v4.22-9634-beta

2026-04-20 13:59:26 +03:00 · 2016-11-27 17:43:14 +09:00
parent 0978e1a016
commit 4df2eb4f9c
122 changed files with 1265 additions and 562 deletions
@@ -385,6 +385,34 @@ bool FileCopyExW(wchar_t *src, wchar_t *dst, bool read_lock)

 	return ret;
 }
+bool FileCopyExWithEofW(wchar_t *src, wchar_t *dst, bool read_lock)
+{
+	BUF *b;
+	bool ret = false;
+	// Validate arguments
+	if (src == NULL || dst == NULL)
+	{
+		return false;
+	}
+
+	b = ReadDumpExW(src, false);
+	if (b == NULL)
+	{
+		return false;
+	}
+
+	SeekBuf(b, b->Size, 0);
+
+	WriteBufChar(b, 0x1A);
+
+	SeekBuf(b, 0, 0);
+
+	ret = DumpBufW(b, dst);
+
+	FreeBuf(b);
+
+	return ret;
+}

 // Save the settings to a file
 void CfgSave(FOLDER *f, char *name)
@@ -459,7 +487,8 @@ bool CfgSaveExW3(CFG_RW *rw, FOLDER *f, wchar_t *name, UINT *written_size, bool
 		// Generate a temporary file name
 		UniFormat(tmp, sizeof(tmp), L"%s.log", name);
 		// Copy the file that currently exist to a temporary file
-		FileCopyW(name, tmp);
+		// with appending the EOF
+		FileCopyExWithEofW(name, tmp, true);

 		// Save the new file
 		o = FileCreateW(name);
@@ -481,6 +510,7 @@ bool CfgSaveExW3(CFG_RW *rw, FOLDER *f, wchar_t *name, UINT *written_size, bool
 			{
 				// Successful saving file
 				FileClose(o);
+
 				// Delete the temporary file
 				FileDeleteW(tmp);
 			}
@@ -528,6 +558,7 @@ FOLDER *CfgReadW(wchar_t *name)
 	bool binary_file = false;
 	bool invalid_file = false;
 	UCHAR header[8];
+	bool has_eof = false;
 	// Validate arguments
 	if (name == NULL)
 	{
@@ -543,8 +574,31 @@ FOLDER *CfgReadW(wchar_t *name)
 	o = FileOpenW(newfile, false);
 	if (o == NULL)
 	{
+		UINT size;
 		// Read the temporary file
 		o = FileOpenW(tmp, false);
+
+		if (o != NULL)
+		{
+			// Check the EOF
+			size = FileSize(o);
+			if (size >= 2)
+			{
+				char c;
+
+				if (FileSeek(o, FILE_BEGIN, size - 1) && FileRead(o, &c, 1) && c == 0x1A && FileSeek(o, FILE_BEGIN, 0))
+				{
+					// EOF ok
+					has_eof = true;
+				}
+				else
+				{
+					// No EOF: file is corrupted
+					FileClose(o);
+					o = NULL;
+				}
+			}
+		}
 	}
 	else
 	{
@@ -577,6 +631,11 @@ FOLDER *CfgReadW(wchar_t *name)

 	// Read into the buffer
 	size = FileSize(o);
+	if (has_eof)
+	{
+		// Ignore EOF
+		size -= 1;
+	}
 	buf = Malloc(size);
 	FileRead(o, buf, size);
 	b = NewBuf();
@@ -1818,6 +1818,40 @@ UINT GetDaysUntil2038()
 		return (UINT)((target - now) / (UINT64)(1000 * 60 * 60 * 24));
 	}
 }
+UINT GetDaysUntil2038Ex()
+{
+	SYSTEMTIME now;
+
+	Zero(&now, sizeof(now));
+	SystemTime(&now);
+
+	if (now.wYear >= 2030)
+	{
+		UINT64 now = SystemTime64();
+		UINT64 target;
+		SYSTEMTIME st;
+
+		Zero(&st, sizeof(st));
+		st.wYear = 2049;
+		st.wMonth = 12;
+		st.wDay = 30;
+
+		target = SystemToUINT64(&st);
+
+		if (now >= target)
+		{
+			return 0;
+		}
+		else
+		{
+			return (UINT)((target - now) / (UINT64)(1000 * 60 * 60 * 24));
+		}
+	}
+	else
+	{
+		return GetDaysUntil2038();
+	}
+}

 // Issue an X509 certificate
 X *NewX(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial)
@@ -4885,6 +4919,22 @@ bool DhCompute(DH_CTX *dh, void *dst_priv_key, void *src_pub_key, UINT key_size)
 	return ret;
 }

+// Creating a DH 2048bit
+DH_CTX *DhNew2048()
+{
+	return DhNew(DH_SET_2048, 2);
+}
+// Creating a DH 3072bit
+DH_CTX *DhNew3072()
+{
+	return DhNew(DH_SET_3072, 2);
+}
+// Creating a DH 4096bit
+DH_CTX *DhNew4096()
+{
+	return DhNew(DH_SET_4096, 2);
+}
+
 // Creating a DH GROUP1
 DH_CTX *DhNewGroup1()
 {
@@ -170,6 +170,61 @@ void RAND_Free_For_SoftEther();

 #define	DH_SIMPLE_160	"AEE7561459353C95DDA966AE1FD25D95CD46E935"

+#define	DH_SET_2048 \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
+	"15728E5A8AACAA68FFFFFFFFFFFFFFFF"
+
+#define	DH_SET_3072	\
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"\
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD"\
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"\
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"\
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"\
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"\
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D"\
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"\
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"\
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510"\
+	"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"\
+	"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"\
+	"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"\
+	"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"\
+	"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"\
+	"43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
+
+#define	DH_SET_4096 \
+	"FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" \
+	"29024E088A67CC74020BBEA63B139B22514A08798E3404DD" \
+	"EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" \
+	"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
+	"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" \
+	"C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" \
+	"83655D23DCA3AD961C62F356208552BB9ED529077096966D" \
+	"670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" \
+	"E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" \
+	"DE2BCBF6955817183995497CEA956AE515D2261898FA0510" \
+	"15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" \
+	"ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" \
+	"ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" \
+	"F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" \
+	"BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" \
+	"43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" \
+	"88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" \
+	"2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" \
+	"287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" \
+	"1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" \
+	"93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" \
+	"FFFFFFFFFFFFFFFF"
+
 // Macro
 #define	HASHED_DATA(p)			(((UCHAR *)p) + 15)

@@ -376,6 +431,7 @@ X *NewRootX(K *pub, K *priv, NAME *name, UINT days, X_SERIAL *serial);
 X509 *NewX509(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial);
 X *NewX(K *pub, K *priv, X *ca, NAME *name, UINT days, X_SERIAL *serial);
 UINT GetDaysUntil2038();
+UINT GetDaysUntil2038Ex();
 X_SERIAL *NewXSerial(void *data, UINT size);
 void FreeXSerial(X_SERIAL *serial);
 char *ByteToStr(BYTE *src, UINT src_size);
@@ -465,6 +521,9 @@ DH_CTX *DhNewGroup1();
 DH_CTX *DhNewGroup2();
 DH_CTX *DhNewGroup5();
 DH_CTX *DhNewSimple160();
+DH_CTX *DhNew2048();
+DH_CTX *DhNew3072();
+DH_CTX *DhNew4096();
 DH_CTX *DhNew(char *prime, UINT g);
 void DhFree(DH_CTX *dh);
 BUF *DhToBuf(DH_CTX *dh);
@@ -381,12 +381,15 @@ void ZipAddFileStart(ZIP_PACKER *p, char *name, UINT size, UINT64 dt, UINT attri
 UINT ZipAddFileData(ZIP_PACKER *p, void *data, UINT pos, UINT len)
 {
 	UINT ret;
+	UINT total_size;
 	// Validate arguments
 	if (p == NULL)
 	{
 		return 0;
 	}
-	UINT total_size = p->CurrentFile->CurrentSize + len;
+
+	total_size = p->CurrentFile->CurrentSize + len;
+
 	if (total_size > p->CurrentFile->Size)
 	{
 		return 0;
@@ -172,6 +172,109 @@ static LOCALE current_locale;
 LOCK *tick_manual_lock = NULL;
 UINT g_zero = 0;

+#define MONSPERYEAR 12
+#define DAYSPERNYEAR 365
+#define DAYSPERLYEAR 366
+#define SECSPERMIN 60
+#define SECSPERHOUR (60*60)
+#define SECSPERDAY (24*60*60)
+#define DAYSPERWEEK 7
+#define TM_SUNDAY	0
+#define TM_MONDAY	1
+#define TM_TUESDAY	2
+#define TM_WEDNESDAY	3
+#define TM_THURSDAY	4
+#define TM_FRIDAY	5
+#define TM_SATURDAY	6
+
+#define TM_YEAR_BASE	1900
+
+#define EPOCH_YEAR	1970
+#define EPOCH_WDAY	TM_THURSDAY
+
+#define isleap(y) (((y) % 4) == 0 && (((y) % 100) != 0 || ((y) % 400) == 0))
+
+static const int	mon_lengths[2][MONSPERYEAR] = {
+	{ 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 },
+	{ 31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 }
+};
+
+static const int	year_lengths[2] = {
+	DAYSPERNYEAR, DAYSPERLYEAR
+};
+
+
+/*
+ * Taken from FreeBSD src / lib / libc / stdtime / localtime.c 1.43 revision.
+ * localtime.c 7.78.
+ * tzfile.h 1.8
+ * adapted to be replacement gmtime_r.
+ */
+static void
+c_timesub(timep, offset, tmp)
+const time_64t * const			timep;
+const long				offset;
+struct tm * const		tmp;
+{
+	INT64			days;
+	INT64			rem;
+	INT64			y;
+	int			yleap;
+	const int *		ip;
+
+	days = *timep / SECSPERDAY;
+	rem = *timep % SECSPERDAY;
+	rem += (offset);
+	while (rem < 0) {
+		rem += SECSPERDAY;
+		--days;
+	}
+	while (rem >= SECSPERDAY) {
+		rem -= SECSPERDAY;
+		++days;
+	}
+	tmp->tm_hour = (int) (rem / SECSPERHOUR);
+	rem = rem % SECSPERHOUR;
+	tmp->tm_min = (int) (rem / SECSPERMIN);
+	/*
+	** A positive leap second requires a special
+	** representation.  This uses "... ??:59:60" et seq.
+	*/
+	tmp->tm_sec = (int) (rem % SECSPERMIN) ;
+	tmp->tm_wday = (int) ((EPOCH_WDAY + days) % DAYSPERWEEK);
+	if (tmp->tm_wday < 0)
+		tmp->tm_wday += DAYSPERWEEK;
+	y = EPOCH_YEAR;
+#define LEAPS_THRU_END_OF(y)	((y) / 4 - (y) / 100 + (y) / 400)
+	while (days < 0 || days >= (long) year_lengths[yleap = isleap(y)]) {
+		INT64	newy;
+
+		newy = y + days / DAYSPERNYEAR;
+		if (days < 0)
+			--newy;
+		days -= (newy - y) * DAYSPERNYEAR +
+			LEAPS_THRU_END_OF(newy - 1) -
+			LEAPS_THRU_END_OF(y - 1);
+		y = newy;
+	}
+	tmp->tm_year = (int)(y - TM_YEAR_BASE);
+	tmp->tm_yday = (int) days;
+	ip = mon_lengths[yleap];
+	for (tmp->tm_mon = 0; days >= (INT64) ip[tmp->tm_mon]; ++(tmp->tm_mon))
+		days = days - (INT64) ip[tmp->tm_mon];
+	tmp->tm_mday = (int) (days + 1);
+	tmp->tm_isdst = 0;
+}
+
+/*
+* Re-entrant version of gmtime.
+*/
+struct tm * c_gmtime_r(const time_64t* timep, struct tm *tm)
+{
+	c_timesub(timep, 0L, tm);
+	return tm;
+}
+
 // Get the real-time system timer
 UINT TickRealtime()
 {
@@ -219,7 +322,14 @@ UINT64 TickGetRealtimeTickValue64()

 	gettimeofday(&tv, &tz);

-	ret = (UINT64)tv.tv_sec * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	if (sizeof(tv.tv_sec) != 4)
+	{
+		ret = (UINT64)tv.tv_sec * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	}
+	else
+	{
+		ret = (UINT64)((UINT64)((UINT32)tv.tv_sec)) * 1000ULL + (UINT64)tv.tv_usec / 1000ULL;
+	}

 	return ret;
 }
@@ -815,7 +925,7 @@ void GetTimeStr64(char *str, UINT size, UINT64 sec64)
 // Convert to a time to be used safely in the current POSIX implementation
 UINT64 SafeTime64(UINT64 sec64)
 {
-	return MAKESURE(sec64, 0, 2115947647000ULL);
+	return MAKESURE(sec64, 0, 4102243323123ULL);
 }

 // Thread pool
@@ -1694,7 +1804,7 @@ void TmToSystem(SYSTEMTIME *st, struct tm *t)
 	NormalizeTm(&tmp);

 	Zero(st, sizeof(SYSTEMTIME));
-	st->wYear = MAKESURE(tmp.tm_year + 1900, 1970, 2037);
+	st->wYear = MAKESURE(tmp.tm_year + 1900, 1970, 2099);
 	st->wMonth = MAKESURE(tmp.tm_mon + 1, 1, 12);
 	st->wDay = MAKESURE(tmp.tm_mday, 1, 31);
 	st->wDayOfWeek = MAKESURE(tmp.tm_wday, 0, 6);
@@ -1714,7 +1824,7 @@ void SystemToTm(struct tm *t, SYSTEMTIME *st)
 	}

 	Zero(t, sizeof(struct tm));
-	t->tm_year = MAKESURE(st->wYear, 1970, 2037) - 1900;
+	t->tm_year = MAKESURE(st->wYear, 1970, 2099) - 1900;
 	t->tm_mon = MAKESURE(st->wMonth, 1, 12) - 1;
 	t->tm_mday = MAKESURE(st->wDay, 1, 31);
 	t->tm_hour = MAKESURE(st->wHour, 0, 23);
@@ -1726,7 +1836,7 @@ void SystemToTm(struct tm *t, SYSTEMTIME *st)
 }

 // Convert the time_t to SYSTEMTIME
-void TimeToSystem(SYSTEMTIME *st, time_t t)
+void TimeToSystem(SYSTEMTIME *st, time_64t t)
 {
 	struct tm tmp;
 	// Validate arguments
@@ -1740,7 +1850,7 @@ void TimeToSystem(SYSTEMTIME *st, time_t t)
 }

 // Convert the time_t to 64-bit SYSTEMTIME
-UINT64 TimeToSystem64(time_t t)
+UINT64 TimeToSystem64(time_64t t)
 {
 	SYSTEMTIME st;

@@ -1750,7 +1860,7 @@ UINT64 TimeToSystem64(time_t t)
 }

 // Convert the SYSTEMTIME to time_t
-time_t SystemToTime(SYSTEMTIME *st)
+time_64t SystemToTime(SYSTEMTIME *st)
 {
 	struct tm t;
 	// Validate arguments
@@ -1764,7 +1874,7 @@ time_t SystemToTime(SYSTEMTIME *st)
 }

 // Convert a 64-bit SYSTEMTIME to a time_t
-time_t System64ToTime(UINT64 i)
+time_64t System64ToTime(UINT64 i)
 {
 	SYSTEMTIME st;

@@ -1774,9 +1884,9 @@ time_t System64ToTime(UINT64 i)
 }

 // Convert the tm to time_t
-time_t TmToTime(struct tm *t)
+time_64t TmToTime(struct tm *t)
 {
-	time_t tmp;
+	time_64t tmp;
 	// Validate arguments
 	if (t == NULL)
 	{
@@ -1784,7 +1894,7 @@ time_t TmToTime(struct tm *t)
 	}

 	tmp = c_mkgmtime(t);
-	if (tmp == (time_t)-1)
+	if (tmp == (time_64t)-1)
 	{
 		return 0;
 	}
@@ -1792,42 +1902,22 @@ time_t TmToTime(struct tm *t)
 }

 // Convert time_t to tm
-void TimeToTm(struct tm *t, time_t time)
+void TimeToTm(struct tm *t, time_64t time)
 {
-	struct tm *ret;
 	// Validate arguments
 	if (t == NULL)
 	{
 		return;
 	}

-#ifndef	OS_UNIX
-	ret = gmtime(&time);
-#else	// OS_UNIX
-	ret = malloc(sizeof(struct tm));
-	memset(ret, 0, sizeof(struct tm));
-	gmtime_r(&time, ret);
-#endif	// OS_UNIX
-
-	if (ret == NULL)
-	{
-		Zero(t, sizeof(struct tm));
-	}
-	else
-	{
-		Copy(t, ret, sizeof(struct tm));
-	}
-
-#ifdef	OS_UNIX
-	free(ret);
-#endif	// OS_UNIX
+	Zero(t, sizeof(struct tm));
+	c_gmtime_r(&time, t);
 }

 // Normalize the tm
 void NormalizeTm(struct tm *t)
 {
-	struct tm *ret;
-	time_t tmp;
+	time_64t tmp;
 	// Validate arguments
 	if (t == NULL)
 	{
@@ -1835,31 +1925,12 @@ void NormalizeTm(struct tm *t)
 	}

 	tmp = c_mkgmtime(t);
-	if (tmp == (time_t)-1)
+	if (tmp == (time_64t)-1)
 	{
 		return;
 	}

-#ifndef	OS_UNIX
-	ret = gmtime(&tmp);
-#else	// OS_UNIX
-	ret = malloc(sizeof(struct tm));
-	memset(ret, 0, sizeof(struct tm));
-	gmtime_r(&tmp, ret);
-#endif	// OS_UNIX
-
-	if (ret == NULL)
-	{
-		Zero(t, sizeof(struct tm));
-	}
-	else
-	{
-		Copy(t, ret, sizeof(struct tm));
-	}
-
-#ifdef	OS_UNIX
-	free(ret);
-#endif	// OS_UNIX
+	c_gmtime_r(&tmp, t);
 }

 // Normalize the SYSTEMTIME
@@ -1934,10 +2005,19 @@ INT64 GetTimeDiffEx(SYSTEMTIME *basetime, bool local_time)

 	Copy(&snow, basetime, sizeof(SYSTEMTIME));

+	if (sizeof(time_t) == 4)
+	{
+		if (snow.wYear >= 2038)
+		{
+			// For old systems: avoid the 2038-year problem
+			snow.wYear = 2037;
+		}
+	}
+
 	SystemToTm(&now, &snow);
 	if (local_time == false)
 	{
-		tmp = c_mkgmtime(&now);
+		tmp = (time_t)c_mkgmtime(&now);
 	}
 	else
 	{
@@ -1965,54 +2045,12 @@ INT64 GetTimeDiffEx(SYSTEMTIME *basetime, bool local_time)
 	return ret;
 }

-// Get the time difference between the local time and system time
-INT64 GetTimeDiff()
-{
-	time_t tmp;
-	struct tm t1, t2;
-	SYSTEMTIME snow;
-	struct tm now;
-	SYSTEMTIME s1, s2;
-	INT64 ret;
-
-	static INT64 cache = INFINITE;
-
-	if (cache != INFINITE)
-	{
-		// Returns the cache data after measured once
-		return cache;
-	}
-
-	SystemTime(&snow);
-	SystemToTm(&now, &snow);
-	tmp = c_mkgmtime(&now);
-	if (tmp == (time_t)-1)
-	{
-		return 0;
-	}
-
-#ifndef	OS_UNIX
-	Copy(&t1, localtime(&tmp), sizeof(struct tm));
-	Copy(&t2, gmtime(&tmp), sizeof(struct tm));
-#else	// OS_UNIX
-	localtime_r(&tmp, &t1);
-	gmtime_r(&tmp, &t2);
-#endif	// OS_UNIX
-
-	TmToSystem(&s1, &t1);
-	TmToSystem(&s2, &t2);
-
-	cache = ret = (INT)SystemToUINT64(&s1) - (INT)SystemToUINT64(&s2);
-
-	return ret;
-}
-
 // Convert UINT64 to the SYSTEMTIME
 void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 {
 	UINT64 tmp64;
 	UINT sec, millisec;
-	time_t time;
+	time_64t time;
 	// Validate arguments
 	if (st == NULL)
 	{
@@ -2023,7 +2061,7 @@ void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 	tmp64 = sec64 / (UINT64)1000;
 	millisec = (UINT)(sec64 - tmp64 * (UINT64)1000);
 	sec = (UINT)tmp64;
-	time = (time_t)sec;
+	time = (time_64t)sec;
 	TimeToSystem(st, time);
 	st->wMilliseconds = (WORD)millisec;
 }
@@ -2032,7 +2070,7 @@ void UINT64ToSystem(SYSTEMTIME *st, UINT64 sec64)
 UINT64 SystemToUINT64(SYSTEMTIME *st)
 {
 	UINT64 sec64;
-	time_t time;
+	time_64t time;
 	// Validate arguments
 	if (st == NULL)
 	{
@@ -2091,7 +2129,7 @@ void SystemTime(SYSTEMTIME *st)
 	KS_INC(KS_GETTIME_COUNT);
 }

-time_t c_mkgmtime(struct tm *tm)
+time_64t c_mkgmtime(struct tm *tm)
 {
 	int years, months, days, hours, minutes, seconds;

@@ -2142,7 +2180,7 @@ time_t c_mkgmtime(struct tm *tm)
 		tm->tm_isdst = 0;

 		if (years < 1970)
-			return (time_t)-1;
+			return (time_64t)-1;

 #if (defined(TM_YEAR_MAX) && defined(TM_MON_MAX) && defined(TM_MDAY_MAX))
 #if (defined(TM_HOUR_MAX) && defined(TM_MIN_MAX) && defined(TM_SEC_MAX))
@@ -2156,11 +2194,11 @@ time_t c_mkgmtime(struct tm *tm)
 			(hours == TM_HOUR_MAX &&
 			(minutes > TM_MIN_MAX ||
 			(minutes == TM_MIN_MAX && seconds > TM_SEC_MAX) )))))))
-			return (time_t)-1;
+			return (time_64t)-1;
 #endif
 #endif

-		return (time_t)(86400L * (unsigned long)(unsigned)days +
+		return (time_64t)(86400L * (unsigned long)(unsigned)days +
 			3600L * (unsigned long)hours +
 			(unsigned long)(60 * minutes + seconds));
 }
@@ -194,15 +194,16 @@ void FreeThreading();
 void ThreadPoolProc(THREAD *t, void *param);
 void SetThreadName(UINT thread_id, char *name, void *param);

-time_t c_mkgmtime(struct tm *tm);
-time_t System64ToTime(UINT64 i);
+struct tm * c_gmtime_r(const time_64t* timep, struct tm *tm);
+time_64t c_mkgmtime(struct tm *tm);
+time_64t System64ToTime(UINT64 i);
 void TmToSystem(SYSTEMTIME *st, struct tm *t);
 void SystemToTm(struct tm *t, SYSTEMTIME *st);
-void TimeToSystem(SYSTEMTIME *st, time_t t);
-UINT64 TimeToSystem64(time_t t);
-time_t SystemToTime(SYSTEMTIME *st);
-time_t TmToTime(struct tm *t);
-void TimeToTm(struct tm *t, time_t time);
+void TimeToSystem(SYSTEMTIME *st, time_64t t);
+UINT64 TimeToSystem64(time_64t t);
+time_64t SystemToTime(SYSTEMTIME *st);
+time_64t TmToTime(struct tm *t);
+void TimeToTm(struct tm *t, time_64t time);
 void NormalizeTm(struct tm *t);
 void NormalizeSystem(SYSTEMTIME *st);
 void LocalToSystem(SYSTEMTIME *system, SYSTEMTIME *local);
@@ -145,7 +145,7 @@ typedef struct x509_crl_st X509_CRL;
 #define	BUF_SIZE			512

 // Support Windows OS list
-#define	SUPPORTED_WINDOWS_LIST		"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2"
+#define	SUPPORTED_WINDOWS_LIST		"Windows 98 / 98 SE / ME / NT 4.0 SP6a / 2000 SP4 / XP SP2, SP3 / Vista SP1, SP2 / 7 SP1 / 8 / 8.1 / 10 / Server 2003 SP2 / Server 2008 SP1, SP2 / Hyper-V Server 2008 / Server 2008 R2 SP1 / Hyper-V Server 2008 R2 / Server 2012 / Hyper-V Server 2012 / Server 2012 R2 / Hyper-V Server 2012 R2 / Server 2016"

 // Infinite
 #ifndef	WINDOWS_H
@@ -299,6 +299,8 @@ typedef signed char			CHAR;
 typedef	unsigned long long	UINT64;
 typedef signed long long	INT64;

+typedef signed long long	time_64t;
+
 #ifdef	OS_UNIX
 // Avoiding compile error
 #define	__cdecl
@@ -523,6 +525,7 @@ typedef struct SAFE_BLOCK SAFE_BLOCK;
 typedef struct SAFE_REQUEST_LOG SAFE_REQUEST_LOG;
 typedef struct DYN_VALUE DYN_VALUE;
 typedef struct RELAY_PARAMETER RELAY_PARAMETER;
+typedef struct SSL_ACCEPT_SETTINGS SSL_ACCEPT_SETTINGS;

 // Tick64.h
 typedef struct ADJUST_TIME ADJUST_TIME;
@@ -46,7 +46,7 @@
 				Name="VCCLCompilerTool"
 				Optimization="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;_DEBUG;_LIB;_USE_32BIT_TIME_T"
+				PreprocessorDefinitions="WIN32;_DEBUG;_LIB"
 				MinimalRebuild="true"
 				ExceptionHandling="0"
 				BasicRuntimeChecks="3"
@@ -188,7 +188,7 @@
 				EnableIntrinsicFunctions="false"
 				FavorSizeOrSpeed="0"
 				AdditionalIncludeDirectories="$(SolutionDir)Mayaqua\win32_inc;.;$(SolutionDir)"
-				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;_USE_32BIT_TIME_T;VPN_SPEED"
+				PreprocessorDefinitions="WIN32;NDEBUG;_LIB;VPN_SPEED"
 				StringPooling="false"
 				ExceptionHandling="0"
 				RuntimeLibrary="0"
@@ -204,6 +204,7 @@ static SERVICE_FUNCTION *g_start, *g_stop;
 static bool exiting = false;
 static bool wnd_end;
 static bool is_usermode = false;
+static bool wts_is_locked_flag = false;
 static HICON tray_icon;
 static NOTIFYICONDATA nid;
 static NOTIFYICONDATAW nid_nt;
@@ -9193,6 +9194,11 @@ bool MsCloseWarningWindow(NO_WARNING *nw, UINT thread_id)
 	for (i = 0;i < LIST_NUM(o);i++)
 	{
 		HWND hWnd;
+
+		if (nw->Halt)
+		{
+			break;
+		}
 		
 		if (MsIsVista() == false)
 		{
@@ -12341,6 +12347,175 @@ bool MsIsPasswordEmpty(wchar_t *username)
 	return false;
 }

+// Determine if the workstation is locked by using WTS API
+bool MsDetermineIsLockedByWtsApi()
+{
+	return wts_is_locked_flag;
+}
+
+// IsLocked Window Proc
+LRESULT CALLBACK MsIsLockedWindowHandlerWindowProc(HWND hWnd, UINT msg, WPARAM wParam, LPARAM lParam)
+{
+	MS_ISLOCKED *d = NULL;
+	CREATESTRUCT *cs;
+	// Validate arguments
+	if (hWnd == NULL)
+	{
+		return 0;
+	}
+
+	d = (MS_ISLOCKED *)GetWindowLongPtrA(hWnd, GWLP_USERDATA);
+	if (d == NULL && msg != WM_CREATE)
+	{
+		goto LABEL_END;
+	}
+
+	switch (msg)
+	{
+	case WM_CREATE:
+		cs = (CREATESTRUCT *)lParam;
+		d = (MS_ISLOCKED *)cs->lpCreateParams;
+		SetWindowLongPtrA(hWnd, GWLP_USERDATA, (LONG_PTR)d);
+
+		ms->nt->WTSRegisterSessionNotification(hWnd, NOTIFY_FOR_THIS_SESSION);
+
+		wts_is_locked_flag = false;
+
+		break;
+
+	case WM_WTSSESSION_CHANGE:
+		{
+			char tmp[MAX_SIZE];
+
+			GetDateTimeStr64(tmp, sizeof(tmp), LocalTime64());
+
+			switch (wParam)
+			{
+			case WTS_SESSION_LOCK:
+				Debug("%s: Enter Lock\n", tmp);
+				d->IsLockedFlag = true;
+				wts_is_locked_flag = true;
+				break;
+
+			case WTS_SESSION_UNLOCK:
+				Debug("%s: Enter Unlock\n", tmp);
+				d->IsLockedFlag = false;
+				wts_is_locked_flag = false;
+				break;
+			}
+		}
+
+		break;
+
+	case WM_DESTROY:
+		Debug("Unregister\n");
+		ms->nt->WTSUnRegisterSessionNotification(hWnd);
+		PostQuitMessage(0);
+		break;
+	}
+
+LABEL_END:
+	return DefWindowProc(hWnd, msg, wParam, lParam);
+}
+
+// IsLocked thread proc
+void MsIsLockedThreadProc(THREAD *thread, void *param)
+{
+	MS_ISLOCKED *d = (MS_ISLOCKED *)param;
+	char wndclass_name[MAX_PATH];
+	WNDCLASS wc;
+	HWND hWnd;
+	MSG msg;
+	// Validate arguments
+	if (d == NULL || thread == NULL)
+	{
+		return;
+	}
+
+	Format(wndclass_name, sizeof(wndclass_name), "WNDCLASS_%X", Rand32());
+
+	Zero(&wc, sizeof(wc));
+	wc.hbrBackground = (HBRUSH)GetStockObject(WHITE_BRUSH);
+	wc.hCursor = LoadCursor(NULL, IDC_ARROW);
+	wc.hIcon = NULL;
+	wc.hInstance = ms->hInst;
+	wc.lpfnWndProc = MsIsLockedWindowHandlerWindowProc;
+	wc.lpszClassName = wndclass_name;
+	if (RegisterClassA(&wc) == 0)
+	{
+		NoticeThreadInit(thread);
+		return;
+	}
+
+	hWnd = CreateWindowA(wndclass_name, wndclass_name, WS_OVERLAPPEDWINDOW,
+		CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT, CW_USEDEFAULT,
+		NULL, NULL, ms->hInst, d);
+
+	d->hWnd = hWnd;
+
+	NoticeThreadInit(thread);
+
+	if (hWnd == NULL)
+	{
+		UnregisterClassA(wndclass_name, ms->hInst);
+		return;
+	}
+
+	while (GetMessage(&msg, NULL, 0, 0))
+	{
+		TranslateMessage(&msg);
+		DispatchMessage(&msg);
+	}
+
+	DestroyWindow(hWnd);
+
+	UnregisterClassA(wndclass_name, ms->hInst);
+}
+
+// Create new IsLocked thread
+MS_ISLOCKED *MsNewIsLocked()
+{
+	MS_ISLOCKED *d;
+	THREAD *t;
+
+	SleepThread(5000);
+
+	if (IsNt() == false || ms->nt->WTSRegisterSessionNotification == NULL ||
+		ms->nt->WTSUnRegisterSessionNotification == NULL)
+	{
+		return NULL;
+	}
+
+	d = ZeroMalloc(sizeof(MS_ISLOCKED));
+
+	t = NewThread(MsIsLockedThreadProc, d);
+
+	WaitThreadInit(t);
+
+	d->Thread = t;
+
+	return d;
+}
+
+// Stop and free the IsLocked thread
+void MsFreeIsLocked(MS_ISLOCKED *d)
+{
+	if (d == NULL)
+	{
+		return;
+	}
+
+	if (d->hWnd != NULL)
+	{
+		PostMessageA(d->hWnd, WM_CLOSE, 0, 0);
+	}
+
+	WaitThread(d->Thread, INFINITE);
+	ReleaseThread(d->Thread);
+
+	Free(d);
+}
+
 // Execution of shutdown (NT)
 bool MsShutdownEx(bool reboot, bool force, UINT time_limit, char *message)
 {
@@ -12689,6 +12864,12 @@ NT_API *MsLoadNtApiFunctions()
 		nt->WTSEnumerateSessionsA =
 			(BOOL (__stdcall *)(HANDLE,DWORD,DWORD,PWTS_SESSION_INFOA *,DWORD *))
 			GetProcAddress(nt->hWtsApi32, "WTSEnumerateSessionsA");
+		nt->WTSRegisterSessionNotification =
+			(BOOL (__stdcall *)(HWND,DWORD))
+			GetProcAddress(nt->hWtsApi32, "WTSRegisterSessionNotification");
+		nt->WTSUnRegisterSessionNotification =
+			(BOOL (__stdcall *)(HWND))
+			GetProcAddress(nt->hWtsApi32, "WTSUnRegisterSessionNotification");
 	}

 	// Service related API
@@ -431,6 +431,8 @@ typedef struct NT_API
 	void (WINAPI *WTSFreeMemory)(void *);
 	BOOL (WINAPI *WTSDisconnectSession)(HANDLE, DWORD, BOOL);
 	BOOL (WINAPI *WTSEnumerateSessions)(HANDLE, DWORD, DWORD, PWTS_SESSION_INFO *, DWORD *);
+	BOOL (WINAPI *WTSRegisterSessionNotification)(HWND, DWORD);
+	BOOL (WINAPI *WTSUnRegisterSessionNotification)(HWND);
 	SC_HANDLE (WINAPI *OpenSCManager)(LPCTSTR, LPCTSTR, DWORD);
 	SC_HANDLE (WINAPI *CreateServiceA)(SC_HANDLE, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR);
 	SC_HANDLE (WINAPI *CreateServiceW)(SC_HANDLE, LPCWSTR, LPCWSTR, DWORD, DWORD, DWORD, DWORD, LPCWSTR, LPCWSTR, LPDWORD, LPCWSTR, LPCWSTR, LPCWSTR);
@@ -590,6 +592,13 @@ typedef struct MS_ADAPTER_LIST
 	MS_ADAPTER **Adapters;			// Content
 } MS_ADAPTER_LIST;

+typedef struct MS_ISLOCKED
+{
+	HWND hWnd;
+	THREAD *Thread;
+	volatile bool IsLockedFlag;
+} MS_ISLOCKED;
+
 // TCP setting
 typedef struct MS_TCP
 {
@@ -741,6 +750,14 @@ char *MsGetExeFileName();
 char *MsGetExeDirName();
 wchar_t *MsGetExeDirNameW();

+void MsIsLockedThreadProc(THREAD *thread, void *param);
+MS_ISLOCKED *MsNewIsLocked();
+void MsFreeIsLocked(MS_ISLOCKED *d);
+void MsStartIsLockedThread();
+void MsStopIsLockedThread();
+bool MsDetermineIsLockedByWtsApi();
+
+
 bool MsShutdown(bool reboot, bool force);
 bool MsShutdownEx(bool reboot, bool force, UINT time_limit, char *message);
 bool MsCheckLogon(wchar_t *username, char *password);
@@ -155,7 +155,6 @@
 #ifdef	UNIX_MACOS
 #include <sys/event.h>
 #endif	// UNIX_MACOS
-#include <Cedar/Cedar.h>

 #ifdef	OS_WIN32
 NETWORK_WIN32_FUNCTIONS *w32net;
@@ -188,8 +187,6 @@ struct ROUTE_CHANGE_DATA


 // HTTP constant
-//static char http_301_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>301 Moved Permanently</TITLE>\r\n</HEAD><BODY>\r\n<H1>Moved</H1>\r\nThis páge has moved to <A HREF=\"https://$HOST$:4443$TARGET$\">new address</A>.<P>\r\n<HR>\r\n</BODY></HTML>\r\n";
-static char http_301_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>301 Moved Permanently</TITLE>\r\n</HEAD><BODY>\r\n<H1>Moved</H1>\r\nThis páge has moved to <A HREF=\"https://$HOSTNAME$:4443$TARGET$\">new address</A>.<P>\r\n<HR>\r\n</BODY></HTML>\r\n";
 static char http_404_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>404 Not Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Not Found</H1>\r\nThe requested URL $TARGET$ was not found on this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
 static char http_403_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>403 Forbidden</TITLE>\r\n</HEAD><BODY>\r\n<H1>Forbidden</H1>\r\nYou don't have permission to access $TARGET$\r\non this server.<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
 static char http_500_str[] = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n<HTML><HEAD>\r\n<TITLE>500 Server Error</TITLE>\r\n</HEAD><BODY>\r\n<H1>Server Error</H1>\r\nServer Error<P>\r\n<HR>\r\n<ADDRESS>HTTP Server at $HOST$ Port $PORT$</ADDRESS>\r\n</BODY></HTML>\r\n";
@@ -236,7 +233,7 @@ static COUNTER *getip_thread_counter = NULL;
 static UINT max_getip_thread = 0;


-static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA";
+static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384";
 static LIST *ip_clients = NULL;

 static LIST *local_mac_list = NULL;
@@ -248,7 +245,7 @@ static UINT rand_port_numbers[256] = {0};
 static bool g_use_privateip_file = false;
 static bool g_source_ip_validation_force_disable = false;

-static DH_CTX *dh_1024 = NULL;
+static DH_CTX *dh_2048 = NULL;

 typedef struct PRIVATE_IP_SUBNET
 {
@@ -5824,7 +5821,8 @@ SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh)
 	{
 		if (server_mode)
 		{
-			SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_server_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
+			SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);

 			AddChainSslCertOnDirectory(ssl_ctx);

@@ -5835,7 +5833,7 @@ SSL_PIPE *NewSslPipe(bool server_mode, X *x, K *k, DH_CTX *dh)
 		}
 		else
 		{
-			SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_client_method());
+			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 		}

 		//SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, cb_test);
@@ -12773,7 +12771,7 @@ bool SendAll(SOCK *sock, void *data, UINT size, bool secure)
 // Set the cipher algorithm name to want to use
 void SetWantToUseCipher(SOCK *sock, char *name)
 {
-	char tmp[254];
+	char tmp[1024];
 	// Validate arguments
 	if (sock == NULL || name == NULL)
 	{
@@ -12913,7 +12911,7 @@ bool AddChainSslCert(struct ssl_ctx_st *ctx, X *x)
 // Start a TCP-SSL communication
 bool StartSSL(SOCK *sock, X *x, K *priv)
 {
-	return StartSSLEx(sock, x, priv, false, 0, NULL);
+	return StartSSLEx(sock, x, priv, true, 0, NULL);
 }
 bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, char *sni_hostname)
 {
@@ -12976,23 +12974,39 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 		if (sock->ServerMode)
 		{
 			SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_method());
-			long ssl_opt_flags=0x0L;
-			if (sock->DisableSslVersions & SSL_VERSION_SSL_V2) {
-				ssl_opt_flags |= SSL_OP_NO_SSLv2;
+
+#ifdef	SSL_OP_NO_SSLv2
+			SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
+#endif	// SSL_OP_NO_SSLv2
+
+			if (sock->SslAcceptSettings.AcceptOnlyTls)
+			{
+#ifdef	SSL_OP_NO_SSLv3
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
+#endif	// SSL_OP_NO_SSLv3
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_SSL_V3) {
-				ssl_opt_flags |= SSL_OP_NO_SSLv3;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_0)
+			{
+#ifdef	SSL_OP_NO_TLSv1
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
+#endif	// SSL_OP_NO_TLSv1
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_0) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_1)
+			{
+#ifdef	SSL_OP_NO_TLSv1_1
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
+#endif	// SSL_OP_NO_TLSv1_1
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_1) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1_1;
+
+			if (sock->SslAcceptSettings.Tls_Disable1_2)
+			{
+#ifdef	SSL_OP_NO_TLSv1_2
+				SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
+#endif	// SSL_OP_NO_TLSv1_2
 			}
-			if (sock->DisableSslVersions & SSL_VERSION_TLS_V1_2) {
-				ssl_opt_flags |= SSL_OP_NO_TLSv1_2;
-			}
-			SSL_CTX_set_options(ssl_ctx, ssl_opt_flags);
+
 			Unlock(openssl_lock);
 			AddChainSslCertOnDirectory(ssl_ctx);
 			Lock(openssl_lock);
@@ -13005,7 +13019,7 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 			}
 			else
 			{
-				SSL_CTX_set_ssl_version(ssl_ctx, TLSv1_client_method());
+				SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method());
 			}
 		}
 		sock->ssl = SSL_new(ssl_ctx);
@@ -13021,6 +13035,7 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 			}
 		}
 #endif	// SSL_CTRL_SET_TLSEXT_HOSTNAME
+
 	}
 	Unlock(openssl_lock);

@@ -13206,6 +13221,8 @@ bool StartSSLEx(SOCK *sock, X *x, K *priv, bool client_tls, UINT ssl_timeout, ch
 	return true;
 }

+
+
 #ifdef	ENABLE_SSL_LOGGING

 // Enable SSL logging
@@ -13838,6 +13855,10 @@ void DisableGetHostNameWhenAcceptInit()

 // Initialize the connection acceptance
 void AcceptInit(SOCK *s)
+{
+	AcceptInitEx(s, false);
+}
+void AcceptInitEx(SOCK *s, bool no_lookup_hostname)
 {
 	char tmp[MAX_SIZE];
 	// Validate arguments
@@ -13848,7 +13869,7 @@ void AcceptInit(SOCK *s)

 	Zero(tmp, sizeof(tmp));

-	if (disable_gethostname_by_accept == false)
+	if (disable_gethostname_by_accept == false && no_lookup_hostname == false)
 	{
 		if (GetHostName(tmp, sizeof(tmp), &s->RemoteIP) == false ||
 			IsEmptyStr(tmp))
@@ -17760,9 +17781,9 @@ DH *TmpDhCallback(SSL *ssl, int is_export, int keylength)
 {
 	DH *ret = NULL;

-	if (dh_1024 != NULL)
+	if (dh_2048 != NULL)
 	{
-		ret = dh_1024->dh;
+		ret = dh_2048->dh;
 	}

 	return ret;
@@ -17786,6 +17807,10 @@ struct ssl_ctx_st *NewSSLCtx(bool server_mode)

 	SSL_CTX_set_tmp_dh_callback(ctx, TmpDhCallback);

+#ifdef	SSL_CTX_set_ecdh_auto
+	SSL_CTX_set_ecdh_auto(ctx, 1);
+#endif	// SSL_CTX_set_ecdh_auto
+
 	return ctx;
 }

@@ -17879,7 +17904,7 @@ void InitNetwork()
 	disable_cache = false;


-	dh_1024 = DhNewGroup2();
+	dh_2048 = DhNew2048();

 	Zero(rand_port_numbers, sizeof(rand_port_numbers));

@@ -18313,10 +18338,10 @@ void SetCurrentGlobalIP(IP *ip, bool ipv6)
 void FreeNetwork()
 {

-	if (dh_1024 != NULL)
+	if (dh_2048 != NULL)
 	{
-		DhFree(dh_1024);
-		dh_1024 = NULL;
+		DhFree(dh_2048);
+		dh_2048 = NULL;
 	}

 	// Release of thread-related
@@ -21875,69 +21900,6 @@ bool HttpSendNotImplemented(SOCK *s, char *method, char *target, char *version)
 	return ret;
 }

-// Sending the 301 Moved Permanently: Redirect
-bool HttpSendRedirect(SOCK *s, char *target, char *hostname)
-{
-        HTTP_HEADER *h;
-        char *str;
-	//char *redirect_to_static="https://$HOSTNAME$:4443$TARGET$";
-	char *redirect_to_static="https://%s:4443%s";
-	char *redirect_to;
-        UINT redir_size;
-        UINT str_size;
-        bool ret;
-        char host[MAX_SIZE];
-        UINT port;
-        // Validate arguments
-        if (s == NULL || target == NULL || hostname == NULL)
-        {
-                return false;
-        }
-
-        // Get the host name
-        //GetMachineName(host, MAX_SIZE);
-        Zero(host, sizeof(host));
-        IPToStr(host, sizeof(host), &s->LocalIP);
-
-        // Creating a header
-        h = NewHttpHeader("HTTP/1.1", "301", "Moved Permanently");
-
-        redir_size = strlen(redirect_to_static) * 2 + StrLen(target) + StrLen(hostname);
-	redirect_to = Malloc(redir_size);
-	snprintf(redirect_to, redir_size, redirect_to_static, hostname, target);
-        //StrCpy(redirect_to, redir_size, redirect_to_static);
-	//ReplaceStri(redirect_to, redir_size, redirect_to, "$TARGET$", target);
-	//ReplaceStri(redirect_to, redir_size, redirect_to, "$HOSTNAME$", hostname);
-
-        AddHttpValue(h, NewHttpValue("Location", redirect_to));
-        AddHttpValue(h, NewHttpValue("Content-Type", HTTP_CONTENT_TYPE));
-
-        // Creating a Data
-        str_size = sizeof(http_301_str) * 2 + StrLen(target) + StrLen(hostname);
-        str = Malloc(str_size);
-        StrCpy(str, str_size, http_301_str);
-
-        // TARGET
-        ReplaceUnsafeCharInTarget(target);
-        ReplaceStri(str, str_size, str, "$TARGET$", target);
-
-        // HOST
-        //ReplaceStri(str, str_size, str, "$HOST$", host);
-
-        // HOSTNAME
-        ReplaceStri(str, str_size, str, "$HOSTNAME$", hostname);
-
-        // Transmission
-        ret = PostHttp(s, h, str, StrLen(str));
-
-        FreeHttpHeader(h);
-        Free(redirect_to);
-        Free(str);
-
-        return ret;
-}
-
-
 // Sending a 404 Not Found error
 bool HttpSendNotFound(SOCK *s, char *target)
 {
@@ -22744,7 +22706,14 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN
 	USHORT handshake_length;

 	// Validate arguments
-	if (packet_buf == NULL || packet_size == 0)
+	if (packet_buf == NULL || packet_size <= 11)
+	{
+		return false;
+	}
+
+	if (!(packet_buf[0] == 0x16 && packet_buf[1] >= 0x03 &&
+		packet_buf[5] == 0x01 && packet_buf[6] == 0x00 &&
+		packet_buf[9] >= 0x03))
 	{
 		return false;
 	}
@@ -22758,7 +22727,7 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN
 		version = Endian16(version);
 		handshake_length = Endian16(handshake_length);

-		if (version >= 0x0301)
+		if (content_type == 0x16 && version >= 0x0301)
 		{
 			UCHAR *handshake_data = Malloc(handshake_length);

@@ -22875,9 +22844,12 @@ bool GetSniNameFromSslPacket(UCHAR *packet_buf, UINT packet_size, char *sni, UIN

 																							if (ReadBuf(dbuf, name_buf, name_len) == name_len)
 																							{
-																								ret = true;
+																								if (StrLen(name_buf) >= 1)
+																								{
+																									ret = true;

-																								StrCpy(sni, sni_size, name_buf);
+																									StrCpy(sni, sni_size, name_buf);
+																								}
 																							}

 																							Free(name_buf);
@@ -246,6 +246,15 @@ struct SOCK_EVENT
 #define	SOCK_RUDP_LISTEN		5
 #define	SOCK_REVERSE_LISTEN		6

+// SSL Accept Settings
+struct SSL_ACCEPT_SETTINGS
+{
+	bool AcceptOnlyTls;
+	bool Tls_Disable1_0;
+	bool Tls_Disable1_1;
+	bool Tls_Disable1_2;
+};
+
 // Socket
 struct SOCK
 {
@@ -312,8 +321,7 @@ struct SOCK
 	IP Reverse_MyServerGlobalIp;	// Self global IP address when using the reverse socket
 	UINT Reverse_MyServerPort;		// Self port number when using the reverse socket
 	UCHAR Ssl_Init_Async_SendAlert[2];	// Initial state of SSL send_alert
-	bool AcceptOnlyTls;			// Accept only TLS (disable SSLv3)
-	UINT DisableSslVersions;	// Bitmap of SSL Version to disable
+	SSL_ACCEPT_SETTINGS SslAcceptSettings;	// SSL Accept Settings
 	bool RawIP_HeaderIncludeFlag;

 #ifdef	ENABLE_SSL_LOGGING
@@ -1044,7 +1052,6 @@ char *HttpHeaderToStr(HTTP_HEADER *header);
 bool PostHttp(SOCK *s, HTTP_HEADER *header, void *post_data, UINT post_size);
 UINT GetContentLength(HTTP_HEADER *header);
 void GetHttpDateStr(char *str, UINT size, UINT64 t);
-bool HttpSendRedirect(SOCK *s, char *target, char* hostname);
 bool HttpSendForbidden(SOCK *s, char *target, char *server_id);
 bool HttpSendNotFound(SOCK *s, char *target);
 bool HttpSendNotImplemented(SOCK *s, char *method, char *target, char *version);
@@ -1370,6 +1377,7 @@ bool GetDomainName(char *name, UINT size);
 bool UnixGetDomainName(char *name, UINT size);
 void RenewDhcp();
 void AcceptInit(SOCK *s);
+void AcceptInitEx(SOCK *s, bool no_lookup_hostname);
 void DisableGetHostNameWhenAcceptInit();
 bool CheckCipherListName(char *name);
 TOKEN_LIST *GetCipherList();
@@ -424,12 +424,18 @@ bool SignSecByObject(SECURE *sec, SEC_OBJ *obj, void *dst, void *src, UINT size)

 	// Perform Signing
 	size = 128;
+	// First try with 1024 bit
 	ret = sec->Api->C_Sign(sec->SessionId, hash, sizeof(hash), dst, &size);
-	if (ret != CKR_OK || size != 128)
+	if (ret != CKR_OK && 128 < size && size <= 4096/8)
+	{
+		// Retry with expanded bits
+		ret = sec->Api->C_Sign(sec->SessionId, hash, sizeof(hash), dst, &size);
+	}
+	if (ret != CKR_OK || size == 0 || size > 4096/8)
 	{
 		// Failure
 		sec->Error = SEC_ERROR_HARDWARE_ERROR;
-		Debug("C_Sign Error: 0x%x\n", ret);
+		Debug("C_Sign Error: 0x%x  size:%d\n", ret, size);
 		return false;
 	}

@@ -782,6 +788,11 @@ bool WriteSecCert(SECURE *sec, bool private_obj, char *name, X *x)
 		b_private_obj = false;
 	}

+	// CryptoID PKCS#11 requires CKA_ID attiribute instead of CKA_LABEL.
+	if(sec->Dev->Id == 22) {
+		a[7].type = CKA_ID;
+	}
+
 	// Remove objects which have the same name
 	if (CheckSecObject(sec, name, SEC_X))
 	{
@@ -2007,7 +2018,7 @@ void TestSecMain(SECURE *sec)
 	}

 	Print("Generating Key...\n");
-	if (RsaGen(&private_key, &public_key, 1024) == false)
+	if (RsaGen(&private_key, &public_key, 2048) == false)
 	{
 		Print("RsaGen() Failed.\n");
 	}
@@ -2077,9 +2088,10 @@ void TestSecMain(SECURE *sec)
 						}
 						else
 						{
-							UCHAR sign_cpu[128];
-							UCHAR sign_sec[128];
+							UCHAR sign_cpu[512];
+							UCHAR sign_sec[512];
 							K *pub = GetKFromX(cert);
+							UINT keybtytes = (cert->bits)/8;
 							Print("Ok.\n");
 							Print("Signing Data by CPU...\n");
 							if (RsaSign(sign_cpu, test_str, StrLen(test_str), private_key) == false)
@@ -2090,7 +2102,7 @@ void TestSecMain(SECURE *sec)
 							{
 								Print("Ok.\n");
 								Print("sign_cpu: ");
-								PrintBin(sign_cpu, sizeof(sign_cpu));
+								PrintBin(sign_cpu, keybtytes);
 								Print("Signing Data by %s..\n", sec->Dev->DeviceName);
 								if (SignSec(sec, "test_key", sign_sec, test_str, StrLen(test_str)) == false)
 								{
@@ -2100,14 +2112,14 @@ void TestSecMain(SECURE *sec)
 								{
 									Print("Ok.\n");
 									Print("sign_sec: ");
-									PrintBin(sign_sec, sizeof(sign_sec));
+									PrintBin(sign_sec, keybtytes);
 									Print("Compare...");
-									if (Cmp(sign_sec, sign_cpu, sizeof(sign_cpu)) == 0)
+									if (Cmp(sign_sec, sign_cpu, keybtytes) == 0)
 									{
 										Print("Ok.\n");
 										Print("Verify...");
-										if (RsaVerify(test_str, StrLen(test_str),
-											sign_sec, pub) == false)
+										if (RsaVerifyEx(test_str, StrLen(test_str),
+											sign_sec, pub, cert->bits) == false)
 										{
 											Print("[FAILED]\n");
 										}
@@ -307,7 +307,8 @@ SECURE_DEVICE SupportedList[] =
 	{18,	SECURE_IC_CARD,		"Gemalto .NET",			"Gemalto",				"gtop11dotnet.dll"},
 	{19,	SECURE_IC_CARD,		"Gemalto .NET 64bit",	"Gemalto",				"gtop11dotnet64.dll"},
 	{20,	SECURE_USB_TOKEN,	"ePass 2003",			"Feitian Technologies",	"eps2003csp11.dll"},
-	{20,	SECURE_USB_TOKEN,	"ePass 1000ND/2000/3000",			"Feitian Technologies",	"ngp11v211.dll"},
+	{21,	SECURE_USB_TOKEN,	"ePass 1000ND/2000/3000",			"Feitian Technologies",	"ngp11v211.dll"},
+	{22,	SECURE_USB_TOKEN,	"CryptoID",				"Longmai Technology",	"cryptoida_pkcs11.dll"},
 };

 #ifdef	OS_WIN32
@@ -1829,19 +1829,26 @@ PKT *ParsePacketEx4(UCHAR *buf, UINT size, bool no_l3, UINT vlan_type_id, bool b
 	{
 		USHORT port_raw = Endian16(80);
 		USHORT port_raw2 = Endian16(8080);
+		USHORT port_raw3 = Endian16(443);

 		// Analyze if the packet is a part of HTTP
 		if ((p->TypeL3 == L3_IPV4 || p->TypeL3 == L3_IPV6) && p->TypeL4 == L4_TCP)
 		{
 			TCP_HEADER *tcp = p->L4.TCPHeader;
-			if (tcp != NULL && (!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
+			if (tcp != NULL && (tcp->DstPort == port_raw || tcp->DstPort == port_raw2) &&
+				(!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
 			{
-				if (tcp->DstPort == port_raw || tcp->DstPort == port_raw2)
+				if (p->PayloadSize >= 1)
 				{
-					if (p->PayloadSize >= 1)
-					{
-						p->HttpLog = ParseHttpAccessLog(p);
-					}
+					p->HttpLog = ParseHttpAccessLog(p);
+				}
+			}
+			if (tcp != NULL && tcp->DstPort == port_raw3 &&
+				(!((tcp->Flag & TCP_SYN) || (tcp->Flag & TCP_RST) || (tcp->Flag & TCP_FIN))))
+			{
+				if (p->PayloadSize >= 1)
+				{
+					p->HttpLog = ParseHttpsAccessLog(p);
 				}
 			}
 		}
@@ -2014,6 +2021,33 @@ void CorrectChecksum(PKT *p)
 }


+// Parse the HTTPS access log
+HTTPLOG *ParseHttpsAccessLog(PKT *pkt)
+{
+	HTTPLOG h;
+	char sni[MAX_PATH];
+	// Validate arguments
+	if (pkt == NULL)
+	{
+		return NULL;
+	}
+
+	if (GetSniNameFromSslPacket(pkt->Payload, pkt->PayloadSize, sni, sizeof(sni)) == false)
+	{
+		return NULL;
+	}
+
+	Zero(&h, sizeof(h));
+
+	StrCpy(h.Method, sizeof(h.Method), "SSL_Connect");
+	StrCpy(h.Hostname, sizeof(h.Hostname), sni);
+	h.Port = Endian16(pkt->L4.TCPHeader->DstPort);
+	StrCpy(h.Path, sizeof(h.Path), "/");
+	h.IsSsl = true;
+
+	return Clone(&h, sizeof(h));
+}
+
 // Parse the HTTP access log
 HTTPLOG *ParseHttpAccessLog(PKT *pkt)
 {
@@ -651,6 +651,7 @@ struct HTTPLOG
 	char Protocol[64];						// Protocol
 	char UserAgent[MAX_SIZE];				// User Agent value
 	char Referer[MAX_SIZE];					// Referer
+	bool IsSsl;								// Is SSL
 };

 // Packet
@@ -919,6 +920,7 @@ void FreeDhcpOptions(LIST *o);
 LIST *ParseDhcpOptions(void *data, UINT size);
 BUF *BuildDhcpOptionsBuf(LIST *o);
 HTTPLOG *ParseHttpAccessLog(PKT *pkt);
+HTTPLOG *ParseHttpsAccessLog(PKT *pkt);

 BUF *DhcpModify(DHCP_MODIFY_OPTION *m, void *data, UINT size);
 BUF *DhcpModifyIPv4(DHCP_MODIFY_OPTION *m, void *data, UINT size);
@@ -2031,6 +2031,7 @@ void UnixInc32(UINT *value)
 void UnixGetSystemTime(SYSTEMTIME *system_time)
 {
 	time_t now = 0;
+	time_64t now2 = 0;
 	struct tm tm;
 	struct timeval tv;
 	struct timezone tz;
@@ -2048,7 +2049,16 @@ void UnixGetSystemTime(SYSTEMTIME *system_time)

 	time(&now);

-	gmtime_r(&now, &tm);
+	if (sizeof(time_t) == 4)
+	{
+		now2 = (time_64t)((UINT64)((UINT32)now));
+	}
+	else
+	{
+		now2 = now;
+	}
+
+	c_gmtime_r(&now2, &tm);

 	TmToSystem(system_time, &tm);

@@ -2087,7 +2097,7 @@ UINT64 UnixGetTick64()
 #endif	// CLOCK_MONOTONIC
 #endif	// CLOCK_HIGHRES

-	ret = (UINT64)t.tv_sec * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
+	ret = ((UINT64)((UINT32)t.tv_sec)) * 1000LL + (UINT64)t.tv_nsec / 1000000LL;

 	if (akirame == false && ret == 0)
 	{
@@ -2106,7 +2116,7 @@ UINT64 UnixGetTick64()
 		host_get_clock_service(mach_host_self(), SYSTEM_CLOCK, &clock_serv);
 	}
 	clock_get_time(clock_serv, &t);
-	ret = (UINT64)t.tv_sec * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
+	ret = ((UINT64)((UINT32)t.tv_sec)) * 1000LL + (UINT64)t.tv_nsec / 1000000LL;
 	return ret;
 #else
 	return TickRealtimeManual();
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -291,7 +291,7 @@ void BIO_clear_flags(BIO *b, int flags);
 * BIO_CB_RETURN flag indicates if it is after the call
 */
 # define BIO_CB_RETURN   0x80
-# define BIO_CB_return(a) ((a)|BIO_CB_RETURN))
+# define BIO_CB_return(a) ((a)|BIO_CB_RETURN)
 # define BIO_cb_pre(a)   (!((a)&BIO_CB_RETURN))
 # define BIO_cb_post(a)  ((a)&BIO_CB_RETURN)

@@ -479,11 +479,11 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 # define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
 # define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
-# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
+# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,NULL)

 # define BIO_set_nbio(b,n)       BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL)

-/* BIO_s_accept_socket() */
+/* BIO_s_accept() */
 # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name)
 # define BIO_get_accept_port(b)  BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0)
 /* #define BIO_set_nbio(b,n)    BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */
@@ -496,6 +496,7 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL)
 # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL)

+/* BIO_s_accept() and BIO_s_connect() */
 # define BIO_do_connect(b)       BIO_do_handshake(b)
 # define BIO_do_accept(b)        BIO_do_handshake(b)
 # define BIO_do_handshake(b)     BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL)
@@ -515,12 +516,15 @@ struct bio_dgram_sctp_prinfo {
 # define BIO_get_url(b,url)      BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url))
 # define BIO_get_no_connect_return(b)    BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL)

+/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */
 # define BIO_set_fd(b,fd,c)      BIO_int_ctrl(b,BIO_C_SET_FD,c,fd)
 # define BIO_get_fd(b,c)         BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c)

+/* BIO_s_file() */
 # define BIO_set_fp(b,fp,c)      BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp)
 # define BIO_get_fp(b,fpp)       BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp)

+/* BIO_s_fd() and BIO_s_file() */
 # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL)
 # define BIO_tell(b)     (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL)

@@ -555,11 +559,11 @@ int BIO_read_filename(BIO *b, const char *name);
 # define BIO_get_ssl(b,sslp)     BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
 # define BIO_set_ssl_mode(b,client)      BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
 # define BIO_set_ssl_renegotiate_bytes(b,num) \
-        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL);
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL)
 # define BIO_get_num_renegotiates(b) \
-        BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL);
+        BIO_ctrl(b,BIO_C_GET_SSL_NUM_RENEGOTIATES,0,NULL)
 # define BIO_set_ssl_renegotiate_timeout(b,seconds) \
-        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL);
+        BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL)

 /* defined in evp.h */
 /* #define BIO_set_md(b,md)     BIO_ctrl(b,BIO_C_SET_MD,1,(char *)md) */
@@ -685,7 +689,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi,
                        long argl, long ret);

 BIO_METHOD *BIO_s_mem(void);
-BIO *BIO_new_mem_buf(void *buf, int len);
+BIO *BIO_new_mem_buf(const void *buf, int len);
 BIO_METHOD *BIO_s_socket(void);
 BIO_METHOD *BIO_s_connect(void);
 BIO_METHOD *BIO_s_accept(void);
@@ -125,6 +125,7 @@
 #ifndef HEADER_BN_H
 # define HEADER_BN_H

+# include <limits.h>
 # include <openssl/e_os2.h>
 # ifndef OPENSSL_NO_FP_API
 #  include <stdio.h>            /* FILE */
@@ -721,8 +722,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);

 /* library internal functions */

-# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-        (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
+# define bn_expand(a,bits) \
+    ( \
+        bits > (INT_MAX - BN_BITS2 + 1) ? \
+            NULL \
+        : \
+            (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
+                (a) \
+            : \
+                bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
+    )
+
 # define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
 BIGNUM *bn_expand2(BIGNUM *a, int words);
 # ifndef OPENSSL_NO_DEPRECATED
@@ -779,6 +789,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                         * wouldn't be constructed with top!=dmax. */ \
                        BN_ULONG *_not_const; \
                        memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
+                        /* Debug only - safe to ignore error return */ \
                        RAND_pseudo_bytes(&_tmp_char, 1); \
                        memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
                                (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
@@ -831,6 +842,8 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                        if (*(ftl--)) break; \
                (a)->top = tmp_top; \
                } \
+        if ((a)->top == 0) \
+            (a)->neg = 0; \
        bn_pollute(a); \
        }

@@ -892,6 +905,7 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR                  135
 # define BN_F_BN_GF2M_MOD_SQR                             136
 # define BN_F_BN_GF2M_MOD_SQRT                            137
+# define BN_F_BN_LSHIFT                                   145
 # define BN_F_BN_MOD_EXP2_MONT                            118
 # define BN_F_BN_MOD_EXP_MONT                             109
 # define BN_F_BN_MOD_EXP_MONT_CONSTTIME                   124
@@ -907,12 +921,14 @@ void ERR_load_BN_strings(void);
 # define BN_F_BN_NEW                                      113
 # define BN_F_BN_RAND                                     114
 # define BN_F_BN_RAND_RANGE                               122
+# define BN_F_BN_RSHIFT                                   146
 # define BN_F_BN_USUB                                     115

 /* Reason codes. */
 # define BN_R_ARG2_LT_ARG3                                100
 # define BN_R_BAD_RECIPROCAL                              101
 # define BN_R_BIGNUM_TOO_LONG                             114
+# define BN_R_BITS_TOO_SMALL                              118
 # define BN_R_CALLED_WITH_EVEN_MODULUS                    102
 # define BN_R_DIV_BY_ZERO                                 103
 # define BN_R_ENCODING_ERROR                              104
@@ -920,6 +936,7 @@ void ERR_load_BN_strings(void);
 # define BN_R_INPUT_NOT_REDUCED                           110
 # define BN_R_INVALID_LENGTH                              106
 # define BN_R_INVALID_RANGE                               115
+# define BN_R_INVALID_SHIFT                               119
 # define BN_R_NOT_A_SQUARE                                111
 # define BN_R_NOT_INITIALIZED                             107
 # define BN_R_NO_INVERSE                                  108
@@ -86,7 +86,13 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len);
 int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
 size_t BUF_strnlen(const char *str, size_t maxlen);
 char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
 char *BUF_strndup(const char *str, size_t siz);
+
 void *BUF_memdup(const void *data, size_t siz);
 void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);

@@ -1,4 +1,4 @@
-/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/camellia/camellia.h */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
@@ -4,13 +4,17 @@

 # include <openssl/crypto.h>

+# ifdef OPENSSL_NO_COMP
+#  error COMP is disabled.
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif

 typedef struct comp_ctx_st COMP_CTX;

-typedef struct comp_method_st {
+struct comp_method_st {
    int type;                   /* NID for compression library */
    const char *name;           /* A text string to identify the library */
    int (*init) (COMP_CTX *ctx);
@@ -26,7 +30,7 @@ typedef struct comp_method_st {
     */
    long (*ctrl) (void);
    long (*callback_ctrl) (void);
-} COMP_METHOD;
+};

 struct comp_ctx_st {
    COMP_METHOD *meth;
@@ -628,7 +628,7 @@ void OPENSSL_init(void);
 * into a defined order as the return value when a != b is undefined, other
 * than to be non-zero.
 */
-int CRYPTO_memcmp(const void *a, const void *b, size_t len);
+int CRYPTO_memcmp(const volatile void *a, const volatile void *b, size_t len);

 /* BEGIN ERROR CODES */
 /*
@@ -1,4 +1,4 @@
-/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/des/des_old.h */

 /*-
 * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
@@ -142,7 +142,7 @@ struct dh_st {
    BIGNUM *p;
    BIGNUM *g;
    long length;                /* optional */
-    BIGNUM *pub_key;            /* g^x */
+    BIGNUM *pub_key;            /* g^x % p */
    BIGNUM *priv_key;           /* x */
    int flags;
    BN_MONT_CTX *method_mont_p;
@@ -174,6 +174,7 @@ struct dh_st {
 /* DH_check_pub_key error codes */
 # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
 # define DH_CHECK_PUBKEY_TOO_LARGE       0x02
+# define DH_CHECK_PUBKEY_INVALID         0x04

 /*
 * primes p where (p-1)/2 is prime too are called "safe"; we define this for
@@ -1,4 +1,4 @@
-/* dso.h -*- mode:C; c-file-style: "eay" -*- */
+/* dso.h */
 /*
 * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project
 * 2000.
@@ -109,6 +109,12 @@ extern "C" {
 #    undef OPENSSL_SYS_UNIX
 #    define OPENSSL_SYS_WIN32
 #   endif
+#   if defined(_WIN64) || defined(OPENSSL_SYSNAME_WIN64)
+#    undef OPENSSL_SYS_UNIX
+#    if !defined(OPENSSL_SYS_WIN64)
+#     define OPENSSL_SYS_WIN64
+#    endif
+#   endif
 #   if defined(OPENSSL_SYSNAME_WINNT)
 #    undef OPENSSL_SYS_UNIX
 #    define OPENSSL_SYS_WINNT
@@ -121,7 +127,7 @@ extern "C" {
 # endif

 /* Anything that tries to look like Microsoft is "Windows" */
-# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
+# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN64) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE)
 #  undef OPENSSL_SYS_UNIX
 #  define OPENSSL_SYS_WINDOWS
 #  ifndef OPENSSL_SYS_MSDOS
@@ -325,4 +331,3 @@ extern "C" {
 #undef	OPENSSL_SYS_WIN32
 #undef	OPENSSL_SYS_WINDOWS
 #endif	// _MSC_VER
-
@@ -106,7 +106,7 @@ typedef enum {
        /** the point is encoded as z||x, where the octet z specifies
         *  which solution of the quadratic equation y is  */
    POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x02  */
+        /** the point is encoded as z||x||y, where z is the octet 0x04  */
    POINT_CONVERSION_UNCOMPRESSED = 4,
        /** the point is encoded as z||x||y, where the octet z specifies
         *  which solution of the quadratic equation y is  */
@@ -1097,6 +1097,12 @@ void ERR_load_EC_strings(void);
 # define EC_F_ECPARAMETERS_PRINT_FP                       148
 # define EC_F_ECPKPARAMETERS_PRINT                        149
 # define EC_F_ECPKPARAMETERS_PRINT_FP                     150
+# define EC_F_ECP_NISTZ256_GET_AFFINE                     240
+# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE                243
+# define EC_F_ECP_NISTZ256_POINTS_MUL                     241
+# define EC_F_ECP_NISTZ256_PRE_COMP_NEW                   244
+# define EC_F_ECP_NISTZ256_SET_WORDS                      245
+# define EC_F_ECP_NISTZ256_WINDOWED_MUL                   242
 # define EC_F_ECP_NIST_MOD_192                            203
 # define EC_F_ECP_NIST_MOD_224                            204
 # define EC_F_ECP_NIST_MOD_256                            205
@@ -1208,11 +1214,6 @@ void ERR_load_EC_strings(void);
 # define EC_F_NISTP224_PRE_COMP_NEW                       227
 # define EC_F_NISTP256_PRE_COMP_NEW                       236
 # define EC_F_NISTP521_PRE_COMP_NEW                       237
-# define EC_F_ECP_NISTZ256_GET_AFFINE                     240
-# define EC_F_ECP_NISTZ256_POINTS_MUL                     241
-# define EC_F_ECP_NISTZ256_WINDOWED_MUL                   242
-# define EC_F_ECP_NISTZ256_MULT_PRECOMPUTE                243
-# define EC_F_ECP_NISTZ256_PRE_COMP_NEW                   244
 # define EC_F_O2I_ECPUBLICKEY                             152
 # define EC_F_OLD_EC_PRIV_DECODE                          222
 # define EC_F_PKEY_EC_CTRL                                197
@@ -233,7 +233,7 @@ void *ECDSA_get_ex_data(EC_KEY *d, int idx);
 *  \return pointer to a ECDSA_METHOD structure or NULL if an error occurred
 */

-ECDSA_METHOD *ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method);
+ECDSA_METHOD *ECDSA_METHOD_new(const ECDSA_METHOD *ecdsa_method);

 /** frees a ECDSA_METHOD structure
 *  \param  ecdsa_method  pointer to the ECDSA_METHOD structure
@@ -103,7 +103,6 @@
 # define EVP_PKS_RSA     0x0100
 # define EVP_PKS_DSA     0x0200
 # define EVP_PKS_EC      0x0400
-# define EVP_PKT_EXP     0x1000 /* <= 512 bit key */

 # define EVP_PKEY_NONE   NID_undef
 # define EVP_PKEY_RSA    NID_rsaEncryption
@@ -424,6 +423,9 @@ struct evp_cipher_st {
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_DECRYPT      0x1b
 # define         EVP_CTRL_TLS1_1_MULTIBLOCK_MAX_BUFSIZE  0x1c

+/* RFC 5246 defines additional data to be 13 bytes in length */
+# define         EVP_AEAD_TLS1_AAD_LEN           13
+
 typedef struct {
    unsigned char *out;
    const unsigned char *inp;
@@ -1121,6 +1123,19 @@ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
 void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
                            int (*pkey_ctrl) (EVP_PKEY *pkey, int op,
                                              long arg1, void *arg2));
+void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
+                            int (*item_verify) (EVP_MD_CTX *ctx,
+                                                const ASN1_ITEM *it,
+                                                void *asn,
+                                                X509_ALGOR *a,
+                                                ASN1_BIT_STRING *sig,
+                                                EVP_PKEY *pkey),
+                            int (*item_sign) (EVP_MD_CTX *ctx,
+                                              const ASN1_ITEM *it,
+                                              void *asn,
+                                              X509_ALGOR *alg1,
+                                              X509_ALGOR *alg2,
+                                              ASN1_BIT_STRING *sig));

 # define EVP_PKEY_OP_UNDEFINED           0
 # define EVP_PKEY_OP_PARAMGEN            (1<<1)
@@ -1,4 +1,4 @@
-/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */
+/* ssl/kssl.h */
 /*
 * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project
 * 2000. project 2000.
@@ -41,12 +41,18 @@ extern "C" {
 #ifndef OPENSSL_NO_SSL_TRACE
 # define OPENSSL_NO_SSL_TRACE
 #endif
+#ifndef OPENSSL_NO_SSL2
+# define OPENSSL_NO_SSL2
+#endif
 #ifndef OPENSSL_NO_STORE
 # define OPENSSL_NO_STORE
 #endif
 #ifndef OPENSSL_NO_UNIT_TEST
 # define OPENSSL_NO_UNIT_TEST
 #endif
+#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
+# define OPENSSL_NO_WEAK_SSL_CIPHERS
+#endif

 #endif /* OPENSSL_DOING_MAKEDEPEND */

@@ -89,12 +95,18 @@ extern "C" {
 # if defined(OPENSSL_NO_SSL_TRACE) && !defined(NO_SSL_TRACE)
 #  define NO_SSL_TRACE
 # endif
+# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
+#  define NO_SSL2
+# endif
 # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
 #  define NO_STORE
 # endif
 # if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
 #  define NO_UNIT_TEST
 # endif
+# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
+#  define NO_WEAK_SSL_CIPHERS
+# endif
 #endif

 #define OPENSSL_CPUID_OBJ
@@ -203,7 +215,7 @@ extern "C" {
 #endif

 #if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 #endif

 /* Unroll the inner loop, this sometimes helps, sometimes hinders.
@@ -222,7 +234,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
   optimization options.  Older Sparc's work better with only UNROLL, but
   there's no way to tell at compile time what it is you're running on */
 
-#if defined( sun )		/* Newer Sparc's */
+#if defined( __sun ) || defined ( sun )		/* Newer Sparc's */
 #  define DES_PTR
 #  define DES_RISC1
 #  define DES_UNROLL
@@ -30,11 +30,11 @@ extern "C" {
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-# define OPENSSL_VERSION_NUMBER  0x1000201fL
+# define OPENSSL_VERSION_NUMBER  0x100020afL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2a-fips 19 Mar 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-fips  26 Sep 2016"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2a 19 Mar 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j  26 Sep 2016"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT

@@ -178,6 +178,8 @@ typedef struct engine_st ENGINE;
 typedef struct ssl_st SSL;
 typedef struct ssl_ctx_st SSL_CTX;

+typedef struct comp_method_st COMP_METHOD;
+
 typedef struct X509_POLICY_NODE_st X509_POLICY_NODE;
 typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL;
 typedef struct X509_POLICY_TREE_st X509_POLICY_TREE;
@@ -531,6 +531,7 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel,
 * The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
+
 void ERR_load_PEM_strings(void);

 /* Error codes for the PEM functions. */
@@ -592,6 +593,7 @@ void ERR_load_PEM_strings(void);
 # define PEM_R_ERROR_CONVERTING_PRIVATE_KEY               115
 # define PEM_R_EXPECTING_PRIVATE_KEY_BLOB                 119
 # define PEM_R_EXPECTING_PUBLIC_KEY_BLOB                  120
+# define PEM_R_HEADER_TOO_LONG                            128
 # define PEM_R_INCONSISTENT_HEADER                        121
 # define PEM_R_KEYBLOB_HEADER_PARSE_ERROR                 122
 # define PEM_R_KEYBLOB_TOO_SHORT                          123
@@ -609,7 +611,7 @@ void ERR_load_PEM_strings(void);
 # define PEM_R_UNSUPPORTED_ENCRYPTION                     114
 # define PEM_R_UNSUPPORTED_KEY_COMPONENTS                 126

-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif
@@ -270,7 +270,7 @@ int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12);
 int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12);
 PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12);
 PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12);
-int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass);

 /* BEGIN ERROR CODES */
 /*
@@ -82,16 +82,21 @@ typedef struct SRP_gN_cache_st {
 DECLARE_STACK_OF(SRP_gN_cache)

 typedef struct SRP_user_pwd_st {
+    /* Owned by us. */
    char *id;
    BIGNUM *s;
    BIGNUM *v;
+    /* Not owned by us. */
    const BIGNUM *g;
    const BIGNUM *N;
+    /* Owned by us. */
    char *info;
 } SRP_user_pwd;

 DECLARE_STACK_OF(SRP_user_pwd)

+void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
+
 typedef struct SRP_VBASE_st {
    STACK_OF(SRP_user_pwd) *users_pwd;
    STACK_OF(SRP_gN_cache) *gN_cache;
@@ -115,7 +120,12 @@ DECLARE_STACK_OF(SRP_gN)
 SRP_VBASE *SRP_VBASE_new(char *seed_key);
 int SRP_VBASE_free(SRP_VBASE *vb);
 int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
+
+/* This method ignores the configured seed and fails for an unknown user. */
 SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
+/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
+SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
+
 char *SRP_create_verifier(const char *user, const char *pass, char **salt,
                          char **verifier, const char *N, const char *g);
 int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
@@ -338,7 +338,7 @@ extern "C" {
 * The following cipher list is used by default. It also is substituted when
 * an application-defined cipher list string starts with 'DEFAULT'.
 */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
 /*
 * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
 * starts with a reasonable order, and all we have to do for DEFAULT is
@@ -625,7 +625,7 @@ struct ssl_session_st {
 # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION        0x00040000L
 /* If set, always create a new key when using tmp_ecdh parameters */
 # define SSL_OP_SINGLE_ECDH_USE                          0x00080000L
-/* If set, always create a new key when using tmp_dh parameters */
+/* Does nothing: retained for compatibility */
 # define SSL_OP_SINGLE_DH_USE                            0x00100000L
 /* Does nothing: retained for compatibiity */
 # define SSL_OP_EPHEMERAL_RSA                            0x0
@@ -1727,6 +1727,7 @@ extern "C" {
 # define SSL_ST_BEFORE                   0x4000
 # define SSL_ST_OK                       0x03
 # define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
+# define SSL_ST_ERR                      0x05

 # define SSL_CB_LOOP                     0x01
 # define SSL_CB_EXIT                     0x02
@@ -2091,7 +2092,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTX_set1_sigalgs_list(ctx, s) \
        SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
 # define SSL_set1_sigalgs(ctx, slist, slistlen) \
-        SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist)
+        SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist)
 # define SSL_set1_sigalgs_list(ctx, s) \
        SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s)
 # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \
@@ -2344,7 +2345,7 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);

-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
@@ -2531,7 +2532,6 @@ void SSL_set_tmp_ecdh_callback(SSL *ssl,
                                                int keylength));
 # endif

-# ifndef OPENSSL_NO_COMP
 const COMP_METHOD *SSL_get_current_compression(SSL *s);
 const COMP_METHOD *SSL_get_current_expansion(SSL *s);
 const char *SSL_COMP_get_name(const COMP_METHOD *comp);
@@ -2540,13 +2540,6 @@ STACK_OF(SSL_COMP) *SSL_COMP_set0_compression_methods(STACK_OF(SSL_COMP)
                                                      *meths);
 void SSL_COMP_free_compression_methods(void);
 int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm);
-# else
-const void *SSL_get_current_compression(SSL *s);
-const void *SSL_get_current_expansion(SSL *s);
-const char *SSL_COMP_get_name(const void *comp);
-void *SSL_COMP_get_compression_methods(void);
-int SSL_COMP_add_compression_method(int id, void *cm);
-# endif

 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);

@@ -2622,6 +2615,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_DTLS1_HEARTBEAT                            305
 # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN                    255
 # define SSL_F_DTLS1_PREPROCESS_FRAGMENT                  288
+# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS             424
 # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE           256
 # define SSL_F_DTLS1_PROCESS_RECORD                       257
 # define SSL_F_DTLS1_READ_BYTES                           258
@@ -2640,6 +2634,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_GET_CLIENT_MASTER_KEY                      107
 # define SSL_F_GET_SERVER_FINISHED                        108
 # define SSL_F_GET_SERVER_HELLO                           109
+# define SSL_F_GET_SERVER_STATIC_DH_KEY                   340
 # define SSL_F_GET_SERVER_VERIFY                          110
 # define SSL_F_I2D_SSL_SESSION                            111
 # define SSL_F_READ_N                                     112
@@ -2670,6 +2665,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM              130
 # define SSL_F_SSL3_CHECK_CLIENT_HELLO                    304
+# define SSL_F_SSL3_CHECK_FINISHED                        339
 # define SSL_F_SSL3_CLIENT_HELLO                          131
 # define SSL_F_SSL3_CONNECT                               132
 # define SSL_F_SSL3_CTRL                                  213
@@ -2678,6 +2674,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC                 292
 # define SSL_F_SSL3_ENC                                   134
 # define SSL_F_SSL3_GENERATE_KEY_BLOCK                    238
+# define SSL_F_SSL3_GENERATE_MASTER_SECRET                388
 # define SSL_F_SSL3_GET_CERTIFICATE_REQUEST               135
 # define SSL_F_SSL3_GET_CERT_STATUS                       289
 # define SSL_F_SSL3_GET_CERT_VERIFY                       136
@@ -2784,6 +2781,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL_RSA_PUBLIC_ENCRYPT                     188
 # define SSL_F_SSL_SCAN_CLIENTHELLO_TLSEXT                320
 # define SSL_F_SSL_SCAN_SERVERHELLO_TLSEXT                321
+# define SSL_F_SSL_SESSION_DUP                            348
 # define SSL_F_SSL_SESSION_NEW                            189
 # define SSL_F_SSL_SESSION_PRINT_FP                       190
 # define SSL_F_SSL_SESSION_SET1_ID_CONTEXT                312
@@ -2842,8 +2840,11 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK              106
 # define SSL_R_BAD_DECOMPRESSION                          107
 # define SSL_R_BAD_DH_G_LENGTH                            108
+# define SSL_R_BAD_DH_G_VALUE                             375
 # define SSL_R_BAD_DH_PUB_KEY_LENGTH                      109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE                       393
 # define SSL_R_BAD_DH_P_LENGTH                            110
+# define SSL_R_BAD_DH_P_VALUE                             395
 # define SSL_R_BAD_DIGEST_LENGTH                          111
 # define SSL_R_BAD_DSA_SIGNATURE                          112
 # define SSL_R_BAD_ECC_CERT                               304
@@ -2904,6 +2905,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_DATA_LENGTH_TOO_LONG                       146
 # define SSL_R_DECRYPTION_FAILED                          147
 # define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC        281
+# define SSL_R_DH_KEY_TOO_SMALL                           372
 # define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG            148
 # define SSL_R_DIGEST_CHECK_FAILED                        149
 # define SSL_R_DTLS_MESSAGE_TOO_BIG                       334
@@ -3047,6 +3049,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_SERVERHELLO_TLSEXT                         275
 # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED           277
 # define SSL_R_SHORT_READ                                 219
+# define SSL_R_SHUTDOWN_WHILE_IN_INIT                     407
 # define SSL_R_SIGNATURE_ALGORITHMS_ERROR                 360
 # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE      220
 # define SSL_R_SRP_A_CALC                                 361
@@ -3104,6 +3107,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             157
 # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
+# define SSL_R_TOO_MANY_WARN_ALERTS                       409
 # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235
 # define SSL_R_UNABLE_TO_DECODE_DH_CERTS                  236
 # define SSL_R_UNABLE_TO_DECODE_ECDH_CERTS                313
@@ -231,13 +231,12 @@ extern "C" {
 /* ExtensionType value from RFC5620 */
 # define TLSEXT_TYPE_heartbeat   15

-/* ExtensionType value from draft-ietf-tls-applayerprotoneg-00 */
+/* ExtensionType value from RFC7301 */
 # define TLSEXT_TYPE_application_layer_protocol_negotiation 16

 /*
 * ExtensionType value for TLS padding extension.
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ * http://tools.ietf.org/html/draft-agl-tls-padding
 */
 # define TLSEXT_TYPE_padding     21

@@ -262,20 +261,19 @@ extern "C" {
 #  define TLSEXT_TYPE_next_proto_neg              13172
 # endif

-/* NameType value from RFC 3546 */
+/* NameType value from RFC3546 */
 # define TLSEXT_NAMETYPE_host_name 0
-/* status request value from RFC 3546 */
+/* status request value from RFC3546 */
 # define TLSEXT_STATUSTYPE_ocsp 1

-/* ECPointFormat values from draft-ietf-tls-ecc-12 */
+/* ECPointFormat values from RFC4492 */
 # define TLSEXT_ECPOINTFORMAT_first                      0
 # define TLSEXT_ECPOINTFORMAT_uncompressed               0
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime  1
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2  2
 # define TLSEXT_ECPOINTFORMAT_last                       2

-/* Signature and hash algorithms from RFC 5246 */
-
+/* Signature and hash algorithms from RFC5246 */
 # define TLSEXT_signature_anonymous                      0
 # define TLSEXT_signature_rsa                            1
 # define TLSEXT_signature_dsa                            2
@@ -430,7 +428,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066

 /* AES ciphersuites from RFC3268 */
-
 # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 # define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
 # define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
@@ -595,7 +592,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
 # define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"

-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+/* ECC ciphersuites from RFC4492 */
 # define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"
@@ -565,6 +565,9 @@ int TS_RESP_CTX_set_clock_precision_digits(TS_RESP_CTX *ctx,
 /* At most we accept usec precision. */
 # define TS_MAX_CLOCK_PRECISION_DIGITS   6

+/* Maximum status message length */
+# define TS_MAX_STATUS_LENGTH   (1024 * 1024)
+
 /* No flags are set by default. */
 void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags);

@@ -1,4 +1,4 @@
-/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/ui/ui.h */
 /*
 * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
 * 2001.
@@ -1,4 +1,4 @@
-/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/ui/ui.h */
 /*
 * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project
 * 2001.
@@ -1234,6 +1234,7 @@ int X509_TRUST_get_trust(X509_TRUST *xp);
 * The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
 */
+
 void ERR_load_X509_strings(void);

 /* Error codes for the X509 functions. */
@@ -1241,6 +1242,7 @@ void ERR_load_X509_strings(void);
 /* Function codes. */
 # define X509_F_ADD_CERT_DIR                              100
 # define X509_F_BY_FILE_CTRL                              101
+# define X509_F_CHECK_NAME_CONSTRAINTS                    106
 # define X509_F_CHECK_POLICY                              145
 # define X509_F_DIR_CTRL                                  102
 # define X509_F_GET_CERT_BY_SUBJECT                       103
@@ -1305,6 +1307,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_LOADING_CERT_DIR                          103
 # define X509_R_LOADING_DEFAULTS                          104
 # define X509_R_METHOD_NOT_SUPPORTED                      124
+# define X509_R_NAME_TOO_LONG                             134
 # define X509_R_NEWER_CRL_NOT_NEWER                       132
 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY              105
 # define X509_R_NO_CRL_NUMBER                             130
@@ -1321,7 +1324,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_WRONG_LOOKUP_TYPE                         112
 # define X509_R_WRONG_TYPE                                122

-#ifdef  __cplusplus
+# ifdef  __cplusplus
 }
-#endif
+# endif
 #endif
@@ -313,7 +313,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
                X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)

 # define         X509_V_OK                                       0
-/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */
+# define         X509_V_ERR_UNSPECIFIED                          1

 # define         X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 # define         X509_V_ERR_UNABLE_TO_GET_CRL                    3
@@ -368,6 +368,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_PERMITTED_VIOLATION                  47
 # define         X509_V_ERR_EXCLUDED_VIOLATION                   48
 # define         X509_V_ERR_SUBTREE_MINMAX                       49
+# define         X509_V_ERR_APPLICATION_VERIFICATION             50
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE          51
 # define         X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX        52
 # define         X509_V_ERR_UNSUPPORTED_NAME_SYNTAX              53
@@ -386,8 +387,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
 # define         X509_V_ERR_EMAIL_MISMATCH                       63
 # define         X509_V_ERR_IP_ADDRESS_MISMATCH                  64

-/* The application is not happy */
-# define         X509_V_ERR_APPLICATION_VERIFICATION             50
+/* Caller error */
+# define         X509_V_ERR_INVALID_CALL                         65
+/* Issuer lookup error */
+# define         X509_V_ERR_STORE_LOOKUP                         66
+
+# define         X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION         67

 /* Certificate verify flags */

@@ -432,6 +437,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);

 /* Allow partial chains if at least one certificate is in trusted store */
 # define X509_V_FLAG_PARTIAL_CHAIN               0x80000
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
+ * will force the behaviour to match that of previous versions.
+ */
+# define X509_V_FLAG_NO_ALT_CHAINS               0x100000

 # define X509_VP_FLAG_DEFAULT                    0x1
 # define X509_VP_FLAG_OVERWRITE                  0x2