return 0;
++        }
+     }
+     return 1;
+ }
diff --git a/openssl-fips-clearerror.patch b/openssl-fips-clearerror.patch
new file mode 100644
index 0000000..cf385c7
--- /dev/null
+++ b/openssl-fips-clearerror.patch
@@ -0,0 +1,12 @@
+Index: openssl-1.1.1d/crypto/o_init.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/o_init.c	2020-01-23 13:45:11.556634952 +0100
++++ openssl-1.1.1d/crypto/o_init.c	2020-01-23 13:45:11.572635047 +0100
+@@ -49,6 +49,7 @@ static void init_fips_mode(void)
+         NONFIPS_selftest_check();
+         /* drop down to non-FIPS mode if it is not requested */
+         FIPS_mode_set(0);
++        ERR_clear_error();
+     } else {
+         /* abort if selftest failed */
+         FIPS_selftest_check();
diff --git a/openssl-fips-ignore_broken_atexit_test.patch b/openssl-fips-ignore_broken_atexit_test.patch
new file mode 100644
index 0000000..25e2a58
--- /dev/null
+++ b/openssl-fips-ignore_broken_atexit_test.patch
@@ -0,0 +1,22 @@
+Index: openssl-1.1.1d/test/recipes/90-test_shlibload.t
+===================================================================
+--- openssl-1.1.1d.orig/test/recipes/90-test_shlibload.t	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/recipes/90-test_shlibload.t	2020-01-23 15:22:27.355814857 +0100
+@@ -23,7 +23,7 @@ plan skip_all => "Test is disabled on AI
+ plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|;
+ plan skip_all => "Test only supported in a dso build" if disabled("dso");
+ 
+-plan tests => 10;
++plan tests => 9;
+ 
+ # When libssl and libcrypto are compiled on Linux with "-rpath", but not
+ # "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH,
+@@ -56,7 +56,7 @@ unlink $filename;
+ ($fh, $filename) = tempfile();
+ ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])),
+    "running shlibloadtest -no_atexit $filename");
+-ok(!check_atexit($fh));
++#ok(!check_atexit($fh));
+ unlink $filename;
+ 
+ sub shlib {
diff --git a/openssl-fips-kdf-hkdf-selftest.patch b/openssl-fips-kdf-hkdf-selftest.patch
new file mode 100644
index 0000000..e34e68e
--- /dev/null
+++ b/openssl-fips-kdf-hkdf-selftest.patch
@@ -0,0 +1,103 @@
+Index: openssl-1.1.1m/crypto/fips/fips_err.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_err.h
++++ openssl-1.1.1m/crypto/fips/fips_err.h
+@@ -114,6 +114,7 @@ static ERR_STRING_DATA FIPS_str_functs[]
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+     {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
+Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c
++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+@@ -16,6 +16,49 @@
+ #include <openssl/kdf.h>
+ 
+ #ifdef OPENSSL_FIPS
++
++int FIPS_selftest_hkdf(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[10];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
++                     "label", (size_t)5) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
++        };
++        if (memcmp(out, expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++err:
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
+ int FIPS_selftest_pbkdf2(void)
+ {
+     int ret = 0;
+Index: openssl-1.1.1m/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1m/crypto/fips/fips_post.c
+@@ -110,6 +110,8 @@ int FIPS_selftest(void)
+         rv = 0;
+     if (!FIPS_selftest_ssh())
+         rv = 0;
++    if (!FIPS_selftest_hkdf())
++        rv = 0;
+ 
+     return rv;
+ }
+Index: openssl-1.1.1m/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/fips.h
++++ openssl-1.1.1m/include/openssl/fips.h
+@@ -127,6 +127,7 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
+ # define FIPS_F_FIPS_SELFTEST_TLS                         153
+ # define FIPS_F_FIPS_SELFTEST_SSH                         154
++# define FIPS_F_FIPS_SELFTEST_HKDF                        155
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
+Index: openssl-1.1.1m/include/crypto/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/crypto/fips.h
++++ openssl-1.1.1m/include/crypto/fips.h
+@@ -79,6 +79,7 @@ int FIPS_selftest_cmac(void);
+ int FIPS_selftest_pbkdf2(void);
+ int FIPS_selftest_tls(void);
+ int FIPS_selftest_ssh(void);
++int FIPS_selftest_hkdf(void);
+ 
+ int fips_in_post(void);
+ 
diff --git a/openssl-fips-run_selftests_only_when_module_is_complete.patch b/openssl-fips-run_selftests_only_when_module_is_complete.patch
new file mode 100644
index 0000000..fc105aa
--- /dev/null
+++ b/openssl-fips-run_selftests_only_when_module_is_complete.patch
@@ -0,0 +1,24 @@
+Index: openssl-1.1.1d/crypto/fips/fips.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips.c	2020-01-23 13:45:11.368633835 +0100
++++ openssl-1.1.1d/crypto/fips/fips.c	2020-01-23 13:45:21.316692954 +0100
+@@ -454,15 +454,15 @@ int FIPS_module_mode_set(int onoff)
+ 
+         fips_post = 1;
+ 
+-        if (!FIPS_selftest()) {
++        if (!verify_checksums()) {
++            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
++                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
+             fips_selftest_fail = 1;
+             ret = 0;
+             goto end;
+         }
+ 
+-        if (!verify_checksums()) {
+-            FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
+-                    FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
++        if (!FIPS_selftest()) {
+             fips_selftest_fail = 1;
+             ret = 0;
+             goto end;
diff --git a/openssl-fips-selftests_in_nonfips_mode.patch b/openssl-fips-selftests_in_nonfips_mode.patch
new file mode 100644
index 0000000..b98371b
--- /dev/null
+++ b/openssl-fips-selftests_in_nonfips_mode.patch
@@ -0,0 +1,74 @@
+Index: openssl-1.1.1d/crypto/fips/fips.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/fips.c	2020-01-23 13:45:11.416634119 +0100
++++ openssl-1.1.1d/crypto/fips/fips.c	2020-01-23 13:45:11.556634952 +0100
+@@ -486,6 +486,44 @@ int FIPS_module_mode_set(int onoff)
+     return ret;
+ }
+ 
++/* In non-FIPS mode, the selftests must succeed if the
++ * checksum files are present
++ */
++void NONFIPS_selftest_check(void)
++{
++        int rv;
++	char *hmacpath;
++        char path[PATH_MAX+1];
++
++        if (fips_selftest_fail)
++	     {
++                /* check if the checksum files are installed */
++                rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER, "FIPS_mode_set", path, sizeof(path));
++                if (rv < 0)
++                        OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
++
++                hmacpath = make_hmac_path(path);
++	        if (hmacpath == NULL)
++                        OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
++
++                if (access(hmacpath, F_OK))
++                    {
++                        /* no hmac file is present, ignore the failed selftests */
++                        if (errno == ENOENT)
++                            {
++                                free(hmacpath);
++                                return;
++                            }
++                        /* we fail on any other error */
++                    }
++                /* if the file exists, but the selftests failed
++                   (eg wrong checksum), we fail too */
++                free(hmacpath);
++                OpenSSLDie(__FILE__,__LINE__, "FATAL FIPS SELFTEST FAILURE");
++	     }
++        /* otherwise ok, selftests were successful */
++}
++
+ static CRYPTO_THREAD_ID fips_threadid;
+ static int fips_thread_set = 0;
+ 
+Index: openssl-1.1.1d/crypto/o_init.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/o_init.c	2020-01-23 13:45:11.536634832 +0100
++++ openssl-1.1.1d/crypto/o_init.c	2020-01-23 13:45:17.000667299 +0100
+@@ -45,6 +45,8 @@ static void init_fips_mode(void)
+      */
+ 
+     if (buf[0] != '1') {
++        /* abort if selftest failed and the module is complete */
++        NONFIPS_selftest_check();
+         /* drop down to non-FIPS mode if it is not requested */
+         FIPS_mode_set(0);
+     } else {
+Index: openssl-1.1.1d/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1d.orig/include/openssl/fips.h	2020-01-23 13:45:11.344633691 +0100
++++ openssl-1.1.1d/include/openssl/fips.h	2020-01-23 13:45:11.556634952 +0100
+@@ -65,6 +65,7 @@ extern "C" {
+     int FIPS_selftest(void);
+     int FIPS_selftest_failed(void);
+     int FIPS_selftest_drbg_all(void);
++    void NONFIPS_selftest_check(void);
+ 
+     int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
+                                const EVP_MD *evpmd, const unsigned char *seed_in,
diff --git a/openssl-fips_mode.patch b/openssl-fips_mode.patch
new file mode 100644
index 0000000..0ef901b
--- /dev/null
+++ b/openssl-fips_mode.patch
@@ -0,0 +1,20 @@
+Index: openssl-1.1.1d/apps/openssl.c
+===================================================================
+--- openssl-1.1.1d.orig/apps/openssl.c	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/apps/openssl.c	2020-01-23 13:45:11.452634334 +0100
+@@ -151,8 +151,15 @@ int main(int argc, char *argv[])
+     CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+ 
+     if (getenv("OPENSSL_FIPS")) {
++#ifdef OPENSSL_FIPS
++        if (!FIPS_mode_set(1)) {
++            ERR_print_errors(bio_err);
++            return 1;
++        }
++#else
+         BIO_printf(bio_err, "FIPS mode not supported.\n");
+         return 1;
++#endif
+     }
+ 
+     if (!apps_startup()) {
diff --git a/openssl-fips_selftest_upstream_drbg.patch b/openssl-fips_selftest_upstream_drbg.patch
new file mode 100644
index 0000000..9bd2520
--- /dev/null
+++ b/openssl-fips_selftest_upstream_drbg.patch
@@ -0,0 +1,1838 @@
+Index: openssl-1.1.1l/crypto/fips/drbgtest.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/fips/drbgtest.c
+@@ -0,0 +1,1180 @@
++/*
++ * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include "internal/nelem.h"
++#include <openssl/crypto.h>
++#include <openssl/err.h>
++#include <openssl/rand.h>
++#include <openssl/obj_mac.h>
++#include <openssl/evp.h>
++#include <openssl/aes.h>
++#include <openssl/fips_rand.h>
++#include "../crypto/rand/rand_local.h"
++#include "crypto/rand.h"
++
++#if defined(_WIN32)
++# include <windows.h>
++#endif
++
++
++#if defined(OPENSSL_SYS_UNIX)
++# include <sys/types.h>
++# include <sys/wait.h>
++# include <unistd.h>
++#endif
++
++#include "../../test/drbgtest.h"
++
++typedef struct drbg_selftest_data_st {
++    int post;
++    int nid;
++    unsigned int flags;
++
++    /* KAT data for no PR */
++    const unsigned char *entropy;
++    size_t entropylen;
++    const unsigned char *nonce;
++    size_t noncelen;
++    const unsigned char *pers;
++    size_t perslen;
++    const unsigned char *adin;
++    size_t adinlen;
++    const unsigned char *entropyreseed;
++    size_t entropyreseedlen;
++    const unsigned char *adinreseed;
++    size_t adinreseedlen;
++    const unsigned char *adin2;
++    size_t adin2len;
++    const unsigned char *expected;
++    size_t exlen;
++    const unsigned char *kat2;
++    size_t kat2len;
++
++    /* KAT data for PR */
++    const unsigned char *entropy_pr;
++    size_t entropylen_pr;
++    const unsigned char *nonce_pr;
++    size_t noncelen_pr;
++    const unsigned char *pers_pr;
++    size_t perslen_pr;
++    const unsigned char *adin_pr;
++    size_t adinlen_pr;
++    const unsigned char *entropypr_pr;
++    size_t entropyprlen_pr;
++    const unsigned char *ading_pr;
++    size_t adinglen_pr;
++    const unsigned char *entropyg_pr;
++    size_t entropyglen_pr;
++    const unsigned char *kat_pr;
++    size_t katlen_pr;
++    const unsigned char *kat2_pr;
++    size_t kat2len_pr;
++} DRBG_SELFTEST_DATA;
++
++#define make_drbg_test_data(nid, flag, pr, post) {\
++    post, nid, flag, \
++    pr##_entropyinput, sizeof(pr##_entropyinput), \
++    pr##_nonce, sizeof(pr##_nonce), \
++    pr##_personalizationstring, sizeof(pr##_personalizationstring), \
++    pr##_additionalinput, sizeof(pr##_additionalinput), \
++    pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \
++    pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \
++    pr##_additionalinput2, sizeof(pr##_additionalinput2), \
++    pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \
++    pr##_returnedbits, sizeof(pr##_returnedbits), \
++    pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \
++    pr##_pr_nonce, sizeof(pr##_pr_nonce), \
++    pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \
++    pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \
++    pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \
++    pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \
++    pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \
++    pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \
++    pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits) \
++    }
++
++#define make_drbg_test_data_use_df(nid, pr, p) \
++    make_drbg_test_data(nid, 0, pr, p)
++
++#define make_drbg_test_data_no_df(nid, pr, p)                      \
++    make_drbg_test_data(nid, RAND_DRBG_FLAG_CTR_NO_DF, pr, p)
++
++static DRBG_SELFTEST_DATA drbg_test[] = {
++    make_drbg_test_data_no_df (NID_aes_128_ctr, aes_128_no_df,  0),
++    make_drbg_test_data_no_df (NID_aes_192_ctr, aes_192_no_df,  0),
++    make_drbg_test_data_no_df (NID_aes_256_ctr, aes_256_no_df,  1),
++    make_drbg_test_data_use_df(NID_aes_128_ctr, aes_128_use_df, 0),
++    make_drbg_test_data_use_df(NID_aes_192_ctr, aes_192_use_df, 0),
++    make_drbg_test_data_use_df(NID_aes_256_ctr, aes_256_use_df, 1),
++};
++
++static int app_data_index;
++
++/*
++ * Test context data, attached as EXDATA to the RAND_DRBG
++ */
++typedef struct test_ctx_st {
++    const unsigned char *entropy;
++    size_t entropylen;
++    int entropycnt;
++    const unsigned char *nonce;
++    size_t noncelen;
++    int noncecnt;
++} TEST_CTX;
++
++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout,
++                          int entropy, size_t min_len, size_t max_len,
++                          int prediction_resistance)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->entropycnt++;
++    *pout = (unsigned char *)t->entropy;
++    return t->entropylen;
++}
++
++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout,
++                        int entropy, size_t min_len, size_t max_len)
++{
++    TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++
++    t->noncecnt++;
++    *pout = (unsigned char *)t->nonce;
++    return t->noncelen;
++}
++
++ /*
++ * Disable CRNG testing if it is enabled.
++ * If the DRBG is ready or in an error state, this means an instantiate cycle
++ * for which the default personalisation string is used.
++ */
++static int disable_crngt(RAND_DRBG *drbg)
++{
++    static const char pers[] = DRBG_DEFAULT_PERS_STRING;
++    const int instantiate = drbg->state != DRBG_UNINITIALISED;
++
++    if (drbg->get_entropy != rand_crngt_get_entropy)
++        return 1;
++
++     if ((instantiate && !RAND_DRBG_uninstantiate(drbg))
++        || !RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy,
++                                              &rand_drbg_cleanup_entropy,
++                                              &rand_drbg_get_nonce,
++                                              &rand_drbg_cleanup_nonce)
++        || (instantiate
++            && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers,
++                                      sizeof(pers) - 1)))
++        return 0;
++    return 1;
++}
++
++static int uninstantiate(RAND_DRBG *drbg)
++{
++    int ret = drbg == NULL ? 1 : RAND_DRBG_uninstantiate(drbg);
++
++    ERR_clear_error();
++    return ret;
++}
++
++/*
++ * Do a single KAT test.  Return 0 on failure.
++ */
++static int single_kat(DRBG_SELFTEST_DATA *td)
++{
++    RAND_DRBG *drbg = NULL;
++    TEST_CTX t;
++    int failures = 0;
++    unsigned char buff[1024];
++
++    /*
++     * Test without PR: Instantiate DRBG with test entropy, nonce and
++     * personalisation string.
++     */
++    if ((drbg = RAND_DRBG_new(td->nid, td->flags, NULL)) == NULL)
++        return 0;
++    if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                           kat_nonce, NULL)
++        || !disable_crngt(drbg)) {
++        failures++;
++        goto err;
++    }
++    memset(&t, 0, sizeof(t));
++    t.entropy = td->entropy;
++    t.entropylen = td->entropylen;
++    t.nonce = td->nonce;
++    t.noncelen = td->noncelen;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++
++    if (!RAND_DRBG_instantiate(drbg, td->pers, td->perslen)
++            || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                             td->adin, td->adinlen)
++            || memcmp(td->expected, buff, td->exlen))
++        failures++;
++
++    /* Reseed DRBG with test entropy and additional input */
++    t.entropy = td->entropyreseed;
++    t.entropylen = td->entropyreseedlen;
++    if (!RAND_DRBG_reseed(drbg, td->adinreseed, td->adinreseedlen, 0)
++            || !RAND_DRBG_generate(drbg, buff, td->kat2len, 0,
++                                             td->adin2, td->adin2len)
++            || memcmp(td->kat2, buff, td->kat2len))
++        failures++;
++    uninstantiate(drbg);
++
++    /*
++     * Now test with PR: Instantiate DRBG with test entropy, nonce and
++     * personalisation string.
++     */
++    if (!RAND_DRBG_set(drbg, td->nid, td->flags)
++            || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                                  kat_nonce, NULL))
++        failures++;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, &t);
++    t.entropy = td->entropy_pr;
++    t.entropylen = td->entropylen_pr;
++    t.nonce = td->nonce_pr;
++    t.noncelen = td->noncelen_pr;
++    t.entropycnt = 0;
++    t.noncecnt = 0;
++    if (!RAND_DRBG_instantiate(drbg, td->pers_pr, td->perslen_pr))
++        failures++;
++
++    /*
++     * Now generate with PR: we need to supply entropy as this will
++     * perform a reseed operation.
++     */
++    t.entropy = td->entropypr_pr;
++    t.entropylen = td->entropyprlen_pr;
++    if (!RAND_DRBG_generate(drbg, buff, td->katlen_pr, 1,
++                                      td->adin_pr, td->adinlen_pr)
++            || memcmp(td->kat_pr, buff, td->katlen_pr))
++        failures++;
++
++    /*
++     * Now generate again with PR: supply new entropy again.
++     */
++    t.entropy = td->entropyg_pr;
++    t.entropylen = td->entropyglen_pr;
++
++    if (!RAND_DRBG_generate(drbg, buff, td->kat2len_pr, 1,
++                                      td->ading_pr, td->adinglen_pr)
++                || memcmp(td->kat2_pr, buff, td->kat2len_pr))
++        failures++;
++
++err:
++    uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return failures == 0;
++}
++
++/*
++ * Initialise a DRBG based on selftest data
++ */
++static int init(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td, TEST_CTX *t)
++{
++    if (!RAND_DRBG_set(drbg, td->nid, td->flags)
++            || !RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL,
++                                                  kat_nonce, NULL))
++        return 0;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, t);
++    t->entropy = td->entropy;
++    t->entropylen = td->entropylen;
++    t->nonce = td->nonce;
++    t->noncelen = td->noncelen;
++    t->entropycnt = 0;
++    t->noncecnt = 0;
++    return 1;
++}
++
++/*
++ * Initialise and instantiate DRBG based on selftest data
++ */
++static int instantiate(RAND_DRBG *drbg, DRBG_SELFTEST_DATA *td,
++                       TEST_CTX *t)
++{
++    if (!init(drbg, td, t)
++            || !RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
++        return 0;
++    return 1;
++}
++
++/*
++ * Perform extensive error checking as required by SP800-90.
++ * Induce several failure modes and check an error condition is set.
++ */
++static int error_check(DRBG_SELFTEST_DATA *td)
++{
++    static char zero[sizeof(RAND_DRBG)];
++    RAND_DRBG *drbg = NULL;
++    TEST_CTX t;
++    unsigned char buff[1024];
++    unsigned int reseed_counter_tmp;
++    int ret = 0;
++
++    if (!(drbg = RAND_DRBG_new(0, 0, NULL))
++	|| !disable_crngt(drbg))
++        goto err;
++
++    /*
++     * Personalisation string tests
++     */
++
++    /* Test detection of too large personalisation string */
++    if (!init(drbg, td, &t)
++            || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
++        goto err;
++
++    /*
++     * Entropy source tests
++     */
++
++    /* Test entropy source failure detection: i.e. returns no data */
++    t.entropylen = 0;
++    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0)
++        goto err;
++
++    /* Try to generate output from uninstantiated DRBG */
++    if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                       td->adin, td->adinlen)
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Test insufficient entropy */
++    if (!init(drbg, td, &t))
++        goto err;
++    t.entropylen = drbg->min_entropylen - 1;
++    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Test too much entropy */
++    if (!init(drbg, td, &t))
++        goto err;
++    t.entropylen = drbg->max_entropylen + 1;
++    if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
++            || !uninstantiate(drbg))
++        goto err;
++
++    /*
++     * Nonce tests
++     */
++
++    /* Test too small nonce */
++    if (drbg->min_noncelen) {
++        if (!init(drbg, td, &t))
++            goto err;
++        t.noncelen = drbg->min_noncelen - 1;
++        if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
++                || !uninstantiate(drbg))
++            goto err;
++    }
++
++    /* Test too large nonce */
++    if (drbg->max_noncelen) {
++        if (!init(drbg, td, &t))
++            goto err;
++        t.noncelen = drbg->max_noncelen + 1;
++        if (RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
++                || !uninstantiate(drbg))
++            goto err;
++    }
++
++    /* Instantiate with valid data, Check generation is now OK */
++    if (!instantiate(drbg, td, &t)
++            || !RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                             td->adin, td->adinlen))
++        goto err;
++
++    /* Request too much data for one request */
++    if (RAND_DRBG_generate(drbg, buff, drbg->max_request + 1, 0,
++                                       td->adin, td->adinlen))
++        goto err;
++
++    /* Try too large additional input */
++    if (RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                       td->adin, drbg->max_adinlen + 1))
++        goto err;
++
++    /*
++     * Check prediction resistance request fails if entropy source
++     * failure.
++     */
++    t.entropylen = 0;
++    if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
++                                      td->adin, td->adinlen)
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Instantiate again with valid data */
++    if (!instantiate(drbg, td, &t))
++        goto err;
++    reseed_counter_tmp = drbg->generate_counter;
++    drbg->generate_counter = drbg->reseed_interval;
++
++    /* Generate output and check entropy has been requested for reseed */
++    t.entropycnt = 0;
++    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                      td->adin, td->adinlen)
++            || t.entropycnt != 1
++            || drbg->generate_counter != reseed_counter_tmp + 1
++            || !uninstantiate(drbg))
++        goto err;
++
++    /*
++     * Check prediction resistance request fails if entropy source
++     * failure.
++     */
++    t.entropylen = 0;
++    if (RAND_DRBG_generate(drbg, buff, td->exlen, 1,
++                                       td->adin, td->adinlen)
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Test reseed counter works */
++    if (!instantiate(drbg, td, &t))
++        goto err;
++    reseed_counter_tmp = drbg->generate_counter;
++    drbg->generate_counter = drbg->reseed_interval;
++
++    /* Generate output and check entropy has been requested for reseed */
++    t.entropycnt = 0;
++    if (!RAND_DRBG_generate(drbg, buff, td->exlen, 0,
++                                      td->adin, td->adinlen)
++            || t.entropycnt != 1
++            || drbg->generate_counter != reseed_counter_tmp + 1
++            || !uninstantiate(drbg))
++        goto err;
++
++    /*
++     * Explicit reseed tests
++     */
++
++    /* Test explicit reseed with too large additional input */
++    if (!instantiate(drbg, td, &t)
++            || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
++        goto err;
++
++    /* Test explicit reseed with entropy source failure */
++    t.entropylen = 0;
++    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Test explicit reseed with too much entropy */
++    if (!instantiate(drbg, td, &t))
++        goto err;
++    t.entropylen = drbg->max_entropylen + 1;
++    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Test explicit reseed with too little entropy */
++    if (!instantiate(drbg, td, &t))
++        goto err;
++    t.entropylen = drbg->min_entropylen - 1;
++    if (RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0) > 0
++            || !uninstantiate(drbg))
++        goto err;
++
++    /* Standard says we have to check uninstantiate really zeroes */
++    /*
++     * RAND_DRBG_uninstantiate() cleanses the data via drbg_ctr_uninstantiate(),
++     * but right after that it resets drbg->data.ctr using RAND_DRBG_set(), so
++     * the following memcmp will fail.
++     */
++#if 0
++    if (memcmp(zero, &drbg->data, sizeof(drbg->data)))
++        goto err;
++#endif
++
++    ret = 1;
++
++err:
++    uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    return ret;
++}
++
++static int test_kats(int i)
++{
++    DRBG_SELFTEST_DATA *td = &drbg_test[i];
++    int rv = 0;
++
++    if (!single_kat(td))
++        goto err;
++    rv = 1;
++
++err:
++    return rv;
++}
++
++static int test_error_checks(int i)
++{
++    DRBG_SELFTEST_DATA *td = &drbg_test[i];
++    int rv = 0;
++
++    if (!error_check(td))
++        goto err;
++    rv = 1;
++
++err:
++    return rv;
++}
++
++/*
++ * Hook context data, attached as EXDATA to the RAND_DRBG
++ */
++typedef struct hook_ctx_st {
++    RAND_DRBG *drbg;
++    /*
++     * Currently, all DRBGs use the same get_entropy() callback.
++     * The tests however, don't assume this and store
++     * the original callback for every DRBG separately.
++     */
++    RAND_DRBG_get_entropy_fn get_entropy;
++    /* forces a failure of the get_entropy() call if nonzero */
++    int fail;
++    /* counts successful reseeds */
++    int reseed_count;
++} HOOK_CTX;
++
++static HOOK_CTX master_ctx, public_ctx, private_ctx;
++
++static HOOK_CTX *get_hook_ctx(RAND_DRBG *drbg)
++{
++    return (HOOK_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index);
++}
++
++/* Intercepts and counts calls to the get_entropy() callback */
++static size_t get_entropy_hook(RAND_DRBG *drbg, unsigned char **pout,
++                              int entropy, size_t min_len, size_t max_len,
++                              int prediction_resistance)
++{
++    size_t ret;
++    HOOK_CTX *ctx = get_hook_ctx(drbg);
++
++    if (ctx->fail != 0)
++        return 0;
++
++    ret = ctx->get_entropy(drbg, pout, entropy, min_len, max_len,
++                           prediction_resistance);
++
++    if (ret != 0)
++        ctx->reseed_count++;
++    return ret;
++}
++
++/* Installs a hook for the get_entropy() callback of the given drbg */
++static void hook_drbg(RAND_DRBG *drbg, HOOK_CTX *ctx)
++{
++    memset(ctx, 0, sizeof(*ctx));
++    ctx->drbg = drbg;
++    ctx->get_entropy = drbg->get_entropy;
++    drbg->get_entropy = get_entropy_hook;
++    RAND_DRBG_set_ex_data(drbg, app_data_index, ctx);
++}
++
++/* Installs the hook for the get_entropy() callback of the given drbg */
++static void unhook_drbg(RAND_DRBG *drbg)
++{
++    HOOK_CTX *ctx = get_hook_ctx(drbg);
++
++    drbg->get_entropy = ctx->get_entropy;
++    CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DRBG, drbg, &drbg->ex_data);
++}
++
++/* Resets the given hook context */
++static void reset_hook_ctx(HOOK_CTX *ctx)
++{
++    ctx->fail = 0;
++    ctx->reseed_count = 0;
++}
++
++/* Resets all drbg hook contexts */
++static void reset_drbg_hook_ctx(void)
++{
++    reset_hook_ctx(&master_ctx);
++    reset_hook_ctx(&public_ctx);
++    reset_hook_ctx(&private_ctx);
++}
++
++/*
++ * Generates random output using RAND_bytes() and RAND_priv_bytes()
++ * and checks whether the three shared DRBGs were reseeded as
++ * expected.
++ *
++ * |expect_success|: expected outcome (as reported by RAND_status())
++ * |master|, |public|, |private|: pointers to the three shared DRBGs
++ * |expect_xxx_reseed| =
++ *       1:  it is expected that the specified DRBG is reseeded
++ *       0:  it is expected that the specified DRBG is not reseeded
++ *      -1:  don't check whether the specified DRBG was reseeded or not
++ * |reseed_time|: if nonzero, used instead of time(NULL) to set the
++ *                |before_reseed| time.
++ */
++static int test_drbg_reseed(int expect_success,
++                            RAND_DRBG *master,
++                            RAND_DRBG *public,
++                            RAND_DRBG *private,
++                            int expect_master_reseed,
++                            int expect_public_reseed,
++                            int expect_private_reseed,
++                            time_t reseed_time
++                           )
++{
++    unsigned char buf[32];
++    time_t before_reseed, after_reseed;
++    int expected_state = (expect_success ? DRBG_READY : DRBG_ERROR);
++
++    /*
++     * step 1: check preconditions
++     */
++
++    /* Test whether seed propagation is enabled */
++    if (master->reseed_counter == 0
++        || public->reseed_counter == 0
++        || private->reseed_counter == 0)
++        return 0;
++
++    /* Check whether the master DRBG's reseed counter is the largest one */
++    if (public->reseed_counter > master->reseed_counter
++        || private->reseed_counter > master->reseed_counter)
++        return 0;
++
++    /*
++     * step 2: generate random output
++     */
++
++    if (reseed_time == 0)
++        reseed_time = time(NULL);
++
++    /* Generate random output from the public and private DRBG */
++    before_reseed = expect_master_reseed == 1 ? reseed_time : 0;
++    if (RAND_bytes(buf, sizeof(buf)) != expect_success
++        || RAND_priv_bytes(buf, sizeof(buf)) != expect_success)
++        return 0;
++    after_reseed = time(NULL);
++
++
++    /*
++     * step 3: check postconditions
++     */
++
++    /* Test whether reseeding succeeded as expected */
++    if (master->state != expected_state
++        || public->state != expected_state
++        || private->state != expected_state)
++        return 0;
++
++    if (expect_master_reseed >= 0) {
++        /* Test whether master DRBG was reseeded as expected */
++        if (master_ctx.reseed_count != expect_master_reseed)
++            return 0;
++    }
++
++    if (expect_public_reseed >= 0) {
++        /* Test whether public DRBG was reseeded as expected */
++        if (public_ctx.reseed_count != expect_public_reseed)
++            return 0;
++    }
++
++    if (expect_private_reseed >= 0) {
++        /* Test whether public DRBG was reseeded as expected */
++        if (private_ctx.reseed_count != expect_private_reseed)
++            return 0;
++    }
++
++    if (expect_success == 1) {
++        /* Test whether all three reseed counters are synchronized */
++        if (public->reseed_counter != master->reseed_counter
++            || private->reseed_counter != master->reseed_counter)
++            return 0;
++
++        /* Test whether reseed time of master DRBG is set correctly */
++        if (before_reseed > master->reseed_time
++            || master->reseed_time > after_reseed)
++            return 0;
++
++        /* Test whether reseed times of child DRBGs are synchronized with master */
++        if (public->reseed_time < master->reseed_time
++            || private->reseed_time < master->reseed_time)
++            return 0;
++    } else {
++        ERR_clear_error();
++    }
++
++    return 1;
++}
++
++
++#if defined(OPENSSL_SYS_UNIX)
++/*
++ * Test whether master, public and private DRBG are reseeded after
++ * forking the process.
++ */
++static int test_drbg_reseed_after_fork(RAND_DRBG *master,
++                                       RAND_DRBG *public,
++                                       RAND_DRBG *private)
++{
++    pid_t pid;
++    int status=0;
++
++    pid = fork();
++    if (pid < 0)
++        return 0;
++
++    if (pid > 0) {
++        /* I'm the parent; wait for the child and check its exit code */
++        return (waitpid(pid, &status, 0) == pid) && status == 0;
++    }
++
++    /* I'm the child; check whether all three DRBGs reseed. */
++    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
++        status = 1;
++
++    /* Remove hooks  */
++    unhook_drbg(master);
++    unhook_drbg(public);
++    unhook_drbg(private);
++    exit(status);
++}
++#endif
++
++/*
++ * Test whether the default rand_method (RAND_OpenSSL()) is
++ * setup correctly, in particular whether reseeding  works
++ * as designed.
++ */
++static int test_rand_drbg_reseed(void)
++{
++    RAND_DRBG *master, *public, *private;
++    unsigned char rand_add_buf[256];
++    int rv=0;
++    time_t before_reseed;
++
++    /* Check whether RAND_OpenSSL() is the default method */
++    if (RAND_get_rand_method() != RAND_OpenSSL())
++        return 0;
++
++    /* All three DRBGs should be non-null */
++    if (!(master = RAND_DRBG_get0_master())
++        || !(public = RAND_DRBG_get0_public())
++        || !(private = RAND_DRBG_get0_private()))
++        return 0;
++
++    /* There should be three distinct DRBGs, two of them chained to master */
++    if (public == private
++        || public == master
++        || private == master
++        || public->parent != master
++        || private->parent != master)
++        return 0;
++
++    /* Disable CRNG testing for the master DRBG */
++    if (!disable_crngt(master))
++        return 0;
++
++    /* uninstantiate the three global DRBGs */
++    RAND_DRBG_uninstantiate(private);
++    RAND_DRBG_uninstantiate(public);
++    RAND_DRBG_uninstantiate(master);
++
++
++    /* Install hooks for the following tests */
++    hook_drbg(master,  &master_ctx);
++    hook_drbg(public,  &public_ctx);
++    hook_drbg(private, &private_ctx);
++
++
++    /*
++     * Test initial seeding of shared DRBGs
++     */
++    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++
++    /*
++     * Test initial state of shared DRBGs
++     */
++    if (!test_drbg_reseed(1, master, public, private, 0, 0, 0, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++    /*
++     * Test whether the public and private DRBG are both reseeded when their
++     * reseed counters differ from the master's reseed counter.
++     */
++    master->reseed_counter++;
++    if (!test_drbg_reseed(1, master, public, private, 0, 1, 1, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++    /*
++     * Test whether the public DRBG is reseeded when its reseed counter differs
++     * from the master's reseed counter.
++     */
++    master->reseed_counter++;
++    private->reseed_counter++;
++    if (!test_drbg_reseed(1, master, public, private, 0, 1, 0, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++    /*
++     * Test whether the private DRBG is reseeded when its reseed counter differs
++     * from the master's reseed counter.
++     */
++    master->reseed_counter++;
++    public->reseed_counter++;
++    if (!test_drbg_reseed(1, master, public, private, 0, 0, 1, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++#if defined(OPENSSL_SYS_UNIX)
++    if (!test_drbg_reseed_after_fork(master, public, private))
++        goto error;
++#endif
++
++    /* fill 'randomness' buffer with some arbitrary data */
++    memset(rand_add_buf, 'r', sizeof(rand_add_buf));
++
++    /*
++     * Test whether all three DRBGs are reseeded by RAND_add().
++     * The before_reseed time has to be measured here and passed into the
++     * test_drbg_reseed() test, because the master DRBG gets already reseeded
++     * in RAND_add(), whence the check for the condition
++     * before_reseed <= master->reseed_time will fail if the time value happens
++     * to increase between the RAND_add() and the test_drbg_reseed() call.
++     */
++    before_reseed = time(NULL);
++    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
++    if (!test_drbg_reseed(1, master, public, private, 1, 1, 1,
++                                    before_reseed))
++        goto error;
++    reset_drbg_hook_ctx();
++
++
++    /*
++     * Test whether none of the DRBGs is reseed if the master fails to reseed
++     */
++    master_ctx.fail = 1;
++    master->reseed_counter++;
++    RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
++    if (!test_drbg_reseed(0, master, public, private, 0, 0, 0, 0))
++        goto error;
++    reset_drbg_hook_ctx();
++
++    rv = 1;
++
++error:
++    /* Remove hooks  */
++    unhook_drbg(master);
++    unhook_drbg(public);
++    unhook_drbg(private);
++
++    return rv;
++}
++
++#if defined(OPENSSL_THREADS)
++static int multi_thread_rand_bytes_succeeded = 1;
++static int multi_thread_rand_priv_bytes_succeeded = 1;
++
++static void run_multi_thread_test(void)
++{
++    unsigned char buf[256];
++    time_t start = time(NULL);
++    RAND_DRBG *public = NULL, *private = NULL;
++
++    if (!(public = RAND_DRBG_get0_public())
++            || !(private = RAND_DRBG_get0_private())) {
++        multi_thread_rand_bytes_succeeded = 0;
++        return;
++    }
++    RAND_DRBG_set_reseed_time_interval(private, 1);
++    RAND_DRBG_set_reseed_time_interval(public, 1);
++
++    do {
++        if (RAND_bytes(buf, sizeof(buf)) <= 0)
++            multi_thread_rand_bytes_succeeded = 0;
++        if (RAND_priv_bytes(buf, sizeof(buf)) <= 0)
++            multi_thread_rand_priv_bytes_succeeded = 0;
++    }
++    while(time(NULL) - start < 5);
++}
++
++# if defined(OPENSSL_SYS_WINDOWS)
++
++typedef HANDLE thread_t;
++
++static DWORD WINAPI thread_run(LPVOID arg)
++{
++    run_multi_thread_test();
++    /*
++     * Because we're linking with a static library, we must stop each
++     * thread explicitly, or so says OPENSSL_thread_stop(3)
++     */
++    OPENSSL_thread_stop();
++    return 0;
++}
++
++static int run_thread(thread_t *t)
++{
++    *t = CreateThread(NULL, 0, thread_run, NULL, 0, NULL);
++    return *t != NULL;
++}
++
++static int wait_for_thread(thread_t thread)
++{
++    return WaitForSingleObject(thread, INFINITE) == 0;
++}
++
++# else
++
++typedef pthread_t thread_t;
++
++static void *thread_run(void *arg)
++{
++    run_multi_thread_test();
++    /*
++     * Because we're linking with a static library, we must stop each
++     * thread explicitly, or so says OPENSSL_thread_stop(3)
++     */
++    OPENSSL_thread_stop();
++    return NULL;
++}
++
++static int run_thread(thread_t *t)
++{
++    return pthread_create(t, NULL, thread_run, NULL) == 0;
++}
++
++static int wait_for_thread(thread_t thread)
++{
++    return pthread_join(thread, NULL) == 0;
++}
++
++# endif
++
++/*
++ * The main thread will also run the test, so we'll have THREADS+1 parallel
++ * tests running
++ */
++# define THREADS 3
++
++static int test_multi_thread(void)
++{
++    thread_t t[THREADS];
++    int i;
++
++    for (i = 0; i < THREADS; i++)
++        run_thread(&t[i]);
++    run_multi_thread_test();
++    for (i = 0; i < THREADS; i++)
++        wait_for_thread(t[i]);
++
++    if (!multi_thread_rand_bytes_succeeded)
++        return 0;
++    if (!multi_thread_rand_priv_bytes_succeeded)
++        return 0;
++
++    return 1;
++}
++#endif
++
++/*
++ * Test that instantiation with RAND_seed() works as expected
++ *
++ * If no os entropy source is available then RAND_seed(buffer, bufsize)
++ * is expected to succeed if and only if the buffer length is at least
++ * rand_drbg_seedlen(master) bytes.
++ *
++ * If an os entropy source is available then RAND_seed(buffer, bufsize)
++ * is expected to succeed always.
++ */
++static int test_rand_seed(void)
++{
++    RAND_DRBG *master = NULL;
++    unsigned char rand_buf[256];
++    size_t rand_buflen;
++    size_t required_seed_buflen = 0;
++
++    if (!(master = RAND_DRBG_get0_master())
++        || !disable_crngt(master))
++        return 0;
++
++#ifdef OPENSSL_RAND_SEED_NONE
++    required_seed_buflen = rand_drbg_seedlen(master);
++#endif
++
++    memset(rand_buf, 0xCD, sizeof(rand_buf));
++
++    for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
++        RAND_DRBG_uninstantiate(master);
++        RAND_seed(rand_buf, rand_buflen);
++
++        if (RAND_status() != (rand_buflen >= required_seed_buflen))
++            return 0;
++    }
++
++    return 1;
++}
++
++/*
++ * Test that adding additional data with RAND_add() works as expected
++ * when the master DRBG is instantiated (and below its reseed limit).
++ *
++ * This should succeed regardless of whether an os entropy source is
++ * available or not.
++ */
++static int test_rand_add(void)
++{
++    unsigned char rand_buf[256];
++    size_t rand_buflen;
++
++    memset(rand_buf, 0xCD, sizeof(rand_buf));
++
++    /* make sure it's instantiated */
++    RAND_seed(rand_buf, sizeof(rand_buf));
++    if (!RAND_status())
++        return 0;
++
++    for ( rand_buflen = 256 ; rand_buflen > 0 ; --rand_buflen ) {
++        RAND_add(rand_buf, rand_buflen, 0.0);
++        if (!RAND_status())
++            return 0;
++    }
++
++    return 1;
++}
++
++/*
++ * A list of the FIPS DRGB types.
++ */
++static const struct s_drgb_types {
++    int nid;
++    int flags;
++} drgb_types[] = {
++    { NID_aes_128_ctr,  0                   },
++    { NID_aes_192_ctr,  0                   },
++    { NID_aes_256_ctr,  0                   },
++};
++
++/* Six cases for each covers seed sizes up to 32 bytes */
++static const size_t crngt_num_cases = 6;
++
++static size_t crngt_case, crngt_idx;
++
++static int crngt_entropy_cb(unsigned char *buf, unsigned char *md,
++                            unsigned int *md_size)
++{
++    size_t i, z;
++
++    if (crngt_idx >= crngt_num_cases)
++        return 0;
++    /* Generate a block of unique data unless this is the duplication point */
++    z = crngt_idx++;
++    if (z > 0 && crngt_case == z)
++        z--;
++    for (i = 0; i < CRNGT_BUFSIZ; i++)
++        buf[i] = (unsigned char)(i + 'A' + z);
++    return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL);
++}
++
++static int test_crngt(int n)
++{
++    const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases;
++    RAND_DRBG *drbg = NULL;
++    unsigned char buff[100];
++    size_t ent;
++    int res = 0;
++    int expect;
++
++    if (!rand_crngt_single_init())
++        return 0;
++    rand_crngt_cleanup();
++
++    if (!(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL)))
++        return 0;
++    ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ;
++    crngt_case = n % crngt_num_cases;
++    crngt_idx = 0;
++    crngt_get_entropy = &crngt_entropy_cb;
++    if (!rand_crngt_init())
++        goto err;
++#ifndef OPENSSL_FIPS
++    if (!RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy,
++                                           &rand_crngt_cleanup_entropy,
++                                           &rand_drbg_get_nonce,
++                                           &rand_drbg_cleanup_nonce))
++        goto err;
++#endif
++    expect = crngt_case == 0 || crngt_case > ent;
++    if (RAND_DRBG_instantiate(drbg, NULL, 0) != expect)
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
++        goto err;
++
++    expect = crngt_case == 0 || crngt_case > 2 * ent;
++    if (RAND_DRBG_reseed(drbg, NULL, 0, 0) != expect)
++        goto err;
++    if (!expect)
++        goto fin;
++    if (!RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))
++        goto err;
++
++fin:
++    res = 1;
++err:
++#if 0
++    if (!res)
++        TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases,
++                  crngt_case, crngt_idx);
++#endif
++    uninstantiate(drbg);
++    RAND_DRBG_free(drbg);
++    crngt_get_entropy = &rand_crngt_get_entropy_cb;
++    return res;
++}
++
++int FIPS_selftest_drbg(void)
++{
++    app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL);
++    int i;
++
++    for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
++        if (!test_kats(i))
++            return 0;
++    }
++    for (i = 0; i < OSSL_NELEM(drbg_test); i++) {
++        if (!test_error_checks(i))
++            return 0;
++    }
++
++#if 0
++    if (!test_rand_drbg_reseed())
++            return 0;
++    if (!test_rand_seed())
++            return 0;
++    if (!test_rand_add())
++            return 0;
++#if defined(OPENSSL_THREADS)
++    if (!test_multi_thread())
++            return 0;
++#endif
++    for (i = 0; i < crngt_num_cases * OSSL_NELEM(drgb_types); i++) {
++        if (!test_crngt(i))
++            return 0;
++    }
++#endif
++    return 1;
++}
++
+Index: openssl-1.1.1l/crypto/fips/drbgtest.h
+===================================================================
+--- /dev/null
++++ openssl-1.1.1l/crypto/fips/drbgtest.h
+@@ -0,0 +1,579 @@
++/*
++ * Copyright 2011-2017 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++/*
++ * Known answer tests for SP800-90 DRBG CTR mode.
++ */
++
++
++/*
++ * AES-128 use df PR
++ */
++static const unsigned char aes_128_use_df_pr_entropyinput[] = {
++    0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33,
++    0xc8, 0xdb, 0xff, 0x12
++};
++static const unsigned char aes_128_use_df_pr_nonce[] = {
++    0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28
++};
++static const unsigned char aes_128_use_df_pr_personalizationstring[] = {
++    0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe,
++    0xd7, 0xd7, 0x01, 0x67
++};
++static const unsigned char aes_128_use_df_pr_additionalinput[] = {
++    0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e,
++    0x9a, 0x47, 0x08, 0x76
++};
++static const unsigned char aes_128_use_df_pr_entropyinputpr[] = {
++    0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51,
++    0x09, 0xfb, 0xa3, 0xb6
++};
++static const unsigned char aes_128_use_df_pr_int_returnedbits[] = {
++    0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52,
++    0x66, 0x1c, 0xea, 0x5b
++};
++static const unsigned char aes_128_use_df_pr_additionalinput2[] = {
++    0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11,
++    0x3f, 0x5e, 0x31, 0x06
++};
++static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = {
++    0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae,
++    0xa7, 0xe3, 0xa8, 0x67
++};
++static const unsigned char aes_128_use_df_pr_returnedbits[] = {
++    0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24,
++    0x0f, 0x38, 0x43, 0xc6
++};
++
++
++/*
++ * AES-128 use df no PR
++ */
++static const unsigned char aes_128_use_df_entropyinput[] = {
++    0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 0x01, 0x3e, 0xd0, 0xa3,
++    0x9d, 0x7d, 0x1c, 0x9b
++};
++static const unsigned char aes_128_use_df_nonce[] = {
++    0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96,
++};
++static const unsigned char aes_128_use_df_personalizationstring[] = {
++    0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3,
++    0x38, 0x66, 0xba, 0x1b
++};
++static const unsigned char aes_128_use_df_additionalinput[] = {
++    0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46,
++    0xb5, 0xe2, 0xb2, 0x41
++};
++static const unsigned char aes_128_use_df_int_returnedbits[] = {
++    0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67,
++    0xe7, 0x57, 0x11, 0xb4
++};
++static const unsigned char aes_128_use_df_entropyinputreseed[] = {
++    0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b,
++    0xc7, 0xc4, 0x9e, 0x39
++};
++static const unsigned char aes_128_use_df_additionalinputreseed[] = {
++    0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a,
++    0xc8, 0x93, 0xfa, 0x84
++};
++static const unsigned char aes_128_use_df_additionalinput2[] = {
++    0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5,
++    0x06, 0x0c, 0x15, 0x2c
++};
++static const unsigned char aes_128_use_df_returnedbits[] = {
++    0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88,
++    0x46, 0x81, 0xc7, 0x19
++};
++
++
++/*
++ * AES-192 use df PR
++ */
++static const unsigned char aes_192_use_df_pr_entropyinput[] = {
++    0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec,
++    0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d
++};
++static const unsigned char aes_192_use_df_pr_nonce[] = {
++    0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0,
++    0xd1, 0x80, 0x78, 0xfa
++};
++static const unsigned char aes_192_use_df_pr_personalizationstring[] = {
++    0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16,
++    0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5,
++    0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04
++};
++static const unsigned char aes_192_use_df_pr_additionalinput[] = {
++    0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac,
++    0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb,
++    0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36
++};
++static const unsigned char aes_192_use_df_pr_entropyinputpr[] = {
++    0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5,
++    0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5,
++};
++static const unsigned char aes_192_use_df_pr_int_returnedbits[] = {
++    0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9,
++    0x19, 0x30, 0x6b, 0x67
++};
++static const unsigned char aes_192_use_df_pr_additionalinput2[] = {
++    0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32,
++    0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda,
++    0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99
++};
++static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = {
++    0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0,
++    0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e,
++};
++static const unsigned char aes_192_use_df_pr_returnedbits[] = {
++    0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c,
++    0x7e, 0x1a, 0x2b, 0x83
++};
++
++
++/*
++ * AES-192 use df no PR
++ */
++static const unsigned char aes_192_use_df_entropyinput[] = {
++    0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82,
++    0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b,
++};
++static const unsigned char aes_192_use_df_nonce[] = {
++    0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d,
++    0x77, 0xd7, 0x41, 0x0e
++};
++static const unsigned char aes_192_use_df_personalizationstring[] = {
++    0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf,
++    0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65,
++    0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70
++};
++static const unsigned char aes_192_use_df_additionalinput[] = {
++    0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69,
++    0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22,
++    0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7
++};
++static const unsigned char aes_192_use_df_int_returnedbits[] = {
++    0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6,
++    0xb7, 0xed, 0xe9, 0xea
++};
++static const unsigned char aes_192_use_df_entropyinputreseed[] = {
++    0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02,
++    0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01,
++};
++static const unsigned char aes_192_use_df_additionalinputreseed[] = {
++    0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76,
++    0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77,
++    0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65
++};
++static const unsigned char aes_192_use_df_additionalinput2[] = {
++    0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e,
++    0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0,
++    0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77
++};
++static const unsigned char aes_192_use_df_returnedbits[] = {
++    0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58,
++    0x1a, 0xf9, 0x13, 0x28
++};
++
++
++/*
++ * AES-256 use df PR
++ */
++static const unsigned char aes_256_use_df_pr_entropyinput[] = {
++    0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74,
++    0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f,
++    0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a
++};
++static const unsigned char aes_256_use_df_pr_nonce[] = {
++    0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33,
++    0x2b, 0x36, 0xff, 0xa4
++};
++static const unsigned char aes_256_use_df_pr_personalizationstring[] = {
++    0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24,
++    0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83,
++    0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d
++};
++static const unsigned char aes_256_use_df_pr_additionalinput[] = {
++    0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0,
++    0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3,
++    0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde
++};
++static const unsigned char aes_256_use_df_pr_entropyinputpr[] = {
++    0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77,
++    0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54,
++    0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9
++};
++static const unsigned char aes_256_use_df_pr_int_returnedbits[] = {
++    0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7,
++    0x17, 0xab, 0x3c, 0x7a
++};
++static const unsigned char aes_256_use_df_pr_additionalinput2[] = {
++    0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00,
++    0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78,
++    0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3
++};
++static const unsigned char aes_256_use_df_pr_entropyinputpr2[] = {
++    0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73,
++    0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8,
++    0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f
++};
++static const unsigned char aes_256_use_df_pr_returnedbits[] = {
++    0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0,
++    0xd9, 0xe2, 0x97, 0x00
++};
++
++
++/*
++ * AES-256 use df no PR
++ */
++static const unsigned char aes_256_use_df_entropyinput[] = {
++    0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50,
++    0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68,
++    0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47
++};
++static const unsigned char aes_256_use_df_nonce[] = {
++    0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a,
++    0x4c, 0x44, 0x84, 0x40
++};
++static const unsigned char aes_256_use_df_personalizationstring[] = {
++    0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05,
++    0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b,
++    0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2
++};
++static const unsigned char aes_256_use_df_additionalinput[] = {
++    0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f,
++    0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf,
++    0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46
++};
++static const unsigned char aes_256_use_df_int_returnedbits[] = {
++    0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1,
++    0x28, 0x0c, 0x3b, 0xc1
++};
++static const unsigned char aes_256_use_df_entropyinputreseed[] = {
++    0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76,
++    0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46,
++    0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 0x1e
++};
++static const unsigned char aes_256_use_df_additionalinputreseed[] = {
++    0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99,
++    0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75,
++    0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75
++};
++static const unsigned char aes_256_use_df_additionalinput2[] = {
++    0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d,
++    0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a,
++    0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d
++};
++static const unsigned char aes_256_use_df_returnedbits[] = {
++    0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad,
++    0xfa, 0xfd, 0x35, 0x5e
++};
++
++
++/*
++ * AES-128 no df PR
++ */
++static const unsigned char aes_128_no_df_pr_entropyinput[] = {
++    0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4,
++    0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf,
++    0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a
++};
++static const unsigned char aes_128_no_df_pr_nonce[] = {
++    0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1,
++};
++static const unsigned char aes_128_no_df_pr_personalizationstring[] = {
++    0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c,
++    0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c,
++    0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8
++};
++static const unsigned char aes_128_no_df_pr_additionalinput[] = {
++    0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02,
++    0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73,
++    0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12
++};
++static const unsigned char aes_128_no_df_pr_entropyinputpr[] = {
++    0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a,
++    0xa9, 0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7,
++    0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e
++};
++static const unsigned char aes_128_no_df_pr_int_returnedbits[] = {
++    0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71,
++    0xaf, 0x19, 0x32, 0x16
++};
++static const unsigned char aes_128_no_df_pr_additionalinput2[] = {
++    0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f,
++    0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83,
++    0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50
++};
++static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = {
++    0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a,
++    0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07,
++    0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9
++};
++static const unsigned char aes_128_no_df_pr_returnedbits[] = {
++    0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33,
++    0x57, 0x82, 0x33, 0xaf
++};
++
++
++/*
++ * AES-128 no df no PR
++ */
++static const unsigned char aes_128_no_df_entropyinput[] = {
++    0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67,
++    0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42,
++    0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60
++};
++static const unsigned char aes_128_no_df_nonce[] = {
++    0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13,
++};
++static const unsigned char aes_128_no_df_personalizationstring[] = {
++    0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb,
++    0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b,
++    0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce
++};
++static const unsigned char aes_128_no_df_additionalinput[] = {
++    0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37,
++    0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24,
++    0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95
++};
++static const unsigned char aes_128_no_df_int_returnedbits[] = {
++    0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6,
++    0xed, 0x3e, 0x65, 0xc2
++};
++static const unsigned char aes_128_no_df_entropyinputreseed[] = {
++    0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66,
++    0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1,
++    0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00
++};
++static const unsigned char aes_128_no_df_additionalinputreseed[] = {
++    0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2,
++    0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4,
++    0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4
++};
++static const unsigned char aes_128_no_df_additionalinput2[] = {
++    0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f,
++    0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac,
++    0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6
++};
++static const unsigned char aes_128_no_df_returnedbits[] = {
++    0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36,
++    0x81, 0x37, 0x19, 0xd4
++};
++
++
++/*
++ * AES-192 no df PR
++ */
++static const unsigned char aes_192_no_df_pr_entropyinput[] = {
++    0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7,
++    0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61,
++    0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a,
++    0x17, 0x1f, 0x8d, 0x9a
++};
++static const unsigned char aes_192_no_df_pr_nonce[] = {
++    0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19,
++    0x61, 0x5c, 0xee, 0x0f
++};
++static const unsigned char aes_192_no_df_pr_personalizationstring[] = {
++    0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1,
++    0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4,
++    0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10,
++    0x57, 0x2e, 0xe7, 0x55
++};
++static const unsigned char aes_192_no_df_pr_additionalinput[] = {
++    0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad,
++    0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85,
++    0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f,
++    0xe2, 0xd0, 0x0c, 0x2f
++};
++static const unsigned char aes_192_no_df_pr_entropyinputpr[] = {
++    0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94,
++    0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb,
++    0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58,
++    0x1d, 0x30, 0xb3, 0x78
++};
++static const unsigned char aes_192_no_df_pr_int_returnedbits[] = {
++    0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40,
++    0x7e, 0x3e, 0x0c, 0x26
++};
++static const unsigned char aes_192_no_df_pr_additionalinput2[] = {
++    0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a,
++    0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57,
++    0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee,
++    0x0c, 0x4b, 0xee, 0x6e
++};
++static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = {
++    0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0,
++    0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f,
++    0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b,
++    0x8e, 0x0a, 0x83, 0xdf
++};
++static const unsigned char aes_192_no_df_pr_returnedbits[] = {
++    0x74, 0x45, 0xfb, 0x53, 0x84, 0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91,
++    0xb9, 0xa1, 0x21, 0x68
++};
++
++
++/*
++ * AES-192 no df no PR
++ */
++static const unsigned char aes_192_no_df_entropyinput[] = {
++    0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e,
++    0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe,
++    0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28,
++    0x94, 0xc3, 0x59, 0x63
++};
++static const unsigned char aes_192_no_df_nonce[] = {
++    0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb,
++    0x29, 0xfd, 0x45, 0x71
++};
++static const unsigned char aes_192_no_df_personalizationstring[] = {
++    0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08,
++    0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96,
++    0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b,
++    0x3b, 0x88, 0xce, 0x35
++};
++static const unsigned char aes_192_no_df_additionalinput[] = {
++    0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b,
++    0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71,
++    0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3,
++    0x3e, 0xbe, 0xd4, 0x8e
++};
++static const unsigned char aes_192_no_df_int_returnedbits[] = {
++    0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a,
++    0x45, 0xe7, 0x4a, 0xc5
++};
++static const unsigned char aes_192_no_df_entropyinputreseed[] = {
++    0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e,
++    0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1,
++    0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33,
++    0x9b, 0xcb, 0x7e, 0x75
++};
++static const unsigned char aes_192_no_df_additionalinputreseed[] = {
++    0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 0xc1, 0x01,
++    0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27,
++    0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40,
++    0x5d, 0x7a, 0x25, 0x79
++};
++static const unsigned char aes_192_no_df_additionalinput2[] = {
++    0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71,
++    0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5,
++    0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a,
++    0x91, 0x6a, 0xe3, 0x5f
++};
++static const unsigned char aes_192_no_df_returnedbits[] = {
++    0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8,
++    0x66, 0x67, 0x2c, 0x92
++};
++
++
++/*
++ * AES-256 no df PR
++ */
++static const unsigned char aes_256_no_df_pr_entropyinput[] = {
++    0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8,
++    0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2,
++    0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03,
++    0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c,
++};
++static const unsigned char aes_256_no_df_pr_nonce[] = {
++    0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30,
++    0xcc, 0x4b, 0xee, 0x2e
++};
++static const unsigned char aes_256_no_df_pr_personalizationstring[] = {
++    0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7,
++    0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b,
++    0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac,
++    0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06,
++};
++static const unsigned char aes_256_no_df_pr_additionalinput[] = {
++    0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40,
++    0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c,
++    0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69,
++    0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e,
++};
++static const unsigned char aes_256_no_df_pr_entropyinputpr[] = {
++    0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16,
++    0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc,
++    0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9,
++    0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f,
++};
++static const unsigned char aes_256_no_df_pr_int_returnedbits[] = {
++    0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56,
++    0x79, 0x60, 0x93, 0xcf
++};
++static const unsigned char aes_256_no_df_pr_additionalinput2[] = {
++    0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a,
++    0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35,
++    0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34,
++    0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb,
++};
++static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = {
++    0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3,
++    0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa,
++    0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83,
++    0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f,
++};
++static const unsigned char aes_256_no_df_pr_returnedbits[] = {
++    0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7,
++    0x2d, 0x5f, 0x4a, 0x46
++};
++
++
++/*
++ * AES-256 no df no PR
++ */
++static const unsigned char aes_256_no_df_entropyinput[] = {
++    0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3,
++    0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb,
++    0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 0x63, 0x5e, 0x96,
++    0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3,
++};
++static const unsigned char aes_256_no_df_nonce[] = {
++    0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99,
++    0x43, 0x96, 0xb9, 0xf0
++};
++static const unsigned char aes_256_no_df_personalizationstring[] = {
++    0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60,
++    0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc,
++    0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f,
++    0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d,
++};
++static const unsigned char aes_256_no_df_additionalinput[] = {
++    0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6,
++    0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9,
++    0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed,
++    0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17,
++};
++static const unsigned char aes_256_no_df_int_returnedbits[] = {
++    0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6,
++    0xd2, 0x25, 0x75, 0x0e
++};
++static const unsigned char aes_256_no_df_entropyinputreseed[] = {
++    0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b,
++    0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5,
++    0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed,
++    0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb,
++};
++static const unsigned char aes_256_no_df_additionalinputreseed[] = {
++    0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e,
++    0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18,
++    0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b,
++    0x62, 0x86, 0x64, 0xea, 0x2c, 0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29,
++};
++static const unsigned char aes_256_no_df_additionalinput2[] = {
++    0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe,
++    0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42,
++    0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba,
++    0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6,
++};
++static const unsigned char aes_256_no_df_returnedbits[] = {
++    0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67,
++    0xf6, 0x02, 0x32, 0xe2
++};
+Index: openssl-1.1.1l/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1l/crypto/fips/fips_post.c
+@@ -51,7 +51,6 @@
+ 
+ #include <openssl/crypto.h>
+ #include <openssl/rand.h>
+-#include <openssl/fips_rand.h>
+ #include <openssl/err.h>
+ #include <openssl/bio.h>
+ #include <openssl/hmac.h>
+Index: openssl-1.1.1l/crypto/rand/rand_lib.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/rand/rand_lib.c
++++ openssl-1.1.1l/crypto/rand/rand_lib.c
+@@ -18,7 +18,6 @@
+ #include "e_os.h"
+ #ifdef OPENSSL_FIPS
+ # include <openssl/fips.h>
+-# include <openssl/fips_rand.h>
+ #endif
+ 
+ #ifndef OPENSSL_NO_ENGINE
+Index: openssl-1.1.1l/crypto/fips/build.info
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/build.info
++++ openssl-1.1.1l/crypto/fips/build.info
+@@ -2,7 +2,7 @@ LIBS=../../libcrypto
+ SOURCE[../../libcrypto]=\
+         fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \
+         fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \
+-        fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
++        fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+         fips_dh_selftest.c fips_ers.c
+Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c
++++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c
+@@ -774,6 +774,7 @@ int FIPS_drbg_health_check(DRBG_CTX *dct
+     return rv;
+ }
+ 
++#if 0
+ int FIPS_selftest_drbg(void)
+ {
+     DRBG_CTX *dctx;
+@@ -798,6 +799,7 @@ int FIPS_selftest_drbg(void)
+     FIPS_drbg_free(dctx);
+     return rv;
+ }
++#endif
+ 
+ int FIPS_selftest_drbg_all(void)
+ {
+Index: openssl-1.1.1l/crypto/fips/fips.c
+===================================================================
+--- openssl-1.1.1l.orig/crypto/fips/fips.c
++++ openssl-1.1.1l/crypto/fips/fips.c
+@@ -50,7 +50,6 @@
+ #define _GNU_SOURCE
+ 
+ #include <openssl/rand.h>
+-#include <openssl/fips_rand.h>
+ #include <openssl/err.h>
+ #include <openssl/bio.h>
+ #include <openssl/hmac.h>
diff --git a/openssl-kdf-selftest.patch b/openssl-kdf-selftest.patch
new file mode 100644
index 0000000..d4eccb2
--- /dev/null
+++ b/openssl-kdf-selftest.patch
@@ -0,0 +1,131 @@
+Index: openssl-1.1.1m/crypto/fips/build.info
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/build.info
++++ openssl-1.1.1m/crypto/fips/build.info
+@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
+         fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \
+         fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+-        fips_dh_selftest.c fips_ers.c
++        fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c
+ 
+ PROGRAMS=\
+           fips_standalone_hmac
+Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+===================================================================
+--- /dev/null
++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+@@ -0,0 +1,64 @@
++/*
++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
++ * Copyright (c) 2018-2019, Oracle and/or its affiliates.  All rights reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License").  You may not use
++ * this file except in compliance with the License.  You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <string.h>
++#include <openssl/err.h>
++#include <openssl/fips.h>
++
++#include <openssl/evp.h>
++#include <openssl/kdf.h>
++
++#ifdef OPENSSL_FIPS
++int FIPS_selftest_pbkdf2(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[32];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
++        goto err;
++    }
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
++        goto err;
++    }
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
++            0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
++            0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
++            0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
++        };
++        if (memcmp(out, expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++
++err:
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
++#endif
+Index: openssl-1.1.1m/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1m/crypto/fips/fips_post.c
+@@ -104,6 +104,8 @@ int FIPS_selftest(void)
+         rv = 0;
+     if (!FIPS_selftest_ecdh())
+         rv = 0;
++    if (!FIPS_selftest_pbkdf2())
++        rv = 0;
+     return rv;
+ }
+ 
+Index: openssl-1.1.1m/include/crypto/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/crypto/fips.h
++++ openssl-1.1.1m/include/crypto/fips.h
+@@ -76,6 +76,7 @@ void FIPS_drbg_stick(int onoff);
+ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
++int FIPS_selftest_pbkdf2(void);
+ 
+ int fips_in_post(void);
+ 
+Index: openssl-1.1.1m/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/fips.h
++++ openssl-1.1.1m/include/openssl/fips.h
+@@ -124,6 +124,7 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_DSA                         112
+ # define FIPS_F_FIPS_SELFTEST_ECDSA                       133
+ # define FIPS_F_FIPS_SELFTEST_HMAC                        113
++# define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
+Index: openssl-1.1.1m/crypto/fips/fips_err.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_err.h
++++ openssl-1.1.1m/crypto/fips/fips_err.h
+@@ -111,6 +111,7 @@ static ERR_STRING_DATA FIPS_str_functs[]
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+     {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
diff --git a/openssl-kdf-ssh-selftest.patch b/openssl-kdf-ssh-selftest.patch
new file mode 100644
index 0000000..1df7a4f
--- /dev/null
+++ b/openssl-kdf-ssh-selftest.patch
@@ -0,0 +1,122 @@
+Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c
++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+@@ -101,4 +101,68 @@ err:
+     return ret;
+ }
+ 
++int FIPS_selftest_ssh(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[8];
++
++    /* Test data from NIST CAVS 14.1 test vectors */
++    const unsigned char key[] = {
++        0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a,
++        0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a,
++        0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa,
++        0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78,
++        0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2,
++        0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90,
++        0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80,
++        0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2,
++        0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08,
++        0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43,
++        0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14,
++        0x4e
++    };
++    const unsigned char xcghash[] = {
++        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
++        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
++        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
++    };
++    const unsigned char sessid[] = {
++        0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23,
++        0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7,
++        0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42
++    };
++    const unsigned char expected[sizeof(out)] = {
++        0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6
++    };
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL)
++        goto err;
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0)
++        goto err;
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0)
++        goto err;
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash,
++		     sizeof(xcghash)) <= 0)
++        goto err;
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, sessid,
++		     sizeof(sessid)) <= 0)
++        goto err;
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE,
++		     (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV) <= 0)
++        goto err;
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
++        goto err;
++    if (memcmp(out, expected, sizeof(expected)))
++	goto err;
++
++    ret = 1;
++
++ err:
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_SSH, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
+ #endif
+Index: openssl-1.1.1m/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1m/crypto/fips/fips_post.c
+@@ -108,6 +108,8 @@ int FIPS_selftest(void)
+         rv = 0;
+     if (!FIPS_selftest_tls())
+         rv = 0;
++    if (!FIPS_selftest_ssh())
++        rv = 0;
+ 
+     return rv;
+ }
+Index: openssl-1.1.1m/include/crypto/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/crypto/fips.h
++++ openssl-1.1.1m/include/crypto/fips.h
+@@ -78,6 +78,7 @@ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
+ int FIPS_selftest_pbkdf2(void);
+ int FIPS_selftest_tls(void);
++int FIPS_selftest_ssh(void);
+ 
+ int fips_in_post(void);
+ 
+Index: openssl-1.1.1m/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/fips.h
++++ openssl-1.1.1m/include/openssl/fips.h
+@@ -126,6 +126,7 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_HMAC                        113
+ # define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
+ # define FIPS_F_FIPS_SELFTEST_TLS                         153
++# define FIPS_F_FIPS_SELFTEST_SSH                         154
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
+Index: openssl-1.1.1m/crypto/fips/fips_err.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_err.h
++++ openssl-1.1.1m/crypto/fips/fips_err.h
+@@ -113,6 +113,7 @@ static ERR_STRING_DATA FIPS_str_functs[]
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+     {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
diff --git a/openssl-kdf-tls-selftest.patch b/openssl-kdf-tls-selftest.patch
new file mode 100644
index 0000000..f72ed73
--- /dev/null
+++ b/openssl-kdf-tls-selftest.patch
@@ -0,0 +1,99 @@
+Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c
++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c
+@@ -61,4 +61,44 @@ err:
+     return ret;
+ }
+ 
++int FIPS_selftest_tls(void)
++{
++    int ret = 0;
++    EVP_KDF_CTX *kctx;
++    unsigned char out[16];
++
++    if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL)
++        goto err;
++
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0)
++        goto err;
++
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
++                     "secret", (size_t)6) <= 0)
++        goto err;
++
++    if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0)
++        goto err;
++
++    if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0)
++        goto err;
++
++    {
++        const unsigned char expected[sizeof(out)] = {
++            0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
++            0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
++        };
++        if (memcmp(out, expected, sizeof(expected))) {
++            goto err;
++        }
++    }
++    ret = 1;
++
++err:
++    if (!ret)
++        FIPSerr(FIPS_F_FIPS_SELFTEST_TLS, FIPS_R_SELFTEST_FAILED);
++    EVP_KDF_CTX_free(kctx);
++    return ret;
++}
++
+ #endif
+Index: openssl-1.1.1m/crypto/fips/fips_post.c
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_post.c
++++ openssl-1.1.1m/crypto/fips/fips_post.c
+@@ -106,6 +106,9 @@ int FIPS_selftest(void)
+         rv = 0;
+     if (!FIPS_selftest_pbkdf2())
+         rv = 0;
++    if (!FIPS_selftest_tls())
++        rv = 0;
++
+     return rv;
+ }
+ 
+Index: openssl-1.1.1m/include/crypto/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/crypto/fips.h
++++ openssl-1.1.1m/include/crypto/fips.h
+@@ -77,6 +77,7 @@ int FIPS_selftest_hmac(void);
+ int FIPS_selftest_drbg(void);
+ int FIPS_selftest_cmac(void);
+ int FIPS_selftest_pbkdf2(void);
++int FIPS_selftest_tls(void);
+ 
+ int fips_in_post(void);
+ 
+Index: openssl-1.1.1m/include/openssl/fips.h
+===================================================================
+--- openssl-1.1.1m.orig/include/openssl/fips.h
++++ openssl-1.1.1m/include/openssl/fips.h
+@@ -125,6 +125,7 @@ extern "C" {
+ # define FIPS_F_FIPS_SELFTEST_ECDSA                       133
+ # define FIPS_F_FIPS_SELFTEST_HMAC                        113
+ # define FIPS_F_FIPS_SELFTEST_PBKDF2                      152
++# define FIPS_F_FIPS_SELFTEST_TLS                         153
+ # define FIPS_F_FIPS_SELFTEST_SHA1                        115
+ # define FIPS_F_FIPS_SELFTEST_SHA2                        105
+ # define FIPS_F_OSSL_ECDSA_SIGN_SIG                       143
+Index: openssl-1.1.1m/crypto/fips/fips_err.h
+===================================================================
+--- openssl-1.1.1m.orig/crypto/fips/fips_err.h
++++ openssl-1.1.1m/crypto/fips/fips_err.h
+@@ -112,6 +112,7 @@ static ERR_STRING_DATA FIPS_str_functs[]
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"},
++    {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"},
+     {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"},
+     {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"},
diff --git a/openssl-no-date.patch b/openssl-no-date.patch
new file mode 100644
index 0000000..ad461cf
--- /dev/null
+++ b/openssl-no-date.patch
@@ -0,0 +1,13 @@
+Index: openssl-1.1.1-pre1/util/mkbuildinf.pl
+===================================================================
+--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl	2018-02-13 16:31:28.011389734 +0100
++++ openssl-1.1.1-pre1/util/mkbuildinf.pl	2018-02-13 16:31:51.539764582 +0100
+@@ -28,7 +28,7 @@ print <<"END_OUTPUT";
+  */
+ 
+ #define PLATFORM "platform: $platform"
+-#define DATE "built on: $date"
++#define DATE ""
+ 
+ /*
+  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch
new file mode 100644
index 0000000..175fe30
--- /dev/null
+++ b/openssl-pkgconfig.patch
@@ -0,0 +1,22 @@
+Index: openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl
+===================================================================
+--- openssl-1.1.1-pre3.orig/Configurations/unix-Makefile.tmpl	2018-03-20 15:20:03.037124698 +0100
++++ openssl-1.1.1-pre3/Configurations/unix-Makefile.tmpl	2018-03-20 15:21:04.206084731 +0100
+@@ -843,7 +843,7 @@ libcrypto.pc:
+ 	    echo 'Version: '$(VERSION); \
+ 	    echo 'Libs: -L$${libdir} -lcrypto'; \
+ 	    echo 'Libs.private: $(LIB_EX_LIBS)'; \
+-	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
++	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc
+ 
+ libssl.pc:
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -860,7 +860,7 @@ libssl.pc:
+ 	    echo 'Version: '$(VERSION); \
+ 	    echo 'Requires.private: libcrypto'; \
+ 	    echo 'Libs: -L$${libdir} -lssl'; \
+-	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
++	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc
+ 
+ openssl.pc:
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \
diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch
new file mode 100644
index 0000000..26ca2e9
--- /dev/null
+++ b/openssl-ppc64-config.patch
@@ -0,0 +1,18 @@
+Index: openssl-1.1.1-pre3/config
+===================================================================
+--- openssl-1.1.1-pre3.orig/config	2018-03-20 15:24:38.037441210 +0100
++++ openssl-1.1.1-pre3/config	2018-03-20 15:26:20.163043492 +0100
+@@ -552,12 +552,7 @@ case "$GUESSOS" in
+ 	    OUT="linux-ppc64"
+ 	else
+ 	    OUT="linux-ppc"
+-	    if (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null); then
+-		:;
+-	    else
+-		__CNF_CFLAGS="$__CNF_CFLAGS -m32"
+-		__CNF_CXXFLAGS="$__CNF_CXXFLAGS -m32"
+-	    fi
++	    (echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || OUT="linux-ppc64"
+ 	fi
+ 	;;
+   ppc64le-*-linux2) OUT="linux-ppc64le" ;;
diff --git a/openssl-s390x-assembly-pack-accelerate-ECDSA.patch b/openssl-s390x-assembly-pack-accelerate-ECDSA.patch
new file mode 100644
index 0000000..23e0b97
--- /dev/null
+++ b/openssl-s390x-assembly-pack-accelerate-ECDSA.patch
@@ -0,0 +1,281 @@
+From 58c35587eacba090414522a6506cb86f2d0e91af Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Thu, 11 Jul 2019 10:38:18 +0200
+Subject: [PATCH 09206/10000] s390x assembly pack: accelerate ECDSA
+
+for NIST P-256, P-384 and P-521 using KDSA instruction.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9348)
+---
+ crypto/ec/ecp_s390x_nistp.c | 202 +++++++++++++++++++++++++++++++++++-
+ crypto/err/openssl.txt      |   2 +
+ 2 files changed, 200 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
+index 0b03d7fd04..be81f0b8f0 100644
+--- a/crypto/ec/ecp_s390x_nistp.c
++++ b/crypto/ec/ecp_s390x_nistp.c
+@@ -10,6 +10,7 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <openssl/err.h>
++#include <openssl/rand.h>
+ #include "ec_local.h"
+ #include "s390x_arch.h"
+ 
+@@ -28,6 +29,15 @@
+ #define S390X_OFF_SRC_Y(n)              (3 * n)
+ #define S390X_OFF_SCALAR(n)             (4 * n)
+ 
++/* Offsets of fields in KDSA parameter blocks */
++#define S390X_OFF_R(n)                  (0 * n)
++#define S390X_OFF_S(n)                  (1 * n)
++#define S390X_OFF_H(n)                  (2 * n)
++#define S390X_OFF_K(n)                  (3 * n)
++#define S390X_OFF_X(n)                  (3 * n)
++#define S390X_OFF_RN(n)                 (4 * n)
++#define S390X_OFF_Y(n)                  (4 * n)
++
+ static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r,
+                                   const BIGNUM *scalar,
+                                   size_t num, const EC_POINT *points[],
+@@ -106,6 +116,163 @@ ret:
+     return rc;
+ }
+ 
++static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
++                                             int dgstlen,
++                                             const BIGNUM *kinv,
++                                             const BIGNUM *r,
++                                             EC_KEY *eckey,
++                                             unsigned int fc, int len)
++{
++    unsigned char param[S390X_SIZE_PARAM];
++    int ok = 0;
++    BIGNUM *k;
++    ECDSA_SIG *sig;
++    const EC_GROUP *group;
++    const BIGNUM *privkey;
++    int off;
++
++    group = EC_KEY_get0_group(eckey);
++    privkey = EC_KEY_get0_private_key(eckey);
++    if (group == NULL || privkey == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, EC_R_MISSING_PARAMETERS);
++        return NULL;
++    }
++
++    if (!EC_KEY_can_sign(eckey)) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
++              EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++        return NULL;
++    }
++
++    k = BN_secure_new();
++    sig = ECDSA_SIG_new();
++    if (k == NULL || sig == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        goto ret;
++    }
++
++    sig->r = BN_new();
++    sig->s = BN_new();
++    if (sig->r == NULL || sig->s == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_MALLOC_FAILURE);
++        goto ret;
++    }
++
++    memset(param, 0, sizeof(param));
++    off = len - (dgstlen > len ? len : dgstlen);
++    memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
++
++    if (BN_bn2binpad(privkey, param + S390X_OFF_K(len), len) == -1) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++        goto ret;
++    }
++
++    if (r == NULL || kinv == NULL) {
++        /*
++         * Generate random k and copy to param param block. RAND_priv_bytes
++         * is used instead of BN_priv_rand_range or BN_generate_dsa_nonce
++         * because kdsa instruction constructs an in-range, invertible nonce
++         * internally implementing counter-measures for RNG weakness.
++         */
++         if (RAND_priv_bytes(param + S390X_OFF_RN(len), len) != 1) {
++             ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG,
++                   EC_R_RANDOM_NUMBER_GENERATION_FAILED);
++             goto ret;
++         }
++    } else {
++        /* Reconstruct k = (k^-1)^-1. */
++        if (ec_group_do_inverse_ord(group, k, kinv, NULL) == 0
++            || BN_bn2binpad(k, param + S390X_OFF_RN(len), len) == -1) {
++            ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++            goto ret;
++        }
++        /* Turns KDSA internal nonce-generation off. */
++        fc |= S390X_KDSA_D;
++    }
++
++    if (s390x_kdsa(fc, param, NULL, 0) != 0) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_ECDSA_LIB);
++        goto ret;
++    }
++
++    if (BN_bin2bn(param + S390X_OFF_R(len), len, sig->r) == NULL
++        || BN_bin2bn(param + S390X_OFF_S(len), len, sig->s) == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_SIGN_SIG, ERR_R_BN_LIB);
++        goto ret;
++    }
++
++    ok = 1;
++ret:
++    OPENSSL_cleanse(param, sizeof(param));
++    if (ok != 1) {
++        ECDSA_SIG_free(sig);
++        sig = NULL;
++    }
++    BN_clear_free(k);
++    return sig;
++}
++
++static int ecdsa_s390x_nistp_verify_sig(const unsigned char *dgst, int dgstlen,
++                                        const ECDSA_SIG *sig, EC_KEY *eckey,
++                                        unsigned int fc, int len)
++{
++    unsigned char param[S390X_SIZE_PARAM];
++    int rc = -1;
++    BN_CTX *ctx;
++    BIGNUM *x, *y;
++    const EC_GROUP *group;
++    const EC_POINT *pubkey;
++    int off;
++
++    group = EC_KEY_get0_group(eckey);
++    pubkey = EC_KEY_get0_public_key(eckey);
++    if (eckey == NULL || group == NULL || pubkey == NULL || sig == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, EC_R_MISSING_PARAMETERS);
++        return -1;
++    }
++
++    if (!EC_KEY_can_sign(eckey)) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG,
++              EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING);
++        return -1;
++    }
++
++    ctx = BN_CTX_new();
++    if (ctx == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++        return -1;
++    }
++
++    BN_CTX_start(ctx);
++
++    x = BN_CTX_get(ctx);
++    y = BN_CTX_get(ctx);
++    if (x == NULL || y == NULL) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_MALLOC_FAILURE);
++        goto ret;
++    }
++
++    memset(param, 0, sizeof(param));
++    off = len - (dgstlen > len ? len : dgstlen);
++    memcpy(param + S390X_OFF_H(len) + off, dgst, len - off);
++
++    if (group->meth->point_get_affine_coordinates(group, pubkey,
++                                                  x, y, ctx) != 1
++        || BN_bn2binpad(sig->r, param + S390X_OFF_R(len), len) == -1
++        || BN_bn2binpad(sig->s, param + S390X_OFF_S(len), len) == -1
++        || BN_bn2binpad(x, param + S390X_OFF_X(len), len) == -1
++        || BN_bn2binpad(y, param + S390X_OFF_Y(len), len) == -1) {
++        ECerr(EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, ERR_R_BN_LIB);
++        goto ret;
++    }
++
++    rc = s390x_kdsa(fc, param, NULL, 0) == 0 ? 1 : 0;
++ret:
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++    return rc;
++}
++
+ #define EC_GFP_S390X_NISTP_METHOD(bits)                                 \
+                                                                         \
+ static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group,        \
+@@ -122,6 +289,29 @@ static int ec_GFp_s390x_nistp##bits##_mul(const EC_GROUP *group,        \
+                                   S390X_SIZE_P##bits);                  \
+ }                                                                       \
+                                                                         \
++static ECDSA_SIG *ecdsa_s390x_nistp##bits##_sign_sig(const unsigned     \
++                                                     char *dgst,        \
++                                                     int dgstlen,       \
++                                                     const BIGNUM *kinv,\
++                                                     const BIGNUM *r,   \
++                                                     EC_KEY *eckey)     \
++{                                                                       \
++    return ecdsa_s390x_nistp_sign_sig(dgst, dgstlen, kinv, r, eckey,    \
++                                      S390X_ECDSA_SIGN_P##bits,         \
++                                      S390X_SIZE_P##bits);              \
++}                                                                       \
++                                                                        \
++static int ecdsa_s390x_nistp##bits##_verify_sig(const                   \
++                                                unsigned char *dgst,    \
++                                                int dgstlen,            \
++                                                const ECDSA_SIG *sig,   \
++                                                EC_KEY *eckey)          \
++{                                                                       \
++    return ecdsa_s390x_nistp_verify_sig(dgst, dgstlen, sig, eckey,      \
++                                        S390X_ECDSA_VERIFY_P##bits,     \
++                                        S390X_SIZE_P##bits);            \
++}                                                                       \
++                                                                        \
+ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
+ {                                                                       \
+     static const EC_METHOD EC_GFp_s390x_nistp##bits##_meth = {          \
+@@ -176,8 +366,8 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
+         NULL, /* keyfinish */                                           \
+         ecdh_simple_compute_key,                                        \
+         ecdsa_simple_sign_setup,                                        \
+-        ecdsa_simple_sign_sig,                                          \
+-        ecdsa_simple_verify_sig,                                        \
++        ecdsa_s390x_nistp##bits##_sign_sig,                             \
++        ecdsa_s390x_nistp##bits##_verify_sig,                           \
+         NULL, /* field_inverse_mod_ord */                               \
+         ec_GFp_simple_blind_coordinates,                                \
+         ec_GFp_simple_ladder_pre,                                       \
+@@ -186,8 +376,12 @@ const EC_METHOD *EC_GFp_s390x_nistp##bits##_method(void)                \
+     };                                                                  \
+     static const EC_METHOD *ret;                                        \
+                                                                         \
+-    if (OPENSSL_s390xcap_P.pcc[1]                                       \
+-        & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits))                  \
++    if ((OPENSSL_s390xcap_P.pcc[1]                                      \
++         & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P##bits))                 \
++        && (OPENSSL_s390xcap_P.kdsa[0]                                  \
++            & S390X_CAPBIT(S390X_ECDSA_VERIFY_P##bits))                 \
++        && (OPENSSL_s390xcap_P.kdsa[0]                                  \
++            & S390X_CAPBIT(S390X_ECDSA_SIGN_P##bits)))                  \
+         ret = &EC_GFp_s390x_nistp##bits##_meth;                         \
+     else                                                                \
+         ret = EC_GFp_mont_method();                                     \
+diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
+index 035bd729f3..5d5981035c 100644
+--- a/crypto/err/openssl.txt
++++ b/crypto/err/openssl.txt
+@@ -554,6 +554,8 @@ EC_F_ECDSA_VERIFY:253:ECDSA_verify
+ EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup
+ EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig
+ EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig
++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig
++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig
+ EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify
+ EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type
+ EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode
+-- 
+2.24.0
+
diff --git a/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch b/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
new file mode 100644
index 0000000..6c3f6d4
--- /dev/null
+++ b/openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch
@@ -0,0 +1,1467 @@
+From 19bd1fa1ef17ff0ac071402cb6b002f1c29e37b9 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Thu, 19 Sep 2019 15:31:27 +0200
+Subject: [PATCH] s390x assembly pack: accelerate X25519, X448, Ed25519 and
+ Ed448
+
+using PCC and KDSA instructions.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/10004)
+---
+ CHANGES                           |   4 +
+ crypto/dh/dh_pmeth.c              |  14 +-
+ crypto/dsa/dsa_pmeth.c            |   7 +-
+ crypto/ec/build.info              |   2 +-
+ crypto/ec/ec_curve.c              |  12 +-
+ crypto/ec/ec_local.h                |   2 +-
+ crypto/ec/ec_pmeth.c              |   7 +-
+ crypto/ec/ecx_meth.c              | 672 +++++++++++++++++++++++++++++-
+ crypto/err/openssl.txt            |   6 +
+ crypto/evp/pkey_kdf.c             |  20 +-
+ crypto/evp/pkey_mac.c             |  28 +-
+ crypto/evp/pmeth_lib.c            |  65 +--
+ include/crypto/evp.h |  37 +-
+ crypto/rsa/rsa_pmeth.c            |  14 +-
+ crypto/s390x_arch.h               |  11 +
+ crypto/s390xcap.c                 |  12 +-
+ crypto/s390xcpuid.pl              |  56 +++
+ crypto/sm2/sm2_pmeth.c            |   7 +-
+ doc/man3/OPENSSL_s390xcap.pod     |   8 +
+ include/openssl/ecerr.h           |   6 +
+ 20 files changed, 914 insertions(+), 76 deletions(-)
+
+Index: openssl-1.1.1d/crypto/dh/dh_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/dh/dh_pmeth.c
++++ openssl-1.1.1d/crypto/dh/dh_pmeth.c
+@@ -478,7 +478,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX *
+     return 0;
+ }
+ 
+-const EVP_PKEY_METHOD dh_pkey_meth = {
++static const EVP_PKEY_METHOD dh_pkey_meth = {
+     EVP_PKEY_DH,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_dh_init,
+@@ -512,7 +512,12 @@ const EVP_PKEY_METHOD dh_pkey_meth = {
+     pkey_dh_ctrl_str
+ };
+ 
+-const EVP_PKEY_METHOD dhx_pkey_meth = {
++const EVP_PKEY_METHOD *dh_pkey_method(void)
++{
++    return &dh_pkey_meth;
++}
++
++static const EVP_PKEY_METHOD dhx_pkey_meth = {
+     EVP_PKEY_DHX,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_dh_init,
+@@ -545,3 +550,8 @@ const EVP_PKEY_METHOD dhx_pkey_meth = {
+     pkey_dh_ctrl,
+     pkey_dh_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *dhx_pkey_method(void)
++{
++    return &dhx_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/dsa/dsa_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/dsa/dsa_pmeth.c
++++ openssl-1.1.1d/crypto/dsa/dsa_pmeth.c
+@@ -243,7 +243,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX
+     return DSA_generate_key(pkey->pkey.dsa);
+ }
+ 
+-const EVP_PKEY_METHOD dsa_pkey_meth = {
++static const EVP_PKEY_METHOD dsa_pkey_meth = {
+     EVP_PKEY_DSA,
+     EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_dsa_init,
+@@ -275,3 +275,8 @@ const EVP_PKEY_METHOD dsa_pkey_meth = {
+     pkey_dsa_ctrl,
+     pkey_dsa_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *dsa_pkey_method(void)
++{
++    return &dsa_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/ec/ec_curve.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ec_curve.c
++++ openssl-1.1.1d/crypto/ec/ec_curve.c
+@@ -2830,7 +2830,7 @@ static const ec_list_element curve_list[
+      "SECG curve over a 256 bit prime field"},
+     /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+     {NID_secp384r1, &_EC_NIST_PRIME_384.h,
+-# if defined(S390X_NISTP_ASM)
++# if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp384_method,
+ # else
+      0,
+@@ -2838,7 +2838,7 @@ static const ec_list_element curve_list[
+      "NIST/SECG curve over a 384 bit prime field"},
+ 
+      {NID_secp521r1, &_EC_NIST_PRIME_521.h,
+-# if defined(S390X_NISTP_ASM)
++# if defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp521_method,
+ # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+      EC_GFp_nistp521_method,
+@@ -2863,7 +2863,7 @@ static const ec_list_element curve_list[
+     {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
+ #if defined(ECP_NISTZ256_ASM)
+      EC_GFp_nistz256_method,
+-# elif defined(S390X_NISTP_ASM)
++# elif defined(S390X_EC_ASM)
+      EC_GFp_s390x_nistp256_method,
+ #elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
+      EC_GFp_nistp256_method,
+Index: openssl-1.1.1d/crypto/ec/ec_local.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ec_local.h
++++ openssl-1.1.1d/crypto/ec/ec_local.h
+@@ -595,7 +595,7 @@ int ec_group_simple_order_bits(const EC_
+  */
+ const EC_METHOD *EC_GFp_nistz256_method(void);
+ #endif
+-#ifdef S390X_NISTP_ASM
++#ifdef S390X_EC_ASM
+ const EC_METHOD *EC_GFp_s390x_nistp256_method(void);
+ const EC_METHOD *EC_GFp_s390x_nistp384_method(void);
+ const EC_METHOD *EC_GFp_s390x_nistp521_method(void);
+Index: openssl-1.1.1d/crypto/ec/ec_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ec_pmeth.c
++++ openssl-1.1.1d/crypto/ec/ec_pmeth.c
+@@ -436,7 +436,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX *
+     return ret ? EC_KEY_generate_key(ec) : 0;
+ }
+ 
+-const EVP_PKEY_METHOD ec_pkey_meth = {
++static const EVP_PKEY_METHOD ec_pkey_meth = {
+     EVP_PKEY_EC,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_ec_init,
+@@ -474,3 +474,8 @@ const EVP_PKEY_METHOD ec_pkey_meth = {
+     pkey_ec_ctrl,
+     pkey_ec_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *ec_pkey_method(void)
++{
++    return &ec_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/ec/ecx_meth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c
++++ openssl-1.1.1d/crypto/ec/ecx_meth.c
+@@ -715,7 +715,7 @@ static int pkey_ecx_ctrl(EVP_PKEY_CTX *c
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD ecx25519_pkey_meth = {
++static const EVP_PKEY_METHOD ecx25519_pkey_meth = {
+     EVP_PKEY_X25519,
+     0, 0, 0, 0, 0, 0, 0,
+     pkey_ecx_keygen,
+@@ -725,7 +725,7 @@ const EVP_PKEY_METHOD ecx25519_pkey_meth
+     0
+ };
+ 
+-const EVP_PKEY_METHOD ecx448_pkey_meth = {
++static const EVP_PKEY_METHOD ecx448_pkey_meth = {
+     EVP_PKEY_X448,
+     0, 0, 0, 0, 0, 0, 0,
+     pkey_ecx_keygen,
+@@ -818,7 +818,7 @@ static int pkey_ecd_ctrl(EVP_PKEY_CTX *c
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD ed25519_pkey_meth = {
++static const EVP_PKEY_METHOD ed25519_pkey_meth = {
+     EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+     0, 0, 0, 0, 0, 0,
+     pkey_ecx_keygen,
+@@ -829,7 +829,7 @@ const EVP_PKEY_METHOD ed25519_pkey_meth
+     pkey_ecd_digestverify25519
+ };
+ 
+-const EVP_PKEY_METHOD ed448_pkey_meth = {
++static const EVP_PKEY_METHOD ed448_pkey_meth = {
+     EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
+     0, 0, 0, 0, 0, 0,
+     pkey_ecx_keygen,
+@@ -839,3 +839,667 @@ const EVP_PKEY_METHOD ed448_pkey_meth =
+     pkey_ecd_digestsign448,
+     pkey_ecd_digestverify448
+ };
++
++#ifdef S390X_EC_ASM
++# include "s390x_arch.h"
++
++static void s390x_x25519_mod_p(unsigned char u[32])
++{
++    unsigned char u_red[32];
++    unsigned int c = 0;
++    int i;
++
++    memcpy(u_red, u, sizeof(u_red));
++
++    c += (unsigned int)u_red[31] + 19;
++    u_red[31] = (unsigned char)c;
++    c >>= 8;
++
++    for (i = 30; c > 0 && i >= 0; i--) {
++        c += (unsigned int)u_red[i];
++        u_red[i] = (unsigned char)c;
++        c >>= 8;
++    }
++
++    if (u_red[0] & 0x80) {
++        u_red[0] &= 0x7f;
++        memcpy(u, u_red, sizeof(u_red));
++    }
++}
++
++static void s390x_x448_mod_p(unsigned char u[56])
++{
++    unsigned char u_red[56];
++    unsigned int c = 0;
++    int i;
++
++    memcpy(u_red, u, sizeof(u_red));
++
++    c += (unsigned int)u_red[55] + 1;
++    u_red[55] = (unsigned char)c;
++    c >>= 8;
++
++    for (i = 54; i >= 28; i--) {
++        c += (unsigned int)u_red[i];
++        u_red[i] = (unsigned char)c;
++        c >>= 8;
++    }
++
++    c += (unsigned int)u_red[27] + 1;
++    u_red[27] = (unsigned char)c;
++    c >>= 8;
++
++    for (i = 26; c > 0 && i >= 0; i--) {
++        c += (unsigned int)u_red[i];
++        u_red[i] = (unsigned char)c;
++        c >>= 8;
++    }
++
++    if (u_red[0] & 0x80) {
++        u_red[0] &= 0x7f;
++        memcpy(u, u_red, sizeof(u_red));
++    }
++}
++
++static int s390x_x25519_mul(unsigned char u_dst[32],
++                            const unsigned char u_src[32],
++                            const unsigned char d_src[32])
++{
++    union {
++        struct {
++            unsigned char u_dst[32];
++            unsigned char u_src[32];
++            unsigned char d_src[32];
++        } x25519;
++        unsigned long long buff[512];
++    } param;
++    int rc;
++
++    memset(&param, 0, sizeof(param));
++
++    s390x_flip_endian32(param.x25519.u_src, u_src);
++    param.x25519.u_src[0] &= 0x7f;
++    s390x_x25519_mod_p(param.x25519.u_src);
++
++    s390x_flip_endian32(param.x25519.d_src, d_src);
++    param.x25519.d_src[31] &= 248;
++    param.x25519.d_src[0] &= 127;
++    param.x25519.d_src[0] |= 64;
++
++    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X25519, &param.x25519) ? 0 : 1;
++    if (rc == 1)
++        s390x_flip_endian32(u_dst, param.x25519.u_dst);
++
++    OPENSSL_cleanse(param.x25519.d_src, sizeof(param.x25519.d_src));
++    return rc;
++}
++
++static int s390x_x448_mul(unsigned char u_dst[56],
++                          const unsigned char u_src[56],
++                          const unsigned char d_src[56])
++{
++    union {
++        struct {
++            unsigned char u_dst[64];
++            unsigned char u_src[64];
++            unsigned char d_src[64];
++        } x448;
++        unsigned long long buff[512];
++    } param;
++    int rc;
++
++    memset(&param, 0, sizeof(param));
++
++    memcpy(param.x448.u_src, u_src, 56);
++    memcpy(param.x448.d_src, d_src, 56);
++
++    s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
++    s390x_x448_mod_p(param.x448.u_src);
++
++    s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
++    param.x448.d_src[63] &= 252;
++    param.x448.d_src[8] |= 128;
++
++    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_X448, &param.x448) ? 0 : 1;
++    if (rc == 1) {
++        s390x_flip_endian64(param.x448.u_dst, param.x448.u_dst);
++        memcpy(u_dst, param.x448.u_dst, 56);
++    }
++
++    OPENSSL_cleanse(param.x448.d_src, sizeof(param.x448.d_src));
++    return rc;
++}
++
++static int s390x_ed25519_mul(unsigned char x_dst[32],
++                             unsigned char y_dst[32],
++                             const unsigned char x_src[32],
++                             const unsigned char y_src[32],
++                             const unsigned char d_src[32])
++{
++    union {
++        struct {
++            unsigned char x_dst[32];
++            unsigned char y_dst[32];
++            unsigned char x_src[32];
++            unsigned char y_src[32];
++            unsigned char d_src[32];
++        } ed25519;
++        unsigned long long buff[512];
++    } param;
++    int rc;
++
++    memset(&param, 0, sizeof(param));
++
++    s390x_flip_endian32(param.ed25519.x_src, x_src);
++    s390x_flip_endian32(param.ed25519.y_src, y_src);
++    s390x_flip_endian32(param.ed25519.d_src, d_src);
++
++    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED25519, &param.ed25519) ? 0 : 1;
++    if (rc == 1) {
++        s390x_flip_endian32(x_dst, param.ed25519.x_dst);
++        s390x_flip_endian32(y_dst, param.ed25519.y_dst);
++    }
++
++    OPENSSL_cleanse(param.ed25519.d_src, sizeof(param.ed25519.d_src));
++    return rc;
++}
++
++static int s390x_ed448_mul(unsigned char x_dst[57],
++                           unsigned char y_dst[57],
++                           const unsigned char x_src[57],
++                           const unsigned char y_src[57],
++                           const unsigned char d_src[57])
++{
++    union {
++        struct {
++            unsigned char x_dst[64];
++            unsigned char y_dst[64];
++            unsigned char x_src[64];
++            unsigned char y_src[64];
++            unsigned char d_src[64];
++        } ed448;
++        unsigned long long buff[512];
++    } param;
++    int rc;
++
++    memset(&param, 0, sizeof(param));
++
++    memcpy(param.ed448.x_src, x_src, 57);
++    memcpy(param.ed448.y_src, y_src, 57);
++    memcpy(param.ed448.d_src, d_src, 57);
++    s390x_flip_endian64(param.ed448.x_src, param.ed448.x_src);
++    s390x_flip_endian64(param.ed448.y_src, param.ed448.y_src);
++    s390x_flip_endian64(param.ed448.d_src, param.ed448.d_src);
++
++    rc = s390x_pcc(S390X_SCALAR_MULTIPLY_ED448, &param.ed448) ? 0 : 1;
++    if (rc == 1) {
++        s390x_flip_endian64(param.ed448.x_dst, param.ed448.x_dst);
++        s390x_flip_endian64(param.ed448.y_dst, param.ed448.y_dst);
++        memcpy(x_dst, param.ed448.x_dst, 57);
++        memcpy(y_dst, param.ed448.y_dst, 57);
++    }
++
++    OPENSSL_cleanse(param.ed448.d_src, sizeof(param.ed448.d_src));
++    return rc;
++}
++
++static int s390x_pkey_ecx_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++    static const unsigned char generator[] = {
++        0x09, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
++    };
++    ECX_KEY *key;
++    unsigned char *privkey = NULL, *pubkey;
++
++    key = OPENSSL_zalloc(sizeof(*key));
++    if (key == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    pubkey = key->pubkey;
++
++    privkey = key->privkey = OPENSSL_secure_malloc(X25519_KEYLEN);
++    if (privkey == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    if (RAND_priv_bytes(privkey, X25519_KEYLEN) <= 0)
++        goto err;
++
++    privkey[0] &= 248;
++    privkey[31] &= 127;
++    privkey[31] |= 64;
++
++    if (s390x_x25519_mul(pubkey, generator, privkey) != 1)
++        goto err;
++
++    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++    return 1;
++ err:
++    OPENSSL_secure_clear_free(privkey, X25519_KEYLEN);
++    key->privkey = NULL;
++    OPENSSL_free(key);
++    return 0;
++}
++
++static int s390x_pkey_ecx_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++    static const unsigned char generator[] = {
++        0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
++        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
++    };
++    ECX_KEY *key;
++    unsigned char *privkey = NULL, *pubkey;
++
++    key = OPENSSL_zalloc(sizeof(*key));
++    if (key == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    pubkey = key->pubkey;
++
++    privkey = key->privkey = OPENSSL_secure_malloc(X448_KEYLEN);
++    if (privkey == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECX_KEYGEN448, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    if (RAND_priv_bytes(privkey, X448_KEYLEN) <= 0)
++        goto err;
++
++    privkey[0] &= 252;
++    privkey[55] |= 128;
++
++    if (s390x_x448_mul(pubkey, generator, privkey) != 1)
++        goto err;
++
++    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++    return 1;
++ err:
++    OPENSSL_secure_clear_free(privkey, X448_KEYLEN);
++    key->privkey = NULL;
++    OPENSSL_free(key);
++    return 0;
++}
++
++static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++    static const unsigned char generator_x[] = {
++        0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95,
++        0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0,
++        0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21
++    };
++    static const unsigned char generator_y[] = {
++        0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
++    };
++    unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
++    ECX_KEY *key;
++    unsigned char *privkey = NULL, *pubkey;
++
++    key = OPENSSL_zalloc(sizeof(*key));
++    if (key == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    pubkey = key->pubkey;
++
++    privkey = key->privkey = OPENSSL_secure_malloc(ED25519_KEYLEN);
++    if (privkey == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN25519, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
++        goto err;
++
++    SHA512(privkey, 32, buff);
++    buff[0] &= 248;
++    buff[31] &= 63;
++    buff[31] |= 64;
++
++    if (s390x_ed25519_mul(x_dst, pubkey,
++                          generator_x, generator_y, buff) != 1)
++        goto err;
++
++    pubkey[31] |= ((x_dst[0] & 0x01) << 7);
++
++    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++    return 1;
++ err:
++    OPENSSL_secure_clear_free(privkey, ED25519_KEYLEN);
++    key->privkey = NULL;
++    OPENSSL_free(key);
++    return 0;
++}
++
++static int s390x_pkey_ecd_keygen448(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
++{
++    static const unsigned char generator_x[] = {
++        0x5e, 0xc0, 0x0c, 0xc7, 0x2b, 0xa8, 0x26, 0x26, 0x8e, 0x93, 0x00, 0x8b,
++        0xe1, 0x80, 0x3b, 0x43, 0x11, 0x65, 0xb6, 0x2a, 0xf7, 0x1a, 0xae, 0x12,
++        0x64, 0xa4, 0xd3, 0xa3, 0x24, 0xe3, 0x6d, 0xea, 0x67, 0x17, 0x0f, 0x47,
++        0x70, 0x65, 0x14, 0x9e, 0xda, 0x36, 0xbf, 0x22, 0xa6, 0x15, 0x1d, 0x22,
++        0xed, 0x0d, 0xed, 0x6b, 0xc6, 0x70, 0x19, 0x4f, 0x00
++    };
++    static const unsigned char generator_y[] = {
++        0x14, 0xfa, 0x30, 0xf2, 0x5b, 0x79, 0x08, 0x98, 0xad, 0xc8, 0xd7, 0x4e,
++        0x2c, 0x13, 0xbd, 0xfd, 0xc4, 0x39, 0x7c, 0xe6, 0x1c, 0xff, 0xd3, 0x3a,
++        0xd7, 0xc2, 0xa0, 0x05, 0x1e, 0x9c, 0x78, 0x87, 0x40, 0x98, 0xa3, 0x6c,
++        0x73, 0x73, 0xea, 0x4b, 0x62, 0xc7, 0xc9, 0x56, 0x37, 0x20, 0x76, 0x88,
++        0x24, 0xbc, 0xb6, 0x6e, 0x71, 0x46, 0x3f, 0x69, 0x00
++    };
++    unsigned char x_dst[57], buff[114];
++    ECX_KEY *key;
++    unsigned char *privkey = NULL, *pubkey;
++    EVP_MD_CTX *hashctx = NULL;
++
++    key = OPENSSL_zalloc(sizeof(*key));
++    if (key == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    pubkey = key->pubkey;
++
++    privkey = key->privkey = OPENSSL_secure_malloc(ED448_KEYLEN);
++    if (privkey == NULL) {
++        ECerr(EC_F_S390X_PKEY_ECD_KEYGEN448, ERR_R_MALLOC_FAILURE);
++        goto err;
++    }
++
++    if (RAND_priv_bytes(privkey, ED448_KEYLEN) <= 0)
++        goto err;
++
++    hashctx = EVP_MD_CTX_new();
++    if (hashctx == NULL)
++        goto err;
++    if (EVP_DigestInit_ex(hashctx, EVP_shake256(), NULL) != 1)
++        goto err;
++    if (EVP_DigestUpdate(hashctx, privkey, 57) != 1)
++        goto err;
++    if (EVP_DigestFinalXOF(hashctx, buff, sizeof(buff)) != 1)
++        goto err;
++
++    buff[0] &= -4;
++    buff[55] |= 0x80;
++    buff[56] = 0;
++
++    if (s390x_ed448_mul(x_dst, pubkey,
++                        generator_x, generator_y, buff) != 1)
++        goto err;
++
++    pubkey[56] |= ((x_dst[0] & 0x01) << 7);
++
++    EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, key);
++    EVP_MD_CTX_free(hashctx);
++    return 1;
++ err:
++    OPENSSL_secure_clear_free(privkey, ED448_KEYLEN);
++    key->privkey = NULL;
++    OPENSSL_free(key);
++    EVP_MD_CTX_free(hashctx);
++    return 0;
++}
++
++static int s390x_pkey_ecx_derive25519(EVP_PKEY_CTX *ctx, unsigned char *key,
++                                      size_t *keylen)
++{
++    const unsigned char *privkey, *pubkey;
++
++    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
++        return 0;
++
++    if (key != NULL)
++        return s390x_x25519_mul(key, pubkey, privkey);
++
++    *keylen = X25519_KEYLEN;
++    return 1;
++}
++
++static int s390x_pkey_ecx_derive448(EVP_PKEY_CTX *ctx, unsigned char *key,
++                                      size_t *keylen)
++{
++    const unsigned char *privkey, *pubkey;
++
++    if (!validate_ecx_derive(ctx, key, keylen, &privkey, &pubkey))
++        return 0;
++
++    if (key != NULL)
++        return s390x_x448_mul(key, pubkey, privkey);
++
++    *keylen = X448_KEYLEN;
++    return 1;
++}
++
++static int s390x_pkey_ecd_digestsign25519(EVP_MD_CTX *ctx,
++                                          unsigned char *sig, size_t *siglen,
++                                          const unsigned char *tbs,
++                                          size_t tbslen)
++{
++    union {
++        struct {
++            unsigned char sig[64];
++            unsigned char priv[32];
++        } ed25519;
++        unsigned long long buff[512];
++    } param;
++    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++    int rc;
++
++    if (sig == NULL) {
++        *siglen = ED25519_SIGSIZE;
++        return 1;
++    }
++
++    if (*siglen < ED25519_SIGSIZE) {
++        ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, EC_R_BUFFER_TOO_SMALL);
++        return 0;
++    }
++
++    memset(&param, 0, sizeof(param));
++    memcpy(param.ed25519.priv, edkey->privkey, sizeof(param.ed25519.priv));
++
++    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED25519, &param.ed25519, tbs, tbslen);
++    OPENSSL_cleanse(param.ed25519.priv, sizeof(param.ed25519.priv));
++    if (rc != 0)
++        return 0;
++
++    s390x_flip_endian32(sig, param.ed25519.sig);
++    s390x_flip_endian32(sig + 32, param.ed25519.sig + 32);
++
++    *siglen = ED25519_SIGSIZE;
++    return 1;
++}
++
++static int s390x_pkey_ecd_digestsign448(EVP_MD_CTX *ctx,
++                                        unsigned char *sig, size_t *siglen,
++                                        const unsigned char *tbs,
++                                        size_t tbslen)
++{
++    union {
++        struct {
++            unsigned char sig[128];
++            unsigned char priv[64];
++        } ed448;
++        unsigned long long buff[512];
++    } param;
++    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++    int rc;
++
++    if (sig == NULL) {
++        *siglen = ED448_SIGSIZE;
++        return 1;
++    }
++
++    if (*siglen < ED448_SIGSIZE) {
++        ECerr(EC_F_S390X_PKEY_ECD_DIGESTSIGN448, EC_R_BUFFER_TOO_SMALL);
++        return 0;
++    }
++
++    memset(&param, 0, sizeof(param));
++    memcpy(param.ed448.priv + 64 - 57, edkey->privkey, 57);
++
++    rc = s390x_kdsa(S390X_EDDSA_SIGN_ED448, &param.ed448, tbs, tbslen);
++    OPENSSL_cleanse(param.ed448.priv, sizeof(param.ed448.priv));
++    if (rc != 0)
++        return 0;
++
++    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
++    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
++    memcpy(sig, param.ed448.sig, 57);
++    memcpy(sig + 57, param.ed448.sig + 64, 57);
++
++    *siglen = ED448_SIGSIZE;
++    return 1;
++}
++
++static int s390x_pkey_ecd_digestverify25519(EVP_MD_CTX *ctx,
++                                            const unsigned char *sig,
++                                            size_t siglen,
++                                            const unsigned char *tbs,
++                                            size_t tbslen)
++{
++    union {
++        struct {
++            unsigned char sig[64];
++            unsigned char pub[32];
++        } ed25519;
++        unsigned long long buff[512];
++    } param;
++    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++
++    if (siglen != ED25519_SIGSIZE)
++        return 0;
++
++    memset(&param, 0, sizeof(param));
++    s390x_flip_endian32(param.ed25519.sig, sig);
++    s390x_flip_endian32(param.ed25519.sig + 32, sig + 32);
++    s390x_flip_endian32(param.ed25519.pub, edkey->pubkey);
++
++    return s390x_kdsa(S390X_EDDSA_VERIFY_ED25519,
++                      &param.ed25519, tbs, tbslen) == 0 ? 1 : 0;
++}
++
++static int s390x_pkey_ecd_digestverify448(EVP_MD_CTX *ctx,
++                                          const unsigned char *sig,
++                                          size_t siglen,
++                                          const unsigned char *tbs,
++                                          size_t tbslen)
++{
++    union {
++        struct {
++            unsigned char sig[128];
++            unsigned char pub[64];
++        } ed448;
++        unsigned long long buff[512];
++    } param;
++    const ECX_KEY *edkey = EVP_MD_CTX_pkey_ctx(ctx)->pkey->pkey.ecx;
++
++    if (siglen != ED448_SIGSIZE)
++        return 0;
++
++    memset(&param, 0, sizeof(param));
++    memcpy(param.ed448.sig, sig, 57);
++    s390x_flip_endian64(param.ed448.sig, param.ed448.sig);
++    memcpy(param.ed448.sig + 64, sig + 57, 57);
++    s390x_flip_endian64(param.ed448.sig + 64, param.ed448.sig + 64);
++    memcpy(param.ed448.pub, edkey->pubkey, 57);
++    s390x_flip_endian64(param.ed448.pub, param.ed448.pub);
++
++    return s390x_kdsa(S390X_EDDSA_VERIFY_ED448,
++                      &param.ed448, tbs, tbslen) == 0 ? 1 : 0;
++}
++
++static const EVP_PKEY_METHOD ecx25519_s390x_pkey_meth = {
++    EVP_PKEY_X25519,
++    0, 0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecx_keygen25519,
++    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecx_derive25519,
++    pkey_ecx_ctrl,
++    0
++};
++
++static const EVP_PKEY_METHOD ecx448_s390x_pkey_meth = {
++    EVP_PKEY_X448,
++    0, 0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecx_keygen448,
++    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecx_derive448,
++    pkey_ecx_ctrl,
++    0
++};
++static const EVP_PKEY_METHOD ed25519_s390x_pkey_meth = {
++    EVP_PKEY_ED25519, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++    0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecd_keygen25519,
++    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++    pkey_ecd_ctrl,
++    0,
++    s390x_pkey_ecd_digestsign25519,
++    s390x_pkey_ecd_digestverify25519
++};
++
++static const EVP_PKEY_METHOD ed448_s390x_pkey_meth = {
++    EVP_PKEY_ED448, EVP_PKEY_FLAG_SIGCTX_CUSTOM,
++    0, 0, 0, 0, 0, 0,
++    s390x_pkey_ecd_keygen448,
++    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
++    pkey_ecd_ctrl,
++    0,
++    s390x_pkey_ecd_digestsign448,
++    s390x_pkey_ecd_digestverify448
++};
++#endif
++
++const EVP_PKEY_METHOD *ecx25519_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519))
++        return &ecx25519_s390x_pkey_meth;
++#endif
++    return &ecx25519_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ecx448_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448))
++        return &ecx448_s390x_pkey_meth;
++#endif
++    return &ecx448_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ed25519_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
++        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
++        && OPENSSL_s390xcap_P.kdsa[0]
++            & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519))
++        return &ed25519_s390x_pkey_meth;
++#endif
++    return &ed25519_pkey_meth;
++}
++
++const EVP_PKEY_METHOD *ed448_pkey_method(void)
++{
++#ifdef S390X_EC_ASM
++    if (OPENSSL_s390xcap_P.pcc[1] & S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
++        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_SIGN_ED448)
++        && OPENSSL_s390xcap_P.kdsa[0] & S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448))
++        return &ed448_s390x_pkey_meth;
++#endif
++    return &ed448_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/err/openssl.txt
+===================================================================
+--- openssl-1.1.1d.orig/crypto/err/openssl.txt
++++ openssl-1.1.1d/crypto/err/openssl.txt
+@@ -678,6 +678,12 @@ EC_F_PKEY_EC_KDF_DERIVE:283:pkey_ec_kdf_
+ EC_F_PKEY_EC_KEYGEN:199:pkey_ec_keygen
+ EC_F_PKEY_EC_PARAMGEN:219:pkey_ec_paramgen
+ EC_F_PKEY_EC_SIGN:218:pkey_ec_sign
++EC_F_S390X_PKEY_ECD_DIGESTSIGN25519:303:s390x_pkey_ecd_digestsign25519
++EC_F_S390X_PKEY_ECD_DIGESTSIGN448:304:s390x_pkey_ecd_digestsign448
++EC_F_S390X_PKEY_ECD_KEYGEN25519:305:s390x_pkey_ecd_keygen25519
++EC_F_S390X_PKEY_ECD_KEYGEN448:306:s390x_pkey_ecd_keygen448
++EC_F_S390X_PKEY_ECX_KEYGEN25519:307:s390x_pkey_ecx_keygen25519
++EC_F_S390X_PKEY_ECX_KEYGEN448:308:s390x_pkey_ecx_keygen448
+ EC_F_VALIDATE_ECX_DERIVE:278:validate_ecx_derive
+ ENGINE_F_DIGEST_UPDATE:198:digest_update
+ ENGINE_F_DYNAMIC_CTRL:180:dynamic_ctrl
+Index: openssl-1.1.1d/crypto/evp/pkey_kdf.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/evp/pkey_kdf.c
++++ openssl-1.1.1d/crypto/evp/pkey_kdf.c
+@@ -162,7 +162,7 @@ static int pkey_kdf_derive(EVP_PKEY_CTX
+ }
+ 
+ #ifndef OPENSSL_NO_SCRYPT
+-const EVP_PKEY_METHOD scrypt_pkey_meth = {
++static const EVP_PKEY_METHOD scrypt_pkey_meth = {
+     EVP_PKEY_SCRYPT,
+     0,
+     pkey_kdf_init,
+@@ -191,9 +191,14 @@ const EVP_PKEY_METHOD scrypt_pkey_meth =
+     pkey_kdf_ctrl,
+     pkey_kdf_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *scrypt_pkey_method(void)
++{
++    return &scrypt_pkey_meth;
++}
+ #endif
+ 
+-const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
++static const EVP_PKEY_METHOD tls1_prf_pkey_meth = {
+     EVP_PKEY_TLS1_PRF,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_kdf_init,
+@@ -223,7 +228,12 @@ const EVP_PKEY_METHOD tls1_prf_pkey_meth
+     pkey_kdf_ctrl_str
+ };
+ 
+-const EVP_PKEY_METHOD hkdf_pkey_meth = {
++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void)
++{
++    return &tls1_prf_pkey_meth;
++}
++
++static const EVP_PKEY_METHOD hkdf_pkey_meth = {
+     EVP_PKEY_HKDF,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_kdf_init,
+@@ -253,3 +263,7 @@ const EVP_PKEY_METHOD hkdf_pkey_meth = {
+     pkey_kdf_ctrl_str
+ };
+ 
++const EVP_PKEY_METHOD *hkdf_pkey_method(void)
++{
++    return &hkdf_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/evp/pmeth_lib.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/evp/pmeth_lib.c
++++ openssl-1.1.1d/crypto/evp/pmeth_lib.c
+@@ -17,60 +17,67 @@
+ #include "crypto/evp.h"
+ #include "internal/numbers.h"
+ 
++typedef const EVP_PKEY_METHOD *(*pmeth_fn)(void);
+ typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
+ 
+ static STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL;
+ 
+ /* This array needs to be in order of NIDs */
+-static const EVP_PKEY_METHOD *standard_methods[] = {
++static pmeth_fn standard_methods[] = {
+ #ifndef OPENSSL_NO_RSA
+-    &rsa_pkey_meth,
++    rsa_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DH
+-    &dh_pkey_meth,
++    dh_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DSA
+-    &dsa_pkey_meth,
++    dsa_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_EC
+-    &ec_pkey_meth,
++    ec_pkey_method,
+ #endif
+-    &hmac_pkey_meth,
++    hmac_pkey_method,
+ #ifndef OPENSSL_NO_CMAC
+-    &cmac_pkey_meth,
++    cmac_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_RSA
+-    &rsa_pss_pkey_meth,
++    rsa_pss_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_DH
+-    &dhx_pkey_meth,
++    dhx_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SCRYPT
+-    &scrypt_pkey_meth,
++    scrypt_pkey_method,
+ #endif
+-    &tls1_prf_pkey_meth,
++    tls1_prf_pkey_method,
+ #ifndef OPENSSL_NO_EC
+-    &ecx25519_pkey_meth,
+-    &ecx448_pkey_meth,
++    ecx25519_pkey_method,
++    ecx448_pkey_method,
+ #endif
+-    &hkdf_pkey_meth,
++    hkdf_pkey_method,
+ #ifndef OPENSSL_NO_POLY1305
+-    &poly1305_pkey_meth,
++    poly1305_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SIPHASH
+-    &siphash_pkey_meth,
++    siphash_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_EC
+-    &ed25519_pkey_meth,
+-    &ed448_pkey_meth,
++    ed25519_pkey_method,
++    ed448_pkey_method,
+ #endif
+ #ifndef OPENSSL_NO_SM2
+-    &sm2_pkey_meth,
++    sm2_pkey_method,
+ #endif
+ };
+ 
+-DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+-                           pmeth);
++DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
++
++static int pmeth_func_cmp(const EVP_PKEY_METHOD *const *a, pmeth_fn const *b)
++{
++    return ((*a)->pkey_id - ((**b)())->pkey_id);
++}
++
++IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, pmeth_fn, pmeth_func);
+ 
+ static int pmeth_cmp(const EVP_PKEY_METHOD *const *a,
+                      const EVP_PKEY_METHOD *const *b)
+@@ -78,13 +85,11 @@ static int pmeth_cmp(const EVP_PKEY_METH
+     return ((*a)->pkey_id - (*b)->pkey_id);
+ }
+ 
+-IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_PKEY_METHOD *, const EVP_PKEY_METHOD *,
+-                             pmeth);
+-
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type)
+ {
++    pmeth_fn *ret;
+     EVP_PKEY_METHOD tmp;
+-    const EVP_PKEY_METHOD *t = &tmp, **ret;
++    const EVP_PKEY_METHOD *t = &tmp;
+     tmp.pkey_id = type;
+     if (app_pkey_methods) {
+         int idx;
+@@ -92,12 +97,12 @@ const EVP_PKEY_METHOD *EVP_PKEY_meth_fin
+         if (idx >= 0)
+             return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx);
+     }
+-    ret = OBJ_bsearch_pmeth(&t, standard_methods,
+-                            sizeof(standard_methods) /
+-                            sizeof(EVP_PKEY_METHOD *));
++    ret = OBJ_bsearch_pmeth_func(&t, standard_methods,
++                                 sizeof(standard_methods) /
++                                 sizeof(pmeth_fn));
+     if (!ret || !*ret)
+         return NULL;
+-    return *ret;
++    return (**ret)();
+ }
+ 
+ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
+@@ -348,7 +353,7 @@ size_t EVP_PKEY_meth_get_count(void)
+ const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx)
+ {
+     if (idx < OSSL_NELEM(standard_methods))
+-        return standard_methods[idx];
++        return (standard_methods[idx])();
+     if (app_pkey_methods == NULL)
+         return NULL;
+     idx -= OSSL_NELEM(standard_methods);
+Index: openssl-1.1.1d/include/crypto/evp.h
+===================================================================
+--- openssl-1.1.1d.orig/include/crypto/evp.h
++++ openssl-1.1.1d/include/crypto/evp.h
+@@ -93,24 +93,24 @@ DEFINE_STACK_OF_CONST(EVP_PKEY_METHOD)
+ 
+ void evp_pkey_set_cb_translate(BN_GENCB *cb, EVP_PKEY_CTX *ctx);
+ 
+-extern const EVP_PKEY_METHOD cmac_pkey_meth;
+-extern const EVP_PKEY_METHOD dh_pkey_meth;
+-extern const EVP_PKEY_METHOD dhx_pkey_meth;
+-extern const EVP_PKEY_METHOD dsa_pkey_meth;
+-extern const EVP_PKEY_METHOD ec_pkey_meth;
+-extern const EVP_PKEY_METHOD sm2_pkey_meth;
+-extern const EVP_PKEY_METHOD ecx25519_pkey_meth;
+-extern const EVP_PKEY_METHOD ecx448_pkey_meth;
+-extern const EVP_PKEY_METHOD ed25519_pkey_meth;
+-extern const EVP_PKEY_METHOD ed448_pkey_meth;
+-extern const EVP_PKEY_METHOD hmac_pkey_meth;
+-extern const EVP_PKEY_METHOD rsa_pkey_meth;
+-extern const EVP_PKEY_METHOD rsa_pss_pkey_meth;
+-extern const EVP_PKEY_METHOD scrypt_pkey_meth;
+-extern const EVP_PKEY_METHOD tls1_prf_pkey_meth;
+-extern const EVP_PKEY_METHOD hkdf_pkey_meth;
+-extern const EVP_PKEY_METHOD poly1305_pkey_meth;
+-extern const EVP_PKEY_METHOD siphash_pkey_meth;
++const EVP_PKEY_METHOD *cmac_pkey_method(void);
++const EVP_PKEY_METHOD *dh_pkey_method(void);
++const EVP_PKEY_METHOD *dhx_pkey_method(void);
++const EVP_PKEY_METHOD *dsa_pkey_method(void);
++const EVP_PKEY_METHOD *ec_pkey_method(void);
++const EVP_PKEY_METHOD *sm2_pkey_method(void);
++const EVP_PKEY_METHOD *ecx25519_pkey_method(void);
++const EVP_PKEY_METHOD *ecx448_pkey_method(void);
++const EVP_PKEY_METHOD *ed25519_pkey_method(void);
++const EVP_PKEY_METHOD *ed448_pkey_method(void);
++const EVP_PKEY_METHOD *hmac_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pkey_method(void);
++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void);
++const EVP_PKEY_METHOD *scrypt_pkey_method(void);
++const EVP_PKEY_METHOD *tls1_prf_pkey_method(void);
++const EVP_PKEY_METHOD *hkdf_pkey_method(void);
++const EVP_PKEY_METHOD *poly1305_pkey_method(void);
++const EVP_PKEY_METHOD *siphash_pkey_method(void);
+ 
+ /* struct evp_kdf_impl_st is defined by the implementation */
+ typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
+@@ -396,6 +396,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void
+ 
+ #define X25519_KEYLEN        32
+ #define X448_KEYLEN          56
++#define ED25519_KEYLEN       32
+ #define ED448_KEYLEN         57
+ 
+ #define MAX_KEYLEN  ED448_KEYLEN
+Index: openssl-1.1.1d/crypto/rsa/rsa_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/rsa/rsa_pmeth.c
++++ openssl-1.1.1d/crypto/rsa/rsa_pmeth.c
+@@ -754,7 +754,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX
+     return ret;
+ }
+ 
+-const EVP_PKEY_METHOD rsa_pkey_meth = {
++static const EVP_PKEY_METHOD rsa_pkey_meth = {
+     EVP_PKEY_RSA,
+     EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_rsa_init,
+@@ -789,6 +789,11 @@ const EVP_PKEY_METHOD rsa_pkey_meth = {
+     pkey_rsa_ctrl_str
+ };
+ 
++const EVP_PKEY_METHOD *rsa_pkey_method(void)
++{
++    return &rsa_pkey_meth;
++}
++
+ /*
+  * Called for PSS sign or verify initialisation: checks PSS parameter
+  * sanity and sets any restrictions on key usage.
+@@ -836,7 +841,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c
+     return 1;
+ }
+ 
+-const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
++static const EVP_PKEY_METHOD rsa_pss_pkey_meth = {
+     EVP_PKEY_RSA_PSS,
+     EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS,
+     pkey_rsa_init,
+@@ -859,3 +864,8 @@ const EVP_PKEY_METHOD rsa_pss_pkey_meth
+     pkey_rsa_ctrl,
+     pkey_rsa_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *rsa_pss_pkey_method(void)
++{
++    return &rsa_pss_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/s390x_arch.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390x_arch.h
++++ openssl-1.1.1d/crypto/s390x_arch.h
+@@ -30,6 +30,9 @@ int s390x_pcc(unsigned int fc, void *par
+ int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
+                size_t len);
+ 
++void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32]);
++void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64]);
++
+ /*
+  * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
+  * the STFLE instruction followed by the 64-bit word pairs returned by
+@@ -123,6 +126,10 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_SCALAR_MULTIPLY_P256	64
+ # define S390X_SCALAR_MULTIPLY_P384	65
+ # define S390X_SCALAR_MULTIPLY_P521	66
++# define S390X_SCALAR_MULTIPLY_ED25519  72
++# define S390X_SCALAR_MULTIPLY_ED448    73
++# define S390X_SCALAR_MULTIPLY_X25519   80
++# define S390X_SCALAR_MULTIPLY_X448     81
+ 
+ /* kdsa */
+ # define S390X_ECDSA_VERIFY_P256	1
+@@ -131,6 +138,10 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_ECDSA_SIGN_P256		9
+ # define S390X_ECDSA_SIGN_P384		10
+ # define S390X_ECDSA_SIGN_P521		11
++# define S390X_EDDSA_VERIFY_ED25519     32
++# define S390X_EDDSA_VERIFY_ED448       36
++# define S390X_EDDSA_SIGN_ED25519       40
++# define S390X_EDDSA_SIGN_ED448         44
+ 
+ /* Register 0 Flags */
+ # define S390X_DECRYPT		0x80
+Index: openssl-1.1.1d/crypto/s390xcap.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcap.c
++++ openssl-1.1.1d/crypto/s390xcap.c
+@@ -615,14 +615,22 @@ static int parse_env(struct OPENSSL_s390
+         /*.pcc    = */{S390X_CAPBIT(S390X_QUERY),
+                        S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+                        | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
+-                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)},
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED25519)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_ED448)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X25519)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_X448)},
+         /*.kdsa   = */{S390X_CAPBIT(S390X_QUERY)
+                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
+                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
+                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
+                        | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
+                        | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
+-                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
++                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P521)
++                       | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED25519)
++                       | S390X_CAPBIT(S390X_EDDSA_VERIFY_ED448)
++                       | S390X_CAPBIT(S390X_EDDSA_SIGN_ED25519)
++                       | S390X_CAPBIT(S390X_EDDSA_SIGN_ED448),
+                        0ULL},
+     };
+ 
+Index: openssl-1.1.1d/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
++++ openssl-1.1.1d/crypto/s390xcpuid.pl
+@@ -493,6 +493,62 @@ s390x_kdsa:
+ ___
+ }
+ 
++################
++# void s390x_flip_endian32(unsigned char dst[32], const unsigned char src[32])
++{
++my ($dst,$src) = map("%r$_",(2..3));
++$code.=<<___;
++.globl	s390x_flip_endian32
++.type	s390x_flip_endian32,\@function
++.align	16
++s390x_flip_endian32:
++	lrvg	%r0,0(%r0,$src)
++	lrvg	%r1,8(%r0,$src)
++	lrvg	%r4,16(%r0,$src)
++	lrvg	%r5,24(%r0,$src)
++	stg	%r0,24(%r0,$dst)
++	stg	%r1,16(%r0,$dst)
++	stg	%r4,8(%r0,$dst)
++	stg	%r5,0(%r0,$dst)
++	br	$ra
++.size	s390x_flip_endian32,.-s390x_flip_endian32
++___
++}
++
++################
++# void s390x_flip_endian64(unsigned char dst[64], const unsigned char src[64])
++{
++my ($dst,$src) = map("%r$_",(2..3));
++$code.=<<___;
++.globl	s390x_flip_endian64
++.type	s390x_flip_endian64,\@function
++.align	16
++s390x_flip_endian64:
++	stmg	%r6,%r9,6*$SIZE_T($sp)
++
++	lrvg	%r0,0(%r0,$src)
++	lrvg	%r1,8(%r0,$src)
++	lrvg	%r4,16(%r0,$src)
++	lrvg	%r5,24(%r0,$src)
++	lrvg	%r6,32(%r0,$src)
++	lrvg	%r7,40(%r0,$src)
++	lrvg	%r8,48(%r0,$src)
++	lrvg	%r9,56(%r0,$src)
++	stg	%r0,56(%r0,$dst)
++	stg	%r1,48(%r0,$dst)
++	stg	%r4,40(%r0,$dst)
++	stg	%r5,32(%r0,$dst)
++	stg	%r6,24(%r0,$dst)
++	stg	%r7,16(%r0,$dst)
++	stg	%r8,8(%r0,$dst)
++	stg	%r9,0(%r0,$dst)
++
++	lmg	%r6,%r9,6*$SIZE_T($sp)
++	br	$ra
++.size	s390x_flip_endian64,.-s390x_flip_endian64
++___
++}
++
+ $code.=<<___;
+ .section	.init
+ 	brasl	$ra,OPENSSL_cpuid_setup
+Index: openssl-1.1.1d/crypto/sm2/sm2_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/sm2/sm2_pmeth.c
++++ openssl-1.1.1d/crypto/sm2/sm2_pmeth.c
+@@ -283,7 +283,7 @@ static int pkey_sm2_digest_custom(EVP_PK
+     return EVP_DigestUpdate(mctx, z, (size_t)mdlen);
+ }
+ 
+-const EVP_PKEY_METHOD sm2_pkey_meth = {
++static const EVP_PKEY_METHOD sm2_pkey_meth = {
+     EVP_PKEY_SM2,
+     0,
+     pkey_sm2_init,
+@@ -323,3 +323,8 @@ const EVP_PKEY_METHOD sm2_pkey_meth = {
+ 
+     pkey_sm2_digest_custom
+ };
++
++const EVP_PKEY_METHOD *sm2_pkey_method(void)
++{
++    return &sm2_pkey_meth;
++}
+Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
+===================================================================
+--- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod
++++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
+@@ -159,6 +159,10 @@ Disables the KM-XTS-AES and and the KIMD
+       # 64    1<<63    PCC-Scalar-Multiply-P256
+       # 65    1<<62    PCC-Scalar-Multiply-P384
+       # 66    1<<61    PCC-Scalar-Multiply-P521
++      # 72    1<<55    PCC-Scalar-Multiply-Ed25519
++      # 73    1<<54    PCC-Scalar-Multiply-Ed448
++      # 80    1<<47    PCC-Scalar-Multiply-X25519
++      # 81    1<<46    PCC-Scalar-Multiply-X448
+ 
+  kdsa :
+       #  1    1<<62    KDSA-ECDSA-Verify-P256
+@@ -167,6 +171,10 @@ Disables the KM-XTS-AES and and the KIMD
+       #  9    1<<54    KDSA-ECDSA-Sign-P256
+       # 10    1<<53    KDSA-ECDSA-Sign-P384
+       # 11    1<<52    KDSA-ECDSA-Sign-P521
++      # 32    1<<31    KDSA-EdDSA-Verify-Ed25519
++      # 36    1<<27    KDSA-EdDSA-Verify-Ed448
++      # 40    1<<23    KDSA-EdDSA-Sign-Ed25519
++      # 44    1<<19    KDSA-EdDSA-Sign-Ed448
+       :
+ 
+ =head1 RETURN VALUES
+Index: openssl-1.1.1d/include/openssl/ecerr.h
+===================================================================
+--- openssl-1.1.1d.orig/include/openssl/ecerr.h
++++ openssl-1.1.1d/include/openssl/ecerr.h
+@@ -206,6 +206,12 @@ int ERR_load_EC_strings(void);
+ #  define EC_F_PKEY_EC_KEYGEN                              199
+ #  define EC_F_PKEY_EC_PARAMGEN                            219
+ #  define EC_F_PKEY_EC_SIGN                                218
++#  define EC_F_S390X_PKEY_ECD_DIGESTSIGN25519              303
++#  define EC_F_S390X_PKEY_ECD_DIGESTSIGN448                304
++#  define EC_F_S390X_PKEY_ECD_KEYGEN25519                  305
++#  define EC_F_S390X_PKEY_ECD_KEYGEN448                    306
++#  define EC_F_S390X_PKEY_ECX_KEYGEN25519                  307
++#  define EC_F_S390X_PKEY_ECX_KEYGEN448                    308
+ #  define EC_F_VALIDATE_ECX_DERIVE                         278
+ 
+ /*
+Index: openssl-1.1.1d/Configure
+===================================================================
+--- openssl-1.1.1d.orig/Configure
++++ openssl-1.1.1d/Configure
+@@ -1401,7 +1401,7 @@ unless ($disabled{asm}) {
+         push @{$config{lib_defines}}, "X25519_ASM";
+     }
+     if ($target{ec_asm_src} =~ /ecp_s390x_nistp/) {
+-        push @{$config{lib_defines}}, "S390X_NISTP_ASM";
++        push @{$config{lib_defines}}, "S390X_EC_ASM";
+     }
+     if ($target{padlock_asm_src} ne $table{DEFAULTS}->{padlock_asm_src}) {
+         push @{$config{dso_defines}}, "PADLOCK_ASM";
+Index: openssl-1.1.1d/crypto/cmac/cm_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/cmac/cm_pmeth.c
++++ openssl-1.1.1d/crypto/cmac/cm_pmeth.c
+@@ -127,7 +127,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD cmac_pkey_meth = {
++static const EVP_PKEY_METHOD cmac_pkey_meth = {
+     EVP_PKEY_CMAC,
+     EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS,
+     pkey_cmac_init,
+@@ -159,3 +159,8 @@ const EVP_PKEY_METHOD cmac_pkey_meth = {
+     pkey_cmac_ctrl,
+     pkey_cmac_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *cmac_pkey_method(void)
++{
++    return &cmac_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/hmac/hm_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/hmac/hm_pmeth.c
++++ openssl-1.1.1d/crypto/hmac/hm_pmeth.c
+@@ -178,7 +178,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD hmac_pkey_meth = {
++static const EVP_PKEY_METHOD hmac_pkey_meth = {
+     EVP_PKEY_HMAC,
+     EVP_PKEY_FLAG_FIPS,
+     pkey_hmac_init,
+@@ -210,3 +210,9 @@ const EVP_PKEY_METHOD hmac_pkey_meth = {
+     pkey_hmac_ctrl,
+     pkey_hmac_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *hmac_pkey_method(void)
++{
++    return &hmac_pkey_meth;
++}
++
+Index: openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/poly1305/poly1305_pmeth.c
++++ openssl-1.1.1d/crypto/poly1305/poly1305_pmeth.c
+@@ -160,7 +160,7 @@ static int pkey_poly1305_ctrl_str(EVP_PK
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD poly1305_pkey_meth = {
++static const EVP_PKEY_METHOD poly1305_pkey_meth = {
+     EVP_PKEY_POLY1305,
+     EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */
+     pkey_poly1305_init,
+@@ -192,3 +192,8 @@ const EVP_PKEY_METHOD poly1305_pkey_meth
+     pkey_poly1305_ctrl,
+     pkey_poly1305_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *poly1305_pkey_method(void)
++{
++    return &poly1305_pkey_meth;
++}
+Index: openssl-1.1.1d/crypto/siphash/siphash_pmeth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/siphash/siphash_pmeth.c
++++ openssl-1.1.1d/crypto/siphash/siphash_pmeth.c
+@@ -171,7 +171,7 @@ static int pkey_siphash_ctrl_str(EVP_PKE
+     return -2;
+ }
+ 
+-const EVP_PKEY_METHOD siphash_pkey_meth = {
++static const EVP_PKEY_METHOD siphash_pkey_meth = {
+     EVP_PKEY_SIPHASH,
+     EVP_PKEY_FLAG_SIGCTX_CUSTOM, /* we don't deal with a separate MD */
+     pkey_siphash_init,
+@@ -203,3 +203,8 @@ const EVP_PKEY_METHOD siphash_pkey_meth
+     pkey_siphash_ctrl,
+     pkey_siphash_ctrl_str
+ };
++
++const EVP_PKEY_METHOD *siphash_pkey_method(void)
++{
++    return &siphash_pkey_meth;
++}
diff --git a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
new file mode 100644
index 0000000..f85bb4a
--- /dev/null
+++ b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-environment.patch
@@ -0,0 +1,694 @@
+From f39ad8dcaa75293968d2633d043de3f5fce4f37b Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Mon, 30 Jan 2017 17:37:54 +0100
+Subject: [PATCH] s390x assembly pack: add OPENSSL_s390xcap environment
+ variable.
+
+The OPENSSL_s390xcap environment variable is used to set bits in the s390x
+capability vector to zero. This simplifies testing of different code paths.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Andy Polyakov <appro@openssl.org>
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6813)
+---
+ crypto/s390x_arch.h  |  23 +-
+ crypto/s390xcap.c    | 515 +++++++++++++++++++++++++++++++++++++++++++
+ crypto/s390xcpuid.pl |  31 ++-
+ 3 files changed, 556 insertions(+), 13 deletions(-)
+
+Index: openssl-1.1.1d/crypto/s390x_arch.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390x_arch.h
++++ openssl-1.1.1d/crypto/s390x_arch.h
+@@ -49,6 +49,9 @@ struct OPENSSL_s390xcap_st {
+ 
+ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+ 
++/* Max number of 64-bit words currently returned by STFLE */
++#  define S390X_STFLE_MAX	3
++
+ /* convert facility bit number or function code to bit mask */
+ #  define S390X_CAPBIT(i)	(1ULL << (63 - (i) % 64))
+ 
+@@ -68,9 +71,15 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_KMA		0xb0
+ 
+ /* Facility Bit Numbers */
+-# define S390X_VX		129
+-# define S390X_VXD		134
+-# define S390X_VXE		135
++# define S390X_MSA		17	/* message-security-assist */
++# define S390X_STCKF		25	/* store-clock-fast */
++# define S390X_MSA5		57	/* message-security-assist-ext. 5 */
++# define S390X_MSA3		76	/* message-security-assist-ext. 3 */
++# define S390X_MSA4		77	/* message-security-assist-ext. 4 */
++# define S390X_VX		129	/* vector */
++# define S390X_VXD		134	/* vector packed decimal */
++# define S390X_VXE		135	/* vector enhancements 1 */
++# define S390X_MSA8		146	/* message-security-assist-ext. 8 */
+ 
+ /* Function Codes */
+ 
+@@ -78,6 +87,9 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_QUERY		0
+ 
+ /* kimd/klmd */
++# define S390X_SHA_1		1
++# define S390X_SHA_256		2
++# define S390X_SHA_512		3
+ # define S390X_SHA3_224		32
+ # define S390X_SHA3_256		33
+ # define S390X_SHA3_384		34
+@@ -91,7 +103,12 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_AES_192		19
+ # define S390X_AES_256		20
+ 
++/* km */
++# define S390X_XTS_AES_128	50
++# define S390X_XTS_AES_256	52
++
+ /* prno */
++# define S390X_SHA_512_DRNG	3
+ # define S390X_TRNG		114
+ 
+ /* Register 0 Flags */
+Index: openssl-1.1.1d/crypto/s390xcap.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcap.c
++++ openssl-1.1.1d/crypto/s390xcap.c
+@@ -13,15 +13,51 @@
+ #include <setjmp.h>
+ #include <signal.h>
+ #include "internal/cryptlib.h"
++#include "crypto/ctype.h"
+ #include "s390x_arch.h"
+ 
++#define LEN	128
++#define STR_(S)	#S
++#define STR(S)	STR_(S)
++
++#define TOK_FUNC(NAME)							\
++    (sscanf(tok_begin,							\
++            " " STR(NAME) " : %" STR(LEN) "[^:] : "			\
++            "%" STR(LEN) "s %" STR(LEN) "s ",				\
++            tok[0], tok[1], tok[2]) == 2) {				\
++									\
++        off = (tok[0][0] == '~') ? 1 : 0;				\
++        if (sscanf(tok[0] + off, "%llx", &cap->NAME[0]) != 1)		\
++            goto ret;							\
++        if (off)							\
++            cap->NAME[0] = ~cap->NAME[0];				\
++									\
++        off = (tok[1][0] == '~') ? 1 : 0;				\
++        if (sscanf(tok[1] + off, "%llx", &cap->NAME[1]) != 1)		\
++            goto ret;							\
++        if (off)							\
++            cap->NAME[1] = ~cap->NAME[1];				\
++    }
++
++#define TOK_CPU(NAME)							\
++    (sscanf(tok_begin,							\
++            " %" STR(LEN) "s %" STR(LEN) "s ",				\
++            tok[0], tok[1]) == 1					\
++     && !strcmp(tok[0], #NAME)) {					\
++            memcpy(cap, &NAME, sizeof(*cap));				\
++    }
++
+ static sigjmp_buf ill_jmp;
+ static void ill_handler(int sig)
+ {
+     siglongjmp(ill_jmp, sig);
+ }
+ 
++static const char *env;
++static int parse_env(struct OPENSSL_s390xcap_st *cap);
++
+ void OPENSSL_s390x_facilities(void);
++void OPENSSL_s390x_functions(void);
+ void OPENSSL_vx_probe(void);
+ 
+ struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+@@ -30,6 +66,7 @@ void OPENSSL_cpuid_setup(void)
+ {
+     sigset_t oset;
+     struct sigaction ill_act, oact_ill, oact_fpe;
++    struct OPENSSL_s390xcap_st cap;
+ 
+     if (OPENSSL_s390xcap_P.stfle[0])
+         return;
+@@ -37,6 +74,12 @@ void OPENSSL_cpuid_setup(void)
+     /* set a bit that will not be tested later */
+     OPENSSL_s390xcap_P.stfle[0] |= S390X_CAPBIT(0);
+ 
++    env = getenv("OPENSSL_s390xcap");
++    if (env != NULL) {
++        if (!parse_env(&cap))
++            env = NULL;
++    }
++
+     memset(&ill_act, 0, sizeof(ill_act));
+     ill_act.sa_handler = ill_handler;
+     sigfillset(&ill_act.sa_mask);
+@@ -51,6 +94,12 @@ void OPENSSL_cpuid_setup(void)
+     if (sigsetjmp(ill_jmp, 1) == 0)
+         OPENSSL_s390x_facilities();
+ 
++    if (env != NULL) {
++        OPENSSL_s390xcap_P.stfle[0] &= cap.stfle[0];
++        OPENSSL_s390xcap_P.stfle[1] &= cap.stfle[1];
++        OPENSSL_s390xcap_P.stfle[2] &= cap.stfle[2];
++    }
++
+     /* protection against disabled vector facility */
+     if ((OPENSSL_s390xcap_P.stfle[2] & S390X_CAPBIT(S390X_VX))
+         && (sigsetjmp(ill_jmp, 1) == 0)) {
+@@ -64,4 +113,470 @@ void OPENSSL_cpuid_setup(void)
+     sigaction(SIGFPE, &oact_fpe, NULL);
+     sigaction(SIGILL, &oact_ill, NULL);
+     sigprocmask(SIG_SETMASK, &oset, NULL);
++
++    OPENSSL_s390x_functions();
++
++    if (env != NULL) {
++        OPENSSL_s390xcap_P.kimd[0] &= cap.kimd[0];
++        OPENSSL_s390xcap_P.kimd[1] &= cap.kimd[1];
++        OPENSSL_s390xcap_P.klmd[0] &= cap.klmd[0];
++        OPENSSL_s390xcap_P.klmd[1] &= cap.klmd[1];
++        OPENSSL_s390xcap_P.km[0] &= cap.km[0];
++        OPENSSL_s390xcap_P.km[1] &= cap.km[1];
++        OPENSSL_s390xcap_P.kmc[0] &= cap.kmc[0];
++        OPENSSL_s390xcap_P.kmc[1] &= cap.kmc[1];
++        OPENSSL_s390xcap_P.kmac[0] &= cap.kmac[0];
++        OPENSSL_s390xcap_P.kmac[1] &= cap.kmac[1];
++        OPENSSL_s390xcap_P.kmctr[0] &= cap.kmctr[0];
++        OPENSSL_s390xcap_P.kmctr[1] &= cap.kmctr[1];
++        OPENSSL_s390xcap_P.kmo[0] &= cap.kmo[0];
++        OPENSSL_s390xcap_P.kmo[1] &= cap.kmo[1];
++        OPENSSL_s390xcap_P.kmf[0] &= cap.kmf[0];
++        OPENSSL_s390xcap_P.kmf[1] &= cap.kmf[1];
++        OPENSSL_s390xcap_P.prno[0] &= cap.prno[0];
++        OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
++        OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
++        OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
++    }
++}
++
++static int parse_env(struct OPENSSL_s390xcap_st *cap)
++{
++    /*-
++     * CPU model data
++     * (only the STFLE- and QUERY-bits relevant to libcrypto are set)
++     */
++
++    /*-
++     * z900 (2000) - z/Architecture POP SA22-7832-00
++     * Facility detection would fail on real hw (no STFLE).
++     */
++    static const struct OPENSSL_s390xcap_st z900 = {
++        .stfle  = {0ULL, 0ULL, 0ULL, 0ULL},
++        .kimd   = {0ULL, 0ULL},
++        .klmd   = {0ULL, 0ULL},
++        .km     = {0ULL, 0ULL},
++        .kmc    = {0ULL, 0ULL},
++        .kmac   = {0ULL, 0ULL},
++        .kmctr  = {0ULL, 0ULL},
++        .kmo    = {0ULL, 0ULL},
++        .kmf    = {0ULL, 0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z990 (2003) - z/Architecture POP SA22-7832-02
++     * Implements MSA. Facility detection would fail on real hw (no STFLE).
++     */
++    static const struct OPENSSL_s390xcap_st z990 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA),
++                   0ULL, 0ULL, 0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1),
++                   0ULL},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY),
++                   0ULL},
++        .kmctr  = {0ULL, 0ULL},
++        .kmo    = {0ULL, 0ULL},
++        .kmf    = {0ULL, 0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z9 (2005) - z/Architecture POP SA22-7832-04
++     * Implements MSA and MSA1.
++     */
++    static const struct OPENSSL_s390xcap_st z9 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF),
++                   0ULL, 0ULL, 0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256),
++                   0ULL},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY),
++                   0ULL},
++        .kmctr  = {0ULL, 0ULL},
++        .kmo    = {0ULL, 0ULL},
++        .kmf    = {0ULL, 0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z10 (2008) - z/Architecture POP SA22-7832-06
++     * Implements MSA and MSA1-2.
++     */
++    static const struct OPENSSL_s390xcap_st z10 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF),
++                   0ULL, 0ULL, 0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   0ULL},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY),
++                   0ULL},
++        .kmctr  = {0ULL, 0ULL},
++        .kmo    = {0ULL, 0ULL},
++        .kmf    = {0ULL, 0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z196 (2010) - z/Architecture POP SA22-7832-08
++     * Implements MSA and MSA1-4.
++     */
++    static const struct OPENSSL_s390xcap_st z196 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF),
++                   S390X_CAPBIT(S390X_MSA3)
++                     | S390X_CAPBIT(S390X_MSA4),
++                   0ULL, 0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   S390X_CAPBIT(S390X_GHASH)},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256)
++                     | S390X_CAPBIT(S390X_XTS_AES_128)
++                     | S390X_CAPBIT(S390X_XTS_AES_256),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmctr  = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmo    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmf    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * zEC12 (2012) - z/Architecture POP SA22-7832-09
++     * Implements MSA and MSA1-4.
++     */
++    static const struct OPENSSL_s390xcap_st zEC12 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF),
++                   S390X_CAPBIT(S390X_MSA3)
++                     | S390X_CAPBIT(S390X_MSA4),
++                   0ULL, 0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   S390X_CAPBIT(S390X_GHASH)},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256)
++                     | S390X_CAPBIT(S390X_XTS_AES_128)
++                     | S390X_CAPBIT(S390X_XTS_AES_256),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmctr  = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmo    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmf    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .prno   = {0ULL, 0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z13 (2015) - z/Architecture POP SA22-7832-10
++     * Implements MSA and MSA1-5.
++     */
++    static const struct OPENSSL_s390xcap_st z13 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF)
++                     | S390X_CAPBIT(S390X_MSA5),
++                   S390X_CAPBIT(S390X_MSA3)
++                     | S390X_CAPBIT(S390X_MSA4),
++                   S390X_CAPBIT(S390X_VX),
++                   0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   S390X_CAPBIT(S390X_GHASH)},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256)
++                     | S390X_CAPBIT(S390X_XTS_AES_128)
++                     | S390X_CAPBIT(S390X_XTS_AES_256),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmctr  = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmo    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmf    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .prno   = {S390X_CAPBIT(S390X_QUERY)
++                   | S390X_CAPBIT(S390X_SHA_512_DRNG),
++                   0ULL},
++        .kma    = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z14 (2017) - z/Architecture POP SA22-7832-11
++     * Implements MSA and MSA1-8.
++     */
++    static const struct OPENSSL_s390xcap_st z14 = {
++        .stfle  = {S390X_CAPBIT(S390X_MSA)
++                     | S390X_CAPBIT(S390X_STCKF)
++                     | S390X_CAPBIT(S390X_MSA5),
++                   S390X_CAPBIT(S390X_MSA3)
++                     | S390X_CAPBIT(S390X_MSA4),
++                   S390X_CAPBIT(S390X_VX)
++                     | S390X_CAPBIT(S390X_VXD)
++                     | S390X_CAPBIT(S390X_VXE)
++                     | S390X_CAPBIT(S390X_MSA8),
++                   0ULL},
++        .kimd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512)
++                     | S390X_CAPBIT(S390X_SHA3_224)
++                     | S390X_CAPBIT(S390X_SHA3_256)
++                     | S390X_CAPBIT(S390X_SHA3_384)
++                     | S390X_CAPBIT(S390X_SHA3_512)
++                     | S390X_CAPBIT(S390X_SHAKE_128)
++                     | S390X_CAPBIT(S390X_SHAKE_256),
++                   S390X_CAPBIT(S390X_GHASH)},
++        .klmd   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_SHA_1)
++                     | S390X_CAPBIT(S390X_SHA_256)
++                     | S390X_CAPBIT(S390X_SHA_512)
++                     | S390X_CAPBIT(S390X_SHA3_224)
++                     | S390X_CAPBIT(S390X_SHA3_256)
++                     | S390X_CAPBIT(S390X_SHA3_384)
++                     | S390X_CAPBIT(S390X_SHA3_512)
++                     | S390X_CAPBIT(S390X_SHAKE_128)
++                     | S390X_CAPBIT(S390X_SHAKE_256),
++                   0ULL},
++        .km     = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256)
++                     | S390X_CAPBIT(S390X_XTS_AES_128)
++                     | S390X_CAPBIT(S390X_XTS_AES_256),
++                   0ULL},
++        .kmc    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmac   = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmctr  = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmo    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .kmf    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++        .prno   = {S390X_CAPBIT(S390X_QUERY)
++                   | S390X_CAPBIT(S390X_SHA_512_DRNG),
++                   S390X_CAPBIT(S390X_TRNG)},
++        .kma    = {S390X_CAPBIT(S390X_QUERY)
++                     | S390X_CAPBIT(S390X_AES_128)
++                     | S390X_CAPBIT(S390X_AES_192)
++                     | S390X_CAPBIT(S390X_AES_256),
++                   0ULL},
++    };
++
++    char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
++    int rc, off, i, n;
++
++    buff = malloc(strlen(env) + 1);
++    if (buff == NULL)
++        return 0;
++
++    rc = 0;
++    memset(cap, ~0, sizeof(*cap));
++    strcpy(buff, env);
++
++    tok_begin = buff + strspn(buff, ";");
++    strtok(tok_begin, ";");
++    tok_end = strtok(NULL, ";");
++
++    while (tok_begin != NULL) {
++        /* stfle token */
++        if ((n = sscanf(tok_begin,
++                        " stfle : %" STR(LEN) "[^:] : "
++                        "%" STR(LEN) "[^:] : %" STR(LEN) "s ",
++                        tok[0], tok[1], tok[2]))) {
++            for (i = 0; i < n; i++) {
++                off = (tok[i][0] == '~') ? 1 : 0;
++                if (sscanf(tok[i] + off, "%llx", &cap->stfle[i]) != 1)
++                    goto ret;
++                if (off)
++                    cap->stfle[i] = ~cap->stfle[i];
++            }
++        }
++
++        /* query function tokens */
++        else if TOK_FUNC(kimd)
++        else if TOK_FUNC(klmd)
++        else if TOK_FUNC(km)
++        else if TOK_FUNC(kmc)
++        else if TOK_FUNC(kmac)
++        else if TOK_FUNC(kmctr)
++        else if TOK_FUNC(kmo)
++        else if TOK_FUNC(kmf)
++        else if TOK_FUNC(prno)
++        else if TOK_FUNC(kma)
++
++        /* CPU model tokens */
++        else if TOK_CPU(z900)
++        else if TOK_CPU(z990)
++        else if TOK_CPU(z9)
++        else if TOK_CPU(z10)
++        else if TOK_CPU(z196)
++        else if TOK_CPU(zEC12)
++        else if TOK_CPU(z13)
++        else if TOK_CPU(z14)
++
++        /* whitespace(ignored) or invalid tokens */
++        else {
++            while (*tok_begin != '\0') {
++                if (!ossl_isspace(*tok_begin))
++                    goto ret;
++                tok_begin++;
++            }
++        }
++
++        tok_begin = tok_end;
++        tok_end = strtok(NULL, ";");
++    }
++
++    rc = 1;
++ret:
++    free(buff);
++    return rc;
+ }
+Index: openssl-1.1.1d/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
++++ openssl-1.1.1d/crypto/s390xcpuid.pl
+@@ -38,7 +38,26 @@ OPENSSL_s390x_facilities:
+ 	stg	%r0,S390X_STFLE+8(%r4)	# wipe capability vectors
+ 	stg	%r0,S390X_STFLE+16(%r4)
+ 	stg	%r0,S390X_STFLE+24(%r4)
+-	stg	%r0,S390X_KIMD(%r4)
++
++	.long	0xb2b04000		# stfle	0(%r4)
++	brc	8,.Ldone
++	lghi	%r0,1
++	.long	0xb2b04000		# stfle 0(%r4)
++	brc	8,.Ldone
++	lghi	%r0,2
++	.long	0xb2b04000		# stfle 0(%r4)
++.Ldone:
++	br	$ra
++.size	OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
++
++.globl	OPENSSL_s390x_functions
++.type	OPENSSL_s390x_functions,\@function
++.align	16
++OPENSSL_s390x_functions:
++	lghi	%r0,0
++	larl	%r4,OPENSSL_s390xcap_P
++
++	stg	%r0,S390X_KIMD(%r4)	# wipe capability vectors
+ 	stg	%r0,S390X_KIMD+8(%r4)
+ 	stg	%r0,S390X_KLMD(%r4)
+ 	stg	%r0,S390X_KLMD+8(%r4)
+@@ -59,14 +78,6 @@ OPENSSL_s390x_facilities:
+ 	stg	%r0,S390X_KMA(%r4)
+ 	stg	%r0,S390X_KMA+8(%r4)
+ 
+-	.long	0xb2b04000		# stfle	0(%r4)
+-	brc	8,.Ldone
+-	lghi	%r0,1
+-	.long	0xb2b04000		# stfle 0(%r4)
+-	brc	8,.Ldone
+-	lghi	%r0,2
+-	.long	0xb2b04000		# stfle 0(%r4)
+-.Ldone:
+ 	lmg	%r2,%r3,S390X_STFLE(%r4)
+ 	tmhl	%r2,0x4000		# check for message-security-assist
+ 	jz	.Lret
+@@ -123,7 +134,7 @@ OPENSSL_s390x_facilities:
+ 
+ .Lret:
+ 	br	$ra
+-.size	OPENSSL_s390x_facilities,.-OPENSSL_s390x_facilities
++.size	OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
+ 
+ .globl	OPENSSL_rdtsc
+ .type	OPENSSL_rdtsc,\@function
diff --git a/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
new file mode 100644
index 0000000..0c737b8
--- /dev/null
+++ b/openssl-s390x-assembly-pack-add-OPENSSL_s390xcap-man-page.patch
@@ -0,0 +1,208 @@
+From d68af00685c4a76e9545882e350717ae5e4071df Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 31 Jan 2017 12:43:35 +0100
+Subject: [PATCH] s390x assembly pack: add OPENSSL_s390xcap man page.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Andy Polyakov <appro@openssl.org>
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/6813)
+---
+ doc/man3/OPENSSL_s390xcap.pod | 173 ++++++++++++++++++++++++++++++++++
+ util/private.num              |   1 +
+ 2 files changed, 174 insertions(+)
+ create mode 100644 doc/man3/OPENSSL_s390xcap.pod
+
+diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod
+new file mode 100644
+index 00000000000..550136a82b8
+--- /dev/null
++++ b/doc/man3/OPENSSL_s390xcap.pod
+@@ -0,0 +1,173 @@
++=pod
++
++=head1 NAME
++
++OPENSSL_s390xcap - the IBM z processor capabilities vector
++
++=head1 SYNOPSIS
++
++ env OPENSSL_s390xcap=... <application>
++
++=head1 DESCRIPTION
++
++libcrypto supports z/Architecture instruction set extensions. These
++extensions are denoted by individual bits in the capabilities vector.
++When libcrypto is initialized, the bits returned by the STFLE instruction
++and by the QUERY functions are stored in the vector.
++
++To change the set of instructions available to an application, you can
++set the OPENSSL_s390xcap environment variable before you start the
++application. After initialization, the capability vector is ANDed bitwise
++with a mask which is derived from the environment variable.
++
++The environment variable is a semicolon-separated list of tokens which is
++processed from left to right (whitespace is ignored):
++
++ OPENSSL_s390xcap="<tok1>;<tok2>;..."
++
++There are three types of tokens:
++
++=over 4
++
++=item <string>
++
++The name of a processor generation. A bit in the environment variable's
++mask is set to one if and only if the specified processor generation
++implements the corresponding instruction set extension. Possible values
++are z900, z990, z9, z10, z196, zEC12, z13 and z14.
++
++=item <string>:<mask>:<mask>
++
++The name of an instruction followed by two 64-bit masks. The part of the
++environment variable's mask corresponding to the specified instruction is
++set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc,
++kmac, kmctr, kmo, kmf, prno and kma.
++
++=item stfle:<mask>:<mask>:<mask>
++
++Store-facility-list-extended (stfle) followed by three 64-bit masks. The
++part of the environment variable's mask corresponding to the stfle
++instruction is set to the specified 192-bit mask.
++
++=back
++
++The 64-bit masks are specified in hexadecimal notation. The 0x prefix is
++optional. Prefix a mask with a tilde (~) to denote a bitwise NOT operation.
++
++The following is a list of significant bits for each instruction. Colon
++rows separate the individual 64-bit masks. The bit numbers in the first
++column are consistent with [1], that is, 0 denotes the leftmost bit and
++the numbering is continuous across 64-bit mask boundaries.
++
++      Bit     Mask     Facility/Function
++
++ stfle:
++      # 17    1<<46    message-security assist
++      # 25    1<<38    store-clock-fast facility
++      :
++      # 76    1<<51    message-security assist extension 3
++      # 77    1<<50    message-security assist extension 4
++      :
++      #129    1<<62    vector facility
++      #134    1<<57    vector packed decimal facility
++      #135    1<<56    vector enhancements facility 1
++      #146    1<<45    message-security assist extension 8
++
++ kimd :
++      #  1    1<<62    KIMD-SHA-1
++      #  2    1<<61    KIMD-SHA-256
++      #  3    1<<60    KIMD-SHA-512
++      # 32    1<<31    KIMD-SHA3-224
++      # 33    1<<30    KIMD-SHA3-256
++      # 34    1<<29    KIMD-SHA3-384
++      # 35    1<<28    KIMD-SHA3-512
++      # 36    1<<27    KIMD-SHAKE-128
++      # 37    1<<26    KIMD-SHAKE-256
++      :
++      # 65    1<<62    KIMD-GHASH
++
++ klmd :
++      # 32    1<<31    KLMD-SHA3-224
++      # 33    1<<30    KLMD-SHA3-256
++      # 34    1<<29    KLMD-SHA3-384
++      # 35    1<<28    KLMD-SHA3-512
++      # 36    1<<27    KLMD-SHAKE-128
++      # 37    1<<26    KLMD-SHAKE-256
++      :
++
++ km   :
++      # 18    1<<45    KM-AES-128
++      # 19    1<<44    KM-AES-192
++      # 20    1<<43    KM-AES-256
++      # 50    1<<13    KM-XTS-AES-128
++      # 52    1<<11    KM-XTS-AES-256
++      :
++
++ kmc  :
++      # 18    1<<45    KMC-AES-128
++      # 19    1<<44    KMC-AES-192
++      # 20    1<<43    KMC-AES-256
++      :
++
++ kmac :
++      # 18    1<<45    KMAC-AES-128
++      # 19    1<<44    KMAC-AES-192
++      # 20    1<<43    KMAC-AES-256
++      :
++
++ kmctr:
++      :
++
++ kmo  :
++      # 18    1<<45    KMO-AES-128
++      # 19    1<<44    KMO-AES-192
++      # 20    1<<43    KMO-AES-256
++      :
++
++ kmf  :
++      # 18    1<<45    KMF-AES-128
++      # 19    1<<44    KMF-AES-192
++      # 20    1<<43    KMF-AES-256
++      :
++
++ prno :
++      :
++
++ kma  :
++      # 18    1<<45    KMA-GCM-AES-128
++      # 19    1<<44    KMA-GCM-AES-192
++      # 20    1<<43    KMA-GCM-AES-256
++      :
++
++=head1 EXAMPLES
++
++Disables all instruction set extensions which the z196 processor does not implement:
++
++ OPENSSL_s390xcap="z196"
++
++Disables the vector facility:
++
++ OPENSSL_s390xcap="stfle:~0:~0:~0x4000000000000000"
++
++Disables the KM-XTS-AES and and the KIMD-SHAKE function codes:
++
++ OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0"
++
++=head1 RETURN VALUES
++
++Not available.
++
++=head1 SEE ALSO
++
++[1] z/Architecture Principles of Operation, SA22-7832-11
++
++=head1 COPYRIGHT
++
++Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
++
++Licensed under the OpenSSL license (the "License").  You may not use
++this file except in compliance with the License.  You can obtain a copy
++in the file LICENSE in the source distribution or at
++L<https://www.openssl.org/source/license.html>.
++
++=cut
+diff --git a/util/private.num b/util/private.num
+index c456578c335..2bfe987b437 100644
+--- a/util/private.num
++++ b/util/private.num
+@@ -3,6 +3,7 @@
+ # assembly language, etc.
+ #
+ OPENSSL_ia32cap                         environment
++OPENSSL_s390xcap                        environment
+ OPENSSL_MALLOC_FD                       environment
+ OPENSSL_MALLOC_FAILURES                 environment
+ OPENSSL_instrument_bus                  assembler
diff --git a/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
new file mode 100644
index 0000000..4b30220
--- /dev/null
+++ b/openssl-s390x-assembly-pack-add-support-for-pcc-and-kma-inst.patch
@@ -0,0 +1,394 @@
+From e382f507fb67863be02bfa69b08533cc55f0cd96 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Thu, 27 Jun 2019 01:07:54 +0200
+Subject: [PATCH 08967/10000] s390x assembly pack: add support for pcc and kma
+ instructions
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9258)
+---
+ crypto/s390x_arch.h  |  22 ++++++++
+ crypto/s390xcap.c    | 119 +++++++++++++++++++++++++++++++++++++++++++
+ crypto/s390xcpuid.pl |  71 ++++++++++++++++++++++++++
+ 3 files changed, 212 insertions(+)
+
+Index: openssl-1.1.1d/crypto/s390x_arch.h
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390x_arch.h
++++ openssl-1.1.1d/crypto/s390x_arch.h
+@@ -26,6 +26,9 @@ void s390x_kmf(const unsigned char *in,
+                unsigned int fc, void *param);
+ void s390x_kma(const unsigned char *aad, size_t alen, const unsigned char *in,
+                size_t len, unsigned char *out, unsigned int fc, void *param);
++int s390x_pcc(unsigned int fc, void *param);
++int s390x_kdsa(unsigned int fc, void *param, const unsigned char *in,
++               size_t len);
+ 
+ /*
+  * The field elements of OPENSSL_s390xcap_P are the 64-bit words returned by
+@@ -45,6 +48,8 @@ struct OPENSSL_s390xcap_st {
+     unsigned long long kmf[2];
+     unsigned long long prno[2];
+     unsigned long long kma[2];
++    unsigned long long pcc[2];
++    unsigned long long kdsa[2];
+ };
+ 
+ extern struct OPENSSL_s390xcap_st OPENSSL_s390xcap_P;
+@@ -69,6 +74,8 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_KMF		0x90
+ # define S390X_PRNO		0xa0
+ # define S390X_KMA		0xb0
++# define S390X_PCC		0xc0
++# define S390X_KDSA		0xd0
+ 
+ /* Facility Bit Numbers */
+ # define S390X_MSA		17	/* message-security-assist */
+@@ -80,6 +87,7 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_VXD		134	/* vector packed decimal */
+ # define S390X_VXE		135	/* vector enhancements 1 */
+ # define S390X_MSA8		146	/* message-security-assist-ext. 8 */
++# define S390X_MSA9		155	/* message-security-assist-ext. 9 */
+ 
+ /* Function Codes */
+ 
+@@ -111,10 +119,24 @@ extern struct OPENSSL_s390xcap_st OPENSS
+ # define S390X_SHA_512_DRNG	3
+ # define S390X_TRNG		114
+ 
++/* pcc */
++# define S390X_SCALAR_MULTIPLY_P256	64
++# define S390X_SCALAR_MULTIPLY_P384	65
++# define S390X_SCALAR_MULTIPLY_P521	66
++
++/* kdsa */
++# define S390X_ECDSA_VERIFY_P256	1
++# define S390X_ECDSA_VERIFY_P384	2
++# define S390X_ECDSA_VERIFY_P521	3
++# define S390X_ECDSA_SIGN_P256		9
++# define S390X_ECDSA_SIGN_P384		10
++# define S390X_ECDSA_SIGN_P521		11
++
+ /* Register 0 Flags */
+ # define S390X_DECRYPT		0x80
+ # define S390X_KMA_LPC		0x100
+ # define S390X_KMA_LAAD		0x200
+ # define S390X_KMA_HS		0x400
++# define S390X_KDSA_D		0x80
+ 
+ #endif
+Index: openssl-1.1.1d/crypto/s390xcap.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcap.c
++++ openssl-1.1.1d/crypto/s390xcap.c
+@@ -137,6 +137,10 @@ void OPENSSL_cpuid_setup(void)
+         OPENSSL_s390xcap_P.prno[1] &= cap.prno[1];
+         OPENSSL_s390xcap_P.kma[0] &= cap.kma[0];
+         OPENSSL_s390xcap_P.kma[1] &= cap.kma[1];
++        OPENSSL_s390xcap_P.pcc[0] &= cap.pcc[0];
++        OPENSSL_s390xcap_P.pcc[1] &= cap.pcc[1];
++        OPENSSL_s390xcap_P.kdsa[0] &= cap.kdsa[0];
++        OPENSSL_s390xcap_P.kdsa[1] &= cap.kdsa[1];
+     }
+ }
+ 
+@@ -163,6 +167,8 @@ static int parse_env(struct OPENSSL_s390
+         .kmf    = {0ULL, 0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {0ULL, 0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -189,6 +195,8 @@ static int parse_env(struct OPENSSL_s390
+         .kmf    = {0ULL, 0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {0ULL, 0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -220,6 +228,8 @@ static int parse_env(struct OPENSSL_s390
+         .kmf    = {0ULL, 0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {0ULL, 0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -257,6 +267,8 @@ static int parse_env(struct OPENSSL_s390
+         .kmf    = {0ULL, 0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {0ULL, 0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -313,6 +325,9 @@ static int parse_env(struct OPENSSL_s390
+                    0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {S390X_CAPBIT(S390X_QUERY),
++                       0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -369,6 +384,9 @@ static int parse_env(struct OPENSSL_s390
+                    0ULL},
+         .prno   = {0ULL, 0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {S390X_CAPBIT(S390X_QUERY),
++                       0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -429,6 +447,9 @@ static int parse_env(struct OPENSSL_s390
+                    | S390X_CAPBIT(S390X_SHA_512_DRNG),
+                    0ULL},
+         .kma    = {0ULL, 0ULL},
++	.pcc    = {S390X_CAPBIT(S390X_QUERY),
++                       0ULL},
++        .kdsa   = {0ULL, 0ULL},
+     };
+ 
+     /*-
+@@ -508,6 +529,101 @@ static int parse_env(struct OPENSSL_s390
+                      | S390X_CAPBIT(S390X_AES_192)
+                      | S390X_CAPBIT(S390X_AES_256),
+                    0ULL},
++	.pcc    = {S390X_CAPBIT(S390X_QUERY),
++                       0ULL},
++        .kdsa   = {0ULL, 0ULL},
++    };
++
++    /*-
++     * z15 (2019) - z/Architecture POP SA22-7832-12
++     * Implements MSA and MSA1-9.
++     */
++    static const struct OPENSSL_s390xcap_st z15 = {
++        /*.stfle  = */{S390X_CAPBIT(S390X_MSA)
++                       | S390X_CAPBIT(S390X_STCKF)
++                       | S390X_CAPBIT(S390X_MSA5),
++                       S390X_CAPBIT(S390X_MSA3)
++                       | S390X_CAPBIT(S390X_MSA4),
++                       S390X_CAPBIT(S390X_VX)
++                       | S390X_CAPBIT(S390X_VXD)
++                       | S390X_CAPBIT(S390X_VXE)
++                       | S390X_CAPBIT(S390X_MSA8),
++                       0ULL},
++        /*.kimd   = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_SHA_1)
++                       | S390X_CAPBIT(S390X_SHA_256)
++                       | S390X_CAPBIT(S390X_SHA_512)
++                       | S390X_CAPBIT(S390X_SHA3_224)
++                       | S390X_CAPBIT(S390X_SHA3_256)
++                       | S390X_CAPBIT(S390X_SHA3_384)
++                       | S390X_CAPBIT(S390X_SHA3_512)
++                       | S390X_CAPBIT(S390X_SHAKE_128)
++                       | S390X_CAPBIT(S390X_SHAKE_256),
++                       S390X_CAPBIT(S390X_GHASH)},
++        /*.klmd   = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_SHA_1)
++                       | S390X_CAPBIT(S390X_SHA_256)
++                       | S390X_CAPBIT(S390X_SHA_512)
++                       | S390X_CAPBIT(S390X_SHA3_224)
++                       | S390X_CAPBIT(S390X_SHA3_256)
++                       | S390X_CAPBIT(S390X_SHA3_384)
++                       | S390X_CAPBIT(S390X_SHA3_512)
++                       | S390X_CAPBIT(S390X_SHAKE_128)
++                       | S390X_CAPBIT(S390X_SHAKE_256),
++                       0ULL},
++        /*.km     = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256)
++                       | S390X_CAPBIT(S390X_XTS_AES_128)
++                       | S390X_CAPBIT(S390X_XTS_AES_256),
++                       0ULL},
++        /*.kmc    = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.kmac   = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.kmctr  = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.kmo    = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.kmf    = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.prno   = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_SHA_512_DRNG),
++                       S390X_CAPBIT(S390X_TRNG)},
++        /*.kma    = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_AES_128)
++                       | S390X_CAPBIT(S390X_AES_192)
++                       | S390X_CAPBIT(S390X_AES_256),
++                       0ULL},
++        /*.pcc    = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
++                       0ULL},
++        /*.kdsa   = */{S390X_CAPBIT(S390X_QUERY)
++                       | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
++                       | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
++                       | S390X_CAPBIT(S390X_ECDSA_VERIFY_P521)
++                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P256)
++                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P384)
++                       | S390X_CAPBIT(S390X_ECDSA_SIGN_P521),
++                       0ULL},
+     };
+ 
+     char *tok_begin, *tok_end, *buff, tok[S390X_STFLE_MAX][LEN + 1];
+@@ -551,6 +667,8 @@ static int parse_env(struct OPENSSL_s390
+         else if TOK_FUNC(kmf)
+         else if TOK_FUNC(prno)
+         else if TOK_FUNC(kma)
++        else if TOK_FUNC(pcc)
++        else if TOK_FUNC(kdsa)
+ 
+         /* CPU model tokens */
+         else if TOK_CPU(z900)
+@@ -561,6 +679,7 @@ static int parse_env(struct OPENSSL_s390
+         else if TOK_CPU(zEC12)
+         else if TOK_CPU(z13)
+         else if TOK_CPU(z14)
++        else if TOK_CPU(z15)
+ 
+         /* whitespace(ignored) or invalid tokens */
+         else {
+Index: openssl-1.1.1d/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
++++ openssl-1.1.1d/crypto/s390xcpuid.pl
+@@ -77,8 +77,13 @@ OPENSSL_s390x_functions:
+ 	stg	%r0,S390X_PRNO+8(%r4)
+ 	stg	%r0,S390X_KMA(%r4)
+ 	stg	%r0,S390X_KMA+8(%r4)
++	stg	%r0,S390X_PCC(%r4)
++	stg	%r0,S390X_PCC+8(%r4)
++	stg	%r0,S390X_KDSA(%r4)
++	stg	%r0,S390X_KDSA+8(%r4)
+ 
+ 	lmg	%r2,%r3,S390X_STFLE(%r4)
++
+ 	tmhl	%r2,0x4000		# check for message-security-assist
+ 	jz	.Lret
+ 
+@@ -102,6 +107,13 @@ OPENSSL_s390x_functions:
+ 	la	%r1,S390X_KMAC(%r4)
+ 	.long	0xb91e0042		# kmac %r4,%r2
+ 
++	tmhh	%r3,0x0003		# check for message-security-assist-3
++	jz	.Lret
++
++	lghi	%r0,S390X_QUERY		# query pcc capability vector
++	la	%r1,S390X_PCC(%r4)
++	.long	0xb92c0000		# pcc
++
+ 	tmhh	%r3,0x0004		# check for message-security-assist-4
+ 	jz	.Lret
+ 
+@@ -125,6 +137,7 @@ OPENSSL_s390x_functions:
+ 	.long	0xb93c0042		# prno %r4,%r2
+ 
+ 	lg	%r2,S390X_STFLE+16(%r4)
++
+ 	tmhl	%r2,0x2000		# check for message-security-assist-8
+ 	jz	.Lret
+ 
+@@ -132,6 +145,13 @@ OPENSSL_s390x_functions:
+ 	la	%r1,S390X_KMA(%r4)
+ 	.long	0xb9294022		# kma %r2,%r4,%r2
+ 
++	tmhl	%r2,0x0010		# check for message-security-assist-9
++	jz	.Lret
++
++	lghi	%r0,S390X_QUERY		# query kdsa capability vector
++	la	%r1,S390X_KDSA(%r4)
++	.long	0xb93a0002		# kdsa %r0,%r2
++
+ .Lret:
+ 	br	$ra
+ .size	OPENSSL_s390x_functions,.-OPENSSL_s390x_functions
+@@ -422,6 +442,57 @@ s390x_kma:
+ ___
+ }
+ 
++################
++# void s390x_pcc(unsigned int fc, void *param)
++{
++my ($fc,$param) = map("%r$_",(2..3));
++$code.=<<___;
++.globl	s390x_pcc
++.type	s390x_pcc,\@function
++.align	16
++s390x_pcc:
++	lr	%r0,$fc
++	l${g}r	%r1,$param
++	lhi	%r2,0
++
++	.long	0xb92c0000	# pcc
++	brc	1,.-4		# pay attention to "partial completion"
++	brc	7,.Lpcc_err	# if CC==0 return 0, else return 1
++.Lpcc_out:
++	br	$ra
++.Lpcc_err:
++	lhi	%r2,1
++	j	.Lpcc_out
++.size	s390x_pcc,.-s390x_pcc
++___
++}
++
++################
++# void s390x_kdsa(unsigned int fc, void *param,
++#                 const unsigned char *in, size_t len)
++{
++my ($fc,$param,$in,$len) = map("%r$_",(2..5));
++$code.=<<___;
++.globl	s390x_kdsa
++.type	s390x_kdsa,\@function
++.align	16
++s390x_kdsa:
++	lr	%r0,$fc
++	l${g}r	%r1,$param
++	lhi	%r2,0
++
++	.long	0xb93a0004	# kdsa %r0,$in
++	brc	1,.-4		# pay attention to "partial completion"
++	brc	7,.Lkdsa_err	# if CC==0 return 0, else return 1
++.Lkdsa_out:
++	br	$ra
++.Lkdsa_err:
++	lhi	%r2,1
++	j	.Lkdsa_out
++.size	s390x_kdsa,.-s390x_kdsa
++___
++}
++
+ $code.=<<___;
+ .section	.init
+ 	brasl	$ra,OPENSSL_cpuid_setup
diff --git a/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch b/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
new file mode 100644
index 0000000..f189677
--- /dev/null
+++ b/openssl-s390x-assembly-pack-cleanse-only-sensitive-fields.patch
@@ -0,0 +1,41 @@
+From 2281be2ed4a7df462677661d30b13826ae6b3e26 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 24 Sep 2019 14:44:27 +0200
+Subject: [PATCH 09530/10000] s390x assembly pack: cleanse only sensitive
+ fields
+
+of instruction parameter blocks.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/10004)
+---
+ crypto/ec/ecp_s390x_nistp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ec/ecp_s390x_nistp.c b/crypto/ec/ecp_s390x_nistp.c
+index be81f0b8f0..9533698b0f 100644
+--- a/crypto/ec/ecp_s390x_nistp.c
++++ b/crypto/ec/ecp_s390x_nistp.c
+@@ -110,7 +110,7 @@ ret:
+     /* Otherwise use default. */
+     if (rc == -1)
+         rc = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx);
+-    OPENSSL_cleanse(param, sizeof(param));
++    OPENSSL_cleanse(param + S390X_OFF_SCALAR(len), len);
+     BN_CTX_end(ctx);
+     BN_CTX_free(new_ctx);
+     return rc;
+@@ -203,7 +203,7 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign_sig(const unsigned char *dgst,
+ 
+     ok = 1;
+ ret:
+-    OPENSSL_cleanse(param, sizeof(param));
++    OPENSSL_cleanse(param + S390X_OFF_K(len), 2 * len);
+     if (ok != 1) {
+         ECDSA_SIG_free(sig);
+         sig = NULL;
+-- 
+2.24.0
+
diff --git a/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch b/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
new file mode 100644
index 0000000..4b74bdf
--- /dev/null
+++ b/openssl-s390x-assembly-pack-fix-OPENSSL_s390xcap-z15-cpu-mas.patch
@@ -0,0 +1,46 @@
+From ac037dc874a721ca81a33b4314e26cef4a7e8d48 Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 24 Sep 2019 23:20:00 +0200
+Subject: [PATCH 09529/10000] s390x assembly pack: fix OPENSSL_s390xcap z15 cpu
+ mask
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/10004)
+---
+ crypto/s390xcap.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/crypto/s390xcap.c b/crypto/s390xcap.c
+index 5123e14fa6..3e6aeae1df 100644
+--- a/crypto/s390xcap.c
++++ b/crypto/s390xcap.c
+@@ -578,7 +578,8 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
+                        S390X_CAPBIT(S390X_VX)
+                        | S390X_CAPBIT(S390X_VXD)
+                        | S390X_CAPBIT(S390X_VXE)
+-                       | S390X_CAPBIT(S390X_MSA8),
++                       | S390X_CAPBIT(S390X_MSA8)
++                       | S390X_CAPBIT(S390X_MSA9),
+                        0ULL},
+         /*.kimd   = */{S390X_CAPBIT(S390X_QUERY)
+                        | S390X_CAPBIT(S390X_SHA_1)
+@@ -642,11 +643,10 @@ static int parse_env(struct OPENSSL_s390xcap_st *cap)
+                        | S390X_CAPBIT(S390X_AES_192)
+                        | S390X_CAPBIT(S390X_AES_256),
+                        0ULL},
+-        /*.pcc    = */{S390X_CAPBIT(S390X_QUERY)
+-                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
++        /*.pcc    = */{S390X_CAPBIT(S390X_QUERY),
++                       S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P256)
+                        | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P384)
+-                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521),
+-                       0ULL},
++                       | S390X_CAPBIT(S390X_SCALAR_MULTIPLY_P521)},
+         /*.kdsa   = */{S390X_CAPBIT(S390X_QUERY)
+                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P256)
+                        | S390X_CAPBIT(S390X_ECDSA_VERIFY_P384)
+-- 
+2.24.0
+
diff --git a/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch b/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
new file mode 100644
index 0000000..e5b7c6f
--- /dev/null
+++ b/openssl-s390x-assembly-pack-fix-msa3-stfle-bit-detection.patch
@@ -0,0 +1,26 @@
+From b3681e2641999be6c1f70e66497fe384d683a07e Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Tue, 24 Sep 2019 23:03:19 +0200
+Subject: [PATCH 09528/10000] s390x assembly pack: fix msa3 stfle bit detection
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/10004)
+---
+ crypto/s390xcpuid.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.1.1d/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl	2020-01-23 13:45:11.064632028 +0100
++++ openssl-1.1.1d/crypto/s390xcpuid.pl	2020-01-23 13:45:11.188632764 +0100
+@@ -107,7 +107,7 @@ OPENSSL_s390x_functions:
+ 	la	%r1,S390X_KMAC(%r4)
+ 	.long	0xb91e0042		# kmac %r4,%r2
+ 
+-	tmhh	%r3,0x0003		# check for message-security-assist-3
++	tmhh	%r3,0x0008		# check for message-security-assist-3
+ 	jz	.Lret
+ 
+ 	lghi	%r0,S390X_QUERY		# query pcc capability vector
diff --git a/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch b/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
new file mode 100644
index 0000000..ddacfd6
--- /dev/null
+++ b/openssl-s390x-assembly-pack-update-OPENSSL_s390xcap-3.patch
@@ -0,0 +1,67 @@
+From da93b5cc2bc931b998f33ee432bc1ae2b38fccca Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Wed, 26 Jun 2019 23:41:35 +0200
+Subject: [PATCH 08968/10000] s390x assembly pack: update OPENSSL_s390xcap(3)
+
+Add description of capability vector's pcc and kma parts.
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9258)
+---
+ doc/man3/OPENSSL_s390xcap.pod | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+Index: openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
+===================================================================
+--- openssl-1.1.1d.orig/doc/man3/OPENSSL_s390xcap.pod
++++ openssl-1.1.1d/doc/man3/OPENSSL_s390xcap.pod
+@@ -34,14 +34,14 @@ There are three types of tokens:
+ The name of a processor generation. A bit in the environment variable's
+ mask is set to one if and only if the specified processor generation
+ implements the corresponding instruction set extension. Possible values
+-are z900, z990, z9, z10, z196, zEC12, z13 and z14.
++are z900, z990, z9, z10, z196, zEC12, z13, z14 and z15.
+ 
+ =item <string>:<mask>:<mask>
+ 
+ The name of an instruction followed by two 64-bit masks. The part of the
+ environment variable's mask corresponding to the specified instruction is
+ set to the specified 128-bit mask. Possible values are kimd, klmd, km, kmc,
+-kmac, kmctr, kmo, kmf, prno and kma.
++kmac, kmctr, kmo, kmf, prno, kma, pcc and kdsa.
+ 
+ =item stfle:<mask>:<mask>:<mask>
+ 
+@@ -153,13 +153,28 @@ Disables the KM-XTS-AES and and the KIMD
+ 
+  OPENSSL_s390xcap="km:~0x2800:~0;kimd:~0xc000000:~0"
+ 
++ pcc  :
++      :
++      # 64    1<<63    PCC-Scalar-Multiply-P256
++      # 65    1<<62    PCC-Scalar-Multiply-P384
++      # 66    1<<61    PCC-Scalar-Multiply-P521
++
++ kdsa :
++      #  1    1<<62    KDSA-ECDSA-Verify-P256
++      #  2    1<<61    KDSA-ECDSA-Verify-P384
++      #  3    1<<60    KDSA-ECDSA-Verify-P521
++      #  9    1<<54    KDSA-ECDSA-Sign-P256
++      # 10    1<<53    KDSA-ECDSA-Sign-P384
++      # 11    1<<52    KDSA-ECDSA-Sign-P521
++      :
++
+ =head1 RETURN VALUES
+ 
+ Not available.
+ 
+ =head1 SEE ALSO
+ 
+-[1] z/Architecture Principles of Operation, SA22-7832-11
++[1] z/Architecture Principles of Operation, SA22-7832-12
+ 
+ =head1 COPYRIGHT
+ 
diff --git a/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch b/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
new file mode 100644
index 0000000..fa36669
--- /dev/null
+++ b/openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch
@@ -0,0 +1,127 @@
+Index: openssl-1.1.1d/crypto/ec/ecx_meth.c
+===================================================================
+--- openssl-1.1.1d.orig/crypto/ec/ecx_meth.c	2020-02-26 14:33:10.766715365 +0100
++++ openssl-1.1.1d/crypto/ec/ecx_meth.c	2020-02-26 14:33:10.786715482 +0100
+@@ -842,6 +842,7 @@ static const EVP_PKEY_METHOD ed448_pkey_
+ 
+ #ifdef S390X_EC_ASM
+ # include "s390x_arch.h"
++# include "internal/constant_time.h"
+ 
+ static void s390x_x25519_mod_p(unsigned char u[32])
+ {
+@@ -855,16 +856,16 @@ static void s390x_x25519_mod_p(unsigned
+     u_red[31] = (unsigned char)c;
+     c >>= 8;
+ 
+-    for (i = 30; c > 0 && i >= 0; i--) {
++    for (i = 30; i >= 0; i--) {
+         c += (unsigned int)u_red[i];
+         u_red[i] = (unsigned char)c;
+         c >>= 8;
+     }
+ 
+-    if (u_red[0] & 0x80) {
+-        u_red[0] &= 0x7f;
+-        memcpy(u, u_red, sizeof(u_red));
+-    }
++    c = (u_red[0] & 0x80) >> 7;
++    u_red[0] &= 0x7f;
++    constant_time_cond_swap_buff(0 - (unsigned char)c,
++                                 u, u_red, sizeof(u_red));
+ }
+ 
+ static void s390x_x448_mod_p(unsigned char u[56])
+@@ -889,16 +890,14 @@ static void s390x_x448_mod_p(unsigned ch
+     u_red[27] = (unsigned char)c;
+     c >>= 8;
+ 
+-    for (i = 26; c > 0 && i >= 0; i--) {
++    for (i = 26; i >= 0; i--) {
+         c += (unsigned int)u_red[i];
+         u_red[i] = (unsigned char)c;
+         c >>= 8;
+     }
+ 
+-    if (u_red[0] & 0x80) {
+-        u_red[0] &= 0x7f;
+-        memcpy(u, u_red, sizeof(u_red));
+-    }
++    constant_time_cond_swap_buff(0 - (unsigned char)c,
++                                 u, u_red, sizeof(u_red));
+ }
+ 
+ static int s390x_x25519_mul(unsigned char u_dst[32],
+@@ -954,7 +953,7 @@ static int s390x_x448_mul(unsigned char
+     memcpy(param.x448.d_src, d_src, 56);
+ 
+     s390x_flip_endian64(param.x448.u_src, param.x448.u_src);
+-    s390x_x448_mod_p(param.x448.u_src);
++    s390x_x448_mod_p(param.x448.u_src + 8);
+ 
+     s390x_flip_endian64(param.x448.d_src, param.x448.d_src);
+     param.x448.d_src[63] &= 252;
+Index: openssl-1.1.1d/include/internal/constant_time.h
+===================================================================
+--- openssl-1.1.1d.orig/include/internal/constant_time.h	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/include/internal/constant_time.h	2020-02-26 14:33:10.786715482 +0100
+@@ -353,6 +353,34 @@ static ossl_inline void constant_time_co
+ }
+ 
+ /*
++ * mask must be 0xFF or 0x00.
++ * "constant time" is per len.
++ *
++ * if (mask) {
++ *     unsigned char tmp[len];
++ *
++ *     memcpy(tmp, a, len);
++ *     memcpy(a, b);
++ *     memcpy(b, tmp);
++ * }
++ */
++static ossl_inline void constant_time_cond_swap_buff(unsigned char mask,
++                                                     unsigned char *a,
++                                                     unsigned char *b,
++                                                     size_t len)
++{
++    size_t i;
++    unsigned char tmp;
++
++    for (i = 0; i < len; i++) {
++        tmp = a[i] ^ b[i];
++        tmp &= mask;
++        a[i] ^= tmp;
++        b[i] ^= tmp;
++    }
++}
++
++/*
+  * table is a two dimensional array of bytes. Each row has rowsize elements.
+  * Copies row number idx into out. rowsize and numrows are not considered
+  * private.
+Index: openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt
+===================================================================
+--- openssl-1.1.1d.orig/test/recipes/30-test_evp_data/evppkey.txt	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/test/recipes/30-test_evp_data/evppkey.txt	2020-02-26 14:33:10.790715505 +0100
+@@ -814,6 +814,8 @@ PublicKeyRaw=Bob-448-PUBLIC-Raw:X448:3eb
+ 
+ PrivPubKeyPair = Bob-448-Raw:Bob-448-PUBLIC-Raw
+ 
++PublicKeyRaw=Bob-448-PUBLIC-Raw-NonCanonical:X448:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
++
+ Derive=Alice-448
+ PeerKey=Bob-448-PUBLIC
+ SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+@@ -830,6 +832,11 @@ Derive=Bob-448-Raw
+ PeerKey=Alice-448-PUBLIC-Raw
+ SharedSecret=07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282bb60c0b56fd2464c335543936521c24403085d59a449a5037514a879d
+ 
++# Self-generated non-canonical
++Derive=Alice-448-Raw
++PeerKey=Bob-448-PUBLIC-Raw-NonCanonical
++SharedSecret=66e2e682b1f8e68c809f1bb3e406bd826921d9c1a5bfbfcbab7ae72feecee63660eabd54934f3382061d17607f581a90bdac917a064959fb
++
+ # Illegal sign/verify operations with X448 key
+ 
+ Sign=Alice-448
diff --git a/openssl-s390xcpuid.pl-fix-comment.patch b/openssl-s390xcpuid.pl-fix-comment.patch
new file mode 100644
index 0000000..f3b9bb4
--- /dev/null
+++ b/openssl-s390xcpuid.pl-fix-comment.patch
@@ -0,0 +1,38 @@
+From 9baa4d5f4c9f596faba2b3e219b367a09c472d1d Mon Sep 17 00:00:00 2001
+From: Patrick Steuer <patrick.steuer@de.ibm.com>
+Date: Wed, 3 Jul 2019 18:02:11 +0200
+Subject: [PATCH 09203/10000] s390xcpuid.pl: fix comment
+
+Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/9348)
+---
+ crypto/s390xcpuid.pl | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: openssl-1.1.1d/crypto/s390xcpuid.pl
+===================================================================
+--- openssl-1.1.1d.orig/crypto/s390xcpuid.pl
++++ openssl-1.1.1d/crypto/s390xcpuid.pl
+@@ -431,7 +431,7 @@ ___
+ }
+ 
+ ################
+-# void s390x_pcc(unsigned int fc, void *param)
++# int s390x_pcc(unsigned int fc, void *param)
+ {
+ my ($fc,$param) = map("%r$_",(2..3));
+ $code.=<<___;
+@@ -456,8 +456,8 @@ ___
+ }
+ 
+ ################
+-# void s390x_kdsa(unsigned int fc, void *param,
+-#                 const unsigned char *in, size_t len)
++# int s390x_kdsa(unsigned int fc, void *param,
++#                const unsigned char *in, size_t len)
+ {
+ my ($fc,$param,$in,$len) = map("%r$_",(2..5));
+ $code.=<<___;
diff --git a/openssl-ship_fips_standalone_hmac.patch b/openssl-ship_fips_standalone_hmac.patch
new file mode 100644
index 0000000..de4133f
--- /dev/null
+++ b/openssl-ship_fips_standalone_hmac.patch
@@ -0,0 +1,13 @@
+Index: openssl-1.1.1d/crypto/fips/build.info
+===================================================================
+--- openssl-1.1.1d.orig/crypto/fips/build.info	2020-01-23 13:45:11.232633025 +0100
++++ openssl-1.1.1d/crypto/fips/build.info	2020-01-23 13:45:11.432634214 +0100
+@@ -7,7 +7,7 @@ SOURCE[../../libcrypto]=\
+         fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \
+         fips_dh_selftest.c fips_ers.c
+ 
+-PROGRAMS_NO_INST=\
++PROGRAMS=\
+           fips_standalone_hmac
+ 
+ SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
diff --git a/openssl-truststore.patch b/openssl-truststore.patch
new file mode 100644
index 0000000..8ccc84f
--- /dev/null
+++ b/openssl-truststore.patch
@@ -0,0 +1,17 @@
+Don't use the legacy /etc/ssl/certs directory anymore but rather the
+p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991)
+Index: openssl-1.1.1-pre1/include/internal/cryptlib.h
+===================================================================
+--- openssl-1.1.1-pre1.orig/include/internal/cryptlib.h	2018-02-13 14:48:12.000000000 +0100
++++ openssl-1.1.1-pre1/include/internal/cryptlib.h	2018-02-13 16:30:11.738161984 +0100
+@@ -59,8 +59,8 @@ DEFINE_LHASH_OF(MEM);
+ 
+ # ifndef OPENSSL_SYS_VMS
+ #  define X509_CERT_AREA          OPENSSLDIR
+-#  define X509_CERT_DIR           OPENSSLDIR "/certs"
+-#  define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
++#  define X509_CERT_DIR           "/var/lib/ca-certificates/openssl"
++#  define X509_CERT_FILE          "/var/lib/ca-certificates/ca-bundle.pem"
+ #  define X509_PRIVATE_DIR        OPENSSLDIR "/private"
+ #  define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
+ # else
diff --git a/openssl-unknown_dgst.patch b/openssl-unknown_dgst.patch
new file mode 100644
index 0000000..7244e93
--- /dev/null
+++ b/openssl-unknown_dgst.patch
@@ -0,0 +1,15 @@
+Index: openssl-1.1.1d/apps/dgst.c
+===================================================================
+--- openssl-1.1.1d.orig/apps/dgst.c	2019-09-10 15:13:07.000000000 +0200
++++ openssl-1.1.1d/apps/dgst.c	2020-03-20 11:20:27.618536409 +0100
+@@ -95,6 +95,10 @@ int dgst_main(int argc, char **argv)
+     prog = opt_progname(argv[0]);
+     buf = app_malloc(BUFSIZE, "I/O buffer");
+     md = EVP_get_digestbyname(prog);
++    if (md == NULL && strcmp(prog, "dgst") != 0) {
++        BIO_printf(bio_err, "%s is not a known digest\n", prog);
++        goto end;
++    }
+ 
+     prog = opt_init(argc, argv, dgst_options);
+     while ((o = opt_next()) != OPT_EOF) {
diff --git a/openssl-update_expired_certificates.patch b/openssl-update_expired_certificates.patch
new file mode 100644
index 0000000..5dd10c8
--- /dev/null
+++ b/openssl-update_expired_certificates.patch
@@ -0,0 +1,163 @@
+diff --git a/test/certs/embeddedSCTs1-key.pem b/test/certs/embeddedSCTs1-key.pem
+index e3e66d5..28dd206 100644
+--- a/test/certs/embeddedSCTs1-key.pem
++++ b/test/certs/embeddedSCTs1-key.pem
+@@ -1,15 +1,27 @@
+ -----BEGIN RSA PRIVATE KEY-----
+-MIICWwIBAAKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/BH634c4VyVui+A7k
+-WL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWkEM2cW9tdSSdyba8X
+-EPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWwFAn/Xdh+tQIDAQAB
+-AoGAK/daG0vt6Fkqy/hdrtSJSKUVRoGRmS2nnba4Qzlwzh1+x2kdbMFuaOu2a37g
+-PvmeQclheKZ3EG1+Jb4yShwLcBCV6pkRJhOKuhvqGnjngr6uBH4gMCjpZVj7GDMf
+-flYHhdJCs3Cz/TY0wKN3o1Fldil2DHR/AEOc1nImeSp5/EUCQQDjKS3W957kYtTU
+-X5BeRjvg03Ug8tJq6IFuhTFvUJ+XQ5bAc0DmxAbQVKqRS7Wje59zTknVvS+MFdeQ
+-pz4dGuV7AkEA1y0X2yarIls+0A/S1uwkvwRTIkfS+QwFJ1zVya8sApRdKAcidIzA
+-b70hkKLilU9+LrXg5iZdFp8l752qJiw9jwJAXjItN/7mfH4fExGto+or2kbVQxxt
+-9LcFNPc2UJp2ExuL37HrL8YJrUnukOF8KJaSwBWuuFsC5GwKP4maUCdfEQJAUwBR
+-83c3DEmmMRvpeH4erpA8gTyzZN3+HvDwhpvLnjMcvBQEdnDUykVqbSBnxrCjO+Fs
+-n1qtDczWFVf8Cj2GgQJAQ14Awx32Cn9sF+3M+sEVtlAf6CqiEbkYeYdSCbsplMmZ
+-1UoaxiwXY3z+B7epsRnnPR3KaceAlAxw2/zQJMFNOQ==
++MIIEpQIBAAKCAQEAuIjpA4/iCpDA2mjywI5zG6IBX6bNcRQYDsB7Cv0VonNXtJBw
++XxMENP4jVpvEmWpJ5iMBknGHV+XWBkngYapczIsY4LGn6aMU6ySABBVQpNOQSRfT
++48xGGPR9mzOBG/yplmpFOVq1j+b65lskvAXKYaLFpFn3oY/pBSdcCNBP8LypVXAJ
++b3IqEXsBL/ErgHG9bgIRP8VxBAaryCz77kLzAXkfHL2LfSGIfNONyEKB3xI94S4L
++eouOSoWL1VkEfJs87vG4G5xoXw3KOHyiueQUUlMnu8p+Bx0xPVKPEsLje3R9k0rG
++a5ca7dXAn9UypKKp25x4NXpnjGX5txVEYfNvqQIDAQABAoIBAE0zqhh9Z5n3+Vbm
++tTht4CZdXqm/xQ9b0rzJNjDgtN5j1vuJuhlsgUQSVoJzZIqydvw7BPtZV8AkPagf
++3Cm/9lb0kpHegVsziRrfCFes+zIZ+LE7sMAKxADIuIvnvkoRKHnvN8rI8lCj16/r
++zbCD06mJSZp6sSj8ZgZr8wsU63zRGt1TeGM67uVW4agphfzuKGlXstPLsSMwknpF
++nxFS2TYbitxa9oH76oCpEk5fywYsYgUP4TdzOzfVAgMzNSu0FobvWl0CECB+G3RQ
++XQ5VWbYkFoj5XbE5kYz6sYHMQWL1NQpglUp+tAQ1T8Nca0CvbSpD77doRGm7UqYw
++ziVQKokCgYEA6BtHwzyD1PHdAYtOcy7djrpnIMaiisSxEtMhctoxg8Vr2ePEvMpZ
++S1ka8A1Pa9GzjaUk+VWKWsTf+VkmMHGtpB1sv8S7HjujlEmeQe7p8EltjstvLDmi
++BhAA7ixvZpXXjQV4GCVdUVu0na6gFGGueZb2FHEXB8j1amVwleJj2lcCgYEAy4f3
++2wXqJfz15+YdJPpG9BbH9d/plKJm5ID3p2ojAGo5qvVuIJMNJA4elcfHDwzCWVmn
++MtR/WwtxYVVmy1BAnmk6HPSYc3CStvv1800vqN3fyJWtZ1P+8WBVZWZzIQdjdiaU
++JSRevPnjQGc+SAZQQIk1yVclbz5790yuXsdIxf8CgYEApqlABC5lsvfga4Vt1UMn
++j57FAkHe4KmPRCcZ83A88ZNGd/QWhkD9kR7wOsIz7wVqWiDkxavoZnjLIi4jP9HA
++jwEZ3zER8wl70bRy0IEOtZzj8A6fSzAu6Q+Au4RokU6yse3lZ+EcepjQvhBvnXLu
++ZxxAojj6AnsHzVf9WYJvlI0CgYEAoATIw/TEgRV/KNHs/BOiEWqP0Co5dVix2Nnk
++3EVAO6VIrbbE3OuAm2ZWeaBWSujXLHSmVfpoHubCP6prZVI1W9aTkAxmh+xsDV3P
++o3h+DiBTP1seuGx7tr7spQqFXeR3OH9gXktYCO/W0d3aQ7pjAjpehWv0zJ+ty2MI
++fQ/lkXUCgYEAgbP+P5UmY7Fqm/mi6TprEJ/eYktji4Ne11GDKGFQCfjF5RdKhdw1
++5+elGhZes+cpzu5Ak6zBDu4bviT+tRTWJu5lVLEzlHHv4nAU7Ks5Aj67ApH21AnP
++RtlATdhWOt5Dkdq1WSpDfz5bvWgvyBx9D66dSmQdbKKe2dH327eQll4=
+ -----END RSA PRIVATE KEY-----
+diff --git a/test/certs/embeddedSCTs1.pem b/test/certs/embeddedSCTs1.pem
+index d1e8512..d2a111f 100644
+--- a/test/certs/embeddedSCTs1.pem
++++ b/test/certs/embeddedSCTs1.pem
+@@ -1,20 +1,21 @@
+ -----BEGIN CERTIFICATE-----
+-MIIDWTCCAsKgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
++MIIDeDCCAuGgAwIBAgIBAjANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
+ MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
+-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
+-MDAwMDBaMFIxCzAJBgNVBAYTAkdCMSEwHwYDVQQKExhDZXJ0aWZpY2F0ZSBUcmFu
+-c3BhcmVuY3kxDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGfMA0G
+-CSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+75jnwmh3rjhfdTJaDB0ym+3xj6r015a/
+-BH634c4VyVui+A7kWL19uG+KSyUhkaeb1wDDjpwDibRc1NyaEgqyHgy0HNDnKAWk
+-EM2cW9tdSSdyba8XEPYBhzd+olsaHjnu0LiBGdwVTcaPfajjDK8VijPmyVCfSgWw
+-FAn/Xdh+tQIDAQABo4IBOjCCATYwHQYDVR0OBBYEFCAxVBryXAX/2GWLaEN5T16Q
+-Nve0MH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQswCQYD
+-VQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4w
+-DAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAJBgNVHRMEAjAAMIGK
+-BgorBgEEAdZ5AgQCBHwEegB4AHYA3xwuwRUAlFJHqWFoMl3cXHlZ6PfG04j8AC4L
+-vT9012QAAAE92yffkwAABAMARzBFAiBIL2dRrzXbplQ2vh/WZA89v5pBQpSVkkUw
+-KI+j5eI+BgIhAOTtwNs6xXKx4vXoq2poBlOYfc9BAn3+/6EFUZ2J7b8IMA0GCSqG
+-SIb3DQEBBQUAA4GBAIoMS+8JnUeSea+goo5on5HhxEIb4tJpoupspOghXd7dyhUE
+-oR58h8S3foDw6XkDUmjyfKIOFmgErlVvMWmB+Wo5Srer/T4lWsAERRP+dlcMZ5Wr
+-5HAxM9MD+J86+mu8/FFzGd/ZW5NCQSEfY0A1w9B4MHpoxgdaLiDInza4kQyg
++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMDAxMjUxMTUwMTNaGA8yMTIwMDEy
++NjExNTAxM1owGTEXMBUGA1UEAwwOc2VydmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3
++DQEBAQUAA4IBDwAwggEKAoIBAQC4iOkDj+IKkMDaaPLAjnMbogFfps1xFBgOwHsK
++/RWic1e0kHBfEwQ0/iNWm8SZaknmIwGScYdX5dYGSeBhqlzMixjgsafpoxTrJIAE
++FVCk05BJF9PjzEYY9H2bM4Eb/KmWakU5WrWP5vrmWyS8BcphosWkWfehj+kFJ1wI
++0E/wvKlVcAlvcioRewEv8SuAcb1uAhE/xXEEBqvILPvuQvMBeR8cvYt9IYh8043I
++QoHfEj3hLgt6i45KhYvVWQR8mzzu8bgbnGhfDco4fKK55BRSUye7yn4HHTE9Uo8S
++wuN7dH2TSsZrlxrt1cCf1TKkoqnbnHg1emeMZfm3FURh82+pAgMBAAGjggEMMIIB
++CDAdBgNVHQ4EFgQUtMa8XD5ylrF9AqCdnPEhXa63H2owHwYDVR0jBBgwFoAUX52I
++Dchz5lTU+A3Y5rDBJLRHw1UwCQYDVR0TBAIwADATBgNVHSUEDDAKBggrBgEFBQcD
++ATCBigYKKwYBBAHWeQIEAgR8BHoAeAB2AN8cLsEVAJRSR6lhaDJd3Fx5Wej3xtOI
++/AAuC70/dNdkAAABb15m6AAAAAQDAEcwRQIgfDPo8RArm/vcSEZ608Q1u+XQ55QB
++u67SZEuZxLpbUM0CIQDRsgcTud4PDy8Cgg+lHeAS7UxgSKBbWAznYOuorwNewzAZ
++BgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTANBgkqhkiG9w0BAQsFAAOBgQCWFKKR
++RNkDRzB25NK07OLkbzebhnpKtbP4i3blRx1HAvTSamf/3uuHI7kfiPJorJymJpT1
++IuJvSVKyMu1qONWBimiBfiyGL7+le1izHEJIP5lVTbddfzSIBIvrlHHcWIOL3H+W
++YT6yTEIzJuO07Xp61qnB1CE2TrinUWlyC46Zkw==
+ -----END CERTIFICATE-----
+diff --git a/test/certs/embeddedSCTs1.sct b/test/certs/embeddedSCTs1.sct
+index 59362dc..35c9eb9 100644
+--- a/test/certs/embeddedSCTs1.sct
++++ b/test/certs/embeddedSCTs1.sct
+@@ -2,11 +2,11 @@ Signed Certificate Timestamp:
+     Version   : v1 (0x0)
+     Log ID    : DF:1C:2E:C1:15:00:94:52:47:A9:61:68:32:5D:DC:5C:
+                 79:59:E8:F7:C6:D3:88:FC:00:2E:0B:BD:3F:74:D7:64
+-    Timestamp : Apr  5 17:04:16.275 2013 GMT
++    Timestamp : Jan  1 00:00:00.000 2020 GMT
+     Extensions: none
+     Signature : ecdsa-with-SHA256
+-                30:45:02:20:48:2F:67:51:AF:35:DB:A6:54:36:BE:1F:
+-                D6:64:0F:3D:BF:9A:41:42:94:95:92:45:30:28:8F:A3:
+-                E5:E2:3E:06:02:21:00:E4:ED:C0:DB:3A:C5:72:B1:E2:
+-                F5:E8:AB:6A:68:06:53:98:7D:CF:41:02:7D:FE:FF:A1:
+-                05:51:9D:89:ED:BF:08
+\ No newline at end of file
++                30:45:02:20:7C:33:E8:F1:10:2B:9B:FB:DC:48:46:7A:
++                D3:C4:35:BB:E5:D0:E7:94:01:BB:AE:D2:64:4B:99:C4:
++                BA:5B:50:CD:02:21:00:D1:B2:07:13:B9:DE:0F:0F:2F:
++                02:82:0F:A5:1D:E0:12:ED:4C:60:48:A0:5B:58:0C:E7:
++                60:EB:A8:AF:03:5E:C3
+\ No newline at end of file
+diff --git a/test/certs/embeddedSCTs1_issuer.pem b/test/certs/embeddedSCTs1_issuer.pem
+index 1fa449d..6aa9455 100644
+--- a/test/certs/embeddedSCTs1_issuer.pem
++++ b/test/certs/embeddedSCTs1_issuer.pem
+@@ -1,18 +1,18 @@
+ -----BEGIN CERTIFICATE-----
+-MIIC0DCCAjmgAwIBAgIBADANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJHQjEk
++MIIC0jCCAjugAwIBAgIBADANBgkqhkiG9w0BAQsFADBVMQswCQYDVQQGEwJHQjEk
+ MCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENBMQ4wDAYDVQQIEwVX
+-YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAeFw0xMjA2MDEwMDAwMDBaFw0yMjA2MDEw
+-MDAwMDBaMFUxCzAJBgNVBAYTAkdCMSQwIgYDVQQKExtDZXJ0aWZpY2F0ZSBUcmFu
+-c3BhcmVuY3kgQ0ExDjAMBgNVBAgTBVdhbGVzMRAwDgYDVQQHEwdFcncgV2VuMIGf
+-MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVimhTYhCicRmTbneDIRgcKkATxtB7
+-jHbrkVfT0PtLO1FuzsvRyY2RxS90P6tjXVUJnNE6uvMa5UFEJFGnTHgW8iQ8+EjP
+-KDHM5nugSlojgZ88ujfmJNnDvbKZuDnd/iYx0ss6hPx7srXFL8/BT/9Ab1zURmnL
+-svfP34b7arnRsQIDAQABo4GvMIGsMB0GA1UdDgQWBBRfnYgNyHPmVNT4DdjmsMEk
+-tEfDVTB9BgNVHSMEdjB0gBRfnYgNyHPmVNT4DdjmsMEktEfDVaFZpFcwVTELMAkG
+-A1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRyYW5zcGFyZW5jeSBDQTEO
+-MAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW6CAQAwDAYDVR0TBAUwAwEB
+-/zANBgkqhkiG9w0BAQUFAAOBgQAGCMxKbWTyIF4UbASydvkrDvqUpdryOvw4BmBt
+-OZDQoeojPUApV2lGOwRmYef6HReZFSCa6i4Kd1F2QRIn18ADB8dHDmFYT9czQiRy
+-f1HWkLxHqd81TbD26yWVXeGJPE3VICskovPkQNJ0tU4b03YmnKliibduyqQQkOFP
+-OwqULg==
++YWxlczEQMA4GA1UEBxMHRXJ3IFdlbjAgFw0yMjA2MDExMDM4MDJaGA8yMTIyMDUw
++ODEwMzgwMlowVTELMAkGA1UEBhMCR0IxJDAiBgNVBAoTG0NlcnRpZmljYXRlIFRy
++YW5zcGFyZW5jeSBDQTEOMAwGA1UECBMFV2FsZXMxEDAOBgNVBAcTB0VydyBXZW4w
++gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANWKaFNiEKJxGZNud4MhGBwqQBPG
++0HuMduuRV9PQ+0s7UW7Oy9HJjZHFL3Q/q2NdVQmc0Tq68xrlQUQkUadMeBbyJDz4
++SM8oMczme6BKWiOBnzy6N+Yk2cO9spm4Od3+JjHSyzqE/HuytcUvz8FP/0BvXNRG
++acuy98/fhvtqudGxAgMBAAGjga8wgawwHQYDVR0OBBYEFF+diA3Ic+ZU1PgN2Oaw
++wSS0R8NVMH0GA1UdIwR2MHSAFF+diA3Ic+ZU1PgN2OawwSS0R8NVoVmkVzBVMQsw
++CQYDVQQGEwJHQjEkMCIGA1UEChMbQ2VydGlmaWNhdGUgVHJhbnNwYXJlbmN5IENB
++MQ4wDAYDVQQIEwVXYWxlczEQMA4GA1UEBxMHRXJ3IFdlboIBADAMBgNVHRMEBTAD
++AQH/MA0GCSqGSIb3DQEBCwUAA4GBAD0aYh9OkFYfXV7kBfhrtD0PJG2U47OV/1qq
+++uFpqB0S1WO06eJT0pzYf1ebUcxjBkajbJZm/FHT85VthZ1lFHsky87aFD8XlJCo
++2IOhKOkvvWKPUdFLoO/ZVXqEVKkcsS1eXK1glFvb07eJZya3JVG0KdMhV2YoDg6c
++Doud4XrO
+ -----END CERTIFICATE-----
+diff --git a/test/ct_test.c b/test/ct_test.c
+index 78d11ca..535897d 100644
+--- a/test/ct_test.c
++++ b/test/ct_test.c
+@@ -63,7 +63,7 @@ static CT_TEST_FIXTURE *set_up(const char *const test_case_name)
+     if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture))))
+         goto end;
+     fixture->test_case_name = test_case_name;
+-    fixture->epoch_time_in_ms = 1473269626000ULL; /* Sep 7 17:33:46 2016 GMT */
++    fixture->epoch_time_in_ms = 1580335307000ULL; /* Wed 29 Jan 2020 10:01:47 PM UTC */
+     if (!TEST_ptr(fixture->ctlog_store = CTLOG_STORE_new())
+             || !TEST_int_eq(
+                     CTLOG_STORE_load_default_file(fixture->ctlog_store), 1))
diff --git a/openssl.keyring b/openssl.keyring
new file mode 100644
index 0000000..aff51c7
--- /dev/null
+++ b/openssl.keyring
@@ -0,0 +1,711 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFGALsIBCADBkh6zfxbewW2KJjaMaishSrpxuiVaUyvWgpe6Moae7JNCW8ay
+hJbwAtsQ69SGA4gUkyrR6PBvDMVYEiYqZwXB/3IErStESjcu+gkbmsa0XcwHpkE3
+iN7I8aU66yMt710nGEmcrR5E4u4NuNoHtnOBKEh+RCLGp5mo6hwbUYUzG3eUI/zi
+2hLApPpaATXnD3ZkhgtHV3ln3Z16nUWQAdIVToxYhvVno2EQsqe8Q3ifl2Uf0Ypa
+N19BDBrxM3WPOAKbJk0Ab1bjgEadavrFBCOl9CrbThewRGmkOdxJWaVkERXMShlz
+UzjJvKOUEUGOxJCmnfQimPQoCdQyVFLgHfRFABEBAAG0IE1hdHQgQ2Fzd2VsbCA8
+ZnJvZG9AYmFnZ2lucy5vcmc+iQE4BBMBAgAiBQJRgC7CAhsDBgsJCAcDAgYVCAIJ
+CgsEFgIDAQIeAQIXgAAKCRDZxNJtDmBEkWP+B/0SsWSeLGo+viob8935Uirei4Fv
+nzGOUV1w/dgDLSzavmysVxb4q9psp1vj1KEtm18vzZO79AeARGwWTQYGmFmrNRWZ
+2DgbjGyJ4LS5kLBqQ9FaF7vUFtml6R04yx+RTgQTg601XsAjeU8uSarmeZgGVMAI
+nsdMrUc74lJeWKSnovr4IFOdgiU/env19tK355bsfTvb0ksE5Q7wnnoRXdLyNet0
+AWf4ednWDEnRb6cIVDF28URjxH6yIfqAVe7VnuDB4Sfuck4R4gYFS/xGfTgocPUD
+Z4rUz8wleGLwDIiU7GpilmtZTl1FTPkFa/mqbcJgdVTJqLZO5vISJkZvqE5UiQEc
+BBABAgAGBQJUV6uPAAoJEPI0eUVcUbJ8A/4H/2h9ONzArTOEl5y/eN6jJrZc1Af3
+sC/CKxOVBJzpfVnda9O9Ldc4IFJG40ksNWuetDvShQTQtTy7dgne1lkfhud/uUG0
+uo5W2ZoYaHIXOqoC0uxCR3ctOQg5hiVsL5XPjR7YQT+0c/bDK4HWr2GgX7Fo03dt
+8LETRSjovUO2xPb8MFUNc9eZNokLPq9CbOMvmEdbZIt2EEXBOnhktdT0SvXu5E0t
+AC6HqZXAo+my1vSqDxxF9MlpDHysLKIM9G2mvLDbG583pYB3+DEYyr0F/vQIVEb+
+O8qUFaYCFaZKmEhIb3NC4SqLXV24+QKVu2NWtKY7wrg/rsmSI5/DmHVejXeJARwE
+EwECAAYFAlRX/6sACgkQumzaRh/o4CMu2AgAl1Th443nVuobOv3tKlC89l0m048J
+LG7fg8uMV0ejogQ7MAHkzQt/9uq5pQfDEtuIdLaoKqz93RtPECXfj/cBUT5iEkWl
+PmOOR4UXfKUahU3qHED9+niOmlip3vZII/92oGSHv4KXPHZHOFUPn+nvaNypnIWG
+TUJODueW9neoa+D8y3CC0KlZ9jTbwxSHVWTZjo8pezpJ1Fr4tE9bDibkWEm3pIcp
+demSodBatNliSFcj/VeOF2AV4ABSKH0PGSrZazrefdTKPGiz01ZHmPAb6qsbLd66
+94/brzuVz9YhoSRJCTqSmXmEowPbs8TsjfMeSQkkx4STSr86+DNYmG3Kc4kCHAQQ
+AQIABgUCVDuigAAKCRDfq1kqvdUvHHktD/9je36p4LXhLda0+NqWsh1Vm9dC9RxM
+023LqwoMNw6khLiLzzhmXKyazvV/q/lidPYCr3rWR3tCrmEkULogHf60unBghxYH
+xva5XvObFDVXDmMBTP2M3XvKIAQXhNk9I22HtfgYTIhI2Bs/D7HDFgszoBurLLQK
+l+rjDevDbeWbdXJZ7J4Z63kb0GaIIHnNXnvxWo7muomXfdKJEL8LIlmeUOh/ZYcI
+u8HMoGvDKYMeRZ9ph7f2Z7iJDCUmtMauLM/qPP9wiyzZKZE/wwapWkWL1KgAC+vt
+hwrFzcirkhvI2rnWUOeec+nEjmnnnPzA5tDtpyOQYqkcIf9hewkfA6l9js3fbf1i
+jCluP+nZjsbYb7MO9IT+bBQ1Jm0tjwu8MiX3HJZGl8CNBzk0UXImIl+0kSzSAnQg
+MK6EweTzDkCMIjVLRQAmpNw/8smvzu4JF3bX+w1S1MWZ5NNebCT5hs4kVhXT8Uvw
+TLmdt+afRpxtlKFxhJ05v6lNgV1o8CaOm1tmmgyqWM53/nGUi1XqtXu1+0uoO65f
+JMoJOjCoK+tHzNUvyoPmU/qhyCC0yftZHA0k1BRaI7Kf0ll+i+8laJceFlFr+k6/
+Be2Mzp/C/3KyK04nU3/jY9oyUKAjq5D1mb/Ht5TWEOPoSuUtlqzgWWpNxJWTq0xe
+jsLg/e/q5z7mR4kCHAQQAQIABgUCVDumsQAKCRDV6eQ/ffnujDUSD/9ar/zoYKhJ
+/SsEuhEZ+taED4YRgKy0eeaT7YPqtmGVcs4meww06Og9L9FeK/8Qn/pa3xnFtTvX
+K6XriSLly4DtmAZnwmtARidgXeXp+hfjEoeIXoAUpY88Af4FQhIkmJwcWRZYtM6x
+/Gno8+LyzQGrGNmeoNNLJ5t7RsvBHYRR44LQNbGpv8dN0LTOAWKCmnGmNn5cN9Uq
+BvrgJRsJvvBRtF/V53Y5giHX4N9C4VT21odQ4sEq3HrsofwEWDHnl0hEoWOpu3zu
+AcxsAdm4A113z2+WnTLcQnCRjmG7mGpDStLTiBcw45MsGOLnR2CgtNXEQOYp97/C
+wkgNF5rUyx/Owr63uw0EWOFkaqDWd8KPt4ZTmOcOUChVnEyFCXu9F3oD2ypbaM5O
+ielMwj3Uq8Br5c21g0qCeDAIUaNQLl6cFfPtD6jDiYNhVBgOGrlvHyGP3+mm+Ix3
+w2CpKmHv6z0ed2XWqQElBuOr2I8vcSos8SAK5oJz50t1joLP5PQ4T/FlbBBfXYgW
+PtEGsae9K/cXVSV6NSxcfXDtNggfDG1S4AkwH1Ka96AtrGutJCPm1xSMpMJ7m3+G
+5EfEqHnF5lnn/By+gZTvC+nnqGM4UolcAyz6FFVha/CtfoYBiXekUXnz6dDEgxm5
+fA7CVeo+TDg4LgvvHh+P+EuJKQ4lQqGQl4kCHAQQAQIABgUCVEJylwAKCRBDFxH3
+bRiS9VfrD/9yo5fWTBHdCMAVRsLa/rKSk0oB2jKXg+5Jo1m/FM3UF4JibDor8VLo
+TgKUXTn2eyqX3Dr6/3UiGFzU43kg+IG9ZdCLx8FwGAEo0MA7Tef7W0Drq00kAdVy
+dhS+1gi4NZc4Hj+rSYcYkto2/e+zlSmD5CB3X3kgTK3+qv7bQbGlLMxZfP1sWsUd
+jI2gWpxIeqqUZXM1CwIzqXWFEktKTov2CRLftk3pSQ6pS4sw60dpq2+e7EeARZfp
+WIHAG8PXCgbq2M8mhAZ1NADWgXRPHCN3MeDV3qM5Lj6ov2/i3Crmy1IV5Bxt6QLD
+A04Sbv5TpJ1tecriW2wTWUU3b/QWzFuCS+FUNSKWJe7tbQJyWQY+BtVZsMeFdjiY
+B8QrUY5WOc97tgBVXZG7+5ustM5d0VDk83sHnQrGxPVqQq57Pwi1JFTxM7YDzePX
+3KZVNXi5NR+EI69+Ej3cBRKpOUdAsq7ywKzlqiYtpcZD/uzJKi0F+AyOKLPFG4Ny
+f8eGqr75tDAXqdoE4fu6IKSybc3MKlX9+LiDyTlQmgoZIRmczHPfbCBQQln7NNk/
+6BegL87/yJYSZuR10SLzRNdYa2E1wliPZezrUxu6Y4OeYEIxL0/w6j7I1YFGqwR4
+83B2SdTXC1NKQVDUR6tbm/oDhNVo7mZ4VjUFJ7oS8en5+rbNv30svokCHAQQAQoA
+BgUCVD7PygAKCRAgZMU2QcJeXYG/D/9KUEi7mN50xURhILUp7KKJnS3WbGP32N+/
+/XXr1QIEiOuRhbCBp49Y9/Q9TGYFYGm42ClkMyGLW9Dp7zcyejjVrVRO5srQ5e9g
+q5IPgfeoa6Wu301YzsvO3RBa10dg9thA6HJsDlU+vyCnU8fKThdSS1aaYtBqEAUJ
+IzdFK0KIShqHyjKB31iVg2NL8AziBKHWIqr5Tyh84DFRuT+PAwwSYW5sy5j9wsyX
+FK1ZAfkmS9fJsrr3n0l9KsUYW8dJzLcdEmtS+dbJLAPrqbhssK1wk/NE1/N+8+Y6
+ocegn2lFfMheA6s+d1ejBnk0angY8ZGgLIvCuB/iTfivDefqM2KtbQBOqbw6rf3B
+TLlVVfiCbFo/RJgxoAQTKs4D+OH8RnWoNANoIOitpIpieBD2I0pFmVDob9sh0toV
+Hk8aDO6s6lNoEiLEJVWoh/6+qxsRX/rDAGyWO+4Oz6ctyS/laQjT2FxLGODZBMxj
+XrdyRXrC/nIcwYUlFfB3xX54xAo1j38OIauO9u93338LFLYAcpHhkW78nmkRxNa5
+SjiribecDj5/bzOI7G7gfTCKmEkUuZltCrG5MwSHorhGP/v8M+TeLsjkvzgm1Hd6
+0pf1+NXOPbZpiCq1S/yIs1zBEj1Q1t1PuJT+BYkOzlR/RhSJFSY/B4dBA+HxN/cY
+KzwNZN88HLQfTWF0dCBDYXN3ZWxsIDxtYXR0QG9wZW5zc2wub3JnPokBOAQTAQIA
+IgUCU96+vAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ2cTSbQ5gRJGg
+PQf/WUQld+vrqt2+yTI6LTNTQBG9RceNuaZiRnsROR1eHtVr9OOfzVPenCavcXgh
+wsY0sPPgSDrvFur9PyuuwQ87HmdX+ZGdRP3tSaxC4udHbAsZtEG7bgUozuhfcpC+
+Ah0lZ3EccmyOkYJWITWYgUBEDOU37qne09udDMA2NHLuL89hT+eIZ2pVwyFydkJf
+kXtgfrDq3RmZgfebVB5ESdap/G7t7Iewi95syApMj9swbxnsqUtmFr0fCsVdAA8h
+JPqx9zVuUon0g1QMz2IroNH+6WTDt7SGYcuqNapizk/PJd6g2ew9cm3r3CIANiqP
+go0Mh02nVGgX2p9vWcT4MzquBokCHAQQAQoABgUCVD7PygAKCRAgZMU2QcJeXSx6
+EACM2ZWwnTz0FwLaQfqcAUEUee2rX03GwXgZsw00fIv+IRtCGvZ+c5OyP6Blujb+
+gylHK6sohL/JBqPO6y49HlQ+VOjo2iFzeFdoC8No936fKxfvM1NeocsXShb1rXak
+LDtiUj3UEqFbfdwrt7s6xqpNF6cEcci8sE8vGTSazNePui0C9NqV5Gh924MCNTwC
+EasEhXvyurKB8Sgo2X5lH3OutDlHnUuiNtJ10n8rRNe87ZKgKcPahjpsMKC87rqK
+55/sGLdqAndyXmnasHUKEd7bwQzq396SZgdKxlEruwQPyrecjaqf0CpHhGVsTpCi
+78IQ7jR6xZWdBBAAn6SeFKfxnDypx5thqXsWDRrzH5gTXAqN3BNUluTn0gQgqGVx
+dU5/uY0fHXlXjjyS/CcEBQlhMeMbXvnWCQ+IGOToRedpUwTENB1+TkdUz/RuQm/U
+EP2Lmkfx4XDj+R+lgbftQ6cfJtZccmvh+euWRcbJUlPXIeM6DJVRaL700R1VHrSi
+2oPXQi9YcMlyzh4BZ9fe3DIBiIDBDOURMGB75ULlCxi39H1H2Anf0/E11aPOOkr7
+oavD6AVziihQJ8LqNI2obdX+UwivoU35NXZMCifmTOcCbrCxw+Xih+X6EPC0qwhR
+pDevf7mqWxWVyu30hLv3YJOgmHEh+++GRzS7SL9iovev+4kBHAQQAQIABgUCU/p2
+2gAKCRA1IssGdHjPYDuZB/9arXoSdE0WGasdEfG+Qup0lL2rsfAYYXyCP08wVsZ0
+pBVmoby+hpIHEkcVH47Au+lYW9UTrvK3yMKEhSrxTzA9LIjC9Q0Mfms1CEo9oRa8
+2p2jM9Yy9thCMR21Xhq/GmCkaKuR3oK5ofMXngTf4eyMwCQYPcYhL69OVx+/60w0
+DbG6/nJ553Rd0qDTGxjk/gzji4VYe0rJcATZSIO5TjJdd2VATkDDvRWa2asvMMN+
+CcPL6U2iZi8g4s413CmImz5W8/u7R2v7dkRJ0FLbP3+OAiHFD6n7uD0WAhZKT4+H
+HSKbOnh6mMnyGMnyn2N5IvrEL3FM0cflUrKfqnbFa/KyiQEcBBABAgAGBQJUV6uP
+AAoJEPI0eUVcUbJ8OaoIALRdJKgFzcsDqtX4SeJpefJ4796u8O5B7w/16nXwOw7i
+2lDUpmz9+bwEliVOc8etFCRvB6nl/NSq8OUCdha5MIIJVoJn3EWz4LNHCcplxE0g
+zHfVMBaV8eB/+AEyvJ6QlaeN+PKBW3VPPGHxnBQBDdXmfIh2ceAkB9pCU6zN/lHV
+95fs+E3X028OAaN/uwbyaJYCmWxRYOA0nIA7A9C2UWugrnka1qISR6XtiOhjTe9u
+G9/K9FclJueW0FnFVXXwl+/O0epy4oOq199UoJvF0FEDChNvnAjjrS1iUOxGcvJ7
+/sSgCV3t8sYyNm+euCCXbKTdF5iPkpRvpSKauPjO5nmJARwEEwECAAYFAlRX/6sA
+CgkQumzaRh/o4CM5egf+J/+ia/Iqes82Gd5Q5I+I9yrNy+itjtEpBHNX3XrT+iJH
+BrRfVUN2MGW/ovElEOkxo7ZuA6c5zSnPBqsrzuLdacFR5LNMVrE2i5B7H5bcMGJ9
+AZPXud1YBTzbGaKCzdVnvW9EnrYSQK5eiDTQkPPJiHjrvz1QLrng7AJUFfWm4/xh
+RchpPT8cVHBRP7qAInkP1IYJ7dVDKOJRFsEM7J1Jx5M6vmSi1du1IvNsSeD19+8a
+fyWc5q88fJRx/DlRZ+y/R4OH8wj4fbwRwuMTqWLXAlY4A8r0AGXYhR5BN4jKZAyx
+pyq7hY64D9WNhojqYRYwxOADWn9GqxMfSesSCr1gzokCHAQQAQIABgUCVDuigAAK
+CRDfq1kqvdUvHGVQD/9WuFZgc24DIw3mAJKk2dNG+zIEmJx+EKRTqhwrs97y48xP
+0KWKGtmuEwx6fHDhBnHiOB41pixk2GD7K0XGy9sqTL3PBINgECgEPEhkmSLATqrp
+bYFA6IiAGlDtc7ySZ3qlajUgLGoUTuen5HfMxrF8waldv1IUm2MarkCYShz7/RD8
+Zq6VpnkqNAlUch9f3hnZgRI2MpuTRl2aij/vtPVzg01t5KFvfZLYI8OkJx57A1L+
+/8w6BEmKyC5WhNEEaH9uF5qhnZjZHsien7BZS7Tvkgb+6OMowS3ShNqUH3A2YVbW
+AupaLq1nRwvs7rTWDuoRMVZGGUm0SM08TUKkl16hWxsAJEzCCdVxO+8l5Ul26LkC
+KJLdeFPrJmutgQnPJOQ6Q/EsYYua3iNAbJp+hZ9quw0R0oiyO5b7Cn8P9KffpiY0
+01GQ4SqYrll80WJn1kUWp+QqvIvZC595aVmF9Fplqp24qXdXt2OMhzZF6FdSB0GS
+xplHgjR866XD2EjH6RgHZ/PTUYI9zjEEro2gk/BG5dshSa42nBkD+aJfmvjQ4CDI
+sccsHdYlLdtvujsN0F/rFRRKdIAPZhnbVB45AqNL81AUDEaXXWa93GyW58GjZy0i
+l29i0Zg/hMn7vhqt3pZY8GL9ND3J90rJuvls/zmeITIUR3wDH20ZdTw07P62RIkC
+HAQQAQIABgUCVDumsQAKCRDV6eQ/ffnujPWzD/43HZVkH0GTm9LpXlEvXGNGTmce
+y5majqUTmEOmqD2j3wJZZatW8uOCDCclKdjcwiL3B1DOZbrtVZqit4mK6uhxN/MW
+lgPnH3lO8o3xtmLNED3POZXkTUD1+VkOJRFiekg9Y9tVAn5CfUlu8/V/1p0smBvI
+HArJmhgpOy4ZzGtMTrlJHxNCuxlj+IAGL48xw+3zIrgpjuUoGHZwiLO0+bTls3Tt
+/xUvPH192OQlbBWIrby2uGfjaoM+iiRuuvztYzd/BpxLlbU61E7yYe9T/9Or35jh
+40T20KC9Ugv9etHER5QdtoNxrXJhkBGfGz9av/apTTgEuG2WeSlyFlom2scfuEsV
+XwXIHHewv9Hqpr9yIEi5vwSwEtn5/FFoAUl5cY3hN+6BMUTn7DEOIrKjuzyOwPTM
+mrS+BL8nUg/FgiO6KvdNBHMwW2cB97DTCo3ThL0Hr87i3J8bg0mB7jUIWcldAox2
+5vsKdGo9UBygEtHIHPojc5n3ludmeMpkMdM7pI8WvWfHqiOstaJhyyfWw+0RWr/c
+n5e2RaK9Ieef5PwCn6yrFmzR/KOnSV34XkBgfzMBf8J3OJzDZXDuZzw9ns/3fU25
+om3OsiCDLuXkRESLBCYBbYnenWiaUacDOkS+DqLw9P9SsPWIKOaz0cVnbPmZFIzu
+67KxPiPHmY9DZ0xuFYkCHAQQAQIABgUCVEJylwAKCRBDFxH3bRiS9VzQEACuEjJC
+doXPGk+e8orcS1Xq7/Y4FbtChfuYaqjreccV1fmTmY7EPMj6YARyVslM39TcwDwN
+gYhZ52pn7BtAGUVoz+p+A+kEerwUE2Id7J3yViH0kFk2ar3FZTUXA8rp3HhBKOZj
+P+d0FBEzTCEhS44s3SyoD+ByY7jZeTg0F9f2p4HBoEeEbTBcOR1fJv0NG/A+5lsc
+zfD6YDgJsT9C3TCLKV4AMRy/wDZjkHMoXYB0ttXASlFzjsMGsy0FwbgyAdg9XIIt
+7jrDuWHy9M9eVHCp8JBW+gEMq116Jmq1FT7/5VMBdK+o1fiU5zRRAPdYGfr9PWy5
+ygH7g6nl/jFV5XmRnnrgL7etWI07pjpoPWqHqjUTGg5UbnzMfRk9TnPBAJGXFJIw
+S2QszDEU3ApESc14NHrUUYVH4GvyeG5DYKZlz7HCpwtdpoYJ4DL2adE8U8qUmQkc
+izaoE8x8rf0h6qrQcOOw4H1vX/RdhDtxbcK/fOgaHeQYOa5+lcNAlE7lU3z/bl6f
+iB2hWlQdyzajceEoFJpxMm+QvRV/Z3wmwWeVPjZexFChbQVtaGagPJxXhid7rc2T
+o8egQq5gAAfUOPwB5YWnvmFnmq3o1zCy5wZGUcm9aU0/sNZjBa9J7Fisv6uCQblQ
+HA90wVUJ351GEm5Nh+j8oOpNafAgVim/zTaYS7kBDQRRgC7CAQgAz2dQkASmxUFj
+Ar3Y8/0yWjX961enomAEjryw4InFPDMGttPMiV69VBepb3N04MPo5spyAY24b4bo
+3Cfng/oxxGl3Z3Giv1gD7JojTJPoJWeHGxePBz++5Di0EAvq1+4wBdFUh4RWTbZw
+qTgckHrwiZcIJF3JGL0cgTmJOtkewcLiyMCyKuGVzSjyFTeCqQqHYSHBrr5TyXM3
+HTqGgURnEhVG16jPWPMIciYXsRfO0RwMhqY7y5yRUoC4psmAUaRTduS82BaVzw+D
+Hi1FQ0kYLUsTidippITB57VKkD9V7CIM5uP3s+jMJMXNEJQEKdK9oCVOekD3ROc4
+Mftqv4vloQARAQABiQEfBBgBAgAJBQJRgC7CAhsMAAoJENnE0m0OYESRCzYH/3pc
+H2HIWlf9uG7jVg2vudIDrl0OL134+Qyq8ummJyQbdVHjFdbLDMQlPDpbYM0zIU7q
+Y611daA12AMXscpli8cGvqnK20sAw/sF9YG9Tthjn24qZRJzm+XQ3OxpJvHk8NJA
+SRIgIsj7+EjC4Rc5vpnuA6tfsXW7LzdOYcU46MPaYuXmKxTMWFotWTR9lJj6YKCD
+f+KdvBvyDfX3VhuTYt9ead1oSx0TMwutPSDrAiCbJvPpR1W5U99I8aXLRVZUAbWw
+084KkC4mk1Xr5XGt1WIDHe9A9vHdfOoMVLUhKWd3SpL/tFfAy4UOlUf8EO/NByiK
+RaelFj+Wg8aRKDhMHtqZAg0EVDBrNgEQALTW/3j3IVjPBufRSQSQzcwdOsOpZun5
+6uFep1UPnKYb+le+arHkqXEvVNky5YQW5qr0RWRbxabmCWTgPXghqUhUoBEAwPCq
+A2s+fDQYICY0h/46a+UbuB2xJH3d4AsmnW+8pml4RVmPQzSBDWLhAghHw8yqz7aN
+pjJ53geFFjNRsYpkyev3g6dvLwUgBirQHv1WoG/k18xzYoQqstfC4NKO1l3ZMYHu
+p4sXuwJzPIWiLldOP4GJV93ELOhgRrVGOnmEaWVWPznDYN18oQP8FbtUJ6Xgf5ZN
+kapMVDV7eQ+jUp2qXAMX4KLYkVTqbI/LQukes2GfoWx1AY65EqBg/JyiXtXMkcq1
+wY0wORQUZXYOyCWNC5ZKPlM01fm6YUIgg33h4u8e1X1tc/3zIoH/mmvYmFqAvqR1
+Ts4TRz+a6ADTmAZBNQkN4s2xGrnhgL4IvIz13Ey8fvIHjfIx9S+ApxJG3SwdSjyD
+lo5h0WrRJdBSvz63+Ife3n8nGGoGKTwUGK7RohKxMNRu9vFBBB78uF9H4VYNlEXA
+c4vRUQtql/DXCGK0Yb7L4X19Agl9rnLMSIL0BZhmMdFoUHurosC8XRXy8/6mRPXn
+t9Mrrdbnea3X5U8y3YvvfaL78KrL/ofPA52c2c3J8R2+bYmiOzwpc3bS8KGd9QaJ
++9OPG6IWJv2xABEBAAG0H1JpY2hhcmQgTGV2aXR0ZSA8bGV2aXR0ZUBscC5zZT6I
+RgQQEQIABgUCVDBs1QAKCRCnr5549wlFO6QSAKC4dTjXWV0KiOSIMstZMyiaMQ0z
+aQCdF3FyGjkLchIr3FwcUx9QvhfikFaIogQQEwoABgUCWEMC4gAKCRAzJke+Dybi
+9pjiAgkBvkwCNCH+YjMiHeiCd1iWfekYp+AXU7Ahc0IukPc3kHxG7rrT5/I/QTdQ
++fhlDbC1dLx+wnPKnevTojJsaG2/vsYCCQE95aCxiuLq8Qur+zssEbBb/z5uFcQe
+JU7Y2D+WPqar/6BnuqPUNwvBU3CPTGzB6PhdF8XLeDv6a+munOcZfbNSa4kBHAQQ
+AQIABgUCVFeq/QAKCRDyNHlFXFGyfE6HB/97H4c2s9pAQfvtrl+tnYE6cYUKFDrM
+INAlaOKKrRAkaZmi9ph3mbJSIudLNS+Q1Ml2p87bs8nnA7UcMIoy52vEAuvNsA+F
+Lvu+r5BzReKWb0SbkkP3At+45oUezYW8pPwJYx1+DcYEY1m0PKw+Nl84CfWH95ro
+rz/zADj6vBA7+DmwEH5f9dIMkrFRAZvDNiSnN8wRAzIeyJPN15t3Iuyw7KGzInYj
+jfP4Yv8uWCUdC+RIPr/d8WHXUzDrNoYy6hikmZdlHFi/L3Qhqw8uEPGBN7BuJMsO
+KtZfg3xvKulksqYIIwUuhg/SCq7EkYBzUcnb9FtoxBQVOFsc2Yy5BYXYiQEcBBAB
+AgAGBQJUWKT/AAoJENnE0m0OYESRLZoH/3XdoVvwfxYGOrzFdhSsszkdxJJ1KPTH
+cEotKuBZjOEOGGlYpHvXCM9s9jUbZmBa+owzK+T9RUUHX7h/Jgx/zaU77aLAJ8Ab
+Ea8gRJJNwT/Dj9FKL2oPXbq0EIdIFzdroeTuQXWnzj/LAwLfyzj+T985H7xVG/pi
+1IfU5hxp4LRTeVVw4KmAD8QF9JOZpsBJbh1zqwjv4iM7frP32C1v5KzQteKKSiGp
+wnrak/DUKB9r1mmH4MedzDwosE3bys8pxJUWjlaSWepm4bavsqq7sSd54YWvpGGd
+Kfvrs88kF/VjY87z+Bf051whsfcCFMJYQTBl8VryaXGKDDetbyo7xYOJARwEEAEI
+AAYFAlgkaBgACgkQJaRoTftHC+79bQgAxd0uPSp2iRdJat9EtT+wjwMCjGXTa7DY
+zOnMgr0OzzJXhrVEC9shtQULwWUKyQVxfJgzvCl1fkQh5bfErmxhSps99blV9jt5
+3bwQSoBYe/W6e7jrFVL8/izqAailXDKwq+zDGTEdo+Xw7knOe4+8hNG1I0U2hAu+
+KT92CF/UAd/OyNIWaop/Y9hzInw0dYFYpdJqLDP1R6vFqRizC+NMwsUovAQg/amB
+yVUgs+JjLJ8w0yOEGYFmv+cg6yrPT13YPic5tsZIRGCf3C5c4lKaGVtz1Iq2IV+I
+G1KENxR4Qt98B2YAuOoqcxv0cHKmcUtTiW5zkVSvNrWJlLG9Nev894kBHAQTAQIA
+BgUCVFf/ywAKCRC6bNpGH+jgI0xGCACe5cKrdW/hiSDEudusKpNvXdeyQT2lxAMC
+St31NQ+lGovvzLl2hwfSu4aFiLuEPQeK4nPwR7dCvIwFIvOXsGYbhocbs2vLAJoA
+97V76lDrx81fbjNG5NzVWUwrXgDF6X0rRZZXVCZYH6a9fksVUzYPMdyXzxJ6fOct
+Kg1urls8vtubpfxCC3b4jT40xtS9DpsWRDiY/C26xCKCH0oXwxMXMhoPgrqxTITi
+d8SSsi+pCEAvQnaOeZCbBp9+QZUfRnaEyLhq0vsKAA65S9uKcJ6O1PMIYGAouqVo
+Lp3g7WAVDduxOg/j1ts5OY3IhzvADxiG89NtXFaD2Llk03k9yRrOiQEcBBMBCAAG
+BQJVIvknAAoJEAgz9RDhjBwy8UIIAI5Cia9btAkTgg7B7c85eGu1FtMU1tKEEYiG
+2Hkg9IgGPH7QsfRW9oHdH2eYBk3gI8OQQGHhiqDC1lO8H1Q/5wIKTkctT2culYHv
+fIxPkwFz7TrJdpAfTMaqJzEk7nmRA+dqqF4kJISSrbbgfKQ0S39P0cmPTCze/EnF
+hAclHp/UCKTKqrc1ooZ7HQPyRs11lgpLRxNH6mgY6zXfhczPIOCgr3lgsopNDqQp
+iZ7bZhKbj5aaaVuYm/NWGFKkx8WGdAAl22NgY7UNMBQmMCmTO6sIdAWpIw9I5DqN
+30hKfyOPjqw3JuDPQ/PP5P5w/V9Vh7wb1lF/7RnvlCrKrSJnCNOJAhwEEAECAAYF
+AlQ7pasACgkQ36tZKr3VLxzlDw//Q+8G3NW2awzhaGscNk70JukOMY3Q2G2ASh9X
+LJMMpjYgsLSvrWpqrm9AZX3kk616sMQM0PjZF+95++0rJUcWgx/TgPVryH2Axzav
+XjbZVBU+HC3oKzSilCLHxpM3WNzXg8o1PjzHUDZ1Y3L3n7qEroXiXzkgndVEU7FN
+OUdLLbiBj40cIX/2/483Yjb1IlHAvR9AvO6i5wwM2CDsK5Tjn21mW3h/Uloz9LzU
+hlMPE0QKfMd0sUp5SyGWCHyZIUhRD7pJZuohEvVtd1D+QB73gPasQonENffuUUkm
+vBw9QRIZs5Pw8VXwJP60CY9RRjVvkgO4CCWXa7DN2viIVFCsS17b40DofKuGxfNP
+lJDYIR5N1lDxgrUzq8c96mM/bkQ4aHqxikWAnRSK1pt8ATwwKJJaR6Wd4E/7oijr
+gUWL7fUelOYEIj5pA9nbQiKHxU89qYFjb9fZG4znsvb7cdnKmTyMl5vFrPXPDBRu
+U0neqIxDG/KK02QtxXOsxvdOEcu8JDmJjfDooDPAWK2WfK50KdoFSRgjLo36fl9h
+YQANa5C2q/D8k/3LJzTQp7o1izppXIi2wb/0Yhw6J1wF2bh7I4Ld4Kedia0xkGOS
+9+uIQ9A+tiT0P17IXi8S9byJruJhlvWdOH7xHMVelml1qZ51cWGn3hVYo5FTpsPM
+lioMitOJAhwEEAECAAYFAlRCc6EACgkQQxcR920YkvUrXA//VoAEZCnokCHQLR6j
+Kxo/Tygw+fmqpBuEoTsmwF1QVj8+/tV3Cq6bjl+HVHGdAxvKqYbdlRe1oiuz547A
+Rrd7JiC/jxfwWwsJZZDXgwm4pwBLi+Y2ZDbsmN0FEvOKfBpftote1J53/NVYUDcB
+S2HLKLZpqQmUbPqvf+zh9/1y4+a+MWN2v5k40YwAdsr1oFifc1MgJ7r0Zy/HbLdC
+pW58nsTgrd1fKbBwDI7XRVJ+FABTFTHUykd/DHg+HQAirX3dnyLtZsUdIb5bPZwZ
+n55X97DTglHifcfF3n8ZIwZISVzxlnolQ3Ig1j6RVaJ0yGJKbtHTNgcuD6j1jCEg
+RZKbhKX9zJDF52FIZ8t2bcyO5NpA1UAwNiB5a/6MCtWtNX5/CZh8FPLiaoxu6nUF
+Xzi1ZXStXyXyTcXww6w4NftdnYNk8e6p/mt89HgYXw+tn6QQ04wWUI7iglbVakO1
+gYj4Xmc5GwUdk+4WZs5Z+gg5TAx9Igw7kQb7NYnkP/+er0k/NYhjXl0cuUn9B4UI
+zxRP5Lm4DqrZ7BgKAggiqUt/pFIPTzvHq54odqbpNZKmZaO6L07lZF8PrvDZktyH
+t7cg9+yO6cmUJae6jxTDO/it17Gtq+p5OzC48nGPjlQxVHfrNhLl/NAJGmyo5oam
+VaxZOozz2efHULa+iyLi41IARJ6JAhwEEAEIAAYFAleM34cACgkQg/Wup2H5JEHS
+5w/+OLogSBY5Pk1YfmUN9NeYpt6QQ44u6IBuJf2fHGdDBVtVxDKq1I7wkyXDYZlY
+gy2zomoU1WFm21YgcpBQfOJ5NjDM21JlDrDstaw2LgvNFdL+OBP2B7bM7H30PI/H
+ZQ2jHxkpH3t8ggS4CtSS48K1e5OvMBlueZn/S4aMHEEGUL4pF/T9tA506p7fUJhr
+7ax2uYk1TuOUh8BN40A6b3igeSb5bFTN5dn48qKWQbjWwAtDyEdssEyGTmz6UVdx
+zXORvu0B20uEVHgcD8vnIUZEuZxbyIHYJLXLtOxcUzqi3otnGXPyj/HLllJrP+lw
+rtOcfE6li96/H+kYOEEeY8WW/NN0Hxj20b8UR/jZupOsxweyEIKqqc4IjDOC2pOL
+BuxlAGgxd5UKM2kdHmwrL1+t2RZ/NTQVd20kPU8K3DM2M0xl/v8KDIu268wKBbxr
+DjE8/4HEViIBPAaAh/wnvQ23WWbgxLy7OexXGFymVZN31SMNp/sn93KmeKPlKDBi
+a6dtwAc6XtUFfHqeXgRwFAwzSi2//rVw0hT/DVYVdPA0rNORypzgRRM6w65wV9CX
+rEXQZAlZRXc/e0RZ8vNZUlkQnXnwj0N0xgTAjhu7vvFMM1FZJZRdfSkc3w3KyFjb
+fF1vxW6eOa7pYnWJYTj3q9dpXDJR7Fp/t7Qjd2dyfpbauimJAhwEEAEKAAYFAlQ+
+z5gACgkQIGTFNkHCXl1rMA/+Pls8tR4C8ZKXJAk2CcM2U988m5pjLJ9HgydChsjq
+lfUWT8JRTZsAhcXYsq99imZiVZJcd3DrWJq4/+CeIQhvcNUxRt4zhTiIWS2CMDFm
+69ioNGtdOFdlFHaJFax0QqOKzpiyakuiLKGoexJFK8Ifw3+z5+OqomToi9evPA8R
+VdS+hLGhwWkYorNeuZl4tcpJ48wq1qbz/ln9sTX8/pQN4eKfTSCKwqta6NQ+Uyyh
+nLrlqeEE3TATKlo7loZG3acXOIrXg40RtTzRKwN3MF3h55rFNLcDuf6qCegyfIeC
+7sJnHSQGorsJ92PUfKvmL8KJzduFRDosRGhmrrJOexW5mfUAU0OSom/LyMspxtLT
+Cdk8TKgjITF2Y57NTZHbrOuiC4pCPcX6JSs0dhGB6sNoehp7FnOUZxOVKD2lSvyJ
+QhO2Wfb22JjASjKeNjvnuPJjeoc7AGqQmK5BsSR0TDIPHm9Tcl2UmhXyEwqyL7Lp
+4o/9Vnfn8KpGvJnBSC7ahVbssZRkx11H/uEo/AzHNYhhNlQ0gQ7MSXy16Su+TJWa
+VdoUM6GiQAJaC0EbRXdWClWC5Z0OaLNmJ+IA2jeXPOIJOokp8AMvpF+MRgaU0oCY
+3rWxrW3qBOtLGufLibJ5+Q960lM/2CLeC6aE3q18SoxtpZzuOegIp1qgG2QexZ+X
+4C2JAhwEEAEKAAYFAlhmV+UACgkQKrDB9E0M+Vy3ig/+OxBPMbDz0JmTJKBMZNoY
+FEr1Z+UYNEylo+/UHwQlzc6n1bnvDtFLV5QTBeVq90M9dzq967N7L+cWopEPJrqs
+XzOhoz10iPvzOcR2ud4eNOBlR8HwBSzDHSl0hTxQLloAIpSJ0p2bgJ3OTVH/jM/N
+P9kP/X7xiALBc1Rnq1ApV74grdX/NFyqs22akebxF9fnKP1YxKosii38YCHbkBKt
+kcmWc7p9YPWEPNmYRi7n8LjrC8S6NGGoes2r9dzAa5tLc9iz+I+oHIYaKNaJbTEN
+SUFBbsNBCyX4vdKcxkwXZ8BlMW/4VNChmkr2Pvc3B6Uy670oziWGla8Qc4ZEQkUe
+ktddzvZWY1D/kxNY3VN2QF1XHxq+AGU4p0XpYyC0JddP5n6wRODWcfWiZP3ldmYq
+BPfYL+NBg7CeX2XfVRuPA32YQWsqD8OTxjJkVmjwrHTMu6BfVuyn8Q3u9tjl1nIM
+Au7dathmJLctsjgCJGycBP6jWC8EyzwGMvAFyr+FGaWUer6RNctN3kWADdv6s+mR
+XgdXKgl/o+gzCiZ8KFRXNrHr5pSbbY04C6ryihjRco/GQYDyPhjowaFbVgIg4zBh
+QWTotF/RKGkh2iIOAthsUHClk1ahrUplbdTdP27pAjlF5hAcuYIh+YTyVAnRcSuG
++8iM3SOMTpKa2eJNb20PlLGJAjgEEwECACIFAlQwbB0CGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheAAAoJENXp5D99+e6Mq7QP/iNhBEDJYRTrYc6JAmRIg6YyiKje
+Ox8kXtVCe9+qCzC+Y9ehyZB5Dyl0Ybej9jNJdEDJzDHKzVwU4NrfefcTWqUOQDNb
+pClGtXcQHlUthjREPWpyAEH1OhD5NDTSMI5YYKZDEfiN6oEpWlc7WK0mXZuY5mHO
+o0B3yNDfV845+7CGPK9zuE56/f9SLmCaFsCkNMGbvV4ybLRoBfZdnC5NPOKyJXQ0
+TG0CbxGMgIN5cOrBphU+ZrPYY+p4jEoD5rvFugQl4+oRsvxygpJV5t8pe1ihNMhm
+zu3CpRtMjmRAdzK+27Z8p7m8BORuoC+NbXVpcmjIueXDkYdxP+09qUyw8xE398tA
+uEXpbCVoQ68b6NDCBpowgvUu34zxDn0wKdt2YGHB6z7Kl7b8RycWG3Y8u/Hs+l6Q
+ehEmiy6UKXl7zW3PIi3192WzElUi7TtG/btqC6YPs0U3SQMkNWzwkjbKM9bC4gPF
+MK05a8QENc66M+USWjNg0TiAkGP9PDlpYyhtjicCTgL51lDm8LBXr9cbzvXav7Jc
+6NVh7Zby89r1DsPFzfDkccOX6nSnqYMISmvRUGrGfgrkeeM0MNu93aPTrs+0fxq+
+HJIZEhX/YCyQN4jqM+hQGh9bOwM7BacaP9F9vnq2hDK2WIXlWChX9Q70xArViJqz
+I8/76Ph1inPbjbJctCVSaWNoYXJkIExldml0dGUgPGxldml0dGVAb3BlbnNzbC5v
+cmc+iEYEEBECAAYFAlQwbNUACgkQp6+eePcJRTsjbgCfZoZL/NcIHSB9EtkrBnOb
+93KARHIAn0LhUmM/Ef2oIDB4V5Zkk2IzC2aBiKAEEBMKAAYFAlhDAuIACgkQMyZH
+vg8m4vZccQII2FyYDP1egwPQGA+daker6cP2fU2Le6ZaJA4bl2KNoUDKak48+OiK
+gG8RK3QoOlT48xppMdmOQOUot74ba7hExZMCCPclYxUV5kbOQwSPD1zvzhc+i76M
+PNvKN05gPDZ+VhzPVbfZ6NeNuslfOHCiX8VXzlzlmAH8jYQSxTEV8QHKX15OiQEc
+BBABAgAGBQJUV6r9AAoJEPI0eUVcUbJ8880H/i3rQ2XwO50gk0pL9r+OpoaQ+sn6
+aHXrh5k1Ao32e39/iWSonfimtg813OpZ2M2DvX8GZCxVQdetuOczCtwXrH84PLl5
+KaTo8pJBtrmuPACcRbJ/j88NGkllkX3Z9x5EvwLB8lZ7pLIMiqzRhTjKM5UcJ8gU
+dI2iM2f9GkaslnEDct/YcoDFgnV6bj3BL7Z/gmuruY/1+YtQJypFi7wPHYsk8E+W
+CvrEXOXnQvfmYtzTRBZb0j5eZCUZxhd3QyBSjUfrpVrlwtkqfRc9ktUMjFnO9p06
+pUT3aWEgwagZYW7IPdFILs0nzUanAVSQSn1s9CfoQy5IMS800D8L8WgoDaWJARwE
+EAECAAYFAlRYpP8ACgkQ2cTSbQ5gRJEVqAf/YTNvHgGHzhmnrWqoGC8OXtXE5+g2
+b0ooy9fRzVymYv8LFUmC7KXIMOdir2kke+ZEeEJs+LBFS8fef1Nv3JOccozJLsFf
+13fiY6T7mPMdU5cIPiInhxSw5LS0fdXHfKNuJmjIqaQl3D6ZRR5mM3a7612OfSkr
+ONiv5JaLIMT1/jAkeYwRpo+MnewSUq1C0sKyDpNGEtWgMqrc9kdA1WYQACbUMHYO
+16/Q/ayxJzL8fUWM7b7z5lLnttKML7fNvmmLPX1cP4FzxOqn8JMm7WAQu3f+Yukl
+R66kllLWKErjuGez0xl9ap3cnA34OVYEyxVCokymHfmT9FG/3tMUSyA7GokBHAQQ
+AQgABgUCWCRoGAAKCRAlpGhN+0cL7j38CACjPouTRmJpdDv3vv1igvaYarPhNDyk
+0GqcuNSBYEqYpAt7xYvpP3Utq6C1SMzOisiV0YPV9cezYxx77/n+kgmZ7avivaFf
+9OnN0w0vhWORo/f6kynxETp4L9Xtdn42BnceS4Do7rKxCTzGTqCc39cY9YIuryfU
+xAT4OjWqvC9/eVD43w7Fzkg22uIFKvIuECs/phDdrmbzsgSSLT7ouPSueMTgN086
+mZzloDzAbt2OMYHUMDL85kxfoDgoLYYSy9jb5owSjCZHxJntRW3VQ776ml/4TtgT
+kqz31FI08kINcMpA6ZGWZl1Ia2/psbP259pdEWn0awSE+eAqZKjec51biQEcBBMB
+AgAGBQJUV//LAAoJELps2kYf6OAj/AYIAIfGNnp7iCLJs+HRR7yjnjCqy98OM6mf
++xpnxG9T0gACa2djed+uUiB8FqTcG2Fwb56ThFeh92tkOncpl8SbKTdno1CdkB+V
+5invnGCAEAk1jhcyPpjJOiNfytSn/C85Ec2PwNXReSlmpskBc7MzewGnpaBn7Opk
+yYBN91glWkaMglSDfQXq6b92+76PKCdpTHuXGoAsKEC2cZX+urMO4oCEQCuWmRp5
+s/86hJpueCPouRt/oQFZfN/Lkr0OP9CCWOZzQNvLjl8vIsdq6aggIyhWKT6LnnsL
+XFvtuz+qwmcZ1AagLhjRK+Gkzsh5MC6ITwXibovyfBpf3oHADLdLEv6JARwEEwEI
+AAYFAlUi+ScACgkQCDP1EOGMHDJ3+wf/RUZiHg8xeVwgDkfXsUWeC/Vd0oXHwbfQ
+4RNHQBf1n/gPGOb8FobMSMG32wRMI0i3Vjf1tGyemCxz2wIgC22JNHrvty62zv0/
+Q8DvJu61GCJ3A+H1GOO6vCiYwqKdsGNG++btho1bO+ms8BMTjPbBYAXB0MVZxkaH
+bjfsNkVfNQw1mYvVYAYLuKxijTzXrnkigM9Ssc1ZAMcGjgF3blFEmcGtTqrZusRN
+A7tQYBitNs5o73xMMGn3PDtYwfP/Hr5w6++aszK8E2JtLNiuCYLFEUkFaA25Lfzp
+8g2XbVMEyFbXJaQrSbr4luflxa0XaEVYhVKxeUBw9h7yW3YvblrI8IkCHAQQAQIA
+BgUCVDulqwAKCRDfq1kqvdUvHJ+1D/9EHsZemXSRgwdIcs468VzUFe8wOJXzYhGu
+/qcw6kDNcTGMdFQadD2ycJ+m4dmk+4PuGaMAnw+aYCLy1anWWKK+1P+GYzaswvjA
+Pe529edd3EnXj735ixfkzdln96+kZznQRIWphVD/43OaOeFnwINn3pI8DFdAxbia
+XwalcGp7fH7XzmHYHrkPGWbR0Hs9VveX6X9I3dpEgPGFTYg03fjJ0Ci9NHR8uGhC
+/9ZSNtDROghJEIBwUtQj/SSRSw3pD8mGgljVe7dZ2IsHiLY87ClwBiPJ/MuTL4YS
+M+iV98oMc02hIZScHIPlW9Tc9kor6HdNaw/YWY090N08UdhWBd7zs7xu3tEP09YF
+bU4yUdvRtl57TDf2q9iult6sAmOJ3rBeyey8aWmdis5clALqJ5m2h4OowKXk3DH+
+T7P6LYrT9cvepU9CW1r+CdhgvrXRhsqIZP9pN+vxwJqq6nszqiHSDvnl4WUNRIsd
+BiDUi1MfYMkVblvLYE8NEJDMiKnbaFhzN5pWx0AW9yRf2kVpwGbgbzZsq7WLaTcP
+HZa54PvCPYzrUinpTz/lL4vjEpJkgcHXFbN+i6dKQxNgRgqk7pO92zgZ3f7RswNS
+Er/RVBHMoV1RAUvdxYXLSPQqjlaimaVNTP/xHWtRQ9yoUDcfOyuVJgbbVz3Qwv8W
+0MVbRdgBzIkCHAQQAQIABgUCVEJzoQAKCRBDFxH3bRiS9UmDD/9Vb+JIAm0ay05C
+pWAWfa5TpxozdUjtf1H9taiIG43nNPOfXw3WbwhETabjv+Is1RswJWzJDNikByI9
+7NO69hqugnYaSj+3HndRWcbD4Lk6haFYw4GQbWFb5MVCMtNAN+62rzFZc8MMA1ud
+WUXW8eSs9H+kdmKh/Z2x2aPFXdNdac9PG64JJoyk6FqHVBEiAn4gVn3KnnFkHgAv
+EHQLgmunUUsCPmqQg//fFD51I/aVNAsxQ/qSHA4oHARnYsZPc/2+W+PHyKugY68V
++9mPTsOaJntmaBxAApO5grLOhT7ZtQCChqU6UwdqYmaE9g9MQc0TWgH3yg6vOATC
+l+kGyJ+LqB3ixlLrp2QN8bzaIOyZu7ZFycofVY7+r+OQnw6OCpX/YUhYL6m1VY5m
+IIQexwJdq8EmdAvS+HIHdWy6D68Z8+wl6DYOZN3k7DY3gDJq9jClokWWCXYEqfhp
+HX6aKxThhgJUZLSA2llksH7qGf3nNcis0BQNCcMxVcztdUeAT513AhIaTluPV6ur
+kV1CsH2Fgc426jf7wQzUlkKbMYSerkbOjApnqz96cAkKc0ogeFPCO0N6y88s+BSW
+XHnduQnBXDb1j+oyixK6whxQAkJy/KNatInslTLV45Q2WHmHMI8+gfzwDyUJ1dU1
+ZTUQDAfSGeDTYW+w4SRZ8zOCrm/jU4kCHAQQAQgABgUCV4zfhwAKCRCD9a6nYfkk
+QV2eD/9RkqhWd7xjom+Pr7Ek1GxXs3zgfu/RM4LZgSuWDeEDlB4Q7/D/G4z2UsFe
+C/Xkq917J0hCVjzDwRkZWovkm5Qr7UJRwvZgYu60Bvm/1FDn8AmNkUvax+pSIadW
+3zEy6vbWYJ5X3VyCcavpU7mpSCtepsfdJRnfCrUT3PJIS35jRGMXzBulwf8nWYCP
+OuBY+PYjXH/jMqNIhuf8thOdU5wm/KdEVqZRjQkB5gBDJAxJ+EqLPBT4cGgjRieg
+fy2tMF7OWkickvK6IQHlJbZEzzOMsh1+rTsndaD+iVXTGfvAVy3WNtVQfovyvd2v
+3FJY6sT+DkOfLemC4OR48Z2BMXCO3atO/l0vVNs2+/o5mCoRkUPsEoQbPKCCMTk3
+h0mRw/qpqWXPC3qiQ/U/iX7uV5UvTPifObmViRplXIGKu85uBPx5+ZuKUuoLxiTj
+D6hGOxUhVO9cO6i7hCCCHebE+shnmskJcghnEESpMJ1M0iZ5HSLThDq5hAssEBYB
+5pB1pPZVv6ONKklurfsXca1aCFQS388ZZevEqg02kRk2/BaQJplyHF1dY6uU6r+r
+sS4UYCVreLW8JuQCCX4UeylJefKmx4QOV82ECwk3Q80UDxMpwezCxdAFYmawtXj4
+zWwOvt++D8aMamMRQHsNwxa8lPMiVow6QFr3jBUeG4jYTuX50YkCHAQQAQoABgUC
+VD7PmAAKCRAgZMU2QcJeXW13EACpPoulKd0dV6bkxV7ncYW4gMiaHMlou2VYVDdK
+3uYN+5sKkRAqa6fUSUaMd1UJHqNo1LK0lrAw9KxrnYFmw+/oz0xt5bcaUr7yQCFV
+4XOvGX2tVDOW7acGjG16wdbxUOXQ3Oy9j9FIxKxZhMUKeK10c3PtLj208xnTw3Fa
+BFIczu3QAXj77mG6OYDzWeHFzMXxCsoh3CrrYO32ZvK9oR1OVHXc47cMxxNANBHl
+aoz+5HYWMQ0hmnkdigNNzq0h0BRQJibJ8JO7cUnuqoZhvcnE1+2Z9dhN9JkxDpr/
+QUclbGyWYPTX1ThhDgSRMgbFyRIvE7vxf+MQGKUzaXvj7V1BhlQfdu3KDpnxrq6o
+9IzU27/9dmE3eQwZ720mb19hO646x4JrlqVsiE8n0vgpiVgoF7/wVe0xuVqaNrYC
+SQEK7XVPsq18sy5CKaT9dFbfjmd5Ztz71n64NbU3RIOnYn+Bb8ZykbLKcU7X0tyq
+fe7AqnTMRc7sgACGfdslNgZKycxfkE5ig8no99p/U/1gztQ/yOHLnz/XpRg0+JxR
+9YojVpSu/09FbSuiIbo4JVL0ukvYkxmRC9B2RdkobVnHKgtj1cb4wtbtjHElwGge
+0qwaitp2qNfAh79BdmyUBaYg2JdvqaQaBItDD0mrn3IjUYNthOqVS2qPe3mY+re4
+EF8h1IkCHAQQAQoABgUCWGZX5QAKCRAqsMH0TQz5XM0aD/9FHunEMKvuE87Rpq0d
+nC6MmEYXTabR71Txel72j0S3sv082JMP+y/fcRcHndJs/6P/UZgTkHQ03mq/pU6g
+/magL0zwN1uaVBOyz7/HSEDUby3ZUeCfp6GJzhCDEoDJHNFHX/q6EfnpHAJSu4oK
+0JMSgkOC8YPk2JfJXD5XqxzlpkpWGcsrnRgUXm4H8E4br6HPVuNgXNfXrvO8DzyH
+SND8U8ZM5h/UCM8kS5ArywnpDlm38r7Gmglckx0bYkrlhB2mA7z8yrVVFdJogeic
+OxroGsoEkxnrBq0VwPy5rQDS46MV0ZOjaQQZGZDhMlt8UagUhhN3tDUCyTPIHm7x
+N2PXGC6t45fih2TyD1VNJU9SaF2B3Sevl1iHNNLyUmviaw669feq9COjxYNJVWom
+6HLwNNGWzelsRTWwh2sUnCSWFcCYZEhIHoAY2uQ3UaLjEi740aYkKN02pwVyVl34
+ij4MtVXxtwpue1+cpyAhjVM83FHFcQSAjQLUS3HcxMAJJIOuUYJ1jlm8VvNPrj71
+xJQZavU24lrljcfB+tB1itvjk3XeeZt0coj80Io7+DOfYWtxu9FyuVkWQvGQk4eK
+QkxfOVbwAjwVFdWdOdPjQF5sz1ImcbBI+tV3VkEPYHVTcSYPQ4w1dikMbZM7c/Z3
+rS+a2OR10TV5kBg3O+rXtfGSiIkCOAQTAQIAIgUCVDBsCgIbAwYLCQgHAwIGFQgC
+CQoLBBYCAwECHgECF4AACgkQ1enkP3357ozVsA//RvKgkyIyyzBqlsHKlAJP+9CZ
+qheNnM1xTioAqUHkQyUeTGXVPzK0RfGY0x397SW1X0cAt4GpfV5gdLuhMbesxcq5
+hVhM7X14zbAuIJbrrgRS06wH3MCemnpf7xRYyg0SlaUQeCR2UANDTEiusfem3b1I
+Bt3HRCy/CRY9rASgoyhSIY+dVjiEC3tfH2AOZYRrZPq0TF32ygEFMi4ilMfcxsAQ
+ey+cFt3Jqs2W0YX+ldgYyYZpiZTRa6OorOqkGnLfPB3RHHUqazl7RlzKlXOrHdeB
+y55bx9sw9Nlsb5n3bYZQUMnXf1aMADYWwwn0RLtcgigmH/id8HCT49dyPb1OJ4Oe
+Xat3jHtjGeqnhXNq74gBHP1WvU4gVWVBtpJ1d+YMWL9+9V/0IlmdbBxLCSqnimTn
+RnKcQD7xPMRCPTyN2PT7Ksk29tHGpshp/NKahTvtsA2ziBzRY51NOm+/iGidRBE4
+BGkb8lPjuETsBNUY10XtuZY0TIRgW1kx0Y/TEP4rTESCyKvrlqu5WLFWs0rE5f3C
+rHokbMdNJOC0BVgC8wixYlMu4JdlsxGaaaa5t/JVowCKzPlQhgP5MI+dy4nV0xRb
+1Yi4s0UYtNEYeuLTURZ7Z6lodlYDRYHRxBlp4alzsL3zpayQOL1ID1nMIgZbihAg
+FBeVEmONjEgEKePG1Ra0JVJpY2hhcmQgTGV2aXR0ZSA8cmljaGFyZEBsZXZpdHRl
+Lm9yZz6IRgQQEQIABgUCVDBs1QAKCRCnr5549wlFOyt7AKCM3vHEv7yKed4eVN8K
+VYct2RmVmQCfRTOxZYnUGsgJroZS1lKCaUGzEQWIogQQEwoABgUCWEMC4gAKCRAz
+Jke+Dybi9mcNAgkBhWYFpZ7nhaP+5O1RF/ZgGszL81UAJIgbE4XMIgPbBhWeJRFQ
+z2nUu/7PI74fZH0Ua5IZaKcQtbc3j2xoBkHcmEQCCQEJ6OsIfs8xpFp1Oo6Vx8Rw
+fpYNsWjmI7RuvNmRPYGpihfFyT6hm/ZJG//T+tCFv+BePwOhAFClmafyc4I7ib2r
+aIkBHAQQAQIABgUCVFeq/QAKCRDyNHlFXFGyfNDICACOvajYF/fIJ+Rnl99733RC
+EUOYXhHKOyp20UM1kOXI/PTLW/dP+Wr3qYoPkGgE+625ByqqzbAPH6WSYUrjt0Zx
+bmnDey8o6+VObBDetI+1qXgMRolQiNW3StAQOkTAbnl6wKrk+WHCzbFUNJS6ulOo
+eGX+QMhk27aaYu/dx1vXp2f8NNYvZjXMWY7Vc+5MEuAZ1CMSJIPdhRjPolyrlYPh
+5SEDNOao7sXYvkT931MN2GjElFrJ7CwLfqviTiJ583kMAcPrddmP1qdpxc7mmqNx
+MIP2lbooxfbQG/psOsJmaou7DD71jHb4jiURRxHgPbnRsygxvqr16BS5mZSs680M
+iQEcBBABAgAGBQJUWKT/AAoJENnE0m0OYESRClIH/0+h6tOXU8i6iQlb0wME4GaB
++15Qyp4Y5OkzUHHAYdAbKxAVdzqbqWiagV5Ju09tzlmZYLSYnyBPIkJ1YMaA7kRt
+vyq/n+5I8uof8Nau3YfNy/tQ01jonwdmHJxrdAafmx7CVXrHhOyE89yC5yas0zjf
+59dnTQSMbIUEpxq9nl3qSVo5N8fjV27/JtGgSuZunbUm2zpHiKo4v2s4f+kbW7OR
+IhkTu0rRiCldjHKPgStsSak0XJfRA3a5dKPLS9ijlU/tKCpZao5Gl8MF10iSdzxU
+PBrhlotF39j5zFIb830XAHSJyacpgh58xSFnxiO/lz+mW4KPT7W4UtJSnXi+xkmJ
+ARwEEAEIAAYFAlgkaBgACgkQJaRoTftHC+7w5gf/ZTh183iMrExItFeYXownmoAA
+s/roubKIQ4mrTlTRoxY5VFvlCQqiA4LGz4aj+ehbUbmoeABafi3JvshT21Jt3LOL
+1yNOCWBe6GCcN2Co2eQLWN2m6cIdv4Bxoi3PqP9qE6rbFALwvvNKtXNzmHThuxRr
+kncJiNpCbNm63yMh+KgFI3XhApIiJnmUf/X11OJY0hY4AwONqsjABgADWzcVc+jJ
+LNOzACgjNMyqWyGOJFnx+M++YCOr/M2xZ+S6MjJnbSmcW+HsLnpTxdRKknhSL9oL
+wWfd8AL6zHbfNcGUZM2ByWEvWBglhrXEa/nRMGNfhH/pHroopyWUWE0QCFvSYokB
+HAQTAQIABgUCVFf/ywAKCRC6bNpGH+jgI8yTCACtilH/A5v5AzomrGDTGObk9diM
+emk37MoW58P2QTm0ykvnrx3XuJn9y59LYyfn1xD6KL4ExxlFGpgKlvKjHYX6gh9f
+t1kZCtB+aJlodNSZAJqgTwgqbagslpdi7o8kEToVesxswVeCc5wedqI3vgqZbir6
++dbTB5Du2l1OaKSiiswxpryncPpl7UQCxjcaYrvPETdDk3qOX2rZtqmhfGZusM9D
+Awpjt+SA6Y8/7Jl5LTS2WrEkL4o3ONc+Xs2OVnwkDqOyDxQp1aKQwcDs5PE2RHXX
+YBy7ern/e6M+g5gLZ6k2T8g5Pv1acFo24nzhzg+Pnx6Pp+RBNn0fQEIdFpT3iQEc
+BBMBCAAGBQJVIvknAAoJEAgz9RDhjBwyDmAH/Rv6E9CO08kbyebhoDeisLuLFnaW
+vmt5sHUKabIEV3XUlnse95KQQ8+ozxF1tPhvrvp1eAfOrGIdAyDyYvvBpEcDcWJ9
+6lZIOLQsQp5xDoraM19/+rQRS0Xvuf7/sH5TFmmipAMImdiqNXF6dSM1OgCupU6b
+r2Ltgu9Rx/06T7Ok9DkJDm2l7Do7oJgY0Yf+UiLarDgmBtTUOlpHn1quO/qn1mqA
+XZSBkzyOw29fUXx9Gmqe5gwDcqjq1MYNZ0dSN8copYp8nTuZF/RuR9OpYHIA36u4
+Dquoy5g1bLkGiyB7p1XpXyqfjVl6FC6xkW8sJp5Zh9x9qdGM6Z3ElhsRszKJAhwE
+EAECAAYFAlQ7pasACgkQ36tZKr3VLxxrqg/9E4YrKyJZRfpavYwGekRh3RkZmRQs
+JeNxsxWPVDFCJslZcGHRQEFx5Vk9WzweTM0c1SrwSD7E0GWVarVUwmP2ygfuvtjS
+XCdnEqYlmlKNFWTxzUjUspyPyc7CGpBKCfXcg4tbHGJNghuxWhg4+7zGjIsDVHmW
+QphOS8ABz05S9AA8cv1sSYwhO9DEGSJDKbMgcnTXOXZpCyEBtzj3RB1f1VjENTHZ
+rqOUbPJeoXqkFW4WStAyVcgILSfJibgB/uFhcwmNJUODMNGdlpaervuKKWqJZq/+
+335hV4cKOV70u6+Trz+uDBHMG3sWa0gFRGol7W27mM2YJ3d8fgbtnFtPHZzKwSWf
+lbnUAeNvb9vJQhbiTGegqCte0WZZneyM1bK+TCT584OzxlywFfTv+xwj2STt1nM4
+l1I9eawzEB9BdFnZd9VjyvebansyDOb7XZbQk0zdHJd9MM5Wg+gObE9/sLiVMQU0
+ZQvFVyYIZ1dL3iqi6z1b0sJKCX1EX/jpai/cPaZGQMfgG0JzUXZq1QCIlFky1xY2
+QnoaLCCOoo+Qm2ZQamRhTGn5uGPQ/qiljj1X5zji9oWG+/Uc2hiB4O062tCq9r4U
+bIxqHUB1qAeyyZu70+L1gPHXdlD0uA/x2b1c9tmEBla0p3769vJGlONOwpNhJOEY
+qHFZRlkWelL/v7GJAhwEEAECAAYFAlRCc6EACgkQQxcR920YkvWOeRAAnCg111Nf
+/s11AnMSJYFIEPU86snfHYnh8UeAWmMXa2KGz7g8C8GIb4b49xvBAb0NMkea3xzl
+F7kiNRYzj5G4AL6/7yN2IgopOXkM6rNmrm0Oyc5mljNpVyMd7w5t9V3d+DXUYtSO
+u7SX/sXu/egEH0BjR/FZclT31onrARNuNdIGdenxAsbCOoQXR20U59HRvQ3UneJz
+KV9QEu9EU94oMT/FanzYkKG/t29m+c+Q6SdhAbA6SY3il9ABJvm9RrgKKlzkgu6Y
+b9QsnnOn/9RH0RH6FIlenGYtEfx6l+l3B/mnqmx9shbOHvfm+LHAveN44Ei1LwaM
+vuOFzcMzYpGc0w+4tSOUV7plj+tNY8u6I7lEQBvsZ6swCrNuMhqh1Zb5d2OJLjwx
+8veKxCQ3x+oklJziKGSMZU8yL2iltA74173/kYGLuqrdV9IWsMSSGeX5QQS85E6I
+EDxAuSSwOcUlAgaG0O2lactZ3hnlQLUE0hcYaw4etG7pWbW0MYrEoDroJ1eANkhw
+6Jtn4h92UsV8KUp8cTliHoiqWN+YXvqlilOze1FX+TnLJZ/GMBv8FkxU+wCRA2//
+wynavPeIDsCHfkdVL6f3LHZYM3PB9iUlbqJANM9BEXdWeYK2zARMqCA0xfbCUDHX
+CRoONT9rlTRj5LWouq0O2VjI8xZMtBchLeKJAhwEEAEIAAYFAleM33sACgkQg/Wu
+p2H5JEG3yQ//R9ClTov7keUlpj2ghOKjIP1Mbn2acqU3+UGKY68atwsSgghvKPo+
+EQipUPIogo69TgOX3Bgq7A3Hp3QkHbybYrhZXln4CnVkhtWbFRo8zDJWtj2RH1Re
+kP1Z13ImXOO/mH553ubOdjJ80PNq1iBMn6jAVk/mG+phGcUflPPj4Cuz9tsQwwH5
+htU4ixwMf+bVJNE6xBcSOyPGgR2Yc8jMOBLFRNwdL3zBerJ9T51vfCmb+w/GXXFB
+Zy/kaRRoxkrusiBSPvsy4dvyMTd+qbPcXSCd8r9dijI/qbZo65Aeg9V0oKvKHGnr
+aetf1pWZZxTiq2g0j+8hsh94dl2z7x07ONf3E3q55L0lOOF2LjbNYncxAmTpVeVH
+G4R+xoYJqqBLLotKDHhPszyz6rDYBBLoWJkcDbLwUP+XI0SDc85FaBdFQkSflE74
+A0Jp8cDZjDwjdaiBJDRhTuVTK+PhjwwHCLIZt+i0bzXTszvh6EEcYSpBv/AFTHoF
+RqhdZD29GscTbCAuhOZwQOKSOjF5hnTALrGcKFiaWzlIcif2gWOMCv1q/kD2s8cl
+GRV50Z+orRctNcv8jr/hv50DBz5LpEOOlbSpfIkwGAY8BgGiKhMqo6/92bOpeYMd
+eN1nc5gHVQa83IGFoB1ozUpvqiUEdWhsXeURf7AX85MB39SdA1PIfeOJAhwEEAEK
+AAYFAlQ+z5gACgkQIGTFNkHCXl1yKw//YwwBL0SppkgOcZqbJO+Lea2cVgYqJi+q
+2WU9URUzVz0Yc6IuIe8Zpi+zCcL1E0vP/ml/itSr949qSsYaze4bH3yRGfrIRX45
+wcyTawqLXfS7YHLxSdKGO5JaaksrqzgEBOW7qBsP393VCnucPlTCINz3VoGPJG11
+f7NRlqZLidOxSwjgFbQ6cva3S0IU/AyFJOpnpOqN7rUDXQ9a4nezhpIozMJ3pO0z
+kXSMwL4lU1E1DFuIJ0dnw25taeiHVqCZ24ZbVbZ7wij2Q2lplWsceUH7UotojiIB
+7ahJMq+8RyjcafKRDgkIlfuohUdMdsxxVk9HRQEkcHCkLDkkGeHBbOH23cygUPl3
+05wvRsC1IgDlqT7reZUfPq0opE9MjKX0MMW8VOcdJns1/CTr0QdgsozVL05PuUrz
+Jf27oD9V93T7lq8Oac5kSasrhat5d7XiapmeR1yFefsJgsbxkM5SCQZ7SmItCLog
+Wo4BLk/Pb8X1+Dksu3HhZhC4Fu2jajfUeMwc97yB7iyPUoc5Zmqrn4b2r0elU9ix
+v41K7l8uDNRD0E9TckjbW+Z3rl6hAgMoeRqkzCWdWvE45tCUjvNDAJNuDpUDwe6s
+FKcWP7a86nh6XZk7P4jaxVzVcXUlBYjqrSZ8WNk5wVEVrw1d7d5tfQteXRdPUm3N
+YDjYUy7OJFWJAhwEEAEKAAYFAlhmV+UACgkQKrDB9E0M+VwmrA//Vhiug5YTGjB2
+FKFAyWEOl860KUSSI0sM6RjjVzJmmLSrOpyfeHOvui5RsCmb1KiTPUf+d/fVIB0u
+RmHN3GSzPJQLEPbGtBW1gG92ag67V9/WqCSwPknNWNFe98I7sEeZ46zm4nuZLsQK
+fb6xZUK/Q3uyRbcl41cXZEmqZ0NdbvHrFyuV4ZfsOpsYX7epg0Mn/hfXD9Mx+A3N
+3pRRdBchiN2jiYMMwseDiV3H8kYc9DOKzrBmZ4qLfI9VURtoqtKTUmSMzHkpgYfG
+GUL6hHQqlSA/fk7BspTDwJfIdOHo3m2xCCtvsBZ53qc6i74YVfOZ+0i9ju8PAxOx
+qmpD1YnodDEWYmU2q5CEt8gDBpzpIjADSxJ5tIyQ5qB6iNF1h2rxrEecAbZEKNXh
+w7yjKTm04KyqVshOUlreUxyUT9bIUa6rCyMSLrFcXPW8b4k47tCw13f+E7o9TLjl
+ZIC4rbZCovup0nDZ+cPsNN/YgXpj8K/ojraVjs93YoUzjGqjy8a081YrplmGl5Rg
+S1ptX7KVWag9gqBCjWw22febvpUod7EON/lROGtj4lOZD1jPGQHFD9+WaMmCTmin
+yUv9enaPFOV6QSs2TmpX9/L5SLMQYAoFHSAzJyG/flxZkWM0QH1QN2FNc+V3UZ78
+jgmX93h2y+AAVsUYSJ/vDNXpxCUNspOJAjsEEwECACUCGwMGCwkIBwMCBhUIAgkK
+CwQWAgMBAh4BAheABQJUMG0mAhkBAAoJENXp5D99+e6MmN0P/AmpB8DasBnjh9fA
+lBM8kEZ23MHVdEguPWX8KBML4L6eVlWRn7hdfpvOS90Ll5LTdtWPAQs8lDYh4V86
+hIYgLK9tisZyby+5NT4dEl6CXgHbRjdDbp0xKfGc5F9jWzPZpG8ZdDz6Zbvdooy/
+4ThXNS16HcsJRckan6oFjCNAWSNpXDYcLtA7+9ncimrC/C+kGYlyPWJGYZu1C3I+
+oL3+qWwiqAG9hp/zedsIsNP7o24wb0SgD0dTzphmOAPwTRfGS2DHhpbAH9P6MZPi
+FBRGsARRRFfTRGkzI9W1M4bv9l/L8s6STpjD8+40f+aUE8cyUcNj1ycyRGFAnwf5
+MeO3MqzvjocoUyoZNc4t7/6rh6sceFjgMt/DFFZbi3kvz9cJBcaN6TWWktd4+1Wm
+LxwcF0n3xaB04KCvXTaBZ5f/Hz5D4O8HyYsS6GlW6yIUiuAOvav8WizaTMbYk81X
+fXBuBKv7Vxk0fRYf9+HJ7fyWyIlIN9FqrSiiopA3JR+8gP8ueFcycmLnl2D9fyZn
+/sv+UCLrMR6fyD/5EtzgzW0AJ8BDJw5n7ctmZ6UhuasDZZMPC2uB9LVhpQ8W3mDD
+xJoaYe5bE2p0ca+mwEHZQpbpjmtT/2x5rGFZYxBUOhuGn/94zEYSqLLDirlFIEUg
+ucXLOLQHyEl+kEkCLEmSbn71WsM8tCVSaWNoYXJkIExldml0dGUgPHJpY2hhcmRA
+b3BlbnNzbC5jb20+iEYEEBECAAYFAlQ7rNcACgkQp6+eePcJRTsQmACgiLXt33u1
+vxiPwGivOiR9XVAURHwAn0M6i1LekqnoceLOYfyNIMND+QnqiKEEEBMKAAYFAlhD
+AuIACgkQMyZHvg8m4vYmHQIJAYZCJrJkCQN1y6FBJH12zZ9ZNsim9Z80SacWsK5D
+HZK5pC+Gg/1U/jRbPNJ0pO5ic7ReMxDk4besdvOopwwhyYZ8Agd3g3oT6QJBgtR3
+7ICTC0L28oQRg/beFxXt9ep6sA1M98bnsy+PC+I75pKojJlHUonQhc4OdCm14zP8
+kSWhh9edr4kBHAQQAQIABgUCVFeq/QAKCRDyNHlFXFGyfCY/B/9rkEO8DPul/1Tc
+dRvwhmfMS5RtRXA6XQ8+KTcWW4f+gr+zbA2hMCcHh70JRfIQzJhfjSPwsXZvnfG8
+FYY4/mGEiCJzQrZm7KcrT5L5nC6eJ8N1f+8nP9yHZknQKVr7LU4/C+GanHhYHH2w
+/foxLioP28Djejk4Yrd+VNfr0pr4W+S51rTulVLgtmrbkow551O4JVhzX3ip6P+r
+A1QQS4an9I5r277qT2X+baV3TQvyLHhpsNYkkoTi75gWrOeDxH4lGY/XGHrUlQ9X
+uRw0Cd8K2AxVCMplGwiuCCya5Ge7yseKJqgLpIvm2x8WssQfF636o9HKnVgc4oqD
+OahGh2J/iQEcBBABAgAGBQJUWKT/AAoJENnE0m0OYESRY7AH/ii12qDjzK2flfnq
+qvsk8K41yHNb8eYLGMvjl124qJfEgH2QRtIunJ4BtsOsKHP+I2Ri0tkNUp4ScTtL
+9ijtDNTrox4d2z81Gynv/vOO8hYpcTsH6Dj8HtTCC23Cp8p41HlBn3p6JP4PlEK9
+6rOtjoE5KNqhJ9xS6fZN2vuF/XORAgAs7SpSkJ1AqlFBWi5LKoAlIQ8R39pdblG4
+hrR+egEDOI9TUdeSY+vkhRfXSHlrXd6JeIeJqygg/8QZ7WE9Dz4eAWt+adLcvz2n
+0xQ5q+N4Mb3cxxpM0NSu3YT1jg/CUIHrCyWhJDnQJmjY9m3AYSOMNALY4QvVovDF
+v1qrIoWJARwEEAEIAAYFAlgkaBgACgkQJaRoTftHC+6fdAf/UVS1yJqeuAvu54CG
+aWZNfIXngfqZe7NT4VqBuNpyX9C0zE65w68l8rwqT9lvNg5+CSrjRWPIfPOicsfX
+gdAd6hGLs0KjRgbedyJwbU7pdneuXNNglE5LBujeIupMf3CS/xYo2H66i+gq+hBS
+h9XpqAxrudqKoQlfgf2cPxcDnrAw8sb8kBfGnYOYCS3XTvKXnVHFgxbIsQipH2Ms
+xUQRWLSn482hbT+KagBWZ6K4790ZC5ljMuYMVhY+Id7YuG/S8gEDyoLSN1P0gPdh
+fDLdpSFjcJsvtq//UnRGEXWWztu9IwIxSPWILC+LoDwKcVOlwxcHv0OmgneM/ipu
+KqkWmIkBHAQTAQIABgUCVFf/ywAKCRC6bNpGH+jgI+TZCACu4B483x69heiBxFap
+03IMyisV/n/MXjbBk7/jeBKL5X4YeBHahuiKm2ay8Zt7HCNs188dC/5XSj0Xb7jG
+vbV4fFWER73lss+1aw8oklcPRTWH6UPDXQazE1G03lH2JjD+ggedLm3mWzIXnA2w
+lCLjGdwGkraHAD1HMN//fvinwW8jZNRx4V8GkqitXuf7YbFkxPNlqgtruP70GcMN
+7BDxXjz2zbQ0cCXMoYcvvg05C8CFFvd8CiFmyewY1y3Qwigwsnsgd51MToXS0mNw
+/abobFd9NdGZ0Yl0OxSsLHN0KbFccIR2OA81LZwnker7f2kgfwrcg9BDTmxFmQAw
+xRpDiQEcBBMBCAAGBQJVIvknAAoJEAgz9RDhjBwylYAH/ivXksMmcHSHhooY2ncC
+kjYFP2FtcoUAYYj55nLPBBhOBzKbPGlWBVRYbTzKJ4+bfm7pe8J8veoCnLTZtHhg
+Ow9ZyEj7EtD//ms2lEdoP80ItQLa1ZMMYPPkU21uE+AB9BuByZlj0aUUWrmu3Hw9
+oeR2qZbAN2NVyk1PSgb9tkzrVVTImxNeP/FcrriscTePpL1CFkjyGmXodPpHlL0l
+MBfaVLT1svOJ4THWZxg8DVd5uvTG/fZEWMcdI26QoLJGLxQolqMM18AO4T4iWUaz
+1u7IgacO7w60EyGTcaJLScIo81Ku9KFTYPnE0IxRke66yAxB4N2BJhCQex+bBSNa
+JmOJAhwEEAECAAYFAlQ7pasACgkQ36tZKr3VLxycCA//VEMO/GMdB1mfY04/jwrl
+JA6fWOd7JEk9cavQhQdN4hBRrQF+I6zp+R3QVcKO/LU5/QNpwsexpYMZrl6MJm7Q
+gHfi/sFMzjJOEOkJ8eM1E1y0ps+SLZJIUuP1UP7TINEkKcWL+BVo0cGi6HkwMRBb
+2xEkRQ86b+FdVr7AAgrVQAZWiVv5iniCRXycWpe5H0GRLo0dnnfK+jOID5t1EGOF
+KNS0Jlohv+tAHqWuVDoixT0VpG7ICYibYkHvjozsTCWicuHKOEI0xe692QBvTjru
+cTMMNprNbuP25tjzyH08RTyWkbD3WzOhEdF0MQ32jTVvuB7aQ146vUpkDEI37pVh
+HXZhr4w3Bj5V1TBdgz970THLsnWnLaiecGX5KiMNehDq1xVwfOY+1G2BDnvmMAES
+MYJHu43fVUt1tPjEjliXmC995FQJt3um+ZoGHgAix//gFM/zfGJ+kaS0VZ8QIR6t
+MyskQu7GtNUJhQuY6GPNfc45sCN9bP7NLN2ZuTHm7lS00pSqznRaZkYdTqE+sESl
+DqmLQm9ayL/W5YZHIf60wb90NZtYQITWa9AhAAIVUJ4gdfW92RpbO34tSmKouFWx
+Twxx8M+virz5/uNsmVmHwcdvkYNIUNeeL1/boPMo6Ujc9WUUEAt2rvPiVxBjwne5
+PXE3iGLqQQexCh+MNPUyOoyJAhwEEAECAAYFAlRCc6EACgkQQxcR920YkvXINxAA
+0rMABhgNAOEqRy3+1hRNeFb6+Yny7zQQxTDSB1DSgXlvW0FreIn1Y+K6J8ati/Z0
+ORlVpoLqpd6kl8b3xyXETUv3BIGtBCF8n5FuvxiS9yOkeGqpYBn1XA2pLY0r0QKM
+Wol0ebrZdYiTnzt2jOksZuEqOFn83ptSCl21wiZo+zcE0/2s7S0MnRpV6Q4Z+7ts
+4UwgNymC9mRv3QPqxT9w+yfVPBb4KC4VgoFCw8MFanKJVuLcRDZWvdh0ieN7yff7
+z4gF7tLihiX53V6IbgpQSyPyQikiM17Hnf0UQHrtct9dXVlgqEipxw1Ejt/JQwbr
+NbPvfOwHWNaRyGt1hKmCoCamGhTW35XJ/YBMCNpPFFVYXt5qzFxT7eAtbuxm5jOb
+KIi4cZCwS/I124neIUzs0JdyOPBmhkANc9VncFPrkbTpRXuJB9zXDEYDLFjmdtgR
+3UJDy+SHO9+c6kyK6jaJr9Ikfr6AptyBkRv+UoCkbPPpFJ0sgHbxnca1DEyTPxW2
+Z7u0/GFV7yXCFKEHYr2PeeuPmTzOYNOrrfWC1CU+cmq7+SyAsyfsku3MdkxKxXvY
+J0Trg4gpI+1LQ4pWXxqrb2ucl6TJd5co9pFkQV4JMp560738dPA5w3rcdcG2S7x/
+JcfKGQTkqUKYWrFM5OLK4VvqjeORNkLvqZUsxHQKlQqJAhwEEAEIAAYFAleM34cA
+CgkQg/Wup2H5JEGNMQ/+MOqQu/t4P0ZupMNK15uVctrKEduBTmWvaRXRWWe9FTgm
+oNPZEFRtUJywvafOgcXVC3gZ8eAb9TOX8Tw5vjZS/FHJGOAsWdgIQ2Ntn9B93i2A
+2e6FfwL8iPZWkzXvKuQIzDsAeNzVzB7l0iSdMOabPLEfFbVx9Xd26mEFL5V3kvIM
+YN3DgSyBvpJVI6GpqU8FlVGuQK/BQkhCZYCkg8uVdUJjYwXZZlDfxWV0+1OSuQpH
+mNuFbMTFmCjuwB1mgjJPB4FMxH2eOTarMYNxEtLB/tpPvlkZc8VTGx1W9WuwVUTH
+sKvEKlLkuu9QraAYVsZgyE69dVdMgMxy2UuVem6fiPVNqA86nlfqMV9i+Lh9U8B3
+IM6DY4Rl1rOr2j7fyvnB8pBI7AVGGIEwZCn33zBLOFZ6PYOi4jKhsnXTxevIn1Wt
+Sn4lBXMS6uxVDk65Z6G1SnTbdcqTfVDNb4xOp6rlEXRQyBquEGjBBWjDIbWXu6bE
+6CYx26Ba05+u1t8QQlnUihU+51JdKTs/ew/uDUz15USSZlj5lP5vNqdC5vZMc0iU
+wz3cGwJ8MXZ5pEVgjZdvFQORU90jru1LpM1K3hYQcPcoIfNhNQpBA0kkcGfr0vGP
+B7zXyi0zcpSbX1Q30SX1VWqwo0lCjYKxPYlUyaVfS0kkZxxb9yM+joW0yeI7hXWJ
+AhwEEAEKAAYFAlQ+z5gACgkQIGTFNkHCXl1zAxAAgmDwJiEoxkBx8D3OZmboTdO6
+1hzz5nQnu7kwCQgjXtMxEY4VvinO5e2tkbhgy+13N0TegvT+hFx7GEAGGKKiwbmv
+L09bRvLDI5lweuupW+B3yUIGosI0wZWi509SBieXDuRKj7K+dEw+DIcJeL1+TJbb
+oKfybpCBLbkBJOwbz0RS3CVqcZogmyzhJITMenAiaJ4rkJOMILKqeU7+mYYZm+0N
+u5Vm7dm4xRnMbbK3I5RQ2Oa99r8QqMM0bhxewJc1/VTWdrgsZUtNbq4cwn59j3ij
+j8FtezypXnYsgLwX9peeoGtkpOQK/Yvrdqp4gMH5GEh/fGrbYJx1sXjpPDeDtuYA
+2osO/56qrB3c23VESGc2E+QhhYHy3V5rDT4R05WK4H7wl/D4Ri3XXWlsTX6fHsK1
+YnQR3IRmyvQV/EjEPVcVJ9R742OJdZEErG7ZmSfbg1bWTdKu9Fpjjtd4sZgj6KdI
+NmE6L2bxJn+Rb+uGHhPhuP8MyuCuHerz7m8mOGBTUKkVIGycmsBsukoIXd8k8l40
+eYJbMgyspkjlh3ADBOhQaSb5fxO2JBWL/r7H0MF0tUKDLdCmb7G58/qsWrUYC9BO
+GKQFRNdqKe8CdaxUHhiOCWyT99nIhEYK1TSQCRB08QVha4a75rTObcnK72tvzEP7
+fc4c9IGRK7TO97y7I86JAhwEEAEKAAYFAlhmV+UACgkQKrDB9E0M+VzXAw/+Myxw
+u/MF8h9GP7bj+LOeeM0QgXfdo7l/qR2N2Bxz4NziBgFBMXGtmdqLmcXa6ymiYFyr
+wgG0vsDmFS38CGmx9j5QBJo+WvAwpfWHA3ZitQD+TXvEZqUAJ/10uAuJUkIslLya
+qhcCyHco74GZZ4N44natpe6SxkZ9DEQbam4OxkUdQIjaPt0KJ36GqMM+k+GAtmHa
+HnObhhwW4YTsUErBGDajPufzVK3QT+nbTmAsQ8jr33+iICj9oFCJHmU2Xz4Cxg32
+gh+Pvn0McS4+2JyI0yUCT6ybwqbIXZHrHodheESM5OEjR5tnJz+OZMMEuuJMUiFi
+aXNT5Kj1yMitKaLXtCjy157we3NWi9v3u4HSoepiCGkidK/IpVs3ufh5AZGSM96W
+oz8A+DdW8JfyD511I3+QmWLUO0WBwQhr+OPBgeMem0W+lf+AIDOBXplRzg8jD9vk
+RLQwkE6VmiRBm4ewj5cJCOPCj1vb4Hagb+G4lg7OLs5jAlylYytBleKVjs+8in9P
+jVbVY0AeaJ+puxObilNW+Sa+HonilXLw7x0WcGfn3vVnga3lFym78O9Z8ZdzfUQm
+AXMciituX8mWtWyLNpCy/V12W8Q4VQITYuZ4a231u4uw1DqdDUr/R6aK7jNXGc2P
+L5s06+dQThYceF96PAYZalZi3cEarFuQuPdaBbuJAjgEEwECACIFAlQ7jYMCGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJENXp5D99+e6Ms+EP/ifsmXn8Ugoo
+08gMkMBiar9nfq3Wb6bQi9IvTK5mHZZIIOj7G6tlZUs9Ais/Xg5G9YknNlOZEtRZ
+PFA8MXTPdLiSSikzKpN4eX762j/h5NA8XRCSktwNdUrNF7mPNFRNgLzHua0kd2Aq
+OZapuCqbrdEmDY+mFFJsWqg+R+hnT+Q13MbduQQuWlbximEDiC5AGVTc3unnYo5q
+9WfLTdQMs3WNUT9CYPrjWDgTuI03HJc2zXmJGLzzg7Hj4SMFk5AXKDHtG2tZdWiQ
+5LgFrh+nfIOeQB2qE3cO2MoY+/uioxwm4mm4E/oXVGZ3t4k9Lr6ch8lpzQSeEO7b
+mTmbbjyZQCC+1fw9H2fo4Hf0bpQQqcGgEWmYOlQIkp44vAaO+SkHTiABV0htYlVd
+WRhVTJfqLZVFCJUQSYSxM1FkquPJa0fIDN9KDSgQpRPGKO1VuQdmTfdK4JIBOr7y
+ooxcMMkeFylfz8rfOBU4wNNF7Fjlml7jsiIvT8Jsrcw35KcF+BnOzD9M1qwnRr8B
+TD4UMYirvVQ3KxUvt0od4pBfedFG8entuWl0J/Rs6UFzg2LlGT9BgwBHXNUeBcc6
+sA3NOKbV1Qd6eyeWq5gbHex3CzZ3sbenRVfkp74Ot5qXk2tpGExiTSElOA7Lfi9/
+7PVQZ6NtWJWQSC2zVfadGYEicmFk5LI/tC9SaWNoYXJkIExldml0dGUgPHJpY2hh
+cmRAb3BlbnNzbGZvdW5kYXRpb24uY29tPohGBBARAgAGBQJUMGzVAAoJEKevnnj3
+CUU7PsAAn3oz1sdQmDjwrdkXB2h80Rj8Cp1KAKCFdaXw23yRlbpKIXCkewEoJVkX
+YYiiBBATCgAGBQJYQwLiAAoJEDMmR74PJuL2ha4CCQEXGhwerFHKBU6uaZBSOueu
+RFIf8H6toGsflhFhLGRo8kxrHhtshbKHUZ1IBjjQ4nvMLCndPFKaKpSM/4y96VpU
+RwIJActDMrIY2xXqF2gyfTO9Yp0ah0C3pWZpUwA1ex2XlbAFlcbGHAqmA5BiEaEE
+lnOQl8SFZPQOmgg4BpkKz2Eu1/mkiQEcBBABAgAGBQJUV6r9AAoJEPI0eUVcUbJ8
+JKoH/1ME0Uq5SccGmq7BIY0ayn10WpLbkVD79KL3nmoWAFav/AdMFUDeF5/8SQ7W
+YhZjX0e54nYy+wTKfqDCe0Bj5il9bNd1k02+aj+yZ0abjhVzgGKxKtCJ077rgrnH
+s4oTomrwjkfmfW6pk7U2CiG4mmhiuzZNyHncb5E7OL/DSJInT5Cde/GIZpHQQq2i
+ZRJStA7Z2LMam4GnWrUzhvol4Kp5jSIr2JXDppgNwus1jzCafCel6EqCb32HD8uf
+YX6Wc/aHUPT//LyZqzP2vfgE2lqLFFH0C7L12i04na+W3zXUo2K/tyP8FQWeKRuI
+w7KuMWsKi9XEwh+PAEVkTDsKwRiJARwEEAECAAYFAlRYpP8ACgkQ2cTSbQ5gRJHG
+TAf/Tbhxo4O3/F2DLCk+vtC+569b3kUNeVjiO7NF6YzzHdImi90zI53SALvXuLQF
+18UYBXZVc67rluMmawvqKZiJHiLYkvdF0DKc4CCG9pFycoInBEHCJ1sKu91UHSeS
+5lx+GVeDT/7A+QF5f5y6otzezP3QQo5OEqiOxyoFWXWA2HVzRzcP7Glq9EWqpoZB
+a7fnR3GC6iXHKcgjnJX7kXZwpciQhEgPxmn99STZOqRGttbtN7rHhQLxs/oWi2b7
+0mLvzKjTLr/l6rQvRHYZ3Fkos0kvh1vfX9Uf+iyyYV9zlDZg9CZ32fnJjEgVAsCi
+f0wkYmni5gUTeXx6eQOQbUcP6okBHAQQAQgABgUCWCRoGAAKCRAlpGhN+0cL7lyF
+CACT8kDHBWNSCRdfjWdp6sqa6a6l0tv6bM4Bgs6f+mD17mQpbWRRdHs6a1e5SSCW
+l2G+XzJJDIx6r0gsy4KE+tJ18XJPFeSGUCmYumH8Q+UcNvWnpu2gbv4WNAUcCXlz
+juO8hMCGkf4bTjiP1LDCg+HabXTz0rPfu8g9B2WnI531n4MgwDFwn5isxQqv54o9
+a1hP/kwhw3GqBwmjzA9X6qxIl2GPpEfc6tT8BBwBVH1Bv68OE24z1kAH6mgMcMrb
+ClaJlnzEcprPHPDB4ZFWbij4Xr0bv9U4fF8v6qFczurSgryPUxtGrAzdzZ07eUMv
+MMhFYNdtRI7GEQ6neRQ2WwhjiQEcBBMBAgAGBQJUV//LAAoJELps2kYf6OAjJz8I
+ANbTsM78YyQ3R96G0v/CeOp3etdKg70WtU8YuEu9NS8Ks8Mxvpmq2LVYxBAz7Tti
+J0KmblhYFxszjRqj+uwkn6ZStovZf66B/ZYZ46tAcud6rhbeONLPLFv3Ng2kiihN
+ukyC2/HQx5hAoSr+yn+2hxQDL7ePzOl1ZTles0YrzfvmGx2sVUv9QqUiNPtBKZZF
+o8bjqYY+5S9Z5+7ceUb8KTzV4hELR8doIZLKW1tVdUNJXXebaVRNrnkpmxcHrw+M
+8OLhrnYj5B7iKOtNHh5Tl7o0EoK6L6rFL79wn8Fs2NQQuebSNQH7i0Z3uV43C/v6
+RlbQW5CFBRhpWxwDsKB04NWJARwEEwEIAAYFAlUi+ScACgkQCDP1EOGMHDIwYQf9
+Fprak1oGSSqW3d3J6tN9pF8Yx0Ekv+b4Mpg70GbI6l8zDDBdeLXi7Pco4FsEFy3o
+97ke49kAzWo7ncibAOavlK0ED+1tmbsr81YPMepZ3iGUHXvthkCpSbI3Fi8vw44e
+HexPvcbW7EMKA0EWLA1wyLlskm1kpUML1xwCcMEqZlTkEoT17bmueKvmq3+wwvax
+TaCN/pqWPCM26iiXlI9hwa8tRTTCxJDB9PlEJrSeDaPm+6myDzqc57J/CBaw42Ms
+jx2p9vasBN2348AKYjXG2U3r5iPBoyGdQeRKAKUcA6OwoO7JdO1rytdXy5okwqpH
+TfQ1lMDO/gaWZjTY8NGBB4kCHAQQAQIABgUCVDulqwAKCRDfq1kqvdUvHDElD/4r
+WAVMBEw9iHWPZqaKoFih0cZ77gqgJrgqtEl4BBP16G7nyywNeAVJpNuyWl0c6bry
+Za0J3rC9HOXm2/xj/q4A6UTKPsIp3jhzK4MCsVMH0EnN3qqGNOVDweJSUi5eFUKT
+7vPGQ2W06rt8wdi3JjzvVSRXoOF00GUlnpa+U9UUCvaabImumXtWZuLKnfrfd3TB
+10tmTQTCVtTHW+pQH0kFB1tIuLTQRSRyk5bBKSUQrXa2hpplTrSRKUJit6s1Py19
+JX7K2xOG/CzxLv68IkWj+A4qooSY/+KrIMHg5A3k58njPiOG8vXcjMNh8Agrxk8X
+8BLkZBBZ83CXwk9LdS8NeCKmIW5bdPiJC5l76GtQFX+12++E0WkxrCPIyd+DNEal
+ZJgEBpdxknGd1dTw5rSUwYXAP7uZCLaD+88yS4XRa+j3W/Kidxbnt3ruHu2Kb8AR
+YbRpAWe60HRFbN5vFIUI2QHLShFiaqRf6397N9fID3paNwbyK+DfkOHNAC1lLOMa
+XNnHxuZwbnldQYmn1B5vLtbUEkv9Id8fk4gFUcGkST9o7UBSfsWYholo1Fty6zGw
+nESd+8gEhjRNe+3GR7BRZbwQLD9FVGlpj3m23axsd4ZdkP4E1EknCxBEHcrgFrt5
+9q4SMgAlmL6H4BXZs1lCX6hHic04DOJrReO4ElI1m4kCHAQQAQIABgUCVEJzoQAK
+CRBDFxH3bRiS9TP4EADIK/K8mwjw0Ul//9Xm426jNNWDtTmaBxJGi+PTxS7PYKuG
+30LR5ytNDP0m/pvR0bZJkbHW0FgqDDZD0mUFtKaYmleXscH+UTZBDCsZPJDyGbgS
+EumS2kJVLrdM2aM/mD/7OG+V1ba5hTDa0LY7fYFlJCP46fI4VrMyLykXoTu0nZ5o
+P727KOiSVVTSC6sDPHAz9Hbf1KmsOBkupwZ7xCePfhkGGAegvFEV5Kz1Fdj6q2NZ
+B2nu+kjM1Iw5nvW595K5L+R/wdfvXnXcNwkKjqncpD/p4jd723novLF/KtadZ/9Y
++2q0AsBe+BUD1PwLvjNoN+nWaOJWnlGFx/B9ZpN2ACjBGnhQ/db7WpuUy9pEOva5
+YP0nuTmsiIGUmV32mC48a6ddb4LioTSW5sQeZPoiVIbUip1I2qr0n0kel8AX7IKX
+sUWtdwiPZA+4hPQNmnxakcKYXU5yLckzd8/tXwDGDw/H1aAHQIkbY3rZFJWrkUA+
+Kl3H4YFIRLPnvqFiBcuy1xkWklp+R1oegpobvfGI+5dleHrfSYkJNb63Yi7bJRMz
+X+3PlzkZNV3ZSdF/K7RfbM3cNmv+dnIAKuxZWX5P/ZkR5qxL9Dw1k4oFDXVO8M3u
+XljwCzHGGt1sqmtK9blJ9RGrZkgh2X3MkSXKCqQhCFUvqSqQi5xRD6hcKaMG7YkC
+HAQQAQgABgUCV4zfhwAKCRCD9a6nYfkkQRM0D/9guVTE8sKmx+f9xQuAUCtAYx3I
+2FsP8C8B7XVgGNA3hSWEFx+E2MIj62wqLhR5wgl0Dx+TVJm+e4cYvSLIGg2NAMYS
+wYMxDIvC2q/mbhSaiDRdD1Tu2RKrxyi4sAsjhqEEpwdZc7qfzYdlIEFQHHP6i6Mc
+SvTFztmUFZucKro1A/AjdPwmivUQVkVliKtTw00FQs4Wv1+5fa9AWp0cPVswxFLU
+YZQsXKWSyIxL8O13bv9/O43Eo0D+BFqxE+ProA8jb+MihMbPQa9da8nAiY9r4XVP
+2YuPgM2M//Aa9grfuQVERy3iYh/ylm/Ev4FgratUd8PthaLJPsYnvehle2bb73f9
+vHpfKetlwEzmhtsP6EbSFWEkRmo5scL5OZnrRXYvFIAd8D/cvtwwE01ZZl9JjXIG
+aE7OpLcU9Hrr2fb4ljM/w4mEaMKv1eOhLxZX9sLn9c+Kd15EpWCaedanGJidpvfv
+n07RahZtqpdDD3P3zKy18gtWMt/hnksPGeQ3+qfaPqYjzc3IZxVA4ifHqF2hrwUG
+nxIwoKuP53+eWybBeAnuKa0hFbgfJDYsAoNK/SIs18SqLgRC/F0Tt2l92+8Ofju8
+W76o8KOE0xo6xD1HP4mWFGIfOCZQuWQOE7jBEyNbybT3kiV0RlIsH1kPMxb2Mu9p
+RRAHBMdtKUzVrUS0WokCHAQQAQoABgUCVD7PmAAKCRAgZMU2QcJeXaE+D/9SGqpl
+BBl7w7HE0uYi1DYiRkbni1rlCe4+MzZhHnkn/NlhEdHugkHtEPA8X1vA6gyk7Syi
+r9BUK5Do/2YEdpMDGe3hFJhZLn3WV9dj9U4p1krfs+sGBxEUEC2fhs9DTsiEFtbd
+TajqOVDyUjCJRoQqpaXxOGR1PTd+eJHhmY9Z1U85JCKy5rIa4gi44XKb+Lg78Njd
+zUBkR3Ra/5Lr7DLZcekr9JOJsvtcc/hghPhDCjQptu7BpIKM1AgayzqzlLE+A4ck
+wBmE+MuY4SEI0i92l0chHh9i29sb7A2IFXozVqOebwnHTQ5ZgHVLm8hb3CfaSmnT
+UmjToFdkFhAeN6q/Y5UR3WEc0vyuaNXfsNcwB5gSXWW+kV5EzljoeHKuTiv+7Z9Q
+Vb1TqHL8zp97PW7p1aQzrJR8qjmssxuHaZd/3B2NsrBLCBffCo5FpHl28zrahwuX
+U2IA5UctCXRS5L27MAOVwdiO/Sv3cjhE29lpgYi8D61Ni6G3RBwuhwPEVREWzCiW
+ijcjPztFVz+B5zRBhLvgrsBNaVrN2oBJ3rXhHvjGPPNz3oBHlQX534CF4h87CKp0
+x1kGbRfRAuRi6bhnXnFpqM+s4K70oYgQg5Qt2P+DukFxc0P8yF8jxDu7Xr0IlKiZ
+TYl7kuy4iJZqw1hYxQyTq+WkOC/yS+L4PALo4IkCHAQQAQoABgUCWGZX5QAKCRAq
+sMH0TQz5XAyVD/420SvogwQ1QlfzrQnLfgmwBl3BCH3WN0WXvYJsjz+eHOnvcas2
+pHMYj8QOHqLIxIKJlTaViylWuxSdi9F+JktGOTm/LQTcQ507QZDl0su39B+iZvV8
+DLAd3SwgGmH+SzXvD47nrpNo2T5ZTE9hANMn+zmYwWE3R/M1kXf5qntTh6A6iUjX
+ngIfH/TN3MIX1xbTMoSwsupSR8sJgkzAq02+a7wMMBjNQSHJ/9lWifKms6Vqi97E
+PGuRQb59OBH63O+UR5COEeUAfCekKTZGMTfMt6bmoyhwTzBCSUS98w5EEWOgG+QZ
+Y4VRwgfYgKEQ8zSroJuq9N/F2CQGGv7CjRHLgRRA/5YS9bnAn4isXs/3EAHap/PW
+SlFZugnE3IrvkEgwYoecdL7eoWNbSmdYjAavrcWTQJaRHkn1v1LSnZABiwBtSIZr
+P4ukkGI+rXBZIg4yZb2d5zMsuHMKEw0Q+qMUzZErEoSiTyoDvk4JDcpAEbQXUYoP
+0QrJc4Mf3FZpaQP+gkZxoU5ymHhybRPR63EzSf+2cH+0NSL/t4xdnyFy5eXHayKu
+k7x2P1IL3tjDo/4Fm1tbCvFd8JOe99T9HOHaV9MYYf2dxQwA58nDKIUWCAtx2TDn
+G8FbOmG6LltJQRRehAUNvZl+7VBMoETWDaPeKmKiaMa8ylEo7roEEaFcLIkCOAQT
+AQIAIgUCVDBr9QIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ1enkP335
+7ozcqQ/+LODfZwc9h8NlpYNVvNXVXURzIwzWGmxCbgLdujZRj/To20t6xyf/qRTA
+CWEGef2N+puGg/Ooldz+Rs3G1VFzkm9nGG6UGP5R2CgHfCLKtjy0zT55gxYHhN6P
+jzfSzhzmtR6czY6tQ2ulotUvmkWbUzuTibnFowiQpRVAHQ9oKaz00HjKmVIgRwv1
+zczlQWb+KlBgwvqqnTuqSd381Ns009R9mt4thCICv+RnGyNlHiZwIxpqXytxFlWH
+OQbBfvxpF67TEh2Q9o18kC+s7s0wLPtTfKe3BteZGLWPDg8Be9mMB+BFs6/u6DXE
+9xV1uvthuEveaLJhcfwfvaa4u+yU69trYIEATjHrBmLsgTHdU0b1qSU7HT08NnLb
+23I/HgCEws+P0acZE5RwzMLf5m84+a15pCN0DUyZHY8QB2bU5ksnUtvvwVwahYFd
+1aYjRcUzT1jEAAPVg29WKM+dLX3eO1Op6wq27nsPg8Sos9S6kdlmmJz1f1PXu95K
+NsjoHVUKLjoccXgwRtC3ulOwaI0wpLaL9hVNqnb0WPzH5xPECZXYVvwFY+N0t57l
+UbIfx3ANi0xcrt8TqFAVlfdWftFcie/iiei6iVzKrto+/Fg9WcZ2KM1IwO0d0XHv
+y9K32QzHvmzyPInQguiO4CoHsLYb9JzJu1A1gFcAhm0VlYuI+4S5Ag0EVDBrNgEQ
+AM81wF1pdNTCQbzUr01EqwoZVnVyhVHGQ7Hb5UPZMdNjjmwHH0waZCyZKmNTjmTH
+/A7kqJNWP5sz6xxLPA2ARGouLJ//aGA4gNhqjIpJ8B8hUKabmlJrYB3TVFX2pPeL
+R5JKlrUqnHx4AcpxWwOxZvZkJ3z8wj3vvxwKOsJs8jij3MRUr5+O2Zgq12QewSgx
+JVTonLzoT3Tw4tols56jVrttIqzi1TzMZYBf511jkJv7DdwdBvhCF4NZkcx6Xxlw
+SBNqHuG5LqVQDix5CdMpceaQhn6420HeAUwqyj/oag4ZmdROTx09jc84tjWdsxD9
+0S8xCkXEsI4E1A/SWE7gMY/Qq7AtfOrZcDGvKVfm1jRs2ZkotOOGLgJsoC1z/6LA
+xSRBBclHDtWWn0Wn2iA6/PH9iUxplBlmLGDm43ZvhQPlxaWIefgCrsORPNAl7fWb
+ux7MDdwucVHzqiXZfvvLv2fQZGMawxr5v5701FY0qzbwmII8XfJrfUqT7f6yNq4J
+lBbcpjHfUiXls7e6Usc63GFKQJQfHmwnzU0kiFkWv7vIB6X8QIKJP0ptVuF10kEe
+x3sY2TDNvVCK9yqdiIFb1DNeRD7EAod9LtgzmihhyDobuPDz39bTHOecaLPklOMy
+SPWz1ymlDy12qJXhR6a/H/3o2vkXuf75Qlns69qX3/OzABEBAAGJAh8EGAECAAkF
+AlQwazYCGwwACgkQ1enkP3357ozr2A//YzMQJ6Mo+/SU328dOeoseI/sFypuK882
+pPhXfJqX8l8H1zyHbKWy5lLLiv1MoNOC/8pWbpv2QlWyN3PKrB6srClnpPyiHIO3
+7/lQBcpjvAfy9HWpl21FDxn9Ruxna/IMYwq60EjE5h8NynNn57vydF3qTcTqkhtH
+W61L3vbBAcz9VMSay9QVm1f6qzM5WbbLxp1sfNjQWKSo381kjs1Vj7yCTBrJul3q
+SeX0CsRB7WF5VYMalpNTHPRIqCWpzTMcO3E5SSGIJy+AqwAZZvFiylGrSsux6TnV
+EVJ07s0nn1yj3q7Ii7av+waGmTf79B0AyZv0IZ4j4NUWFNnGhsG1bEumFLkQl7Id
+/M61k0yKOusHdzDcZbCzecyww1w3WD+j4wvGkfBy4mQRqLiyjutsN/dpxRRkULAT
+ME+TH9J5eNq0A5sRRaayEiA1TDcAWfF0PtA4smNy1GyIarobC+xn8AENi4eeYZBb
+fDfh8oRhEsICQ6rs098wiYz8jtZ/pOruzbiD7ZKDy+vjKtYqgjGnioHQalJCZrKT
+UnREpH102pg1Cw6v2OcjiXsqU5L7Yrhv1jQIluII051VIJ/QBWe5uT7YiJOsMLMQ
+GWvkObPXEYLld2UF6hK6MH4epkwV/w1uNqnlvIeEFgHTKmSHvfwlAF64lUiDCUdW
+ExXybKkE2NY=
+=B5lM
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/showciphers.c b/showciphers.c
new file mode 100644
index 0000000..8ef9b8a
--- /dev/null
+++ b/showciphers.c
@@ -0,0 +1,27 @@
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+int main() {
+    SSL_CTX *ctx = NULL;
+    SSL *ssl = NULL;
+    STACK_OF(SSL_CIPHER) *sk = NULL;
+    const SSL_METHOD *meth = TLS_server_method();
+    int i;
+    const char *p;
+
+    ctx = SSL_CTX_new(meth);
+    if (ctx == NULL)
+        return 1;
+    ssl = SSL_new(ctx);
+    if (ssl == NULL)
+        return 1;
+    sk = SSL_get_ciphers(ssl);
+    for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+        const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
+        p = SSL_CIPHER_get_name(c);
+        if (p == NULL)
+            break;
+        printf("%s\n", p);
+    }
+    return 0;
+}