70 files changed, 639 insertions, 279 deletions

diff --git a/src/lib/libcrypto/aes/asm/aes-mips.pl b/src/lib/libcrypto/aes/asm/aes-mips.pl
index 2ce6deffc8..e52395421b 100644
--- a/src/lib/libcrypto/aes/asm/aes-mips.pl
+++ b/src/lib/libcrypto/aes/asm/aes-mips.pl
@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key:
         nop
 .end    _mips_AES_set_encrypt_key
 
-.globl  AES_set_encrypt_key
-.ent    AES_set_encrypt_key
-AES_set_encrypt_key:
+.globl  private_AES_set_encrypt_key
+.ent    private_AES_set_encrypt_key
+private_AES_set_encrypt_key:
         .frame  $sp,$FRAMESIZE,$ra
         .mask   $SAVED_REGS_MASK,-$SZREG
         .set    noreorder
@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	# optimize non-nubi prologue
 ___
 $code.=<<___ if ($flavour !~ /o32/i);   # non-o32 PIC-ification
         .cplocal        $Tbl
-        .cpsetup        $pf,$zero,AES_set_encrypt_key
+        .cpsetup        $pf,$zero,private_AES_set_encrypt_key
 ___
 $code.=<<___;
         .set    reorder
@@ -1083,7 +1083,7 @@ ___
 $code.=<<___;
         jr      $ra
         $PTR_ADD $sp,$FRAMESIZE
-.end    AES_set_encrypt_key
+.end    private_AES_set_encrypt_key
 ___
 
 my ($head,$tail)=($inp,$bits);
@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$tpe)=($a4,$a5,$a6,$a7,$s0,$s1,$s2,$s3);
 my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2);
 $code.=<<___;
 .align  5
-.globl  AES_set_decrypt_key
-.ent    AES_set_decrypt_key
-AES_set_decrypt_key:
+.globl  private_AES_set_decrypt_key
+.ent    private_AES_set_decrypt_key
+private_AES_set_decrypt_key:
         .frame  $sp,$FRAMESIZE,$ra
         .mask   $SAVED_REGS_MASK,-$SZREG
         .set    noreorder
@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i);	# optimize non-nubi prologue
 ___
 $code.=<<___ if ($flavour !~ /o32/i);   # non-o32 PIC-ification
         .cplocal        $Tbl
-        .cpsetup        $pf,$zero,AES_set_decrypt_key
+        .cpsetup        $pf,$zero,private_AES_set_decrypt_key
 ___
 $code.=<<___;
         .set    reorder
@@ -1226,7 +1226,7 @@ ___
 $code.=<<___;
         jr      $ra
         $PTR_ADD $sp,$FRAMESIZE
-.end    AES_set_decrypt_key
+.end    private_AES_set_decrypt_key
 ___
 }}}
 
diff --git a/src/lib/libcrypto/aes/asm/aes-parisc.pl b/src/lib/libcrypto/aes/asm/aes-parisc.pl
index c36b6a2270..714dcfbbe3 100644
--- a/src/lib/libcrypto/aes/asm/aes-parisc.pl
+++ b/src/lib/libcrypto/aes/asm/aes-parisc.pl
@@ -1015,7 +1015,8 @@ foreach (split("\n",$code)) {
                 $SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2)
                 :            sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
 
-        s/,\*/,/ if ($SIZE_T==4);
+        s/,\*/,/                        if ($SIZE_T==4);
+        s/\bbv\b(.*\(%r2\))/bve$1/      if ($SIZE_T==8);
         print $_,"\n";
 }
 close STDOUT;
diff --git a/src/lib/libcrypto/aes/asm/aes-s390x.pl b/src/lib/libcrypto/aes/asm/aes-s390x.pl
index 445a1e6762..e75dcd0315 100644
--- a/src/lib/libcrypto/aes/asm/aes-s390x.pl
+++ b/src/lib/libcrypto/aes/asm/aes-s390x.pl
@@ -1598,11 +1598,11 @@ $code.=<<___ if(1);
         lghi    $s1,0x7f
         nr      $s1,%r0
         lghi    %r0,0                   # query capability vector
-        la      %r1,2*$SIZE_T($sp)
+        la      %r1,$tweak-16($sp)
         .long   0xb92e0042              # km %r4,%r2
         llihh   %r1,0x8000
         srlg    %r1,%r1,32($s1)         # check for 32+function code
-        ng      %r1,2*$SIZE_T($sp)
+        ng      %r1,$tweak-16($sp)
         lgr     %r0,$s0                 # restore the function code
         la      %r1,0($key1)            # restore $key1
         jz      .Lxts_km_vanilla
@@ -1628,7 +1628,7 @@ $code.=<<___ if(1);
 
         lrvg    $s0,$tweak+0($sp)       # load the last tweak
         lrvg    $s1,$tweak+8($sp)
-        stmg    %r0,%r3,$tweak-32(%r1)  # wipe copy of the key
+        stmg    %r0,%r3,$tweak-32($sp)  # wipe copy of the key
 
         nill    %r0,0xffdf              # switch back to original function code
         la      %r1,0($key1)            # restore pointer to $key1
@@ -1684,11 +1684,9 @@ $code.=<<___;
         lghi    $i1,0x87
         srag    $i2,$s1,63              # broadcast upper bit
         ngr     $i1,$i2                 # rem
-        srlg    $i2,$s0,63              # carry bit from lower half
-        sllg    $s0,$s0,1
-        sllg    $s1,$s1,1
+        algr    $s0,$s0
+        alcgr   $s1,$s1
         xgr     $s0,$i1
-        ogr     $s1,$i2
 .Lxts_km_start:
         lrvgr   $i1,$s0                 # flip byte order
         lrvgr   $i2,$s1
@@ -1745,11 +1743,9 @@ $code.=<<___;
         lghi    $i1,0x87
         srag    $i2,$s1,63              # broadcast upper bit
         ngr     $i1,$i2                 # rem
-        srlg    $i2,$s0,63              # carry bit from lower half
-        sllg    $s0,$s0,1
-        sllg    $s1,$s1,1
+        algr    $s0,$s0
+        alcgr   $s1,$s1
         xgr     $s0,$i1
-        ogr     $s1,$i2
 
         ltr     $len,$len               # clear zero flag
         br      $ra
@@ -1781,8 +1777,8 @@ $code.=<<___ if (!$softonly);
         clr     %r0,%r1
         jl      .Lxts_enc_software
 
+        st${g}  $ra,5*$SIZE_T($sp)
         stm${g} %r6,$s3,6*$SIZE_T($sp)
-        st${g}  $ra,14*$SIZE_T($sp)
 
         sllg    $len,$len,4             # $len&=~15
         slgr    $out,$inp
@@ -1830,9 +1826,9 @@ $code.=<<___ if (!$softonly);
         stg     $i2,8($i3)
 
 .Lxts_enc_km_done:
-        l${g}   $ra,14*$SIZE_T($sp)
-        st${g}  $sp,$tweak($sp)         # wipe tweak
-        st${g}  $sp,$tweak($sp)
+        stg     $sp,$tweak+0($sp)       # wipe tweak
+        stg     $sp,$tweak+8($sp)
+        l${g}   $ra,5*$SIZE_T($sp)
         lm${g}  %r6,$s3,6*$SIZE_T($sp)
         br      $ra
 .align  16
@@ -1843,12 +1839,11 @@ $code.=<<___;
 
         slgr    $out,$inp
 
-        xgr     $s0,$s0                 # clear upper half
-        xgr     $s1,$s1
-        lrv     $s0,$stdframe+4($sp)    # load secno
-        lrv     $s1,$stdframe+0($sp)
-        xgr     $s2,$s2
-        xgr     $s3,$s3
+        l${g}   $s3,$stdframe($sp)      # ivp
+        llgf    $s0,0($s3)              # load iv
+        llgf    $s1,4($s3)
+        llgf    $s2,8($s3)
+        llgf    $s3,12($s3)
         stm${g} %r2,%r5,2*$SIZE_T($sp)
         la      $key,0($key2)
         larl    $tbl,AES_Te
@@ -1864,11 +1859,9 @@ $code.=<<___;
         lghi    %r1,0x87
         srag    %r0,$s3,63              # broadcast upper bit
         ngr     %r1,%r0                 # rem
-        srlg    %r0,$s1,63              # carry bit from lower half
-        sllg    $s1,$s1,1
-        sllg    $s3,$s3,1
+        algr    $s1,$s1
+        alcgr   $s3,$s3
         xgr     $s1,%r1
-        ogr     $s3,%r0
         lrvgr   $s1,$s1                 # flip byte order
         lrvgr   $s3,$s3
         srlg    $s0,$s1,32              # smash the tweak to 4x32-bits 
@@ -1917,11 +1910,9 @@ $code.=<<___;
         lghi    %r1,0x87
         srag    %r0,$s3,63              # broadcast upper bit
         ngr     %r1,%r0                 # rem
-        srlg    %r0,$s1,63              # carry bit from lower half
-        sllg    $s1,$s1,1
-        sllg    $s3,$s3,1
+        algr    $s1,$s1
+        alcgr   $s3,$s3
         xgr     $s1,%r1
-        ogr     $s3,%r0
         lrvgr   $s1,$s1                 # flip byte order
         lrvgr   $s3,$s3
         srlg    $s0,$s1,32              # smash the tweak to 4x32-bits 
@@ -1956,7 +1947,8 @@ $code.=<<___;
 .size   AES_xts_encrypt,.-AES_xts_encrypt
 ___
 # void AES_xts_decrypt(const char *inp,char *out,size_t len,
-#       const AES_KEY *key1, const AES_KEY *key2,u64 secno);
+#       const AES_KEY *key1, const AES_KEY *key2,
+#       const unsigned char iv[16]);
 #
 $code.=<<___;
 .globl  AES_xts_decrypt
@@ -1988,8 +1980,8 @@ $code.=<<___ if (!$softonly);
         clr     %r0,%r1
         jl      .Lxts_dec_software
 
+        st${g}  $ra,5*$SIZE_T($sp)
         stm${g} %r6,$s3,6*$SIZE_T($sp)
-        st${g}  $ra,14*$SIZE_T($sp)
 
         nill    $len,0xfff0             # $len&=~15
         slgr    $out,$inp
@@ -2028,11 +2020,9 @@ $code.=<<___ if (!$softonly);
         lghi    $i1,0x87
         srag    $i2,$s1,63              # broadcast upper bit
         ngr     $i1,$i2                 # rem
-        srlg    $i2,$s0,63              # carry bit from lower half
-        sllg    $s0,$s0,1
-        sllg    $s1,$s1,1
+        algr    $s0,$s0
+        alcgr   $s1,$s1
         xgr     $s0,$i1
-        ogr     $s1,$i2
         lrvgr   $i1,$s0                 # flip byte order
         lrvgr   $i2,$s1
 
@@ -2075,9 +2065,9 @@ $code.=<<___ if (!$softonly);
         stg     $s2,0($i3)
         stg     $s3,8($i3)
 .Lxts_dec_km_done:
-        l${g}   $ra,14*$SIZE_T($sp)
-        st${g}  $sp,$tweak($sp)         # wipe tweak
-        st${g}  $sp,$tweak($sp)
+        stg     $sp,$tweak+0($sp)       # wipe tweak
+        stg     $sp,$tweak+8($sp)
+        l${g}   $ra,5*$SIZE_T($sp)
         lm${g}  %r6,$s3,6*$SIZE_T($sp)
         br      $ra
 .align  16
@@ -2089,12 +2079,11 @@ $code.=<<___;
         srlg    $len,$len,4
         slgr    $out,$inp
 
-        xgr     $s0,$s0                 # clear upper half
-        xgr     $s1,$s1
-        lrv     $s0,$stdframe+4($sp)    # load secno
-        lrv     $s1,$stdframe+0($sp)
-        xgr     $s2,$s2
-        xgr     $s3,$s3
+        l${g}   $s3,$stdframe($sp)      # ivp
+        llgf    $s0,0($s3)              # load iv
+        llgf    $s1,4($s3)
+        llgf    $s2,8($s3)
+        llgf    $s3,12($s3)
         stm${g} %r2,%r5,2*$SIZE_T($sp)
         la      $key,0($key2)
         larl    $tbl,AES_Te
@@ -2113,11 +2102,9 @@ $code.=<<___;
         lghi    %r1,0x87
         srag    %r0,$s3,63              # broadcast upper bit
         ngr     %r1,%r0                 # rem
-        srlg    %r0,$s1,63              # carry bit from lower half
-        sllg    $s1,$s1,1
-        sllg    $s3,$s3,1
+        algr    $s1,$s1
+        alcgr   $s3,$s3
         xgr     $s1,%r1
-        ogr     $s3,%r0
         lrvgr   $s1,$s1                 # flip byte order
         lrvgr   $s3,$s3
         srlg    $s0,$s1,32              # smash the tweak to 4x32-bits 
@@ -2156,11 +2143,9 @@ $code.=<<___;
         lghi    %r1,0x87
         srag    %r0,$s3,63              # broadcast upper bit
         ngr     %r1,%r0                 # rem
-        srlg    %r0,$s1,63              # carry bit from lower half
-        sllg    $s1,$s1,1
-        sllg    $s3,$s3,1
+        algr    $s1,$s1
+        alcgr   $s3,$s3
         xgr     $s1,%r1
-        ogr     $s3,%r0
         lrvgr   $i2,$s1                 # flip byte order
         lrvgr   $i3,$s3
         stmg    $i2,$i3,$tweak($sp)     # save the 1st tweak
@@ -2176,11 +2161,9 @@ $code.=<<___;
         lghi    %r1,0x87
         srag    %r0,$s3,63              # broadcast upper bit
         ngr     %r1,%r0                 # rem
-        srlg    %r0,$s1,63              # carry bit from lower half
-        sllg    $s1,$s1,1
-        sllg    $s3,$s3,1
+        algr    $s1,$s1
+        alcgr   $s3,$s3
         xgr     $s1,%r1
-        ogr     $s3,%r0
         lrvgr   $s1,$s1                 # flip byte order
         lrvgr   $s3,$s3
         srlg    $s0,$s1,32              # smash the tweak to 4x32-bits
diff --git a/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl b/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
index c6f6b3334a..3c8f6c19e7 100644
--- a/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
@@ -69,7 +69,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
            `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
            $1>=10);
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # void aesni_cbc_sha1_enc(const void *inp,
 #                       void *out,
diff --git a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
index c9c6312fa7..41b90f0844 100644
--- a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
@@ -83,9 +83,9 @@
 # Add decryption procedure. Performance in CPU cycles spent to decrypt
 # one byte out of 4096-byte buffer with 128-bit key is:
 #
-# Core 2        11.0
-# Nehalem       9.16
-# Atom          20.9
+# Core 2        9.83
+# Nehalem       7.74
+# Atom          19.0
 #
 # November 2011.
 #
@@ -105,7 +105,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
 my @XMM=map("%xmm$_",(15,0..14));       # best on Atom, +10% over (0..15)
@@ -455,6 +456,7 @@ sub MixColumns {
 # modified to emit output in order suitable for feeding back to aesenc[last]
 my @x=@_[0..7];
 my @t=@_[8..15];
+my $inv=@_[16]; # optional
 $code.=<<___;
         pshufd  \$0x93, @x[0], @t[0]    # x0 <<< 32
         pshufd  \$0x93, @x[1], @t[1]
@@ -496,7 +498,8 @@ $code.=<<___;
         pxor    @t[4], @t[0]
          pshufd \$0x4E, @x[2], @x[6]
         pxor    @t[5], @t[1]
-
+___
+$code.=<<___ if (!$inv);
         pxor    @t[3], @x[4]
         pxor    @t[7], @x[5]
         pxor    @t[6], @x[3]
@@ -504,9 +507,20 @@ $code.=<<___;
         pxor    @t[2], @x[6]
          movdqa @t[1], @x[7]
 ___
+$code.=<<___ if ($inv);
+        pxor    @x[4], @t[3]
+        pxor    @t[7], @x[5]
+        pxor    @x[3], @t[6]
+         movdqa @t[0], @x[3]
+        pxor    @t[2], @x[6]
+         movdqa @t[6], @x[2]
+         movdqa @t[1], @x[7]
+         movdqa @x[6], @x[4]
+         movdqa @t[3], @x[6]
+___
 }
 
-sub InvMixColumns {
+sub InvMixColumns_orig {
 my @x=@_[0..7];
 my @t=@_[8..15];
 
@@ -660,6 +674,54 @@ $code.=<<___;
 ___
 }
 
+sub InvMixColumns {
+my @x=@_[0..7];
+my @t=@_[8..15];
+
+# Thanks to Jussi Kivilinna for providing pointer to
+#
+# | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
+# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
+# | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
+# | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
+
+$code.=<<___;
+        # multiplication by 0x05-0x00-0x04-0x00
+        pshufd  \$0x4E, @x[0], @t[0]
+        pshufd  \$0x4E, @x[6], @t[6]
+        pxor    @x[0], @t[0]
+        pshufd  \$0x4E, @x[7], @t[7]
+        pxor    @x[6], @t[6]
+        pshufd  \$0x4E, @x[1], @t[1]
+        pxor    @x[7], @t[7]
+        pshufd  \$0x4E, @x[2], @t[2]
+        pxor    @x[1], @t[1]
+        pshufd  \$0x4E, @x[3], @t[3]
+        pxor    @x[2], @t[2]
+         pxor   @t[6], @x[0]
+         pxor   @t[6], @x[1]
+        pshufd  \$0x4E, @x[4], @t[4]
+        pxor    @x[3], @t[3]
+         pxor   @t[0], @x[2]
+         pxor   @t[1], @x[3]
+        pshufd  \$0x4E, @x[5], @t[5]
+        pxor    @x[4], @t[4]
+         pxor   @t[7], @x[1]
+         pxor   @t[2], @x[4]
+        pxor    @x[5], @t[5]
+
+         pxor   @t[7], @x[2]
+         pxor   @t[6], @x[3]
+         pxor   @t[6], @x[4]
+         pxor   @t[3], @x[5]
+         pxor   @t[4], @x[6]
+         pxor   @t[7], @x[4]
+         pxor   @t[7], @x[5]
+         pxor   @t[5], @x[7]
+___
+        &MixColumns     (@x,@t,1);      # flipped 2<->3 and 4<->6
+}
+
 sub aesenc {                            # not used
 my @b=@_[0..7];
 my @t=@_[8..15];
@@ -2027,6 +2089,8 @@ ___
 #       const unsigned char iv[16]);
 #
 my ($twmask,$twres,$twtmp)=@XMM[13..15];
+$arg6=~s/d$//;
+
 $code.=<<___;
 .globl  bsaes_xts_encrypt
 .type   bsaes_xts_encrypt,\@abi-omnipotent
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
index 37998db5e1..bd7f45b850 100644
--- a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
@@ -56,7 +56,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $PREFIX="vpaes";
 
@@ -1059,7 +1060,7 @@ _vpaes_consts:
 .Lk_dsbo:       # decryption sbox final output
         .quad   0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
         .quad   0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz  "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
+.asciz  "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
 .align  64
 .size   _vpaes_consts,.-_vpaes_consts
 ___
diff --git a/src/lib/libcrypto/armcap.c b/src/lib/libcrypto/armcap.c
index 5258d2fbdd..9abaf396e5 100644
--- a/src/lib/libcrypto/armcap.c
+++ b/src/lib/libcrypto/armcap.c
@@ -23,7 +23,7 @@ unsigned int _armv7_tick(void);
 
 unsigned int OPENSSL_rdtsc(void)
         {
-        if (OPENSSL_armcap_P|ARMV7_TICK)
+        if (OPENSSL_armcap_P & ARMV7_TICK)
                 return _armv7_tick();
         else
                 return 0;
diff --git a/src/lib/libcrypto/bn/asm/mips-mont.pl b/src/lib/libcrypto/bn/asm/mips-mont.pl
index b944a12b8e..caae04ed3a 100644
--- a/src/lib/libcrypto/bn/asm/mips-mont.pl
+++ b/src/lib/libcrypto/bn/asm/mips-mont.pl
@@ -133,7 +133,7 @@ $code.=<<___;
         bnez    $at,1f
         li      $t0,0
         slt     $at,$num,17     # on in-order CPU
-        bnezl   $at,bn_mul_mont_internal
+        bnez    $at,bn_mul_mont_internal
         nop
 1:      jr      $ra
         li      $a0,0
diff --git a/src/lib/libcrypto/bn/asm/mips.pl b/src/lib/libcrypto/bn/asm/mips.pl
index c162a3ec23..d2f3ef7bbf 100644
--- a/src/lib/libcrypto/bn/asm/mips.pl
+++ b/src/lib/libcrypto/bn/asm/mips.pl
@@ -140,10 +140,10 @@ $code.=<<___;
         .set    reorder
         li      $minus4,-4
         and     $ta0,$a2,$minus4
-        $LD     $t0,0($a1)
         beqz    $ta0,.L_bn_mul_add_words_tail
 
 .L_bn_mul_add_words_loop:
+        $LD     $t0,0($a1)
         $MULTU  $t0,$a3
         $LD     $t1,0($a0)
         $LD     $t2,$BNSZ($a1)
@@ -200,10 +200,9 @@ $code.=<<___;
         $ADDU   $v0,$ta2
         sltu    $at,$ta3,$at
         $ST     $ta3,-$BNSZ($a0)
-        $ADDU   $v0,$at
         .set    noreorder
-        bgtzl   $ta0,.L_bn_mul_add_words_loop
-        $LD     $t0,0($a1)
+        bgtz    $ta0,.L_bn_mul_add_words_loop
+        $ADDU   $v0,$at
 
         beqz    $a2,.L_bn_mul_add_words_return
         nop
@@ -300,10 +299,10 @@ $code.=<<___;
         .set    reorder
         li      $minus4,-4
         and     $ta0,$a2,$minus4
-        $LD     $t0,0($a1)
         beqz    $ta0,.L_bn_mul_words_tail
 
 .L_bn_mul_words_loop:
+        $LD     $t0,0($a1)
         $MULTU  $t0,$a3
         $LD     $t2,$BNSZ($a1)
         $LD     $ta0,2*$BNSZ($a1)
@@ -341,10 +340,9 @@ $code.=<<___;
         $ADDU   $v0,$at
         sltu    $ta3,$v0,$at
         $ST     $v0,-$BNSZ($a0)
-        $ADDU   $v0,$ta3,$ta2
         .set    noreorder
-        bgtzl   $ta0,.L_bn_mul_words_loop
-        $LD     $t0,0($a1)
+        bgtz    $ta0,.L_bn_mul_words_loop
+        $ADDU   $v0,$ta3,$ta2
 
         beqz    $a2,.L_bn_mul_words_return
         nop
@@ -429,10 +427,10 @@ $code.=<<___;
         .set    reorder
         li      $minus4,-4
         and     $ta0,$a2,$minus4
-        $LD     $t0,0($a1)
         beqz    $ta0,.L_bn_sqr_words_tail
 
 .L_bn_sqr_words_loop:
+        $LD     $t0,0($a1)
         $MULTU  $t0,$t0
         $LD     $t2,$BNSZ($a1)
         $LD     $ta0,2*$BNSZ($a1)
@@ -463,11 +461,10 @@ $code.=<<___;
         mflo    $ta3
         mfhi    $ta2
         $ST     $ta3,-2*$BNSZ($a0)
-        $ST     $ta2,-$BNSZ($a0)
 
         .set    noreorder
-        bgtzl   $ta0,.L_bn_sqr_words_loop
-        $LD     $t0,0($a1)
+        bgtz    $ta0,.L_bn_sqr_words_loop
+        $ST     $ta2,-$BNSZ($a0)
 
         beqz    $a2,.L_bn_sqr_words_return
         nop
@@ -547,10 +544,10 @@ $code.=<<___;
         .set    reorder
         li      $minus4,-4
         and     $at,$a3,$minus4
-        $LD     $t0,0($a1)
         beqz    $at,.L_bn_add_words_tail
 
 .L_bn_add_words_loop:
+        $LD     $t0,0($a1)
         $LD     $ta0,0($a2)
         subu    $a3,4
         $LD     $t1,$BNSZ($a1)
@@ -589,11 +586,10 @@ $code.=<<___;
         $ADDU   $t3,$ta3,$v0
         sltu    $v0,$t3,$ta3
         $ST     $t3,-$BNSZ($a0)
-        $ADDU   $v0,$t9
         
         .set    noreorder
-        bgtzl   $at,.L_bn_add_words_loop
-        $LD     $t0,0($a1)
+        bgtz    $at,.L_bn_add_words_loop
+        $ADDU   $v0,$t9
 
         beqz    $a3,.L_bn_add_words_return
         nop
@@ -679,10 +675,10 @@ $code.=<<___;
         .set    reorder
         li      $minus4,-4
         and     $at,$a3,$minus4
-        $LD     $t0,0($a1)
         beqz    $at,.L_bn_sub_words_tail
 
 .L_bn_sub_words_loop:
+        $LD     $t0,0($a1)
         $LD     $ta0,0($a2)
         subu    $a3,4
         $LD     $t1,$BNSZ($a1)
@@ -722,11 +718,10 @@ $code.=<<___;
         $SUBU   $t3,$ta3,$v0
         sgtu    $v0,$t3,$ta3
         $ST     $t3,-$BNSZ($a0)
-        $ADDU   $v0,$t9
 
         .set    noreorder
-        bgtzl   $at,.L_bn_sub_words_loop
-        $LD     $t0,0($a1)
+        bgtz    $at,.L_bn_sub_words_loop
+        $ADDU   $v0,$t9
 
         beqz    $a3,.L_bn_sub_words_return
         nop
@@ -819,7 +814,7 @@ ___
 $code.=<<___;
         .set    reorder
         move    $ta3,$ra
-        bal     bn_div_words
+        bal     bn_div_words_internal
         move    $ra,$ta3
         $MULTU  $ta2,$v0
         $LD     $t2,-2*$BNSZ($a3)
@@ -840,8 +835,9 @@ $code.=<<___;
         sltu    $ta0,$a1,$a2
         or      $t8,$ta0
         .set    noreorder
-        beqzl   $at,.L_bn_div_3_words_inner_loop
+        beqz    $at,.L_bn_div_3_words_inner_loop
         $SUBU   $v0,1
+        $ADDU   $v0,1
         .set    reorder
 .L_bn_div_3_words_inner_loop_done:
         .set    noreorder
@@ -902,7 +898,8 @@ $code.=<<___;
         and     $t2,$a0
         $SRL    $at,$a1,$t1
         .set    noreorder
-        bnezl   $t2,.+8
+        beqz    $t2,.+12
+        nop
         break   6               # signal overflow
         .set    reorder
         $SLL    $a0,$t9
@@ -917,7 +914,8 @@ $code.=<<___;
         $SRL    $DH,$a2,4*$BNSZ # bits
         sgeu    $at,$a0,$a2
         .set    noreorder
-        bnezl   $at,.+8
+        beqz    $at,.+12
+        nop
         $SUBU   $a0,$a2
         .set    reorder
 
diff --git a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl b/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
index 54aeb01921..bfd6e97541 100644
--- a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
+++ b/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
@@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 use strict;
 my $code=".text\n\n";
diff --git a/src/lib/libcrypto/bn/asm/parisc-mont.pl b/src/lib/libcrypto/bn/asm/parisc-mont.pl
index 4a766a87fb..c02ef6f014 100644
--- a/src/lib/libcrypto/bn/asm/parisc-mont.pl
+++ b/src/lib/libcrypto/bn/asm/parisc-mont.pl
@@ -40,7 +40,7 @@
 # of arithmetic operations, most notably multiplications. It requires
 # more memory references, most notably to tp[num], but this doesn't
 # seem to exhaust memory port capacity. And indeed, dedicated PA-RISC
-# 2.0 code path, provides virtually same performance as pa-risc2[W].s:
+# 2.0 code path provides virtually same performance as pa-risc2[W].s:
 # it's ~10% better for shortest key length and ~10% worse for longest
 # one.
 #
@@ -988,6 +988,8 @@ foreach (split("\n",$code)) {
         # assemble 2.0 instructions in 32-bit mode...
         s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4);
 
+        s/\bbv\b/bve/gm if ($SIZE_T==8);
+
         print $_,"\n";
 }
 close STDOUT;
diff --git a/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl b/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
index 1658acbbdd..226c66c35e 100644
--- a/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
@@ -31,7 +31,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 ($lo,$hi)=("%rax","%rdx");      $a=$lo;
 ($i0,$i1)=("%rsi","%rdi");
diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont.pl b/src/lib/libcrypto/bn/asm/x86_64-mont.pl
index 5d79b35e1c..17fb94c84c 100755
--- a/src/lib/libcrypto/bn/asm/x86_64-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-mont.pl
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # int bn_mul_mont(
 $rp="%rdi";     # BN_ULONG *rp,
diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl b/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
index 057cda28aa..dae0fe2453 100755
--- a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
@@ -28,7 +28,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # int bn_mul_mont_gather5(
 $rp="%rdi";     # BN_ULONG *rp,
@@ -900,8 +901,8 @@ $code.=<<___;
         jnz     .Lgather
 ___
 $code.=<<___ if ($win64);
-        movaps  %xmm6,(%rsp)
-        movaps  %xmm7,0x10(%rsp)
+        movaps  (%rsp),%xmm6
+        movaps  0x10(%rsp),%xmm7
         lea     0x28(%rsp),%rsp
 ___
 $code.=<<___;
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
index 76955e4726..9f4b82fa48 100644
--- a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
+++ b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/;    $r; }
 sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
diff --git a/src/lib/libcrypto/cms/cms_cd.c b/src/lib/libcrypto/cms/cms_cd.c
index a5fc2c4e2b..2021688101 100644
--- a/src/lib/libcrypto/cms/cms_cd.c
+++ b/src/lib/libcrypto/cms/cms_cd.c
@@ -58,7 +58,9 @@
 #include <openssl/err.h>
 #include <openssl/cms.h>
 #include <openssl/bio.h>
+#ifndef OPENSSL_NO_COMP
 #include <openssl/comp.h>
+#endif
 #include "cms_lcl.h"
 
 DECLARE_ASN1_ITEM(CMS_CompressedData)
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index f873ce3794..bebeaf29c7 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -74,7 +74,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
         X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
         unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
         unsigned char *tkey = NULL;
-        size_t tkeylen;
+        size_t tkeylen = 0;
 
         int ok = 0;
 
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
index f88e8f3b52..ba08279a04 100644
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -411,9 +411,7 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
                  * algorithm  OID instead of digest.
                  */
                         || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
-                        {
                         return EVP_MD_CTX_copy_ex(mctx, mtmp);
-                        }
                 chain = BIO_next(chain);
                 }
         }
@@ -467,8 +465,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
         pcerts = cms_get0_certificate_choices(cms);
         if (!pcerts)
                 return 0;
-        if (!pcerts)
-                return 0;
         for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
                 {
                 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
index f2f455990f..13b91f1e6e 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
@@ -117,7 +117,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> 
 
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
index 42b2a8c44e..847983237b 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
index d9d6d76c72..27464be571 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
@@ -84,7 +84,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
index 91c9c5d0a5..e495a81242 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod b/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
index 1a9c7954c5..8ff597d44a 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
@@ -32,7 +32,7 @@ public key algorithm.
 L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 
 =head1 HISTORY
 
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
index 37c6fe9503..fd431ace6d 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
@@ -151,7 +151,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod b/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
index 2fb52c3486..a044f2c131 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
@@ -86,7 +86,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
index f93e5fc6c3..90612ba2f0 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
@@ -81,7 +81,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
 L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
 L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
 L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
-L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>,
+L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
 L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
 
 =head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
new file mode 100644
index 0000000000..23a28a9c43
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
@@ -0,0 +1,103 @@
+=pod
+
+=head1 NAME
+
+EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
+ int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
+                        unsigned char *rout, size_t *routlen,
+                        const unsigned char *sig, size_t siglen);
+
+=head1 DESCRIPTION
+
+The EVP_PKEY_verify_recover_init() function initializes a public key algorithm
+context using key B<pkey> for a verify recover operation.
+
+The EVP_PKEY_verify_recover() function recovers signed data
+using B<ctx>. The signature is specified using the B<sig> and
+B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
+buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
+before the call the B<routlen> parameter should contain the length of the
+B<rout> buffer, if the call is successful recovered data is written to
+B<rout> and the amount of data written to B<routlen>.
+
+=head1 NOTES
+
+Normally an application is only interested in whether a signature verification
+operation is successful in those cases the EVP_verify() function should be 
+used.
+
+Sometimes however it is useful to obtain the data originally signed using a
+signing operation. Only certain public key algorithms can recover a signature
+in this way (for example RSA in PKCS padding mode).
+
+After the call to EVP_PKEY_verify_recover_init() algorithm specific control
+operations can be performed to set any appropriate parameters for the
+operation.
+
+The function EVP_PKEY_verify_recover() can be called more than once on the same
+context if several operations are performed using the same parameters.
+
+=head1 RETURN VALUES
+
+EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
+and 0 or a negative value for failure. In particular a return value of -2
+indicates the operation is not supported by the public key algorithm.
+
+=head1 EXAMPLE
+
+Recover digest originally signed using PKCS#1 and SHA256 digest:
+
+ #include <openssl/evp.h>
+ #include <openssl/rsa.h>
+
+ EVP_PKEY_CTX *ctx;
+ unsigned char *rout, *sig;
+ size_t routlen, siglen; 
+ EVP_PKEY *verify_key;
+ /* NB: assumes verify_key, sig and siglen are already set up
+  * and that verify_key is an RSA public key
+  */
+ ctx = EVP_PKEY_CTX_new(verify_key);
+ if (!ctx)
+        /* Error occurred */
+ if (EVP_PKEY_verify_recover_init(ctx) <= 0)
+        /* Error */
+ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
+        /* Error */
+ if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
+        /* Error */
+
+ /* Determine buffer length */
+ if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
+        /* Error */
+
+ rout = OPENSSL_malloc(routlen);
+
+ if (!rout)
+        /* malloc failure */
+ 
+ if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
+        /* Error */
+
+ /* Recovered data is routlen bytes written to buffer rout */
+
+=head1 SEE ALSO
+
+L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
+L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
+L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
+L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 
+
+=head1 HISTORY
+
+These functions were first added to OpenSSL 1.0.0.
+
+=cut
diff --git a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
index b68eece033..46cac2bea2 100644
--- a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
+++ b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
@@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it
 to examine the valid policy tree and perform additional checks or simply
 log it for debugging purposes.
 
-By default some addtional features such as indirect CRLs and CRLs signed by
+By default some additional features such as indirect CRLs and CRLs signed by
 different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
 they are enabled.
 
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 26f4a783fc..1c575dc47a 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
         return ret;
         }
 
+
 /* Computes scalar*point and stores the result in r.
  * point can not equal r.
- * Uses algorithm 2P of
+ * Uses a modified algorithm 2P of
  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
+ *
+ * To protect against side-channel attack the function uses constant time swap,
+ * avoiding conditional branches.
  */
 static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
         const EC_POINT *point, BN_CTX *ctx)
@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
         x2 = &r->X;
         z2 = &r->Y;
 
+        bn_wexpand(x1, group->field.top);
+        bn_wexpand(z1, group->field.top);
+        bn_wexpand(x2, group->field.top);
+        bn_wexpand(z2, group->field.top);
+
         if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
         if (!BN_one(z1)) goto err; /* z1 = 1 */
         if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
                 word = scalar->d[i];
                 while (mask)
                         {
-                        if (word & mask)
-                                {
-                                if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
-                                if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
-                                }
-                        else
-                                {
-                                if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
-                                if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-                                }
+                        BN_consttime_swap(word & mask, x1, x2, group->field.top);
+                        BN_consttime_swap(word & mask, z1, z2, group->field.top);
+                        if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+                        if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+                        BN_consttime_swap(word & mask, x1, x2, group->field.top);
+                        BN_consttime_swap(word & mask, z1, z2, group->field.top);
                         mask >>= 1;
                         }
                 mask = BN_TBIT;
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 83909c1853..0ce4524076 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -88,7 +88,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
                 if (!pstr)
                         return 0;
                 pstr->length = i2d_ECParameters(ec_key, &pstr->data);
-                if (pstr->length < 0)
+                if (pstr->length <= 0)
                         {
                         ASN1_STRING_free(pstr);
                         ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index 175eec5342..145807b611 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -89,7 +89,8 @@ int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
         if (group == NULL)
                 return 0;
 
-        if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+            NID_X9_62_characteristic_two_field
             || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
                 {
                 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -107,7 +108,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
         if (group == NULL)
                 return 0;
 
-        if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve
+        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+            NID_X9_62_characteristic_two_field
             || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
                 {
                 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index bf9fd2dc2c..7fa247593d 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -520,18 +520,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
 void *EC_KEY_get_key_method_data(EC_KEY *key,
         void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
         {
-        return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+        void *ret;
+
+        CRYPTO_r_lock(CRYPTO_LOCK_EC);
+        ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+        CRYPTO_r_unlock(CRYPTO_LOCK_EC);
+
+        return ret;
         }
 
-void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
         void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
         {
         EC_EXTRA_DATA *ex_data;
+
         CRYPTO_w_lock(CRYPTO_LOCK_EC);
         ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
         if (ex_data == NULL)
                 EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
         CRYPTO_w_unlock(CRYPTO_LOCK_EC);
+
+        return ex_data;
         }
 
 void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
diff --git a/src/lib/libcrypto/ec/ec_pmeth.c b/src/lib/libcrypto/ec/ec_pmeth.c
index d1ed66c37e..66ee397d86 100644
--- a/src/lib/libcrypto/ec/ec_pmeth.c
+++ b/src/lib/libcrypto/ec/ec_pmeth.c
@@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 
         pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
 
-        /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is
+        /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
          * not an error, the result is truncated.
          */
 
diff --git a/src/lib/libcrypto/ecdh/ech_key.c b/src/lib/libcrypto/ecdh/ech_key.c
index f44da9298b..2988899ea2 100644
--- a/src/lib/libcrypto/ecdh/ech_key.c
+++ b/src/lib/libcrypto/ecdh/ech_key.c
@@ -68,9 +68,6 @@
  */
 
 #include "ech_locl.h"
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 
 int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
         EC_KEY *eckey,
diff --git a/src/lib/libcrypto/ecdh/ech_lib.c b/src/lib/libcrypto/ecdh/ech_lib.c
index dadbfd3c49..0644431b75 100644
--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -222,8 +222,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
                 ecdh_data = (ECDH_DATA *)ecdh_data_new();
                 if (ecdh_data == NULL)
                         return NULL;
-                EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
-                        ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+                data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
+                           ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+                if (data != NULL)
+                        {
+                        /* Another thread raced us to install the key_method
+                         * data and won. */
+                        ecdh_data_free(ecdh_data);
+                        ecdh_data = (ECDH_DATA *)data;
+                        }
         }
         else
                 ecdh_data = (ECDH_DATA *)data;
diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index e477da430b..814a6bf404 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -200,8 +200,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
                 ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
                 if (ecdsa_data == NULL)
                         return NULL;
-                EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
-                        ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+                data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
+                           ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+                if (data != NULL)
+                        {
+                        /* Another thread raced us to install the key_method
+                         * data and won. */
+                        ecdsa_data_free(ecdsa_data);
+                        ecdsa_data = (ECDSA_DATA *)data;
+                        }
         }
         else
                 ecdsa_data = (ECDSA_DATA *)data;
diff --git a/src/lib/libcrypto/md5/asm/md5-x86_64.pl b/src/lib/libcrypto/md5/asm/md5-x86_64.pl
index 867885435e..f11224d172 100755
--- a/src/lib/libcrypto/md5/asm/md5-x86_64.pl
+++ b/src/lib/libcrypto/md5/asm/md5-x86_64.pl
@@ -120,7 +120,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 die "can't locate x86_64-xlate.pl";
 
 no warnings qw(uninitialized);
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $code .= <<EOF;
 .text
diff --git a/src/lib/libcrypto/modes/asm/ghash-alpha.pl b/src/lib/libcrypto/modes/asm/ghash-alpha.pl
index 6358b2750f..aa36029386 100644
--- a/src/lib/libcrypto/modes/asm/ghash-alpha.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-alpha.pl
@@ -266,8 +266,8 @@ gcm_gmult_4bit:
         ldq     $Xlo,8($Xi)
         ldq     $Xhi,0($Xi)
 
-        br      $rem_4bit,.Lpic1
-.Lpic1: lda     $rem_4bit,rem_4bit-.Lpic1($rem_4bit)
+        bsr     $t0,picmeup
+        nop
 ___
 
         &loop();
@@ -341,8 +341,8 @@ gcm_ghash_4bit:
         ldq     $Xhi,0($Xi)
         ldq     $Xlo,8($Xi)
 
-        br      $rem_4bit,.Lpic2
-.Lpic2: lda     $rem_4bit,rem_4bit-.Lpic2($rem_4bit)
+        bsr     $t0,picmeup
+        nop
 
 .Louter:
         extql   $inhi,$inp,$inhi
@@ -436,11 +436,20 @@ $code.=<<___;
 .end    gcm_ghash_4bit
 
 .align  4
+.ent    picmeup
+picmeup:
+        .frame  sp,0,$t0
+        .prologue 0
+        br      $rem_4bit,.Lpic
+.Lpic:  lda     $rem_4bit,12($rem_4bit)
+        ret     ($t0)
+.end    picmeup
+        nop
 rem_4bit:
-        .quad   0x0000<<48, 0x1C20<<48, 0x3840<<48, 0x2460<<48
-        .quad   0x7080<<48, 0x6CA0<<48, 0x48C0<<48, 0x54E0<<48
-        .quad   0xE100<<48, 0xFD20<<48, 0xD940<<48, 0xC560<<48
-        .quad   0x9180<<48, 0x8DA0<<48, 0xA9C0<<48, 0xB5E0<<48
+        .long   0,0x0000<<16, 0,0x1C20<<16, 0,0x3840<<16, 0,0x2460<<16
+        .long   0,0x7080<<16, 0,0x6CA0<<16, 0,0x48C0<<16, 0,0x54E0<<16
+        .long   0,0xE100<<16, 0,0xFD20<<16, 0,0xD940<<16, 0,0xC560<<16
+        .long   0,0x9180<<16, 0,0x8DA0<<16, 0,0xA9C0<<16, 0,0xB5E0<<16
 .ascii  "GHASH for Alpha, CRYPTOGAMS by <appro\@openssl.org>"
 .align  4
 
diff --git a/src/lib/libcrypto/modes/asm/ghash-parisc.pl b/src/lib/libcrypto/modes/asm/ghash-parisc.pl
index 8c7454ee93..d5ad96b403 100644
--- a/src/lib/libcrypto/modes/asm/ghash-parisc.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-parisc.pl
@@ -724,6 +724,7 @@ foreach (split("\n",$code)) {
                 s/cmpb,\*/comb,/;
                 s/,\*/,/;
         }
+        s/\bbv\b/bve/   if ($SIZE_T==8);
         print $_,"\n";
 }
 
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86.pl b/src/lib/libcrypto/modes/asm/ghash-x86.pl
index 6b09669d47..83c727e07f 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86.pl
@@ -635,7 +635,7 @@ sub mmx_loop() {
     { my @lo  = ("mm0","mm1","mm2");
       my @hi  = ("mm3","mm4","mm5");
       my @tmp = ("mm6","mm7");
-      my $off1=0,$off2=0,$i;
+      my ($off1,$off2,$i) = (0,0,);
 
       &add      ($Htbl,128);                    # optimize for size
       &lea      ("edi",&DWP(16+128,"esp"));
@@ -883,7 +883,7 @@ sub reduction_alg9 {	# 17/13 times faster than Intel version
 my ($Xhi,$Xi) = @_;
 
         # 1st phase
-        &movdqa         ($T1,$Xi)               #
+        &movdqa         ($T1,$Xi);              #
         &psllq          ($Xi,1);
         &pxor           ($Xi,$T1);              #
         &psllq          ($Xi,5);                #
@@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_;
         &movdqa         ($Xhn,$Xn);
          &pxor          ($Xhi,$T1);             # "Ii+Xi", consume early
 
-          &movdqa       ($T1,$Xi)               #&reduction_alg9($Xhi,$Xi); 1st phase
+          &movdqa       ($T1,$Xi);              #&reduction_alg9($Xhi,$Xi); 1st phase
           &psllq        ($Xi,1);
           &pxor         ($Xi,$T1);              #
           &psllq        ($Xi,5);                #
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
index a5ae180882..38d779edbc 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
@@ -50,7 +50,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 # common register layout
 $nlo="%rax";
diff --git a/src/lib/libcrypto/modes/cbc128.c b/src/lib/libcrypto/modes/cbc128.c
index 3d3782cbe1..0e54f75470 100644
--- a/src/lib/libcrypto/modes/cbc128.c
+++ b/src/lib/libcrypto/modes/cbc128.c
@@ -117,7 +117,7 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
                         unsigned char ivec[16], block128_f block)
 {
         size_t n;
-        union { size_t align; unsigned char c[16]; } tmp;
+        union { size_t t[16/sizeof(size_t)]; unsigned char c[16]; } tmp;
 
         assert(in && out && key && ivec);
 
@@ -137,11 +137,13 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
                                 out += 16;
                         }
                 }
-                else {
+                else  if (16%sizeof(size_t) == 0) { /* always true */
                         while (len>=16) {
+                                size_t *out_t=(size_t *)out, *iv_t=(size_t *)iv;
+
                                 (*block)(in, out, key);
-                                for(n=0; n<16; n+=sizeof(size_t))
-                                        *(size_t *)(out+n) ^= *(size_t *)(iv+n);
+                                for(n=0; n<16/sizeof(size_t); n++)
+                                        out_t[n] ^= iv_t[n];
                                 iv = in;
                                 len -= 16;
                                 in  += 16;
@@ -165,15 +167,16 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
                                 out += 16;
                         }
                 }
-                else {
-                        size_t c;
+                else if (16%sizeof(size_t) == 0) { /* always true */
                         while (len>=16) {
+                                size_t c, *out_t=(size_t *)out, *ivec_t=(size_t *)ivec;
+                                const size_t *in_t=(const size_t *)in;
+
                                 (*block)(in, tmp.c, key);
-                                for(n=0; n<16; n+=sizeof(size_t)) {
-                                        c = *(size_t *)(in+n);
-                                        *(size_t *)(out+n) =
-                                        *(size_t *)(tmp.c+n) ^ *(size_t *)(ivec+n);
-                                        *(size_t *)(ivec+n) = c;
+                                for(n=0; n<16/sizeof(size_t); n++) {
+                                        c = in_t[n];
+                                        out_t[n] = tmp.t[n] ^ ivec_t[n];
+                                        ivec_t[n] = c;
                                 }
                                 len -= 16;
                                 in  += 16;
diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c
index c9b35e5b35..3ce11d0d98 100644
--- a/src/lib/libcrypto/modes/ccm128.c
+++ b/src/lib/libcrypto/modes/ccm128.c
@@ -87,7 +87,7 @@ int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
                 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
         }
         else
-                *(u32*)(&ctx->nonce.c[8]) = 0;
+                ctx->nonce.u[1] = 0;
 
         ctx->nonce.c[12] = (u8)(mlen>>24);
         ctx->nonce.c[13] = (u8)(mlen>>16);
diff --git a/src/lib/libcrypto/modes/cts128.c b/src/lib/libcrypto/modes/cts128.c
index c0e1f3696c..2d583de6f6 100644
--- a/src/lib/libcrypto/modes/cts128.c
+++ b/src/lib/libcrypto/modes/cts128.c
@@ -108,12 +108,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
         (*cbc)(in,out-16,residue,key,ivec,1);
         memcpy(out,tmp.c,residue);
 #else
-        {
-        size_t n;
-        for (n=0; n<16; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = 0;
+        memset(tmp.c,0,sizeof(tmp));
         memcpy(tmp.c,in,residue);
-        }
         memcpy(out,out-16,residue);
         (*cbc)(tmp.c,out-16,16,key,ivec,1);
 #endif
@@ -144,12 +140,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
 #if defined(CBC_HANDLES_TRUNCATED_IO)
         (*cbc)(in,out-16+residue,residue,key,ivec,1);
 #else
-        {
-        size_t n;
-        for (n=0; n<16; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = 0;
+        memset(tmp.c,0,sizeof(tmp));
         memcpy(tmp.c,in,residue);
-        }
         (*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
 #endif
         return len+residue;
@@ -177,8 +169,7 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
 
         (*block)(in,tmp.c+16,key);
 
-        for (n=0; n<16; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+        memcpy(tmp.c,tmp.c+16,16);
         memcpy(tmp.c,in+16,residue);
         (*block)(tmp.c,tmp.c,key);
 
@@ -220,8 +211,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 
         (*block)(in+residue,tmp.c+16,key);
 
-        for (n=0; n<16; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
+        memcpy(tmp.c,tmp.c+16,16);
         memcpy(tmp.c,in,residue);
         (*block)(tmp.c,tmp.c,key);
 
@@ -240,7 +230,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
 size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
                         size_t len, const void *key,
                         unsigned char ivec[16], cbc128_f cbc)
-{       size_t residue, n;
+{       size_t residue;
         union { size_t align; unsigned char c[32]; } tmp;
 
         assert (in && out && key && ivec);
@@ -257,8 +247,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
                 out += len;
         }
 
-        for (n=16; n<32; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = 0;
+        memset(tmp.c,0,sizeof(tmp));
         /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
         (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
 
@@ -275,7 +264,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
 size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
                         size_t len, const void *key,
                         unsigned char ivec[16], cbc128_f cbc)
-{       size_t residue, n;
+{       size_t residue;
         union { size_t align; unsigned char c[32]; } tmp;
 
         assert (in && out && key && ivec);
@@ -297,8 +286,7 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
                 out += len;
         }
 
-        for (n=16; n<32; n+=sizeof(size_t))
-                *(size_t *)(tmp.c+n) = 0;
+        memset(tmp.c,0,sizeof(tmp));
         /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
         (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
 
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 7d6d034970..e1dc2b0f47 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 #  endif
         gcm_init_4bit(ctx->Htable,ctx->H.u);
 #  if   defined(GHASH_ASM_X86)                  /* x86 only */
-#   if defined(OPENSSL_IA32_SSE2)
+#   if  defined(OPENSSL_IA32_SSE2)
         if (OPENSSL_ia32cap_P[0]&(1<<25)) {     /* check SSE bit */
 #   else
         if (OPENSSL_ia32cap_P[0]&(1<<23)) {     /* check MMX bit */
@@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
                 GCM_MUL(ctx,Yi);
 
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctr = BSWAP4(ctx->Yi.d[3]);
+#else
                         ctr = GETU32(ctx->Yi.c+12);
+#endif
                 else
                         ctr = ctx->Yi.d[3];
         }
@@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
         (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
         ++ctr;
         if (is_endian.little)
+#ifdef BSWAP4
+                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
         else
                 ctx->Yi.d[3] = ctr;
 }
@@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
         }
 
         if (is_endian.little)
+#ifdef BSWAP4
+                ctr = BSWAP4(ctx->Yi.d[3]);
+#else
                 ctr = GETU32(ctx->Yi.c+12);
+#endif
         else
                 ctr = ctx->Yi.d[3];
 
@@ -941,15 +953,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                     size_t j=GHASH_CHUNK;
 
                     while (j) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t))
-                                *(size_t *)(out+i) =
-                                *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+                        for (i=0; i<16/sizeof(size_t); ++i)
+                                out_t[i] = in_t[i] ^ ctx->EKi.t[i];
                         out += 16;
                         in  += 16;
                         j   -= 16;
@@ -961,15 +979,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                     size_t j=i;
 
                     while (len>=16) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t))
-                                *(size_t *)(out+i) =
-                                *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+                        for (i=0; i<16/sizeof(size_t); ++i)
+                                out_t[i] = in_t[i] ^ ctx->EKi.t[i];
                         out += 16;
                         in  += 16;
                         len -= 16;
@@ -978,16 +1002,22 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                 }
 #else
                 while (len>=16) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t))
-                                *(size_t *)(ctx->Xi.c+i) ^=
-                                *(size_t *)(out+i) =
-                                *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+                        for (i=0; i<16/sizeof(size_t); ++i)
+                                ctx->Xi.t[i] ^=
+                                out_t[i] = in_t[i]^ctx->EKi.t[i];
                         GCM_MUL(ctx,Xi);
                         out += 16;
                         in  += 16;
@@ -998,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
                         while (len--) {
@@ -1016,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
                 }
@@ -1060,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
         }
 
         if (is_endian.little)
+#ifdef BSWAP4
+                ctr = BSWAP4(ctx->Yi.d[3]);
+#else
                 ctr = GETU32(ctx->Yi.c+12);
+#endif
         else
                 ctr = ctx->Yi.d[3];
 
@@ -1091,15 +1133,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
 
                     GHASH(ctx,in,GHASH_CHUNK);
                     while (j) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t))
-                                *(size_t *)(out+i) =
-                                *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+                        for (i=0; i<16/sizeof(size_t); ++i)
+                                out_t[i] = in_t[i]^ctx->EKi.t[i];
                         out += 16;
                         in  += 16;
                         j   -= 16;
@@ -1109,15 +1157,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                 if ((i = (len&(size_t)-16))) {
                     GHASH(ctx,in,i);
                     while (len>=16) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t))
-                                *(size_t *)(out+i) =
-                                *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
+                        for (i=0; i<16/sizeof(size_t); ++i)
+                                out_t[i] = in_t[i]^ctx->EKi.t[i];
                         out += 16;
                         in  += 16;
                         len -= 16;
@@ -1125,16 +1179,23 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                 }
 #else
                 while (len>=16) {
+                        size_t *out_t=(size_t *)out;
+                        const size_t *in_t=(const size_t *)in;
+
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
-                        for (i=0; i<16; i+=sizeof(size_t)) {
-                                size_t c = *(size_t *)(in+i);
-                                *(size_t *)(out+i) = c^*(size_t *)(ctx->EKi.c+i);
-                                *(size_t *)(ctx->Xi.c+i) ^= c;
+                        for (i=0; i<16/sizeof(size_t); ++i) {
+                                size_t c = in[i];
+                                out[i] = c^ctx->EKi.t[i];
+                                ctx->Xi.t[i] ^= c;
                         }
                         GCM_MUL(ctx,Xi);
                         out += 16;
@@ -1146,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
                         while (len--) {
@@ -1167,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
                         (*block)(ctx->Yi.c,ctx->EKi.c,key);
                         ++ctr;
                         if (is_endian.little)
+#ifdef BSWAP4
+                                ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                                 PUTU32(ctx->Yi.c+12,ctr);
+#endif
                         else
                                 ctx->Yi.d[3] = ctr;
                 }
@@ -1212,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
         }
 
         if (is_endian.little)
+#ifdef BSWAP4
+                ctr = BSWAP4(ctx->Yi.d[3]);
+#else
                 ctr = GETU32(ctx->Yi.c+12);
+#endif
         else
                 ctr = ctx->Yi.d[3];
 
@@ -1234,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
                 ctr += GHASH_CHUNK/16;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 GHASH(ctx,out,GHASH_CHUNK);
@@ -1249,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*stream)(in,out,j,key,ctx->Yi.c);
                 ctr += (unsigned int)j;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 in  += i;
@@ -1269,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
                 ++ctr;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 while (len--) {
@@ -1311,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
         }
 
         if (is_endian.little)
+#ifdef BSWAP4
+                ctr = BSWAP4(ctx->Yi.d[3]);
+#else
                 ctr = GETU32(ctx->Yi.c+12);
+#endif
         else
                 ctr = ctx->Yi.d[3];
 
@@ -1336,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
                 ctr += GHASH_CHUNK/16;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 out += GHASH_CHUNK;
@@ -1362,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*stream)(in,out,j,key,ctx->Yi.c);
                 ctr += (unsigned int)j;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 out += i;
@@ -1373,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
                 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
                 ++ctr;
                 if (is_endian.little)
+#ifdef BSWAP4
+                        ctx->Yi.d[3] = BSWAP4(ctr);
+#else
                         PUTU32(ctx->Yi.c+12,ctr);
+#endif
                 else
                         ctx->Yi.d[3] = ctr;
                 while (len--) {
@@ -1398,7 +1499,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
         void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16])    = ctx->gmult;
 #endif
 
-        if (ctx->mres)
+        if (ctx->mres || ctx->ares)
                 GCM_MUL(ctx,Xi);
 
         if (is_endian.little) {
@@ -1669,6 +1770,46 @@ static const u8	IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
                         0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
                 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
 
+/* Test Case 19 */
+#define K19 K1
+#define P19 P1
+#define IV19 IV1
+#define C19 C1
+static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
+                        0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
+                        0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
+                        0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
+                        0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
+                        0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
+                        0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
+                        0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
+                T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
+
+/* Test Case 20 */
+#define K20 K1
+#define A20 A1
+static const u8 IV20[64]={0xff,0xff,0xff,0xff}, /* this results in 0xff in counter LSB */
+                P20[288],
+                C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
+                        0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
+                        0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
+                        0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
+                        0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
+                        0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
+                        0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
+                        0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
+                        0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
+                        0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
+                        0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
+                        0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
+                        0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
+                        0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
+                        0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
+                        0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
+                        0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
+                        0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
+                T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
+
 #define TEST_CASE(n)    do {                                    \
         u8 out[sizeof(P##n)];                                   \
         AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key);          \
@@ -1713,6 +1854,8 @@ int main()
         TEST_CASE(16);
         TEST_CASE(17);
         TEST_CASE(18);
+        TEST_CASE(19);
+        TEST_CASE(20);
 
 #ifdef OPENSSL_CPUID_OBJ
         {
@@ -1743,11 +1886,16 @@ int main()
                         ctr_t/(double)sizeof(buf),
                         (gcm_t-ctr_t)/(double)sizeof(buf));
 #ifdef GHASH
-        GHASH(&ctx,buf.c,sizeof(buf));
+        {
+        void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
+                                const u8 *inp,size_t len)       = ctx.ghash;
+
+        GHASH((&ctx),buf.c,sizeof(buf));
         start = OPENSSL_rdtsc();
-        for (i=0;i<100;++i) GHASH(&ctx,buf.c,sizeof(buf));
+        for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
         gcm_t = OPENSSL_rdtsc() - start;
         printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
+        }
 #endif
         }
 #endif
diff --git a/src/lib/libcrypto/modes/modes_lcl.h b/src/lib/libcrypto/modes/modes_lcl.h
index b6dc3c336f..9d83e12844 100644
--- a/src/lib/libcrypto/modes/modes_lcl.h
+++ b/src/lib/libcrypto/modes/modes_lcl.h
@@ -29,10 +29,7 @@ typedef unsigned char u8;
 #if defined(__i386)     || defined(__i386__)    || \
     defined(__x86_64)   || defined(__x86_64__)  || \
     defined(_M_IX86)    || defined(_M_AMD64)    || defined(_M_X64) || \
-    defined(__s390__)   || defined(__s390x__)   || \
-    ( (defined(__arm__) || defined(__arm)) && \
-      (defined(__ARM_ARCH_7__)  || defined(__ARM_ARCH_7A__) || \
-       defined(__ARM_ARCH_7R__) || defined(__ARM_ARCH_7M__)) )
+    defined(__s390__)   || defined(__s390x__)
 # undef STRICT_ALIGNMENT
 #endif
 
@@ -101,8 +98,8 @@ typedef struct { u64 hi,lo; } u128;
 
 struct gcm128_context {
         /* Following 6 names follow names in GCM specification */
-        union { u64 u[2]; u32 d[4]; u8 c[16]; } Yi,EKi,EK0,len,
-                                                Xi,H;
+        union { u64 u[2]; u32 d[4]; u8 c[16]; size_t t[16/sizeof(size_t)]; }
+          Yi,EKi,EK0,len,Xi,H;
         /* Relative position of Xi, H and pre-computed Htable is used
          * in some assembler modules, i.e. don't change the order! */
 #if TABLE_BITS==8
diff --git a/src/lib/libcrypto/pariscid.pl b/src/lib/libcrypto/pariscid.pl
index 477ec9b87d..bfc56fdc7f 100644
--- a/src/lib/libcrypto/pariscid.pl
+++ b/src/lib/libcrypto/pariscid.pl
@@ -97,33 +97,33 @@ OPENSSL_cleanse
         .PROC
         .CALLINFO       NO_CALLS
         .ENTRY
-        cmpib,*=        0,$len,Ldone
+        cmpib,*=        0,$len,L\$done
         nop
-        cmpib,*>>=      15,$len,Little
+        cmpib,*>>=      15,$len,L\$ittle
         ldi             $SIZE_T-1,%r1
 
-Lalign
+L\$align
         and,*<>         $inp,%r1,%r28
-        b,n             Laligned
+        b,n             L\$aligned
         stb             %r0,0($inp)
         ldo             -1($len),$len
-        b               Lalign
+        b               L\$align
         ldo             1($inp),$inp
 
-Laligned
+L\$aligned
         andcm           $len,%r1,%r28
-Lot
+L\$ot
         $ST             %r0,0($inp)
-        addib,*<>       -$SIZE_T,%r28,Lot
+        addib,*<>       -$SIZE_T,%r28,L\$ot
         ldo             $SIZE_T($inp),$inp
 
         and,*<>         $len,%r1,$len
-        b,n             Ldone
-Little
+        b,n             L\$done
+L\$ittle
         stb             %r0,0($inp)
-        addib,*<>       -1,$len,Little
+        addib,*<>       -1,$len,L\$ittle
         ldo             1($inp),$inp
-Ldone
+L\$done
         bv              ($rp)
         .EXIT
         nop
@@ -151,7 +151,7 @@ OPENSSL_instrument_bus
         ldw             0($out),$tick
         add             $diff,$tick,$tick
         stw             $tick,0($out)
-Loop
+L\$oop
         mfctl           %cr16,$tick
         sub             $tick,$lasttick,$diff
         copy            $tick,$lasttick
@@ -161,7 +161,7 @@ Loop
         add             $diff,$tick,$tick
         stw             $tick,0($out)
 
-        addib,<>        -1,$cnt,Loop
+        addib,<>        -1,$cnt,L\$oop
         addi            4,$out,$out
 
         bv              ($rp)
@@ -190,14 +190,14 @@ OPENSSL_instrument_bus2
         mfctl           %cr16,$tick
         sub             $tick,$lasttick,$diff
         copy            $tick,$lasttick
-Loop2
+L\$oop2
         copy            $diff,$lastdiff
         fdc             0($out)
         ldw             0($out),$tick
         add             $diff,$tick,$tick
         stw             $tick,0($out)
 
-        addib,=         -1,$max,Ldone2
+        addib,=         -1,$max,L\$done2
         nop
 
         mfctl           %cr16,$tick
@@ -208,17 +208,18 @@ Loop2
 
         ldi             1,%r1
         xor             %r1,$tick,$tick
-        addb,<>         $tick,$cnt,Loop2
+        addb,<>         $tick,$cnt,L\$oop2
         shladd,l        $tick,2,$out,$out
-Ldone2
+L\$done2
         bv              ($rp)
         .EXIT
         add             $rv,$cnt,$rv
         .PROCEND
 ___
 }
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm   if ($SIZE_T==4);
+$code =~ s/,\*/,/gm             if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm        if ($SIZE_T==8);
 print $code;
 close STDOUT;
 
diff --git a/src/lib/libcrypto/pkcs7/bio_pk7.c b/src/lib/libcrypto/pkcs7/bio_pk7.c
index c8d06d6cdc..0fd31e730f 100644
--- a/src/lib/libcrypto/pkcs7/bio_pk7.c
+++ b/src/lib/libcrypto/pkcs7/bio_pk7.c
@@ -56,7 +56,7 @@
 #include <openssl/pkcs7.h>
 #include <openssl/bio.h>
 
-#ifndef OPENSSL_SYSNAME_NETWARE
+#if !defined(OPENSSL_SYSNAME_NETWARE) && !defined(OPENSSL_SYSNAME_VXWORKS)
 #include <memory.h>
 #endif
 #include <stdio.h>
diff --git a/src/lib/libcrypto/ppccap.c b/src/lib/libcrypto/ppccap.c
index ab89ccaa12..f71ba66aa3 100644
--- a/src/lib/libcrypto/ppccap.c
+++ b/src/lib/libcrypto/ppccap.c
@@ -3,6 +3,7 @@
 #include <string.h>
 #include <setjmp.h>
 #include <signal.h>
+#include <unistd.h>
 #include <crypto.h>
 #include <openssl/bn.h>
 
@@ -53,6 +54,7 @@ static sigjmp_buf ill_jmp;
 static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
 
 void OPENSSL_ppc64_probe(void);
+void OPENSSL_altivec_probe(void);
 
 void OPENSSL_cpuid_setup(void)
         {
@@ -82,6 +84,15 @@ void OPENSSL_cpuid_setup(void)
 
         OPENSSL_ppccap_P = 0;
 
+#if defined(_AIX)
+        if (sizeof(size_t)==4
+# if defined(_SC_AIX_KERNEL_BITMODE)
+            && sysconf(_SC_AIX_KERNEL_BITMODE)!=64
+# endif
+           )
+                return;
+#endif
+
         memset(&ill_act,0,sizeof(ill_act));
         ill_act.sa_handler = ill_handler;
         ill_act.sa_mask    = all_masked;
diff --git a/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
index 7f684092d4..272fa91e1a 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs);
 
diff --git a/src/lib/libcrypto/rc4/asm/rc4-parisc.pl b/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
index 9165067080..ad7e65651c 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
@@ -307,7 +307,8 @@ L\$opts
         .STRINGZ "RC4 for PA-RISC, CRYPTOGAMS by <appro\@openssl.org>"
 ___
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
+$code =~ s/cmpib,\*/comib,/gm   if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm        if ($SIZE_T==8);
 
 print $code;
 close STDOUT;
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 2460910ab2..5a2062f903 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -351,27 +351,27 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
 
         if (!BIO_indent(bp, indent, 128))
                 goto err;
-        if (BIO_puts(bp, "Salt Length: ") <= 0)
+        if (BIO_puts(bp, "Salt Length: 0x") <= 0)
                         goto err;
         if (pss->saltLength)
                 {
                 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
                         goto err;
                 }
-        else if (BIO_puts(bp, "20 (default)") <= 0)
+        else if (BIO_puts(bp, "0x14 (default)") <= 0)
                 goto err;
         BIO_puts(bp, "\n");
 
         if (!BIO_indent(bp, indent, 128))
                 goto err;
-        if (BIO_puts(bp, "Trailer Field: ") <= 0)
+        if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
                         goto err;
         if (pss->trailerField)
                 {
                 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
                         goto err;
                 }
-        else if (BIO_puts(bp, "0xbc (default)") <= 0)
+        else if (BIO_puts(bp, "BC (default)") <= 0)
                 goto err;
         BIO_puts(bp, "\n");
         
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 5b2ecf56ad..157aa5c41d 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -611,6 +611,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
                         pm = RSA_NO_PADDING;
                 else if (!strcmp(value, "oeap"))
                         pm = RSA_PKCS1_OAEP_PADDING;
+                else if (!strcmp(value, "oaep"))
+                        pm = RSA_PKCS1_OAEP_PADDING;
                 else if (!strcmp(value, "x931"))
                         pm = RSA_X931_PADDING;
                 else if (!strcmp(value, "pss"))
diff --git a/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl b/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
index fe8207f77f..33da3e0e3c 100644
--- a/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
@@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) {
 $code.=<<___;
         teq     $Xi,sp
         bne     .L_00_15                @ [((11+4)*5+2)*3]
+        sub     sp,sp,#25*4
 ___
         &BODY_00_15(@V);        unshift(@V,pop(@V));
         &BODY_16_19(@V);        unshift(@V,pop(@V));
@@ -186,7 +187,6 @@ ___
 $code.=<<___;
 
         ldr     $K,.LK_20_39            @ [+15+16*4]
-        sub     sp,sp,#25*4
         cmn     sp,#0                   @ [+3], clear carry to denote 20_39
 .L_20_39_or_60_79:
 ___
diff --git a/src/lib/libcrypto/sha/asm/sha1-ia64.pl b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
index db28f0805a..02d35d1614 100644
--- a/src/lib/libcrypto/sha/asm/sha1-ia64.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
@@ -271,7 +271,8 @@ tmp6=loc13;
 
 ___
 
-{ my $i,@V=($A,$B,$C,$D,$E);
+{ my $i;
+  my @V=($A,$B,$C,$D,$E);
 
         for($i=0;$i<16;$i++)    { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); }
         for(;$i<20;$i++)        { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); }
diff --git a/src/lib/libcrypto/sha/asm/sha1-parisc.pl b/src/lib/libcrypto/sha/asm/sha1-parisc.pl
index 6d7bf495b2..6e5a328a6f 100644
--- a/src/lib/libcrypto/sha/asm/sha1-parisc.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-parisc.pl
@@ -254,6 +254,7 @@ $code.=<<___;
 ___
 
 $code =~ s/\`([^\`]*)\`/eval $1/gem;
-$code =~ s/,\*/,/gm if ($SIZE_T==4);
+$code =~ s/,\*/,/gm             if ($SIZE_T==4);
+$code =~ s/\bbv\b/bve/gm        if ($SIZE_T==8);
 print $code;
 close STDOUT;
diff --git a/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl b/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
index 85e8d68086..e65291bbd9 100644
--- a/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
@@ -549,7 +549,7 @@ ___
 # programmer detect if current CPU is VIS capable at run-time.
 sub unvis {
 my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my $ref,$opf;
+my ($ref,$opf);
 my %visopf = (  "fmul8ulx16"    => 0x037,
                 "faligndata"    => 0x048,
                 "fpadd32"       => 0x052,
diff --git a/src/lib/libcrypto/sha/asm/sha1-x86_64.pl b/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
index f27c1e3fb0..f15c7ec39b 100755
--- a/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
@@ -82,7 +82,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
            `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
            $1>=10);
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 $ctx="%rdi";    # 1st arg
 $inp="%rsi";    # 2nd arg
@@ -744,7 +745,7 @@ $code.=<<___;
         mov     %rdi,$ctx       # reassigned argument
         mov     %rsi,$inp       # reassigned argument
         mov     %rdx,$num       # reassigned argument
-        vzeroall
+        vzeroupper
 
         shl     \$6,$num
         add     $inp,$num
@@ -1037,7 +1038,7 @@ ___
         &Xtail_avx(\&body_20_39);
 
 $code.=<<___;
-        vzeroall
+        vzeroupper
 
         add     0($ctx),$A                      # update context
         add     4($ctx),@T[0]
diff --git a/src/lib/libcrypto/sha/asm/sha512-586.pl b/src/lib/libcrypto/sha/asm/sha512-586.pl
index 5b9f3337ad..7eab6a5b88 100644
--- a/src/lib/libcrypto/sha/asm/sha512-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-586.pl
@@ -142,9 +142,9 @@ sub BODY_00_15_x86 {
         &mov    ("edx",$Ehi);
         &mov    ("esi","ecx");
 
-        &shr    ("ecx",9)       # lo>>9
+        &shr    ("ecx",9);      # lo>>9
         &mov    ("edi","edx");
-        &shr    ("edx",9)       # hi>>9
+        &shr    ("edx",9);      # hi>>9
         &mov    ("ebx","ecx");
         &shl    ("esi",14);     # lo<<14
         &mov    ("eax","edx");
@@ -207,9 +207,9 @@ sub BODY_00_15_x86 {
         &mov    ($Dhi,"ebx");
         &mov    ("esi","ecx");
 
-        &shr    ("ecx",2)       # lo>>2
+        &shr    ("ecx",2);      # lo>>2
         &mov    ("edi","edx");
-        &shr    ("edx",2)       # hi>>2
+        &shr    ("edx",2);      # hi>>2
         &mov    ("ebx","ecx");
         &shl    ("esi",4);      # lo<<4
         &mov    ("eax","edx");
@@ -452,9 +452,9 @@ if ($sse2) {
         &mov    ("edx",&DWP(8*(9+15+16-1)+4,"esp"));
         &mov    ("esi","ecx");
 
-        &shr    ("ecx",1)       # lo>>1
+        &shr    ("ecx",1);      # lo>>1
         &mov    ("edi","edx");
-        &shr    ("edx",1)       # hi>>1
+        &shr    ("edx",1);      # hi>>1
         &mov    ("eax","ecx");
         &shl    ("esi",24);     # lo<<24
         &mov    ("ebx","edx");
@@ -488,9 +488,9 @@ if ($sse2) {
         &mov    ("edx",&DWP(8*(9+15+16-14)+4,"esp"));
         &mov    ("esi","ecx");
 
-        &shr    ("ecx",6)       # lo>>6
+        &shr    ("ecx",6);      # lo>>6
         &mov    ("edi","edx");
-        &shr    ("edx",6)       # hi>>6
+        &shr    ("edx",6);      # hi>>6
         &mov    ("eax","ecx");
         &shl    ("esi",3);      # lo<<3
         &mov    ("ebx","edx");
diff --git a/src/lib/libcrypto/sha/asm/sha512-mips.pl b/src/lib/libcrypto/sha/asm/sha512-mips.pl
index ba5b250890..ffa053bb7d 100644
--- a/src/lib/libcrypto/sha/asm/sha512-mips.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-mips.pl
@@ -351,7 +351,7 @@ $code.=<<___;
         $ST     $G,6*$SZ($ctx)
         $ST     $H,7*$SZ($ctx)
 
-        bnel    $inp,@X[15],.Loop
+        bne     $inp,@X[15],.Loop
         $PTR_SUB $Ktbl,`($rounds-16)*$SZ`       # rewind $Ktbl
 
         $REG_L  $ra,$FRAMESIZE-1*$SZREG($sp)
diff --git a/src/lib/libcrypto/sha/asm/sha512-parisc.pl b/src/lib/libcrypto/sha/asm/sha512-parisc.pl
index e24ee58ae9..fc0e15b3c0 100755
--- a/src/lib/libcrypto/sha/asm/sha512-parisc.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-parisc.pl
@@ -785,6 +785,8 @@ foreach (split("\n",$code)) {
 
         s/cmpb,\*/comb,/ if ($SIZE_T==4);
 
+        s/\bbv\b/bve/    if ($SIZE_T==8);
+
         print $_,"\n";
 }
 
diff --git a/src/lib/libcrypto/sha/asm/sha512-x86_64.pl b/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
index f611a2d898..8d51678557 100755
--- a/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 if ($output =~ /512/) {
         $func="sha512_block_data_order";
diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c
index f88d3d6dad..4eae074849 100644
--- a/src/lib/libcrypto/sha/sha256.c
+++ b/src/lib/libcrypto/sha/sha256.c
@@ -88,17 +88,17 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c)
         switch ((c)->md_len)            \
         {   case SHA224_DIGEST_LENGTH:  \
                 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++)       \
-                {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
+                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                 break;                  \
             case SHA256_DIGEST_LENGTH:  \
                 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++)       \
-                {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
+                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                 break;                  \
             default:                    \
                 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
                     return 0;                           \
                 for (nn=0;nn<(c)->md_len/4;nn++)                \
-                {   ll=(c)->h[nn]; HOST_l2c(ll,(s));   }        \
+                {   ll=(c)->h[nn]; (void)HOST_l2c(ll,(s));   }  \
                 break;                  \
         }                               \
         } while (0)
diff --git a/src/lib/libcrypto/sparccpuid.S b/src/lib/libcrypto/sparccpuid.S
index ae61f7f5ce..0cc247e489 100644
--- a/src/lib/libcrypto/sparccpuid.S
+++ b/src/lib/libcrypto/sparccpuid.S
@@ -235,10 +235,10 @@ _sparcv9_rdtick:
 .global _sparcv9_vis1_probe
 .align  8
 _sparcv9_vis1_probe:
-        .word   0x81b00d80      !fxor   %f0,%f0,%f0
         add     %sp,BIAS+2,%o1
-        retl
         .word   0xc19a5a40      !ldda   [%o1]ASI_FP16_P,%f0
+        retl
+        .word   0x81b00d80      !fxor   %f0,%f0,%f0
 .type   _sparcv9_vis1_probe,#function
 .size   _sparcv9_vis1_probe,.-_sparcv9_vis1_probe
 
diff --git a/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl b/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
index 32cf16380b..cb2381c22b 100644
--- a/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
+++ b/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
@@ -119,7 +119,7 @@ $tbl="ebp";
         &mov    ("eax",&DWP(0,"esp"));
         &mov    ("ebx",&DWP(4,"esp"));
 for($i=0;$i<8;$i++) {
-    my $func = ($i==0)? movq : pxor;
+    my $func = ($i==0)? \&movq : \&pxor;
         &movb   (&LB("ecx"),&LB("eax"));
         &movb   (&LB("edx"),&HB("eax"));
         &scale  ("esi","ecx");
diff --git a/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl b/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
index 87c0843dc1..24b2ff60c3 100644
--- a/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
+++ b/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
@@ -41,7 +41,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
 ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
 die "can't locate x86_64-xlate.pl";
 
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
 
 sub L() { $code.=".byte ".join(',',@_)."\n"; }
 sub LL(){ $code.=".byte ".join(',',@_).",".join(',',@_)."\n"; }
diff --git a/src/lib/libcrypto/x86cpuid.pl b/src/lib/libcrypto/x86cpuid.pl
index 39fd8f2293..b270b44337 100644
--- a/src/lib/libcrypto/x86cpuid.pl
+++ b/src/lib/libcrypto/x86cpuid.pl
@@ -67,6 +67,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
         &inc    ("esi");                # number of cores
 
         &mov    ("eax",1);
+        &xor    ("ecx","ecx");
         &cpuid  ();
         &bt     ("edx",28);
         &jnc    (&label("generic"));
@@ -91,6 +92,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 
 &set_label("nocacheinfo");
         &mov    ("eax",1);
+        &xor    ("ecx","ecx");
         &cpuid  ();
         &and    ("edx",0xbfefffff);     # force reserved bits #20, #30 to 0
         &cmp    ("ebp",0);
@@ -165,7 +167,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
         &jnz    (&label("nohalt"));     # not enough privileges
 
         &pushf  ();
-        &pop    ("eax")
+        &pop    ("eax");
         &bt     ("eax",9);
         &jnc    (&label("nohalt"));     # interrupts are disabled
 
@@ -280,7 +282,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 #       arguments is 1 or 2!
 &function_begin_B("OPENSSL_indirect_call");
         {
-        my $i,$max=7;           # $max has to be chosen as 4*n-1
+        my ($max,$i)=(7,);      # $max has to be chosen as 4*n-1
                                 # in order to preserve eventual
                                 # stack alignment
         &push   ("ebp");
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index f61f718183..106939f241 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
         pqueue_free(s->d1->buffered_app_data.q);
 
         OPENSSL_free(s->d1);
+        s->d1 = NULL;
         }
 
 void dtls1_clear(SSL *s)
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 928935bd8b..ab9c41922c 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -115,11 +115,12 @@
   Copyright (C) 2011, RTFM, Inc.
 */
 
-#ifndef OPENSSL_NO_SRTP
-
 #include <stdio.h>
 #include <openssl/objects.h>
 #include "ssl_locl.h"
+
+#ifndef OPENSSL_NO_SRTP
+
 #include "srtp.h"
 
 
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl
index c938bcf00d..dfef799be2 100644
--- a/src/lib/libssl/test/cms-test.pl
+++ b/src/lib/libssl/test/cms-test.pl
@@ -415,8 +415,10 @@ sub run_smime_tests {
 }
 
 sub cmp_files {
+    use FileHandle;
     my ( $f1, $f2 ) = @_;
-    my ( $fp1, $fp2 );
+    my $fp1 = FileHandle->new();
+    my $fp2 = FileHandle->new();
 
     my ( $rd1, $rd2 );