From 4f86a4185e0e3fa9f0232325e33b0b14025b7d6d Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Wed, 28 Jan 2026 11:03:02 +0000
Subject: [PATCH] import UBI openssl-3.5.1-7.el10_1

---
 0058-Fix-PPC-register-processing.patch | 2258 ++++++++++++++++++++++++
 0059-CVE-2025-11187.patch              |  485 +++++
 0060-CVE-2025-15467.patch              |  207 +++
 0061-CVE-2025-15468.patch              |   24 +
 0062-CVE-2025-15469.patch              |  266 +++
 0063-CVE-2025-66199.patch              |   30 +
 0064-CVE-2025-68160.patch              |   64 +
 0065-CVE-2025-69418.patch              |   67 +
 0066-CVE-2025-69420.patch              |   37 +
 0067-CVE-2025-69421.patch              |   28 +
 0068-CVE-2025-69419.patch              |  136 ++
 0069-CVE-2026-22795.patch              |   52 +
 openssl.spec                           |   35 +-
 13 files changed, 3688 insertions(+), 1 deletion(-)
 create mode 100644 0058-Fix-PPC-register-processing.patch
 create mode 100644 0059-CVE-2025-11187.patch
 create mode 100644 0060-CVE-2025-15467.patch
 create mode 100644 0061-CVE-2025-15468.patch
 create mode 100644 0062-CVE-2025-15469.patch
 create mode 100644 0063-CVE-2025-66199.patch
 create mode 100644 0064-CVE-2025-68160.patch
 create mode 100644 0065-CVE-2025-69418.patch
 create mode 100644 0066-CVE-2025-69420.patch
 create mode 100644 0067-CVE-2025-69421.patch
 create mode 100644 0068-CVE-2025-69419.patch
 create mode 100644 0069-CVE-2026-22795.patch

diff --git a/0058-Fix-PPC-register-processing.patch b/0058-Fix-PPC-register-processing.patch
new file mode 100644
index 0000000..10681c5
--- /dev/null
+++ b/0058-Fix-PPC-register-processing.patch
@@ -0,0 +1,2258 @@
+diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl
+index e8a215027e..68918a9305 100644
+--- a/crypto/modes/asm/aes-gcm-ppc.pl
++++ b/crypto/modes/asm/aes-gcm-ppc.pl
+@@ -1,6 +1,6 @@
+ #! /usr/bin/env perl
+ # Copyright 2014-2022 The OpenSSL Project Authors. All Rights Reserved.
+-# Copyright 2021- IBM Inc. All rights reserved
++# Copyright 2025- IBM Corp. All rights reserved
+ #
+ # Licensed under the Apache License 2.0 (the "License").  You may not use
+ # this file except in compliance with the License.  You can obtain a copy
+@@ -8,7 +8,9 @@
+ # https://www.openssl.org/source/license.html
+ #
+ #===================================================================================
+-# Written by Danny Tsen <dtsen@us.ibm.com> for OpenSSL Project,
++# Accelerated AES-GCM stitched implementation for ppc64le.
++#
++# Written by Danny Tsen <dtsen@us.ibm.com>
+ #
+ # GHASH is based on the Karatsuba multiplication method.
+ #
+@@ -32,420 +34,521 @@
+ # v31 - counter 1
+ #
+ # AES used,
+-#     vs0 - vs14 for round keys
++#     vs0 - round key 0
+ #     v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted)
+ #
+ # This implementation uses stitched AES-GCM approach to improve overall performance.
+ # AES is implemented with 8x blocks and GHASH is using 2 4x blocks.
+ #
+-# Current large block (16384 bytes) performance per second with 128 bit key --
+-#
+-#                        Encrypt  Decrypt
+-# Power10[le] (3.5GHz)   5.32G    5.26G
+-#
+ # ===================================================================================
+ #
++use strict;
++use warnings;
++
+ # $output is the last argument if it looks like a file (it has an extension)
+ # $flavour is the first argument if it doesn't look like a file
+-$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
+-$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+-
+-if ($flavour =~ /64/) {
+-	$SIZE_T=8;
+-	$LRSAVE=2*$SIZE_T;
+-	$STU="stdu";
+-	$POP="ld";
+-	$PUSH="std";
+-	$UCMP="cmpld";
+-	$SHRI="srdi";
+-} elsif ($flavour =~ /32/) {
+-	$SIZE_T=4;
+-	$LRSAVE=$SIZE_T;
+-	$STU="stwu";
+-	$POP="lwz";
+-	$PUSH="stw";
+-	$UCMP="cmplw";
+-	$SHRI="srwi";
+-} else { die "nonsense $flavour"; }
+-
+-$sp="r1";
+-$FRAME=6*$SIZE_T+13*16;	# 13*16 is for v20-v31 offload
+-
+-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
+-( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
+-( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
+-die "can't locate ppc-xlate.pl";
+-
+-open STDOUT,"| $^X $xlate $flavour \"$output\""
+-    or die "can't call $xlate: $!";
+-
+-$code=<<___;
+-.machine        "any"
+-.text
+-
+-# 4x loops
+-# v15 - v18 - input states
+-# vs1 - vs9 - round keys
+-#
+-.macro Loop_aes_middle4x
+-	xxlor	19+32, 1, 1
+-	xxlor	20+32, 2, 2
+-	xxlor	21+32, 3, 3
+-	xxlor	22+32, 4, 4
+-
+-	vcipher	15, 15, 19
+-	vcipher	16, 16, 19
+-	vcipher	17, 17, 19
+-	vcipher	18, 18, 19
++my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
++my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
+ 
+-	vcipher	15, 15, 20
+-	vcipher	16, 16, 20
+-	vcipher	17, 17, 20
+-	vcipher	18, 18, 20
+-
+-	vcipher	15, 15, 21
+-	vcipher	16, 16, 21
+-	vcipher	17, 17, 21
+-	vcipher	18, 18, 21
++$output and open STDOUT,">$output";
+ 
+-	vcipher	15, 15, 22
+-	vcipher	16, 16, 22
+-	vcipher	17, 17, 22
+-	vcipher	18, 18, 22
+-
+-	xxlor	19+32, 5, 5
+-	xxlor	20+32, 6, 6
+-	xxlor	21+32, 7, 7
+-	xxlor	22+32, 8, 8
++my $code.=<<___;
++.machine        "any"
++.text
+ 
+-	vcipher	15, 15, 19
+-	vcipher	16, 16, 19
+-	vcipher	17, 17, 19
+-	vcipher	18, 18, 19
++.macro SAVE_REGS
++	mflr 0
++	std 0, 16(1)
++	stdu 1,-512(1)
+ 
+-	vcipher	15, 15, 20
+-	vcipher	16, 16, 20
+-	vcipher	17, 17, 20
+-	vcipher	18, 18, 20
++	std	14, 112(1)
++	std	15, 120(1)
++	std	16, 128(1)
++	std	17, 136(1)
++	std	18, 144(1)
++	std	19, 152(1)
++	std	20, 160(1)
++	std	21, 168(1)
++	std	22, 176(1)
++	std	23, 184(1)
++	std	24, 192(1)
++
++	stxv	32+20, 256(1)
++	stxv	32+21, 256+16(1)
++	stxv	32+22, 256+32(1)
++	stxv	32+23, 256+48(1)
++	stxv	32+24, 256+64(1)
++	stxv	32+25, 256+80(1)
++	stxv	32+26, 256+96(1)
++	stxv	32+27, 256+112(1)
++	stxv	32+28, 256+128(1)
++	stxv	32+29, 256+144(1)
++	stxv	32+30, 256+160(1)
++	stxv	32+31, 256+176(1)
++.endm # SAVE_REGS
++
++.macro RESTORE_REGS
++	lxv	32+20, 256(1)
++	lxv	32+21, 256+16(1)
++	lxv	32+22, 256+32(1)
++	lxv	32+23, 256+48(1)
++	lxv	32+24, 256+64(1)
++	lxv	32+25, 256+80(1)
++	lxv	32+26, 256+96(1)
++	lxv	32+27, 256+112(1)
++	lxv	32+28, 256+128(1)
++	lxv	32+29, 256+144(1)
++	lxv	32+30, 256+160(1)
++	lxv	32+31, 256+176(1)
++
++	ld	14, 112(1)
++	ld	15, 120(1)
++	ld	16, 128(1)
++	ld	17, 136(1)
++	ld	18, 144(1)
++	ld	19, 152(1)
++	ld	20, 160(1)
++	ld	21, 168(1)
++	ld	22, 176(1)
++	ld	23, 184(1)
++	ld	24, 192(1)
++
++	addi    1, 1, 512
++	ld 0, 16(1)
++	mtlr 0
++.endm # RESTORE_REGS
+ 
+-	vcipher	15, 15, 21
+-	vcipher	16, 16, 21
+-	vcipher	17, 17, 21
+-	vcipher	18, 18, 21
+-
+-	vcipher	15, 15, 22
+-	vcipher	16, 16, 22
+-	vcipher	17, 17, 22
+-	vcipher	18, 18, 22
+-
+-	xxlor	23+32, 9, 9
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
++# 4x loops
++.macro AES_CIPHER_4x r
++	vcipher	15, 15, \\r
++	vcipher	16, 16, \\r
++	vcipher	17, 17, \\r
++	vcipher	18, 18, \\r
+ .endm
+ 
+ # 8x loops
+-# v15 - v22 - input states
+-# vs1 - vs9 - round keys
+-#
+-.macro Loop_aes_middle8x
+-	xxlor	23+32, 1, 1
+-	xxlor	24+32, 2, 2
+-	xxlor	25+32, 3, 3
+-	xxlor	26+32, 4, 4
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	vcipher	15, 15, 25
+-	vcipher	16, 16, 25
+-	vcipher	17, 17, 25
+-	vcipher	18, 18, 25
+-	vcipher	19, 19, 25
+-	vcipher	20, 20, 25
+-	vcipher	21, 21, 25
+-	vcipher	22, 22, 25
+-
+-	vcipher	15, 15, 26
+-	vcipher	16, 16, 26
+-	vcipher	17, 17, 26
+-	vcipher	18, 18, 26
+-	vcipher	19, 19, 26
+-	vcipher	20, 20, 26
+-	vcipher	21, 21, 26
+-	vcipher	22, 22, 26
+-
+-	xxlor	23+32, 5, 5
+-	xxlor	24+32, 6, 6
+-	xxlor	25+32, 7, 7
+-	xxlor	26+32, 8, 8
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	vcipher	15, 15, 25
+-	vcipher	16, 16, 25
+-	vcipher	17, 17, 25
+-	vcipher	18, 18, 25
+-	vcipher	19, 19, 25
+-	vcipher	20, 20, 25
+-	vcipher	21, 21, 25
+-	vcipher	22, 22, 25
+-
+-	vcipher	15, 15, 26
+-	vcipher	16, 16, 26
+-	vcipher	17, 17, 26
+-	vcipher	18, 18, 26
+-	vcipher	19, 19, 26
+-	vcipher	20, 20, 26
+-	vcipher	21, 21, 26
+-	vcipher	22, 22, 26
+-
+-	xxlor	23+32, 9, 9
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
++.macro AES_CIPHER_8x r
++	vcipher	15, 15, \\r
++	vcipher	16, 16, \\r
++	vcipher	17, 17, \\r
++	vcipher	18, 18, \\r
++	vcipher	19, 19, \\r
++	vcipher	20, 20, \\r
++	vcipher	21, 21, \\r
++	vcipher	22, 22, \\r
++.endm
++
++.macro LOOP_8AES_STATE
++	AES_CIPHER_8x 23
++	AES_CIPHER_8x 24
++	AES_CIPHER_8x 25
++	AES_CIPHER_8x 26
++	AES_CIPHER_8x 27
++	AES_CIPHER_8x 28
++	AES_CIPHER_8x 29
++	AES_CIPHER_8x 1
+ .endm
+ 
+ #
+-# Compute 4x hash values based on Karatsuba method.
++# PPC_GFMUL128_8x: Compute hash values of 8 blocks based on Karatsuba method.
+ #
+-ppc_aes_gcm_ghash:
+-	vxor		15, 15, 0
+-
+-	xxlxor		29, 29, 29
++# S1 should xor with the previous digest
++#
++# Xi = v0
++# H Poly = v2
++# Hash keys = v3 - v14
++# vs10: vpermxor vector
++# Scratch: v23 - v29
++#
++.macro PPC_GFMUL128_8x
+ 
+-	vpmsumd		23, 12, 15		# H4.L * X.L
+-	vpmsumd		24, 9, 16
+-	vpmsumd		25, 6, 17
+-	vpmsumd		26, 3, 18
++	vpmsumd	23, 12, 15		# H4.L * X.L
++	vpmsumd	24, 9, 16
++	vpmsumd	25, 6, 17
++	vpmsumd	26, 3, 18
+ 
+-	vxor		23, 23, 24
+-	vxor		23, 23, 25
+-	vxor		23, 23, 26		# L
++	vxor	23, 23, 24
++	vxor	23, 23, 25
++	vxor	23, 23, 26		# L
+ 
+-	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
+-	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
+-	vpmsumd		26, 7, 17
+-	vpmsumd		27, 4, 18
++	vpmsumd	27, 13, 15		# H4.L * X.H + H4.H * X.L
++	vpmsumd	28, 10, 16		# H3.L * X1.H + H3.H * X1.L
++	vpmsumd	25, 7, 17
++	vpmsumd	26, 4, 18
+ 
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
+-	vxor		24, 24, 27		# M
++	vxor	24, 27, 28
++	vxor	24, 24, 25
++	vxor	24, 24, 26		# M
+ 
+-	# sum hash and reduction with H Poly
+-	vpmsumd		28, 23, 2		# reduction
++	vpmsumd	26, 14, 15		# H4.H * X.H
++	vpmsumd	27, 11, 16
++	vpmsumd	28, 8, 17
++	vpmsumd	29, 5, 18
+ 
+-	xxlor		29+32, 29, 29
+-	vsldoi		26, 24, 29, 8		# mL
+-	vsldoi		29, 29, 24, 8		# mH
+-	vxor		23, 23, 26		# mL + L
++	vxor	26, 26, 27
++	vxor	26, 26, 28
++	vxor	26, 26, 29
+ 
+-	vsldoi		23, 23, 23, 8		# swap
+-	vxor		23, 23, 28
++	# sum hash and reduction with H Poly
++	vpmsumd	28, 23, 2		# reduction
+ 
+-	vpmsumd		24, 14, 15		# H4.H * X.H
+-	vpmsumd		25, 11, 16
+-	vpmsumd		26, 8, 17
+-	vpmsumd		27, 5, 18
++	vxor	1, 1, 1
++	vsldoi	25, 24, 1, 8		# mL
++	vsldoi	1, 1, 24, 8		# mH
++	vxor	23, 23, 25		# mL + L
+ 
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
+-	vxor		24, 24, 27
++	# This performs swap and xor like,
++	#   vsldoi	23, 23, 23, 8		# swap
++	#   vxor	23, 23, 28
++	xxlor	32+29, 10, 10
++	vpermxor 23, 23, 28, 29
+ 
+-	vxor		24, 24, 29
++	vxor	24, 26, 1		# H
+ 
+ 	# sum hash and reduction with H Poly
+-	vsldoi		27, 23, 23, 8		# swap
+-	vpmsumd		23, 23, 2
+-	vxor		27, 27, 24
+-	vxor		23, 23, 27
+-
+-	xxlor		32, 23+32, 23+32		# update hash
++	#
++	#  vsldoi 25, 23, 23, 8		# swap
++	#  vpmsumd 23, 23, 2
++	#  vxor	27, 25, 24
++	#
++	vpermxor 27, 23, 24, 29
++	vpmsumd	23, 23, 2
++	vxor	0, 23, 27		# Digest of 4 blocks
+ 
+-	blr
++	vxor	19, 19, 0
+ 
+-#
+-# Combine two 4x ghash
+-# v15 - v22 - input blocks
+-#
+-.macro ppc_aes_gcm_ghash2_4x
+-	# first 4x hash
+-	vxor		15, 15, 0		# Xi + X
++	# Compute digest for the next 4 blocks
++	vpmsumd	24, 9, 20
++	vpmsumd	25, 6, 21
++	vpmsumd	26, 3, 22
++	vpmsumd	23, 12, 19		# H4.L * X.L
+ 
+-	xxlxor		29, 29, 29
++	vxor	23, 23, 24
++	vxor	23, 23, 25
++	vxor	23, 23, 26		# L
+ 
+-	vpmsumd		23, 12, 15		# H4.L * X.L
+-	vpmsumd		24, 9, 16
+-	vpmsumd		25, 6, 17
+-	vpmsumd		26, 3, 18
++	vpmsumd	27, 13, 19		# H4.L * X.H + H4.H * X.L
++	vpmsumd	28, 10, 20		# H3.L * X1.H + H3.H * X1.L
++	vpmsumd	25, 7, 21
++	vpmsumd	26, 4, 22
+ 
+-	vxor		23, 23, 24
+-	vxor		23, 23, 25
+-	vxor		23, 23, 26		# L
++	vxor	24, 27, 28
++	vxor	24, 24, 25
++	vxor	24, 24, 26		# M
+ 
+-	vpmsumd		24, 13, 15		# H4.L * X.H + H4.H * X.L
+-	vpmsumd		25, 10, 16		# H3.L * X1.H + H3.H * X1.L
+-	vpmsumd		26, 7, 17
+-	vpmsumd		27, 4, 18
++	vpmsumd	26, 14, 19		# H4.H * X.H
++	vpmsumd	27, 11, 20
++	vpmsumd	28, 8, 21
++	vpmsumd	29, 5, 22
+ 
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
++	vxor	26, 26, 27
++	vxor	26, 26, 28
++	vxor	26, 26, 29
+ 
+ 	# sum hash and reduction with H Poly
+-	vpmsumd		28, 23, 2		# reduction
++	vpmsumd	28, 23, 2		# reduction
+ 
+-	xxlor		29+32, 29, 29
++	vxor	1, 1, 1
++	vsldoi	25, 24, 1, 8		# mL
++	vsldoi	1, 1, 24, 8		# mH
++	vxor	23, 23, 25		# mL + L
+ 
+-	vxor		24, 24, 27		# M
+-	vsldoi		26, 24, 29, 8		# mL
+-	vsldoi		29, 29, 24, 8		# mH
+-	vxor		23, 23, 26		# mL + L
++	# This performs swap and xor like,
++	#   vsldoi	23, 23, 23, 8		# swap
++	#   vxor	23, 23, 28
++	xxlor	32+29, 10, 10
++	vpermxor 23, 23, 28, 29
+ 
+-	vsldoi		23, 23, 23, 8		# swap
+-	vxor		23, 23, 28
++	vxor	24, 26, 1		# H
+ 
+-	vpmsumd		24, 14, 15		# H4.H * X.H
+-	vpmsumd		25, 11, 16
+-	vpmsumd		26, 8, 17
+-	vpmsumd		27, 5, 18
++	# sum hash and reduction with H Poly
++	#
++	#  vsldoi 25, 23, 23, 8		# swap
++	#  vpmsumd 23, 23, 2
++	#  vxor	27, 25, 24
++	#
++	vpermxor 27, 23, 24, 29
++	vpmsumd	23, 23, 2
++	vxor	0, 23, 27		# Digest of 8 blocks
++.endm
+ 
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
+-	vxor		24, 24, 27		# H
++#
++# Compute update single ghash
++# vs10: vpermxor vector
++# scratch: v1, v22..v27
++#
++.macro PPC_GHASH1x H S1
+ 
+-	vxor		24, 24, 29		# H + mH
++	vxor	1, 1, 1
+ 
+-	# sum hash and reduction with H Poly
+-	vsldoi		27, 23, 23, 8		# swap
+-	vpmsumd		23, 23, 2
+-	vxor		27, 27, 24
+-	vxor		27, 23, 27		# 1st Xi
+-
+-	# 2nd 4x hash
+-	vpmsumd		24, 9, 20
+-	vpmsumd		25, 6, 21
+-	vpmsumd		26, 3, 22
+-	vxor		19, 19, 27		# Xi + X
+-	vpmsumd		23, 12, 19		# H4.L * X.L
+-
+-	vxor		23, 23, 24
+-	vxor		23, 23, 25
+-	vxor		23, 23, 26		# L
+-
+-	vpmsumd		24, 13, 19		# H4.L * X.H + H4.H * X.L
+-	vpmsumd		25, 10, 20		# H3.L * X1.H + H3.H * X1.L
+-	vpmsumd		26, 7, 21
+-	vpmsumd		27, 4, 22
+-
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
++	vpmsumd	22, 3, \\S1		# L
++	vpmsumd	23, 4, \\S1		# M
++	vpmsumd	24, 5, \\S1		# H
+ 
+-	# sum hash and reduction with H Poly
+-	vpmsumd		28, 23, 2		# reduction
++	vpmsumd	27, 22, 2		# reduction
+ 
+-	xxlor		29+32, 29, 29
++	vsldoi	25, 23, 1, 8		# mL
++	vsldoi	26, 1, 23, 8		# mH
++	vxor	22, 22, 25		# LL + LL
++	vxor	24, 24, 26		# HH + HH
+ 
+-	vxor		24, 24, 27		# M
+-	vsldoi		26, 24, 29, 8		# mL
+-	vsldoi		29, 29, 24, 8		# mH
+-	vxor		23, 23, 26		# mL + L
++	xxlor	32+25, 10, 10
++	vpermxor 22, 22, 27, 25
+ 
+-	vsldoi		23, 23, 23, 8		# swap
+-	vxor		23, 23, 28
++	#  vsldoi 23, 22, 22, 8		# swap
++	#  vpmsumd 22, 22, 2		# reduction
++	#  vxor	23, 23, 24
++	vpermxor 23, 22, 24, 25
++	vpmsumd	22, 22, 2		# reduction
+ 
+-	vpmsumd		24, 14, 19		# H4.H * X.H
+-	vpmsumd		25, 11, 20
+-	vpmsumd		26, 8, 21
+-	vpmsumd		27, 5, 22
++	vxor	\\H, 22, 23
++.endm
+ 
+-	vxor		24, 24, 25
+-	vxor		24, 24, 26
+-	vxor		24, 24, 27		# H
++#
++# LOAD_HASH_TABLE
++# Xi = v0
++# H Poly = v2
++# Hash keys = v3 - v14
++#
++.macro LOAD_HASH_TABLE
++	# Load Xi
++	lxvb16x	32, 0, 8	# load Xi
+ 
+-	vxor		24, 24, 29		# H + mH
++	vxor	1, 1, 1
+ 
+-	# sum hash and reduction with H Poly
+-	vsldoi		27, 23, 23, 8		# swap
+-	vpmsumd		23, 23, 2
+-	vxor		27, 27, 24
+-	vxor		23, 23, 27
++	li	10, 32
++	lxvd2x	2+32, 10, 8	# H Poli
++
++	# load Hash - h^4, h^3, h^2, h
++	li	10, 64
++	lxvd2x	4+32, 10, 8	# H
++	vsldoi	3, 1, 4, 8	# l
++	vsldoi	5, 4, 1, 8	# h
++	li	10, 112
++	lxvd2x	7+32, 10, 8	# H^2
++	vsldoi	6, 1, 7, 8	# l
++	vsldoi	8, 7, 1, 8	# h
++	li	10, 160
++	lxvd2x	10+32, 10, 8	# H^3
++	vsldoi	9, 1, 10, 8	# l
++	vsldoi	11, 10, 1, 8	# h
++	li	10, 208
++	lxvd2x	13+32, 10, 8	# H^4
++	vsldoi	12, 1, 13, 8	# l
++	vsldoi	14, 13, 1, 8	# h
++.endm
+ 
+-	xxlor		32, 23+32, 23+32		# update hash
++.macro PROCESS_8X_AES_STATES
++	vcipherlast     15, 15, 1
++	vcipherlast     16, 16, 1
++	vcipherlast     17, 17, 1
++	vcipherlast     18, 18, 1
++	vcipherlast     19, 19, 1
++	vcipherlast     20, 20, 1
++	vcipherlast     21, 21, 1
++	vcipherlast     22, 22, 1
++
++	lxvb16x	32+23, 0, 14	# load block
++	lxvb16x	32+24, 15, 14	# load block
++	lxvb16x	32+25, 16, 14	# load block
++	lxvb16x	32+26, 17, 14	# load block
++	lxvb16x	32+27, 18, 14	# load block
++	lxvb16x	32+28, 19, 14	# load block
++	lxvb16x	32+29, 20, 14	# load block
++	lxvb16x	32+30, 21, 14	# load block
++	addi	14, 14, 128
++
++	vxor	15, 15, 23
++	vxor	16, 16, 24
++	vxor	17, 17, 25
++	vxor	18, 18, 26
++	vxor	19, 19, 27
++	vxor	20, 20, 28
++	vxor	21, 21, 29
++	vxor	22, 22, 30
++
++	stxvb16x 47, 0, 9	# store output
++	stxvb16x 48, 15, 9	# store output
++	stxvb16x 49, 16, 9	# store output
++	stxvb16x 50, 17, 9	# store output
++	stxvb16x 51, 18, 9	# store output
++	stxvb16x 52, 19, 9	# store output
++	stxvb16x 53, 20, 9	# store output
++	stxvb16x 54, 21, 9	# store output
++	addi	9, 9, 128
++.endm
+ 
++.macro COMPUTE_STATES
++	xxlor	32+15, 9, 9		# last state
++	vadduwm 15, 15, 31		# state + counter
++	vadduwm 16, 15, 31
++	vadduwm 17, 16, 31
++	vadduwm 18, 17, 31
++	vadduwm 19, 18, 31
++	vadduwm 20, 19, 31
++	vadduwm 21, 20, 31
++	vadduwm 22, 21, 31
++	xxlor	9, 32+22, 32+22		# save last state
++
++        xxlxor	32+15, 32+15, 0		# IV + round key - add round key 0
++	xxlxor	32+16, 32+16, 0
++	xxlxor	32+17, 32+17, 0
++	xxlxor	32+18, 32+18, 0
++	xxlxor	32+19, 32+19, 0
++	xxlxor	32+20, 32+20, 0
++	xxlxor	32+21, 32+21, 0
++	xxlxor	32+22, 32+22, 0
+ .endm
+ 
++################################################################################
++# Compute AES and ghash one block at a time.
++# r23: AES rounds
++# v30: current IV
++# vs0: roundkey 0
+ #
+-# Compute update single hash
+-#
+-.macro ppc_update_hash_1x
+-	vxor		28, 28, 0
++################################################################################
++.align 4
++aes_gcm_crypt_1x:
++.localentry	aes_gcm_crypt_1x,0
+ 
+-	vxor		19, 19, 19
++	cmpdi	5, 16
++	bge	__More_1x
++	blr
++__More_1x:
++	li      10, 16
++	divdu   12, 5, 10
+ 
+-	vpmsumd		22, 3, 28		# L
+-	vpmsumd		23, 4, 28		# M
+-	vpmsumd		24, 5, 28		# H
++	xxlxor	32+15, 32+30, 0
+ 
+-	vpmsumd		27, 22, 2		# reduction
++	# Pre-load 8 AES rounds to scratch vectors.
++	lxv	32+16, 16(6)		# round key 1
++	lxv	32+17, 32(6)		# round key 2
++	lxv	32+18, 48(6)		# round key 3
++	lxv	32+19, 64(6)		# round key 4
++	lxv	32+20, 80(6)		# round key 5
++	lxv	32+21, 96(6)		# round key 6
++	lxv	32+28, 112(6)		# round key 7
++	lxv	32+29, 128(6)		# round key 8
+ 
+-	vsldoi		25, 23, 19, 8		# mL
+-	vsldoi		26, 19, 23, 8		# mH
+-	vxor		22, 22, 25		# LL + LL
+-	vxor		24, 24, 26		# HH + HH
++	lwz	23, 240(6)	# n rounds
++	addi	22, 23, -9	# remaining AES rounds
+ 
+-	vsldoi		22, 22, 22, 8		# swap
+-	vxor		22, 22, 27
++	cmpdi	12, 0
++	bgt	__Loop_1x
++	blr
++
++__Loop_1x:
++	mtctr	22
++	addi	10, 6, 144
++	vcipher	15, 15, 16
++	vcipher	15, 15, 17
++	vcipher	15, 15, 18
++	vcipher	15, 15, 19
++	vcipher	15, 15, 20
++	vcipher	15, 15, 21
++	vcipher	15, 15, 28
++	vcipher	15, 15, 29
+ 
+-	vsldoi		20, 22, 22, 8		# swap
+-	vpmsumd		22, 22, 2		# reduction
+-	vxor		20, 20, 24
+-	vxor		22, 22, 20
++__Loop_aes_1state:
++	lxv	32+1, 0(10)
++	vcipher	15, 15, 1
++	addi	10, 10, 16
++	bdnz	__Loop_aes_1state
++	lxv	32+1, 0(10)		# last round key
++	lxvb16x 11, 0, 14		# load input block
++	vcipherlast 15, 15, 1
+ 
+-	vmr		0, 22			# update hash
++	xxlxor	32+15, 32+15, 11
++	stxvb16x 32+15, 0, 9	# store output
++	addi	14, 14, 16
++	addi	9, 9, 16
+ 
+-.endm
++	cmpdi	24, 0	# decrypt?
++	bne	__Encrypt_1x
++	xxlor	15+32, 11, 11
++__Encrypt_1x:
++	vxor	15, 15, 0
++	PPC_GHASH1x 0, 15
++
++	addi	5, 5, -16
++	addi	11, 11, 16
+ 
++	vadduwm 30, 30, 31		# IV + counter
++	xxlxor	32+15, 32+30, 0
++	addi	12, 12, -1
++	cmpdi	12, 0
++	bgt	__Loop_1x
++
++	stxvb16x 32+0, 0, 8		# update Xi
++	blr
++.size   aes_gcm_crypt_1x,.-aes_gcm_crypt_1x
++
++################################################################################
++# Process a normal partial block when we come here.
++#  Compute partial mask, Load and store partial block to stack.
++#  Compute AES state.
++#   Compute ghash.
+ #
++################################################################################
++.align 4
++__Process_partial:
++.localentry	__Process_partial,0
++
++	# create partial mask
++	vspltisb 16, -1
++	li	12, 16
++	sub	12, 12, 5
++	sldi	12, 12, 3
++	mtvsrdd	32+17, 0, 12
++	vslo	16, 16, 17		# partial block mask
++
++	lxvb16x 11, 0, 14		# load partial block
++	xxland	11, 11, 32+16
++
++	# AES crypt partial
++	xxlxor	32+15, 32+30, 0
++	lwz	23, 240(6)		# n rounds
++	addi	22, 23, -1		# loop - 1
++	mtctr	22
++	addi	10, 6, 16
++
++__Loop_aes_pstate:
++	lxv	32+1, 0(10)
++	vcipher	15, 15, 1
++	addi	10, 10, 16
++	bdnz	__Loop_aes_pstate
++	lxv	32+1, 0(10)		# last round key
++	vcipherlast 15, 15, 1
++
++	xxlxor	32+15, 32+15, 11
++	vand	15, 15, 16
++
++	# AES crypt output v15
++	# Write partial
++	li	10, 224
++	stxvb16x 15+32, 10, 1		# write v15 to stack
++	addi	10, 1, 223
++	addi	12, 9, -1
++        mtctr	5			# partial block len
++__Write_partial:
++        lbzu	22, 1(10)
++	stbu	22, 1(12)
++        bdnz	__Write_partial
++
++	cmpdi	24, 0			# decrypt?
++	bne	__Encrypt_partial
++	xxlor	32+15, 11, 11		# decrypt using the input block
++__Encrypt_partial:
++	vxor	15, 15, 0		# ^ previous hash
++	PPC_GHASH1x 0, 15
++	li	5, 0			# done last byte
++	stxvb16x 32+0, 0, 8		# Update X1
++	blr
++.size   __Process_partial,.-__Process_partial
++
++################################################################################
+ # ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len,
+-#               const AES_KEY *key, unsigned char iv[16],
+-#               void *Xip);
++#               const char *rk, unsigned char iv[16], void *Xip);
+ #
+ #    r3 - inp
+ #    r4 - out
+@@ -454,159 +557,85 @@ ppc_aes_gcm_ghash:
+ #    r7 - iv
+ #    r8 - Xi, HPoli, hash keys
+ #
++#    rounds is at offset 240 in rk
++#    Xi is at 0 in gcm_table (Xip).
++#
++################################################################################
+ .global ppc_aes_gcm_encrypt
+ .align 5
+ ppc_aes_gcm_encrypt:
+-_ppc_aes_gcm_encrypt:
++.localentry     ppc_aes_gcm_encrypt,0
+ 
+-	stdu 1,-512(1)
+-	mflr 0
+-
+-	std	14,112(1)
+-	std	15,120(1)
+-	std	16,128(1)
+-	std	17,136(1)
+-	std	18,144(1)
+-	std	19,152(1)
+-	std	20,160(1)
+-	std	21,168(1)
+-	li	9, 256
+-	stvx	20, 9, 1
+-	addi	9, 9, 16
+-	stvx	21, 9, 1
+-	addi	9, 9, 16
+-	stvx	22, 9, 1
+-	addi	9, 9, 16
+-	stvx	23, 9, 1
+-	addi	9, 9, 16
+-	stvx	24, 9, 1
+-	addi	9, 9, 16
+-	stvx	25, 9, 1
+-	addi	9, 9, 16
+-	stvx	26, 9, 1
+-	addi	9, 9, 16
+-	stvx	27, 9, 1
+-	addi	9, 9, 16
+-	stvx	28, 9, 1
+-	addi	9, 9, 16
+-	stvx	29, 9, 1
+-	addi	9, 9, 16
+-	stvx	30, 9, 1
+-	addi	9, 9, 16
+-	stvx	31, 9, 1
+-	std	0, 528(1)
+-
+-	# Load Xi
+-	lxvb16x	32, 0, 8	# load Xi
+-
+-	# load Hash - h^4, h^3, h^2, h
+-	li	10, 32
+-	lxvd2x	2+32, 10, 8	# H Poli
+-	li	10, 48
+-	lxvd2x	3+32, 10, 8	# Hl
+-	li	10, 64
+-	lxvd2x	4+32, 10, 8	# H
+-	li	10, 80
+-	lxvd2x	5+32, 10, 8	# Hh
+-
+-	li	10, 96
+-	lxvd2x	6+32, 10, 8	# H^2l
+-	li	10, 112
+-	lxvd2x	7+32, 10, 8	# H^2
+-	li	10, 128
+-	lxvd2x	8+32, 10, 8	# H^2h
+-
+-	li	10, 144
+-	lxvd2x	9+32, 10, 8	# H^3l
+-	li	10, 160
+-	lxvd2x	10+32, 10, 8	# H^3
+-	li	10, 176
+-	lxvd2x	11+32, 10, 8	# H^3h
+-
+-	li	10, 192
+-	lxvd2x	12+32, 10, 8	# H^4l
+-	li	10, 208
+-	lxvd2x	13+32, 10, 8	# H^4
+-	li	10, 224
+-	lxvd2x	14+32, 10, 8	# H^4h
++	SAVE_REGS
++	LOAD_HASH_TABLE
+ 
+ 	# initialize ICB: GHASH( IV ), IV - r7
+ 	lxvb16x	30+32, 0, 7	# load IV  - v30
+ 
+-	mr	12, 5		# length
+-	li	11, 0		# block index
++	mr	14, 3
++	mr	9, 4
+ 
+ 	# counter 1
+ 	vxor	31, 31, 31
+ 	vspltisb 22, 1
+ 	vsldoi	31, 31, 22,1	# counter 1
+ 
+-	# load round key to VSR
+-	lxv	0, 0(6)
+-	lxv	1, 0x10(6)
+-	lxv	2, 0x20(6)
+-	lxv	3, 0x30(6)
+-	lxv	4, 0x40(6)
+-	lxv	5, 0x50(6)
+-	lxv	6, 0x60(6)
+-	lxv	7, 0x70(6)
+-	lxv	8, 0x80(6)
+-	lxv	9, 0x90(6)
+-	lxv	10, 0xa0(6)
++	addis	11, 2, permx\@toc\@ha
++	addi	11, 11, permx\@toc\@l
++	lxv	10, 0(11)	# vs10: vpermxor vector
++	li	11, 0
+ 
+-	# load rounds - 10 (128), 12 (192), 14 (256)
+-	lwz	9,240(6)
++	lxv	0, 0(6)			# round key 0
+ 
+ 	#
+-	# vxor	state, state, w # addroundkey
+-	xxlor	32+29, 0, 0
+-	vxor	15, 30, 29	# IV + round key - add round key 0
+-
+-	cmpdi	9, 10
+-	beq	Loop_aes_gcm_8x
+-
+-	# load 2 more round keys (v11, v12)
+-	lxv	11, 0xb0(6)
+-	lxv	12, 0xc0(6)
+-
+-	cmpdi	9, 12
+-	beq	Loop_aes_gcm_8x
+-
+-	# load 2 more round keys (v11, v12, v13, v14)
+-	lxv	13, 0xd0(6)
+-	lxv	14, 0xe0(6)
+-	cmpdi	9, 14
+-	beq	Loop_aes_gcm_8x
+-
+-	b	aes_gcm_out
++	# Process different blocks
++	#
++	cmpdi	5, 128
++	blt	__Process_more_enc
++
++	# load 9 round keys
++	lxv	32+23, 16(6)		# round key 1
++	lxv	32+24, 32(6)		# round key 2
++	lxv	32+25, 48(6)		# round key 3
++	lxv	32+26, 64(6)		# round key 4
++	lxv	32+27, 80(6)		# round key 5
++	lxv	32+28, 96(6)		# round key 6
++	lxv	32+29, 112(6)		# round key 7
++	lxv	32+1, 128(6)		# round key 8
+ 
+-.align 5
+-Loop_aes_gcm_8x:
+-	mr	14, 3
+-	mr	9, 4
++	# load rounds - 10 (128), 12 (192), 14 (256)
++	lwz	23, 240(6)		# n rounds
+ 
+-	# n blocks
++__Process_encrypt:
++#
++# Process 8x AES/GCM blocks
++#
++__Process_8x_enc:
++	# 8x blocks
+ 	li	10, 128
+-	divdu	10, 5, 10	# n 128 bytes-blocks
+-	cmpdi	10, 0
+-	beq	Loop_last_block
+-
+-	vaddudm	30, 30, 31	# IV + counter
+-	vxor	16, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	17, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	18, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	19, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	20, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	21, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	22, 30, 29
+-
+-	mtctr	10
++	divdu	12, 5, 10	# n 128 bytes-blocks
++
++	addi	12, 12, -1	# loop - 1
++
++	vmr	15, 30		# first state: IV
++	vadduwm	16, 15, 31	# state + counter
++	vadduwm	17, 16, 31
++	vadduwm	18, 17, 31
++	vadduwm	19, 18, 31
++	vadduwm	20, 19, 31
++	vadduwm	21, 20, 31
++	vadduwm	22, 21, 31
++	xxlor	9, 32+22, 32+22	# save last state
++
++	# vxor  state, state, w # addroundkey
++	xxlxor	32+15, 32+15, 0      # IV + round key - add round key 0
++	xxlxor	32+16, 32+16, 0
++	xxlxor	32+17, 32+17, 0
++	xxlxor	32+18, 32+18, 0
++	xxlxor	32+19, 32+19, 0
++	xxlxor	32+20, 32+20, 0
++	xxlxor	32+21, 32+21, 0
++	xxlxor	32+22, 32+22, 0
+ 
+ 	li	15, 16
+ 	li	16, 32
+@@ -616,523 +645,185 @@ Loop_aes_gcm_8x:
+ 	li	20, 96
+ 	li	21, 112
+ 
+-	lwz	10, 240(6)
+-
+-Loop_8x_block:
+-
+-	lxvb16x		15, 0, 14	# load block
+-	lxvb16x		16, 15, 14	# load block
+-	lxvb16x		17, 16, 14	# load block
+-	lxvb16x		18, 17, 14	# load block
+-	lxvb16x		19, 18, 14	# load block
+-	lxvb16x		20, 19, 14	# load block
+-	lxvb16x		21, 20, 14	# load block
+-	lxvb16x		22, 21, 14	# load block
+-	addi		14, 14, 128
+-
+-	Loop_aes_middle8x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_next_ghash
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_next_ghash
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	xxlor	23+32, 14, 14
+-
+-	cmpdi	10, 14
+-	beq	Do_next_ghash
+-	b	aes_gcm_out
+-
+-Do_next_ghash:
+-
+ 	#
+-	# last round
+-	vcipherlast     15, 15, 23
+-	vcipherlast     16, 16, 23
+-
+-	xxlxor		47, 47, 15
+-	stxvb16x        47, 0, 9	# store output
+-	xxlxor		48, 48, 16
+-	stxvb16x        48, 15, 9	# store output
+-
+-	vcipherlast     17, 17, 23
+-	vcipherlast     18, 18, 23
++	# Pre-compute first 8 AES state and leave 1/3/5 more rounds
++	# for the loop.
++	#
++	addi	22, 23, -9		# process 8 keys
++	mtctr	22			# AES key loop
++	addi	10, 6, 144
+ 
+-	xxlxor		49, 49, 17
+-	stxvb16x        49, 16, 9	# store output
+-	xxlxor		50, 50, 18
+-	stxvb16x        50, 17, 9	# store output
++	LOOP_8AES_STATE			# process 8 AES keys
+ 
+-	vcipherlast     19, 19, 23
+-	vcipherlast     20, 20, 23
++__PreLoop_aes_state:
++	lxv	32+1, 0(10)		# round key
++	AES_CIPHER_8x 1
++	addi	10, 10, 16
++	bdnz	__PreLoop_aes_state
++	lxv	32+1, 0(10)		# last round key (v1)
+ 
+-	xxlxor		51, 51, 19
+-	stxvb16x        51, 18, 9	# store output
+-	xxlxor		52, 52, 20
+-	stxvb16x        52, 19, 9	# store output
++	cmpdi	12, 0			# Only one loop (8 block)
++	beq	__Finish_ghash
+ 
+-	vcipherlast     21, 21, 23
+-	vcipherlast     22, 22, 23
++#
++# Loop 8x blocks and compute ghash
++#
++__Loop_8x_block_enc:
++	PROCESS_8X_AES_STATES
+ 
+-	xxlxor		53, 53, 21
+-	stxvb16x        53, 20, 9	# store output
+-	xxlxor		54, 54, 22
+-	stxvb16x        54, 21, 9	# store output
++	# Compute ghash here
++	vxor	15, 15, 0
++	PPC_GFMUL128_8x
+ 
+-	addi		9, 9, 128
++	COMPUTE_STATES
+ 
+-	# ghash here
+-	ppc_aes_gcm_ghash2_4x
+-
+-	xxlor	27+32, 0, 0
+-	vaddudm 30, 30, 31		# IV + counter
+-	vmr	29, 30
+-	vxor    15, 30, 27		# add round key
+-	vaddudm 30, 30, 31
+-	vxor    16, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    17, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    18, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    19, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    20, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    21, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    22, 30, 27
+-
+-	addi    12, 12, -128
++	addi    5, 5, -128
+ 	addi    11, 11, 128
+ 
+-	bdnz	Loop_8x_block
+-
+-	vmr	30, 29
+-
+-Loop_last_block:
+-	cmpdi   12, 0
+-	beq     aes_gcm_out
+-
+-	# loop last few blocks
+-	li      10, 16
+-	divdu   10, 12, 10
+-
+-	mtctr   10
+-
+-	lwz	10, 240(6)
+-
+-	cmpdi   12, 16
+-	blt     Final_block
+-
+-.macro Loop_aes_middle_1x
+-	xxlor	19+32, 1, 1
+-	xxlor	20+32, 2, 2
+-	xxlor	21+32, 3, 3
+-	xxlor	22+32, 4, 4
+-
+-	vcipher 15, 15, 19
+-	vcipher 15, 15, 20
+-	vcipher 15, 15, 21
+-	vcipher 15, 15, 22
+-
+-	xxlor	19+32, 5, 5
+-	xxlor	20+32, 6, 6
+-	xxlor	21+32, 7, 7
+-	xxlor	22+32, 8, 8
+-
+-	vcipher 15, 15, 19
+-	vcipher 15, 15, 20
+-	vcipher 15, 15, 21
+-	vcipher 15, 15, 22
+-
+-	xxlor	19+32, 9, 9
+-	vcipher 15, 15, 19
+-.endm
+-
+-Next_rem_block:
+-	lxvb16x 15, 0, 14		# load block
+-
+-	Loop_aes_middle_1x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_next_1x
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_next_1x
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 14, 14
+-
+-	cmpdi	10, 14
+-	beq	Do_next_1x
+-
+-Do_next_1x:
+-	vcipherlast     15, 15, 23
+-
+-	xxlxor		47, 47, 15
+-	stxvb16x	47, 0, 9	# store output
+-	addi		14, 14, 16
+-	addi		9, 9, 16
+-
+-	vmr		28, 15
+-	ppc_update_hash_1x
+-
+-	addi		12, 12, -16
+-	addi		11, 11, 16
+-	xxlor		19+32, 0, 0
+-	vaddudm		30, 30, 31		# IV + counter
+-	vxor		15, 30, 19		# add round key
++	lxv	32+23, 16(6)		# round key 1
++	lxv	32+24, 32(6)		# round key 2
++	lxv	32+25, 48(6)		# round key 3
++	lxv	32+26, 64(6)		# round key 4
++	lxv	32+27, 80(6)		# round key 5
++	lxv	32+28, 96(6)		# round key 6
++	lxv	32+29, 112(6)		# round key 7
++	lxv	32+1, 128(6)		# round key 8
++
++	# Compute first 8 AES state and leave 1/3/5 more rounds
++	# for the loop.
++	LOOP_8AES_STATE			# process 8 AES keys
++	mtctr	22			# AES key loop
++	addi	10, 6, 144
++
++__LastLoop_aes_state:
++	lxv	32+1, 0(10)		# round key
++	AES_CIPHER_8x 1
++	addi	10, 10, 16
++	bdnz	__LastLoop_aes_state
+ 
+-	bdnz	Next_rem_block
++	lxv	32+1, 0(10)		# last round key (v1)
+ 
++	addi	12, 12, -1
+ 	cmpdi	12, 0
+-	beq	aes_gcm_out
+-
+-Final_block:
+-	Loop_aes_middle_1x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_final_1x
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
++	bne	__Loop_8x_block_enc
+ 
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_final_1x
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 14, 14
+-
+-	cmpdi	10, 14
+-	beq	Do_final_1x
+-
+-Do_final_1x:
+-	vcipherlast     15, 15, 23
+-
+-	lxvb16x	15, 0, 14		# load last block
+-	xxlxor	47, 47, 15
+-
+-	# create partial block mask
+-	li	15, 16
+-	sub	15, 15, 12		# index to the mask
+-
+-	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
+-	vspltisb	17, 0		# second 16 bytes - 0x0000...00
+-	li	10, 192
+-	stvx	16, 10, 1
+-	addi	10, 10, 16
+-	stvx	17, 10, 1
+-
+-	addi	10, 1, 192
+-	lxvb16x	16, 15, 10		# load partial block mask
+-	xxland	47, 47, 16
+-
+-	vmr	28, 15
+-	ppc_update_hash_1x
++	#
++	# Remainng blocks
++	#
++__Finish_ghash:
++	PROCESS_8X_AES_STATES
+ 
+-	# * should store only the remaining bytes.
+-	bl	Write_partial_block
++	# Compute ghash here
++	vxor	15, 15, 0
++	PPC_GFMUL128_8x
+ 
+-	b aes_gcm_out
++	# Update IV and Xi
++	xxlor	30+32, 9, 9		# last ctr
++	vadduwm	30, 30, 31		# increase ctr
++	stxvb16x 32+0, 0, 8		# update Xi
+ 
+-#
+-# Write partial block
+-# r9 - output
+-# r12 - remaining bytes
+-# v15 - partial input data
+-#
+-Write_partial_block:
+-	li		10, 192
+-	stxvb16x	15+32, 10, 1		# last block
++	addi    5, 5, -128
++	addi    11, 11, 128
+ 
+-	#add		10, 9, 11		# Output
+-	addi		10, 9, -1
+-	addi		16, 1, 191
++	#
++	# Done 8x blocks
++	#
+ 
+-        mtctr		12			# remaining bytes
+-	li		15, 0
++	cmpdi   5, 0
++	beq     aes_gcm_out
+ 
+-Write_last_byte:
+-        lbzu		14, 1(16)
+-	stbu		14, 1(10)
+-        bdnz		Write_last_byte
+-	blr
++__Process_more_enc:
++	li	24, 1			# encrypt
++	bl	aes_gcm_crypt_1x
++	cmpdi   5, 0
++	beq     aes_gcm_out
+ 
+-aes_gcm_out:
+-	# out = state
+-	stxvb16x	32, 0, 8		# write out Xi
+-	add	3, 11, 12		# return count
++	bl	__Process_partial
++	b	aes_gcm_out
+ 
+-	li	9, 256
+-	lvx	20, 9, 1
+-	addi	9, 9, 16
+-	lvx	21, 9, 1
+-	addi	9, 9, 16
+-	lvx	22, 9, 1
+-	addi	9, 9, 16
+-	lvx	23, 9, 1
+-	addi	9, 9, 16
+-	lvx	24, 9, 1
+-	addi	9, 9, 16
+-	lvx	25, 9, 1
+-	addi	9, 9, 16
+-	lvx	26, 9, 1
+-	addi	9, 9, 16
+-	lvx	27, 9, 1
+-	addi	9, 9, 16
+-	lvx	28, 9, 1
+-	addi	9, 9, 16
+-	lvx	29, 9, 1
+-	addi	9, 9, 16
+-	lvx	30, 9, 1
+-	addi	9, 9, 16
+-	lvx	31, 9, 1
+-
+-	ld	0, 528(1)
+-	ld      14,112(1)
+-	ld      15,120(1)
+-	ld      16,128(1)
+-	ld      17,136(1)
+-	ld      18,144(1)
+-	ld      19,152(1)
+-	ld      20,160(1)
+-	ld	21,168(1)
+-
+-	mtlr	0
+-	addi	1, 1, 512
+-	blr
++.size   ppc_aes_gcm_encrypt,.-ppc_aes_gcm_encrypt
+ 
+-#
++################################################################################
++# ppc_aes_gcm_decrypt (const void *inp, void *out, size_t len,
++#               const char *rk, unsigned char iv[16], void *Xip);
+ # 8x Decrypt
+ #
++################################################################################
+ .global ppc_aes_gcm_decrypt
+ .align 5
+ ppc_aes_gcm_decrypt:
+-_ppc_aes_gcm_decrypt:
+-
+-	stdu 1,-512(1)
+-	mflr 0
+-
+-	std	14,112(1)
+-	std	15,120(1)
+-	std	16,128(1)
+-	std	17,136(1)
+-	std	18,144(1)
+-	std	19,152(1)
+-	std	20,160(1)
+-	std	21,168(1)
+-	li	9, 256
+-	stvx	20, 9, 1
+-	addi	9, 9, 16
+-	stvx	21, 9, 1
+-	addi	9, 9, 16
+-	stvx	22, 9, 1
+-	addi	9, 9, 16
+-	stvx	23, 9, 1
+-	addi	9, 9, 16
+-	stvx	24, 9, 1
+-	addi	9, 9, 16
+-	stvx	25, 9, 1
+-	addi	9, 9, 16
+-	stvx	26, 9, 1
+-	addi	9, 9, 16
+-	stvx	27, 9, 1
+-	addi	9, 9, 16
+-	stvx	28, 9, 1
+-	addi	9, 9, 16
+-	stvx	29, 9, 1
+-	addi	9, 9, 16
+-	stvx	30, 9, 1
+-	addi	9, 9, 16
+-	stvx	31, 9, 1
+-	std	0, 528(1)
+-
+-	# Load Xi
+-	lxvb16x	32, 0, 8	# load Xi
+-
+-	# load Hash - h^4, h^3, h^2, h
+-	li	10, 32
+-	lxvd2x	2+32, 10, 8	# H Poli
+-	li	10, 48
+-	lxvd2x	3+32, 10, 8	# Hl
+-	li	10, 64
+-	lxvd2x	4+32, 10, 8	# H
+-	li	10, 80
+-	lxvd2x	5+32, 10, 8	# Hh
+-
+-	li	10, 96
+-	lxvd2x	6+32, 10, 8	# H^2l
+-	li	10, 112
+-	lxvd2x	7+32, 10, 8	# H^2
+-	li	10, 128
+-	lxvd2x	8+32, 10, 8	# H^2h
++.localentry	ppc_aes_gcm_decrypt, 0
+ 
+-	li	10, 144
+-	lxvd2x	9+32, 10, 8	# H^3l
+-	li	10, 160
+-	lxvd2x	10+32, 10, 8	# H^3
+-	li	10, 176
+-	lxvd2x	11+32, 10, 8	# H^3h
+-
+-	li	10, 192
+-	lxvd2x	12+32, 10, 8	# H^4l
+-	li	10, 208
+-	lxvd2x	13+32, 10, 8	# H^4
+-	li	10, 224
+-	lxvd2x	14+32, 10, 8	# H^4h
++	SAVE_REGS
++	LOAD_HASH_TABLE
+ 
+ 	# initialize ICB: GHASH( IV ), IV - r7
+ 	lxvb16x	30+32, 0, 7	# load IV  - v30
+ 
+-	mr	12, 5		# length
+-	li	11, 0		# block index
++	mr	14, 3
++	mr	9, 4
+ 
+ 	# counter 1
+ 	vxor	31, 31, 31
+ 	vspltisb 22, 1
+ 	vsldoi	31, 31, 22,1	# counter 1
+ 
+-	# load round key to VSR
+-	lxv	0, 0(6)
+-	lxv	1, 0x10(6)
+-	lxv	2, 0x20(6)
+-	lxv	3, 0x30(6)
+-	lxv	4, 0x40(6)
+-	lxv	5, 0x50(6)
+-	lxv	6, 0x60(6)
+-	lxv	7, 0x70(6)
+-	lxv	8, 0x80(6)
+-	lxv	9, 0x90(6)
+-	lxv	10, 0xa0(6)
++	addis	11, 2, permx\@toc\@ha
++	addi	11, 11, permx\@toc\@l
++	lxv	10, 0(11)	# vs10: vpermxor vector
++	li	11, 0
+ 
+-	# load rounds - 10 (128), 12 (192), 14 (256)
+-	lwz	9,240(6)
++	lxv	0, 0(6)			# round key 0
+ 
+ 	#
+-	# vxor	state, state, w # addroundkey
+-	xxlor	32+29, 0, 0
+-	vxor	15, 30, 29	# IV + round key - add round key 0
+-
+-	cmpdi	9, 10
+-	beq	Loop_aes_gcm_8x_dec
+-
+-	# load 2 more round keys (v11, v12)
+-	lxv	11, 0xb0(6)
+-	lxv	12, 0xc0(6)
+-
+-	cmpdi	9, 12
+-	beq	Loop_aes_gcm_8x_dec
+-
+-	# load 2 more round keys (v11, v12, v13, v14)
+-	lxv	13, 0xd0(6)
+-	lxv	14, 0xe0(6)
+-	cmpdi	9, 14
+-	beq	Loop_aes_gcm_8x_dec
+-
+-	b	aes_gcm_out
++	# Process different blocks
++	#
++	cmpdi	5, 128
++	blt	__Process_more_dec
++
++	# load 9 round keys
++	lxv	32+23, 16(6)		# round key 1
++	lxv	32+24, 32(6)		# round key 2
++	lxv	32+25, 48(6)		# round key 3
++	lxv	32+26, 64(6)		# round key 4
++	lxv	32+27, 80(6)		# round key 5
++	lxv	32+28, 96(6)		# round key 6
++	lxv	32+29, 112(6)		# round key 7
++	lxv	32+1, 128(6)		# round key 8
+ 
+-.align 5
+-Loop_aes_gcm_8x_dec:
+-	mr	14, 3
+-	mr	9, 4
++	# load rounds - 10 (128), 12 (192), 14 (256)
++	lwz	23, 240(6)		# n rounds
+ 
+-	# n blocks
++__Process_decrypt:
++#
++# Process 8x AES/GCM blocks
++#
++__Process_8x_dec:
++	# 8x blocks
+ 	li	10, 128
+-	divdu	10, 5, 10	# n 128 bytes-blocks
+-	cmpdi	10, 0
+-	beq	Loop_last_block_dec
+-
+-	vaddudm	30, 30, 31	# IV + counter
+-	vxor	16, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	17, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	18, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	19, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	20, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	21, 30, 29
+-	vaddudm	30, 30, 31
+-	vxor	22, 30, 29
+-
+-	mtctr	10
++	divdu	12, 5, 10	# n 128 bytes-blocks
++
++	addi	12, 12, -1	# loop - 1
++
++	vmr	15, 30		# first state: IV
++	vadduwm	16, 15, 31	# state + counter
++	vadduwm	17, 16, 31
++	vadduwm	18, 17, 31
++	vadduwm	19, 18, 31
++	vadduwm	20, 19, 31
++	vadduwm	21, 20, 31
++	vadduwm	22, 21, 31
++	xxlor	9, 32+22, 32+22	# save last state
++
++	# vxor  state, state, w # addroundkey
++	xxlxor	32+15, 32+15, 0      # IV + round key - add round key 0
++	xxlxor	32+16, 32+16, 0
++	xxlxor	32+17, 32+17, 0
++	xxlxor	32+18, 32+18, 0
++	xxlxor	32+19, 32+19, 0
++	xxlxor	32+20, 32+20, 0
++	xxlxor	32+21, 32+21, 0
++	xxlxor	32+22, 32+22, 0
+ 
+ 	li	15, 16
+ 	li	16, 32
+@@ -1142,297 +833,219 @@ Loop_aes_gcm_8x_dec:
+ 	li	20, 96
+ 	li	21, 112
+ 
+-	lwz	10, 240(6)
+-
+-Loop_8x_block_dec:
+-
+-	lxvb16x		15, 0, 14	# load block
+-	lxvb16x		16, 15, 14	# load block
+-	lxvb16x		17, 16, 14	# load block
+-	lxvb16x		18, 17, 14	# load block
+-	lxvb16x		19, 18, 14	# load block
+-	lxvb16x		20, 19, 14	# load block
+-	lxvb16x		21, 20, 14	# load block
+-	lxvb16x		22, 21, 14	# load block
+-	addi		14, 14, 128
+-
+-	Loop_aes_middle8x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_last_aes_dec
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_last_aes_dec
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	16, 16, 23
+-	vcipher	17, 17, 23
+-	vcipher	18, 18, 23
+-	vcipher	19, 19, 23
+-	vcipher	20, 20, 23
+-	vcipher	21, 21, 23
+-	vcipher	22, 22, 23
+-
+-	vcipher	15, 15, 24
+-	vcipher	16, 16, 24
+-	vcipher	17, 17, 24
+-	vcipher	18, 18, 24
+-	vcipher	19, 19, 24
+-	vcipher	20, 20, 24
+-	vcipher	21, 21, 24
+-	vcipher	22, 22, 24
+-
+-	xxlor	23+32, 14, 14
+-
+-	cmpdi	10, 14
+-	beq	Do_last_aes_dec
+-	b	aes_gcm_out
+-
+-Do_last_aes_dec:
+-
+ 	#
+-	# last round
+-	vcipherlast     15, 15, 23
+-	vcipherlast     16, 16, 23
+-
+-	xxlxor		47, 47, 15
+-	stxvb16x        47, 0, 9	# store output
+-	xxlxor		48, 48, 16
+-	stxvb16x        48, 15, 9	# store output
+-
+-	vcipherlast     17, 17, 23
+-	vcipherlast     18, 18, 23
+-
+-	xxlxor		49, 49, 17
+-	stxvb16x        49, 16, 9	# store output
+-	xxlxor		50, 50, 18
+-	stxvb16x        50, 17, 9	# store output
+-
+-	vcipherlast     19, 19, 23
+-	vcipherlast     20, 20, 23
+-
+-	xxlxor		51, 51, 19
+-	stxvb16x        51, 18, 9	# store output
+-	xxlxor		52, 52, 20
+-	stxvb16x        52, 19, 9	# store output
+-
+-	vcipherlast     21, 21, 23
+-	vcipherlast     22, 22, 23
+-
+-	xxlxor		53, 53, 21
+-	stxvb16x        53, 20, 9	# store output
+-	xxlxor		54, 54, 22
+-	stxvb16x        54, 21, 9	# store output
+-
+-	addi		9, 9, 128
+-
+-	xxlor		15+32, 15, 15
+-	xxlor		16+32, 16, 16
+-	xxlor		17+32, 17, 17
+-	xxlor		18+32, 18, 18
+-	xxlor		19+32, 19, 19
+-	xxlor		20+32, 20, 20
+-	xxlor		21+32, 21, 21
+-	xxlor		22+32, 22, 22
+-
+-	# ghash here
+-	ppc_aes_gcm_ghash2_4x
+-
+-	xxlor	27+32, 0, 0
+-	vaddudm 30, 30, 31		# IV + counter
+-	vmr	29, 30
+-	vxor    15, 30, 27		# add round key
+-	vaddudm 30, 30, 31
+-	vxor    16, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    17, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    18, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    19, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    20, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    21, 30, 27
+-	vaddudm 30, 30, 31
+-	vxor    22, 30, 27
+-	addi    12, 12, -128
+-	addi    11, 11, 128
+-
+-	bdnz	Loop_8x_block_dec
+-
+-	vmr	30, 29
+-
+-Loop_last_block_dec:
+-	cmpdi   12, 0
+-	beq     aes_gcm_out
+-
+-	# loop last few blocks
+-	li      10, 16
+-	divdu   10, 12, 10
+-
+-	mtctr   10
+-
+-	lwz	10,240(6)
+-
+-	cmpdi   12, 16
+-	blt     Final_block_dec
+-
+-Next_rem_block_dec:
+-	lxvb16x 15, 0, 14		# load block
+-
+-	Loop_aes_middle_1x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_next_1x_dec
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_next_1x_dec
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
++	# Pre-compute first 8 AES state and leave 1/3/5 more rounds
++	# for the loop.
++	#
++	addi	22, 23, -9		# process 8 keys
++	mtctr	22			# AES key loop
++	addi	10, 6, 144
+ 
+-	xxlor	23+32, 14, 14
++	LOOP_8AES_STATE			# process 8 AES keys
+ 
+-	cmpdi	10, 14
+-	beq	Do_next_1x_dec
++__PreLoop_aes_state_dec:
++	lxv	32+1, 0(10)		# round key
++	AES_CIPHER_8x 1
++	addi	10, 10, 16
++	bdnz	__PreLoop_aes_state_dec
++	lxv	32+1, 0(10)		# last round key (v1)
+ 
+-Do_next_1x_dec:
+-	vcipherlast     15, 15, 23
++	cmpdi	12, 0			# Only one loop (8 block)
++	beq	__Finish_ghash_dec
+ 
+-	xxlxor  47, 47, 15
+-	stxvb16x        47, 0, 9	# store output
+-	addi	14, 14, 16
+-	addi	9, 9, 16
+-
+-	xxlor	28+32, 15, 15
+-	ppc_update_hash_1x
++#
++# Loop 8x blocks and compute ghash
++#
++__Loop_8x_block_dec:
++	vcipherlast     15, 15, 1
++	vcipherlast     16, 16, 1
++	vcipherlast     17, 17, 1
++	vcipherlast     18, 18, 1
++	vcipherlast     19, 19, 1
++	vcipherlast     20, 20, 1
++	vcipherlast     21, 21, 1
++	vcipherlast     22, 22, 1
++
++	lxvb16x	32+23, 0, 14	# load block
++	lxvb16x	32+24, 15, 14	# load block
++	lxvb16x	32+25, 16, 14	# load block
++	lxvb16x	32+26, 17, 14	# load block
++	lxvb16x	32+27, 18, 14	# load block
++	lxvb16x	32+28, 19, 14	# load block
++	lxvb16x	32+29, 20, 14	# load block
++	lxvb16x	32+30, 21, 14	# load block
++	addi	14, 14, 128
++
++	vxor	15, 15, 23
++	vxor	16, 16, 24
++	vxor	17, 17, 25
++	vxor	18, 18, 26
++	vxor	19, 19, 27
++	vxor	20, 20, 28
++	vxor	21, 21, 29
++	vxor	22, 22, 30
++
++	stxvb16x 47, 0, 9	# store output
++	stxvb16x 48, 15, 9	# store output
++	stxvb16x 49, 16, 9	# store output
++	stxvb16x 50, 17, 9	# store output
++	stxvb16x 51, 18, 9	# store output
++	stxvb16x 52, 19, 9	# store output
++	stxvb16x 53, 20, 9	# store output
++	stxvb16x 54, 21, 9	# store output
++
++	addi	9, 9, 128
++
++	vmr	15, 23
++	vmr	16, 24
++	vmr	17, 25
++	vmr	18, 26
++	vmr	19, 27
++	vmr	20, 28
++	vmr	21, 29
++	vmr	22, 30
+ 
+-	addi    12, 12, -16
+-	addi    11, 11, 16
+-	xxlor	19+32, 0, 0
+-	vaddudm 30, 30, 31		# IV + counter
+-	vxor	15, 30, 19		# add round key
++	# ghash here
++	vxor	15, 15, 0
++	PPC_GFMUL128_8x
++
++	xxlor	32+15, 9, 9		# last state
++	vadduwm 15, 15, 31		# state + counter
++	vadduwm 16, 15, 31
++	vadduwm 17, 16, 31
++	vadduwm 18, 17, 31
++	vadduwm 19, 18, 31
++	vadduwm 20, 19, 31
++	vadduwm 21, 20, 31
++	vadduwm 22, 21, 31
++	xxlor	9, 32+22, 32+22		# save last state
++
++	xxlor	32+27, 0, 0		# restore roundkey 0
++        vxor    15, 15, 27		# IV + round key - add round key 0
++	vxor	16, 16, 27
++	vxor	17, 17, 27
++	vxor	18, 18, 27
++	vxor	19, 19, 27
++	vxor	20, 20, 27
++	vxor	21, 21, 27
++	vxor	22, 22, 27
++
++	addi    5, 5, -128
++	addi    11, 11, 128
+ 
+-	bdnz	Next_rem_block_dec
++	lxv	32+23, 16(6)		# round key 1
++	lxv	32+24, 32(6)		# round key 2
++	lxv	32+25, 48(6)		# round key 3
++	lxv	32+26, 64(6)		# round key 4
++	lxv	32+27, 80(6)		# round key 5
++	lxv	32+28, 96(6)		# round key 6
++	lxv	32+29, 112(6)		# round key 7
++	lxv	32+1, 128(6)		# round key 8
++
++	LOOP_8AES_STATE			# process 8 AES keys
++	mtctr	22			# AES key loop
++	addi	10, 6, 144
++__LastLoop_aes_state_dec:
++	lxv	32+1, 0(10)		# round key
++	AES_CIPHER_8x 1
++	addi	10, 10, 16
++	bdnz	__LastLoop_aes_state_dec
++	lxv	32+1, 0(10)		# last round key (v1)
+ 
++	addi	12, 12, -1
+ 	cmpdi	12, 0
+-	beq	aes_gcm_out
+-
+-Final_block_dec:
+-	Loop_aes_middle_1x
+-
+-	xxlor	23+32, 10, 10
+-
+-	cmpdi	10, 10
+-	beq	Do_final_1x_dec
+-
+-	# 192 bits
+-	xxlor	24+32, 11, 11
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 12, 12
+-
+-	cmpdi	10, 12
+-	beq	Do_final_1x_dec
+-
+-	# 256 bits
+-	xxlor	24+32, 13, 13
+-
+-	vcipher	15, 15, 23
+-	vcipher	15, 15, 24
+-
+-	xxlor	23+32, 14, 14
+-
+-	cmpdi	10, 14
+-	beq	Do_final_1x_dec
+-
+-Do_final_1x_dec:
+-	vcipherlast     15, 15, 23
+-
+-	lxvb16x	15, 0, 14		# load block
+-	xxlxor	47, 47, 15
++	bne	__Loop_8x_block_dec
++
++__Finish_ghash_dec:
++	vcipherlast     15, 15, 1
++	vcipherlast     16, 16, 1
++	vcipherlast     17, 17, 1
++	vcipherlast     18, 18, 1
++	vcipherlast     19, 19, 1
++	vcipherlast     20, 20, 1
++	vcipherlast     21, 21, 1
++	vcipherlast     22, 22, 1
++
++	lxvb16x	32+23, 0, 14	# load block
++	lxvb16x	32+24, 15, 14	# load block
++	lxvb16x	32+25, 16, 14	# load block
++	lxvb16x	32+26, 17, 14	# load block
++	lxvb16x	32+27, 18, 14	# load block
++	lxvb16x	32+28, 19, 14	# load block
++	lxvb16x	32+29, 20, 14	# load block
++	lxvb16x	32+30, 21, 14	# load block
++	addi	14, 14, 128
++
++	vxor	15, 15, 23
++	vxor	16, 16, 24
++	vxor	17, 17, 25
++	vxor	18, 18, 26
++	vxor	19, 19, 27
++	vxor	20, 20, 28
++	vxor	21, 21, 29
++	vxor	22, 22, 30
++
++	stxvb16x 47, 0, 9	# store output
++	stxvb16x 48, 15, 9	# store output
++	stxvb16x 49, 16, 9	# store output
++	stxvb16x 50, 17, 9	# store output
++	stxvb16x 51, 18, 9	# store output
++	stxvb16x 52, 19, 9	# store output
++	stxvb16x 53, 20, 9	# store output
++	stxvb16x 54, 21, 9	# store output
++	addi	9, 9, 128
++
++	vxor	15, 23, 0
++	vmr	16, 24
++	vmr	17, 25
++	vmr	18, 26
++	vmr	19, 27
++	vmr	20, 28
++	vmr	21, 29
++	vmr	22, 30
++
++	#vxor	15, 15, 0
++	PPC_GFMUL128_8x
++
++	xxlor	30+32, 9, 9		# last ctr
++	vadduwm	30, 30, 31		# increase ctr
++	stxvb16x 32+0, 0, 8		# update Xi
++
++	addi    5, 5, -128
++	addi    11, 11, 128
+ 
+-	# create partial block mask
+-	li	15, 16
+-	sub	15, 15, 12		# index to the mask
++	#
++	# Done 8x blocks
++	#
+ 
+-	vspltisb	16, -1		# first 16 bytes - 0xffff...ff
+-	vspltisb	17, 0		# second 16 bytes - 0x0000...00
+-	li	10, 192
+-	stvx	16, 10, 1
+-	addi	10, 10, 16
+-	stvx	17, 10, 1
++	cmpdi   5, 0
++	beq     aes_gcm_out
+ 
+-	addi	10, 1, 192
+-	lxvb16x	16, 15, 10		# load block mask
+-	xxland	47, 47, 16
++__Process_more_dec:
++	li	24, 0			# decrypt
++	bl	aes_gcm_crypt_1x
++	cmpdi   5, 0
++	beq     aes_gcm_out
+ 
+-	xxlor	28+32, 15, 15
+-	ppc_update_hash_1x
++	bl	__Process_partial
++	b	aes_gcm_out
++.size   ppc_aes_gcm_decrypt,.-ppc_aes_gcm_decrypt
+ 
+-	# * should store only the remaining bytes.
+-	bl	Write_partial_block
++aes_gcm_out:
++.localentry	aes_gcm_out,0
+ 
+-	b aes_gcm_out
++	mr	3, 11			# return count
+ 
++	RESTORE_REGS
++	blr
++.size	aes_gcm_out,.-aes_gcm_out
+ 
++.rodata
++.align 4
++# for vector permute and xor
++permx:
++.long 0x4c5d6e7f, 0x08192a3b, 0xc4d5e6f7, 0x8091a2b3
+ ___
+ 
+-foreach (split("\n",$code)) {
+-	s/\`([^\`]*)\`/eval $1/geo;
+-
+-	if ($flavour =~ /le$/o) {	# little-endian
+-	    s/le\?//o		or
+-	    s/be\?/#be#/o;
+-	} else {
+-	    s/le\?/#le#/o	or
+-	    s/be\?//o;
+-	}
+-	print $_,"\n";
+-}
+-
+-close STDOUT or die "error closing STDOUT: $!"; # enforce flush
++print $code;
++close STDOUT or die "error closing STDOUT: $!";
diff --git a/0059-CVE-2025-11187.patch b/0059-CVE-2025-11187.patch
new file mode 100644
index 0000000..66bf760
--- /dev/null
+++ b/0059-CVE-2025-11187.patch
@@ -0,0 +1,485 @@
+From a26d82c5b141c706bc97455cde511e710c2510a9 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Thu, 8 Jan 2026 14:31:19 +0100
+Subject: [PATCH 1/3] pkcs12: Validate salt and keylength in PBMAC1
+
+The keylength value must be present and we accept
+EVP_MAX_MD_SIZE at maximum.
+
+The salt ASN.1 type must be OCTET STRING.
+
+Fixes CVE-2025-11187
+
+Reported by Stanislav Fort (Aisle Research) and Petr Simecek (Aisle Research).
+Reported independently also by Hamza (Metadust).
+---
+ crypto/pkcs12/p12_mutl.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
+index f8d0bbd109b..8bb4e30529d 100644
+--- a/crypto/pkcs12/p12_mutl.c
++++ b/crypto/pkcs12/p12_mutl.c
+@@ -123,8 +123,6 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
+         ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED);
+         goto err;
+     }
+-    keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
+-    pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
+ 
+     if (pbkdf2_param->prf == NULL) {
+         kdf_hmac_nid = NID_hmacWithSHA1;
+@@ -139,6 +137,22 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq,
+         goto err;
+     }
+ 
++    /* Validate salt is an OCTET STRING choice */
++    if (pbkdf2_param->salt == NULL
++        || pbkdf2_param->salt->type != V_ASN1_OCTET_STRING) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
++        goto err;
++    }
++    pbkdf2_salt = pbkdf2_param->salt->value.octet_string;
++
++    /* RFC 9579 specifies missing key length as invalid */
++    if (pbkdf2_param->keylength != NULL)
++        keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
++    if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
++        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR);
++        goto err;
++    }
++
+     if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, pbkdf2_salt->length,
+                           ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, keylen, key) <= 0) {
+         ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR);
+
+From a749dcdb7c944c18af8bf1ce3bd2dbe38e5dcb68 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Thu, 8 Jan 2026 15:25:18 +0100
+Subject: [PATCH 2/3] Add testcase for PKCS12 with invalid PBMAC1 key length
+
+---
+ test/recipes/80-test_pkcs12.t                    |  10 +++++++---
+ .../pbmac1_256_256.bad-len.p12                   | Bin 0 -> 2702 bytes
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
+
+diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
+index 06fa85af0f3..ff720894c9b 100644
+--- a/test/recipes/80-test_pkcs12.t
++++ b/test/recipes/80-test_pkcs12.t
+@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
+ 
+ my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+ 
+-plan tests => $no_fips ? 47 : 53;
++plan tests => $no_fips ? 53 : 59;
+ 
+ # Test different PKCS#12 formats
+ ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
+@@ -235,8 +235,12 @@ unless ($no_fips) {
+     }
+ }
+ 
+-# Test pbmac1 pkcs12 bad files, RFC 9579
+-for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
++# Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
++for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12",
++              "pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",
++              "pbmac1_256_256.bad-salt-type.p12", "pbmac1_256_256.negative-len.p12",
++              "pbmac1_256_256.no-salt.p12", "pbmac1_256_256.very-big-len.p12",
++              "pbmac1_256_256.zero-len.p12")
+ {
+     my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+     with({ exit_checker => sub { return shift == 1; } },
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..7548d0f29edd967854aa1a7c9e3a02a09e856f6d
+GIT binary patch
+literal 2702
+zcmai$c{J3E8^+C;8AJBv7GZ2dCiJym#=eYw$r87k$i6e#qGSx&MQ--p#B?!e2-&G<
+zp(ytbWy`*f>?7g!TTY$d@1Og}d*1Ur&wI}M-{(94fh8FXVgv{*P#7~R-Z*}r4a5X0
+zB{1(n2+UgmftdynATB>6SSbNw``xkvgBZRq<DUr#aQGphY=9{s{Zq06f)KbSiEq=@
+zuO=7_hBE-HF!+DIftjHUfDnw?Io=rL&IkdaAe^;Z*UPNgWxZXY4F$u|ci!O%jMKbv
+zd)TTQUXF~FIe~IUfnL~tCys`6g@O$(y^Yd!JG#AvyAj7SobrxH(aw3j4Y*<mEpVN)
+zUuI%gw=XA=D5VjU0kva;PX~&ebGvUcsE=UIkzh(O|GS}F5$g_6mv7~9QAl<HkGD2$
+zccY^y&pT#|iCfA9`is_q3gv9>Xe=Ok_$P-58ZhTOj;RPgnc~Asj^9XnM>Zbjxjl1v
+zTWKuNs=~osbADcuy<wzs&A`5C=UjntFnJndgs3^x4=)${T=?m&W?W~dwppSlnZYl)
+zJ!>F~B4YfJ!@QNQ7C%(T8gn*2<tnJu2S~Zor%>OE7SD5(lUfA5d6HUYRDPNJ>XlkS
+zE5yBqF@qG8hu7%^5ia-{oQQ)0<4*IPPArQcpNH7!q-Tn(ie<QL_chg_OEP+nCZ@~z
+z(`oxWgBl?Psa?-cC^3;sw-`U?(pPv&W<o1{-oEsS!~419;N#m+T=ymE#OH&5sYMAq
+z8tvL_@q8hIzAc^j=6H!D6LFDX=;&;d8@&6FtLKv6EzlG<xI0SzylBy5q5x82Mu;<L
+zscC;(^9snFm{NW7TjH0krm8=6@-z0y3iA{%MZ!YlP6y{VQM;%%pZcDV0FYclKO%WQ
+zlr2UFVip>U3g|}4vOGkCZZs9K+`IQ2{Nn0S%KLUD)mZQ9j!kRiu(}Gx;=~>?WJBgK
+zf-0wOM=&W1cXFYP*Sf@flg_hXs><Bc5`6W%4pLP+<vf^nL0K4w!EN+|!*r-?H@<B8
+zn(!SRhJ%WsJq~-5^(p$0s#6_ZvP{`VOSTR*LM46Gyf_=5Kbp36oF&q%JltJJ)@rxa
+zecU*u%e!bZDj6-1yIWau8$F-N0OV7Dn<367T%*wxL(L#i>!y~szt+SIeCct0g$G>v
+zDes%5hnH)71wYo&#u#f?AE=-1+-X*+ma@Q&mxLTO=?|AJwqB_JJSEH?K3Rbi6bX$x
+zU}8;JU#DkH@>!T9`N^Z!5;sZ+rgaeJ1UtP`3(;!LbEncCg9G|LVC5#+G@c7_wyI-e
+z<J;`tWY@_+gImm0s%yQjp-NS<dhYfkZq_<gBBhSjk`xM@kq#OdONMT%y^GOmmS3%V
+zb#<sCAI?1MU+=za=v?Sapm-q9m+`Qdpwu$sUtw8lM&g^wHz#LB!yBGk%y$AE>uel5
+zPSk<>eMTwxrl^P|A*U5zPfXky`aLD3YeL>-mX*)F_v9BQKXR@?^CVz-i?qy^?vp?N
+z2)DLkiEI7VC-}s${yd(IrsQVr(I_yrVGdi*W8XybZx-%~Mje}3w8XX(bx+rw)I?g2
+z0R(8=4_^EWK+sSK0gC%>`+pyA*s1@riIoKe{vOJIH)a0`IJW&7T9*oZo&OOyb)Kdq
+zWpUq|jW00%*O$XaAOy(JfDD|bNykfU+|eSn%#lLi@8f(Ab0>)Fu6*wcke2yPfkU2?
+z2fMC%=IxyjTJNf@qTL4{tXh9>p{Y4vKU<eCXH9Ep?sRhB274MR!L60Wu7gYM3jgK@
+z2%Iv5SF@5nllk)T`J8LA+)wByDsvYrQVnLCwsfypv=!+0ofEdR>+Q{^a!+^A8)Nuk
+zC-PLo9j3JCZ_4KbX?*jM{D<HCnmCDT29B4*0%xp)5V_(K3ZM_R0U8npQD1MJ&Zb7}
+zL?_-<cRj{zdM;cLPSwO>Oxp(A!-F}COwBy4og}=>A-h5T_Kb{a;3Nk75EQI&>xPfb
+z-nIbucoba5n$*Ksy|T{K>yRd~nNZ!uWGng=!RncS*;z=7ob0SOzvMapjJ+>=?FfxM
+z3|Z~-8LgPeDW3DV6)xpX2oY&p4n7f<X}o3p=$RGax~Fk8^FH60dtLkkIRZwh!e@-G
+z$67QU8k!Nc;$nY+r<|J39&t`==uqD6nTzw_K3P3TSL@QFRme*XUcJ1@`7V~sskJrz
+z5SiaSwZ%*fI?Qemi|QU7FDKt`+-vjw_=_Y_@TuZ)Kuw=P?w#?Vd0s&kSM{hQQsDF-
+zF{1;YP2Z1{%ch#57mH1V=9-HrFLlBz3Zyr0Wz;k2gwVlqMSy+_=N}L|CllDXo)N*I
+zq_pEpt26zn7I_bi4=(XM>&$Nu6cge&Q9eQ*IhfBZ{T(N7N8C=iFB+C1&_*$h|GoZY
+zl_I$0t+Xp!omN>{Ta*0LU8Wg^RZ~A_+~(^b=lc5_>u!?%iMJ7=CBo1^FAixpNmT!t
+zWjUoJG6DqKFxuzmNuX3DoH-v6c7gf{fBlKjex4u^;W9{yv^!Yp1la`6R)))^OE9FT
+zKQg>Rd=;?BF&w*$HuS$dBII5)5pBD3w|J$!hF!y23twq-!x#mU+9HS_IfPx^QV{D^
+z3@%kv(baxnomrmfaT=-1jvmDgT$~rsI@nQV!w5L%WQZ6QFWrud-4_XfgB>+FKDq_J
+zc*?tqyVz`4eijaCo5U#=*4*`K$cfe{dG)aJ^;xD*Me8MEyYfrDhaSV+rrNI^ocYWH
+zZ8MDz*j`JO0_n4hVV|k}9R{Dxxm(vCV`HWJLIClq)iRdfpwTMA0;NGuZjYZJNlJj`
+z@GPQmj>w-KBCC~VwT@#N#3q}BqXeAV^z$5$a)QXc0&VnL<%cP3GFdsj-!MyvW|^tE
+zXK~`)6H(J&r4y$Qzv34by!;z!-&pE>jkpFljyS7s=B3uWcVEF}<#$STg|)p|SGd(M
+za1Pg|<1|h;#`ap^9D{5=?z|**sm=zTGV>q}C?s3;WQXHasmcB$Z&Uo>DYc?wp!ULL
+z^;L+rrWms;%zb%!kPFg)IPy3nHKG^FLwy21F3E^lo?1GUPr9C+eaKuROgk<lzpM3a
+zLPwXcsEY~5_4w4=U&dfFc4*K`2)*K?%U``V(>nFW^A4?ARQyUtXOh{bTTfqm#pguT
+ze>_#^ChZB^$Zw+w8i*@3a3GP8zZS~_ZN$*z$*wB<r0ie+BA=@2n%0ERx-6zmOz=qJ
+zXle<Q9PdXVsi&2z_X?=NWbEVEhoQwB*XtZKF}SOjN<Ch4k7NC8yQ1g>ds{QTp&of8
+zApQfe%zW~{KzMsxpRy-!*n2?7`5xr5Dv@;s(xiaffIndJ;}FUYXaF)lB`bh{zypmm
+zeyx|2|96oCgRK6q%l%KYgNQ^{_}^8df>pH9gK{m(hJ91zPrZW{dBbJJEOn!kU=t9y
+PrInqCy{(}E7zFwoSH0HC
+
+literal 0
+HcmV?d00001
+
+
+From ed778fcfb24d7623e7b2ce9beee4af9243767402 Mon Sep 17 00:00:00 2001
+From: Alicja Kario <hkario@redhat.com>
+Date: Thu, 8 Jan 2026 19:31:42 +0100
+Subject: [PATCH 3/3] Additional PKCS12 PBMAC1 malformed testcase files
+
+---
+ .../pbmac1_256_256.bad-len.p12                | Bin 2702 -> 2703 bytes
+ .../pbmac1_256_256.bad-salt-type.p12          | Bin 0 -> 2702 bytes
+ .../pbmac1_256_256.negative-len.p12           | Bin 0 -> 2703 bytes
+ .../pbmac1_256_256.no-salt.p12                | Bin 0 -> 2692 bytes
+ .../pbmac1_256_256.very-big-len.p12           | Bin 0 -> 2711 bytes
+ .../pbmac1_256_256.zero-len.p12               | Bin 0 -> 2702 bytes
+ 6 files changed, 0 insertions(+), 0 deletions(-)
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12
+ create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-len.p12
+index 7548d0f29edd967854aa1a7c9e3a02a09e856f6d..a1acf2fc21b1cb17b40911f7dd126b48c91d50a7 100644
+GIT binary patch
+delta 69
+zcmeAZ?H6S+XyWSL$imBITx*bL;KjzN)#lOmotKf7&%o9|7s2H*P+;N6cek<Fpl4Xj
+Q#KghC#Kg!j*_q2508~8>eE<Le
+
+delta 68
+zcmeAd?Gt4&XyWSH$imBIRAZ29;K|0R)#lOmotKf7&%nk&2f^hrkZ0k@cek<Fpl4Xj
+P#KghC#OOcSh07ZNMgtGS
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt-type.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..7f4e1e89ca5c24de74e601dea8f62f68d43c33f8
+GIT binary patch
+literal 2702
+zcmai$c{J3E8^+C;8AJBvTEdKFh|t&CW$ZEbB}?3DkbP%DN@NV#mE7#R30({tLdIUv
+zLLv7KWy>y%>?7Olx12h^-#_<{_q^wMp7)&hzt4F90!uO&#0U^rpfG0Hc;omzHV_l2
+zguuKDAuw+O1ZEmQfVlpQU?l{I?RU!x3}X1cjDIE|z~P60vH_-m%umS*2t(jnm3$j+
+z{xu<BFq{Ekg~9*x4a^K>07PKSF7d`74@L+`7Q$J(d9Bo%UEaqH+K@jKedj%%z&Ont
+zw~MX1?(N7}ksYL96y%NVbLMEcuav*erN3UXW=FTT@G#<7hLhhD$vW9@wg5K_p#`pc
+z`s+;W%GTwiN^;39a=-eq!KZy?&bghp>D0$Cmk2PqNbvn&4$`_E)ah4oTo{^_&*P&*
+z+gWcf%=L-cWa5@Kf&QYsuSPzdGa3s>9sJ3GL<8o0$1&yMCsTZQsqyPc?@7i(Jdrb(
+zw^YW0tjZnCwdUug*c(PFRt@Z%w$J1nhmfW*Mu?h&3*lwrp9?;{(~9fp&@oH&A~E<U
+zw`KNcl99$AIm}z>>hXgGtTCtKQ?7zae1ViZy-M{xXo*}$1?ff5+o!3eMrD_|uU@GY
+zwnE%%7&Azb_4MXnKytwaa7YIw#_i@i9at7&K2Pz{Nv{-nHOp}ME~oQ@m*n&vO-z^b
+zrqlL#1~fzSQ#)UrkYgg2ZZm$)p?~2io(Ze)efP>Y4)5=pjgP0uay^iu6JHGcr5+{p
+zc(ik)#p@*!9VwIe_IRmM?$$+up`(jUPRPz9uI@|zw?R|f;I1gevtor$h(ajI84=Fl
+zrKY_ttt%i8VoLSR!^E$fO;vyD=B4kEl;+9a%7lf8?RL&XF}o;=Z+&-YAV?vh50ShV
+z#ulRsF$;^84eUb6vphnBt~V93+`IPz{POBi%5a;?`B<Oo_6=*)kcJxB;=~>?XhY&K
+zf~ux&-C|M|?chQiuXc+2C7or#RF!(9CHU!k@28&cQ1E2h0cBzw2DZ=-5AH+Vy6~mb
+zPNH{o8TQKucRB1$)~4u#=bh{5Ql+Xk+VXX>Bh<=oS{G;I^G4G)k28_YszY6MB<(g^
+zy(f)Rdc2D^qf*gAIXe}_k?8ph1|X06+YE6w!HGsw4l{#5t(#ij{aO>#|FzrgH6C#7
+zBM&#r3@z9A34g4kjWO1)Jk;Rt*lt#<mbSo+7l$4-T^K4|Y&}>1c}kQ$e6k!Tj0}t0
+zXJSoQTcc-A@>!T9`76q<CaxC~OzR-b33mFY7NXUg=T4<P0SESez$#3#X}%EQY}LTV
+z##8LyX4T0-Lt4z#s%yQSWJ}aCyYKcPZq_<iprnshla%sZP!5_HONK71-HXxcmfx&<
+z^mM5s9|WHFt##csbSdy7kUddnOL^FfWz{p{Ut?KnM&g^wHYR7q!W&*#%y$6oYiu0b
+z&eZ+~y+$ecrl?y>BF<m@yfASB^m{5QP9i>~mK862b`=*UKXR@@b0uN9i?ocEu9H9i
+z2)DLkiEBOV6@F@1e-_V1Q*pQUY!sSWH;1j|vTvXSHwt#dqK?fhT4LLXdi-@KH4&C$
+z00A2JgBSk-5Ht)zfa1Q}0pG_5cIv-uVr2n=zlVz7P5FNUj%}Z&_N9D3mwyCKotJ5)
+zs)XOo#+R6YYs)uAAOy%@zZ{&VMaN67-_fpYnX3$i56Af(<V+CP-1vs`QI>g4L4#hC
+z`#Wy>=4~AiTF;8DvfT$?ta@KhfvGuPA6us%XH9EZ&UA9`I(wRIf_p2AT|1Zh6~T=U
+z5IA`TuWltHkn!rt*=#3y?x*w<wYiJssRpx6n|fC)DESw9&xqRD_4H&>xu@IdjWL3-
+z6Gf`wHd9*kq3YQn8sB_`;K8AP6DM)i!13~ppc(66M2>`{66k|%pr)ij)VJIGS=3wG
+z(TO)T+>S9DUJK_$Q?;-dQ_4VFcnD{qshO9xv!u5<WG6Vlo{=#PoWx)sDhq4eyzXnW
+zyCuXu9tD@PuIy&4{<6l@<B%q~kx<>qWGnU!!RnQO*<MJCnCz%GzvMOloV_<|^$3kU
+z2wmy*9W9^8E}HYa9WL!d2t`tsLrz5H8gCmver`p$=4BksyvH}@Q5XMEfq+pd_Z_3_
+zvldQ=g{4P*akW3kQ%1ede(Q|*;DMt1b61yvJ(5PSp7y23E09;3y!yG5^PMaiQ>&{N
+zLgjw<(h)Z?Xg9k~EUbHcyqx@?ahKxv@fRtg@H6G(z?xozoIB&e^Sr`pZW>WZl|j>g
+z#EkZTHXR-*lTS58FBX}I%rzI1U+IRI=gVx|POoRu4W)w>3V{nPoPR*<oK0Zk`bGqU
+z;*$2StuFLu+N51HKBU;|w2PoYa7?J<MA-;wWPd)R<aeB+9dRq=f!K|7Aqv?v{`dM<
+zRm$MvcQS5lb=sw+lqSVzJ4`bSE2jP~xQ#c#F7*%A*W9H75+e~}#iGz4Zw?uEDcL@O
+zWd)Ta5&{HUH`){ANg$Ue2%Noj;~e!9{@PQKy<A};!gZiB!ft=517s64TM@2sUy|Ye
+z{l|t^h_3?|Ifi1F(S`w+M?^ddC!%e)?-qS&t6|r)*2Y)ZTsM{lNpBJ)jvQ`W-Bc3q
+zQ4T3lR@2jYXq{1(=*f@LV@HqT`Y+B4Y42~JXTu1&WTzvIik2edV)u}NaIm8m$4B>&
+zm(O@ta2J~m%TB`~lu4X&LCsz7hU{p~;@6KV-kfIoRJc|wzN5I*bKp6|ZL0Ie!G+H}
+z$Tq`xpY4rw32=XQ@y2IrU%SC)bMDr)C)ik--cUfIYNeFrH)yn)s8C7p)5!4?RHX`_
+zH8hJTm?H{ih01HES*_ui2C&H{;j%)`lnc2IC<S5EZoUrso$8|$Ho45~o<qzMqFHWg
+z?s=R<*F@CxH<`rggKzkS1@C}H+96B5pAlC-#}Q}M&D_+QVUI7k%)Aci&Ks1sYf85p
+z`p@7fy3XTtV{DHF&N0~L<Myk{&hxWDr_4Mn`<0Tdy0gM@=c&m7BkxlD;VHFZW1zNz
+zWsMbxj+QvH8_Z*QdVmYkfH?9LkRH(w<DotU9~Y;`EKe<+%B#GVm36>eBT73iAib~k
+zYeGktebEpXjqCQUx4(?Rrf<`rmk|0zN0+~OZ=`kTkLMm(wW#?QkIp2sO}Fwpz2<YK
+zUU)K9=Pu&~ThF7=gbgHA8aPlW$X|<PK{n!O(qw0qeNxu1f00gAbxv!+XI&T5CMI~K
+za5VLVNsi%BNGiW-^=>{jgoJ$(`zWl4<651A76y0qQi<mq?s2TYZD$mnU~g-tKiI8^
+z0wjI_mYGlS7YJ{++cWm$b$d_fIN!q@Ruz(-P?|Il2?PKpKMtYnfF>aKQ?ddGFg(ae
+z^VfO>#eWw$FbMg7UG9IH9RwLs9&lHk3RcrW4=A*#8um_=J@W}(<PDb>x73SHf=xi+
+PmR5F1ds{;TFbMQFNfFkW
+
+literal 0
+HcmV?d00001
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.negative-len.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..9a4fd459227c52b3c4a5618b874afd717de2afb7
+GIT binary patch
+literal 2703
+zcmai$XEfXi7skz)8AJ54N_2*(`RmK*W%Lq#C4=ali55gKL>FSCcY-WN8G`5}A%z67
+zJ0x24I-(DP&09`#-uKIXxaXeddG0y)+wVL8mMR4dA_uTkP#C3Xyk7h<4Tu6%ilsb)
+zU@7+iEF}@ZLY#g^uu?3<;=5%E29bSVdOs5oVDm#jX#fL2<fo(tI3aMAYL;DRpSnOW
+z7)}OI!{Gn<2Bw6P0bDRj$9O%ED>(!t3ZbvxyIp2RE8*!3Z7vv#y8j^>OFqvWcZ9CF
+z<6%o)mE$j|>+gXca-eHYmoC_0(A+8Awj@~@yXw-d!|@*~@M<}4_W@@VwjHj1_3J|H
+z=DuB0HNG?qKdgA6{rN<Oe(CUC2H`2pF&vC9X8$mn%WKvR>h-R=C<@9hVDeNW9`1A(
+z<$1>JQ7{VYLw`{{k;h-nos0#9&i<t1MFK`F7crHgmvb!9LeqDWKH&7mnC>mu?aNO2
+zn^xKwsVpxG(Kb(1ZE0Jz9$YKX3&hQ%bb0E|v_i}IzZ8CcuM*eOqh^@sjwAC)?#dd@
+z!t?5VqBH6sDaMZ$Qpa44Pq_su^#W4v4@x%<AO-SlC52Z(@1CWW>6Y6u-nv=OY0C4k
+zc}hD))Xjr+g_i-&hT*l5CO>Gq--D*&WO3u4oOMr;kT(gH=(ATCwHDX3)i+qrpHDkx
+z8c_}^NbP-jiH`|iiy;4!OWI&6SqQH3djHxhF51T_Cpx}Ul;M#Osp93xUy6|&PbYhK
+z+udLBBJYVLzPnhf77x3D)v<Ln&ka0$!q9K+69JlI1ouTsiSZRRRd65#7r5vH)>@DE
+zRc?Y@D^hCjeoOqi*IM(ZdVa<+PI?*dA%k5BKj^0a#%CGX>DAaD<Oh;W7~)Aj4yK7w
+zhZqLOiu&~-B&ePsL3dh<s2)Ci34V3!JY~E~Rw352wtLqMF{UJsH@>vu88yez=|bgF
+z_roaUxO*6odRx8x-brFqsG2g@v;=QWkCRk|9!WQfLr@mVW@I1v_$(dj+!tLoZ_j;S
+zo$RD?^oY(%e|wHJs^HK-5-O83SCwcGogh@7s@zzN&!0@&yU5~glN;-6z^QgwXf(CV
+zX)v#vPYOkG<Q`U)+(RyBk^%XI-xews6YPmZnP5W*)U37r{jYT~!(aQI-$VmWL-_GF
+zk+JnUZ_ZB*#3}On&BsctJqK;_wZg`j>5`!HR;{tJ)sE|pU*@=JLuV^7oV>wtClu5P
+z+uNk9Sr%jcBp)f!t;C%YtU&{WGQm>w%1V@C+tQV^Ca~Y&N3`TDjq*z_`VJ*@Y<#EH
+zyX*#WXkfdcd~Lmly=bX?R{w(`p1bu9RS4nptt9CJM}&<s%7m=X^yo&EqRFY*fQC9@
+z;v?IOq3ym0I*x_jSiBoTtc;1aL{u>|{tcR{ZX&+5e0O${FSPlk@p2E)y-h=R;6NCD
+zG^m>r-5MFT#^tc#?T(6LBR!Orwde9IGpTy%c_g(m`-y%FnkNX$TP0?;_g((^N2r-8
+zRb0onLC$A7jbhO>L|GRzw-%1M9V6Iw9_=oIeYfzCFY?0BxIMP3LW8y8vM$_Y3cy0+
+ze(>U70D=ZXuu#l*+xPo;!mj+6P1IB%@b^&ayD9Ncz_A!oR<$nhcKk=+G`Jg7%L#bj
+zZFz<Ay}ceX0l`8>hsEJU6;ia|&VAMD_ND3|_;{T6S?)~5wlm9k0m3A|)qm7|_T<o6
+z)2OQlLLAt%kg@#eg;pFIC^Rr)8KUX+rmyP=&Ye#l+@VbqO>pU;vg~G1yve@%5dz0A
+zL@Sz#uw}k(63eldV0=cplwZ10nX0|mx~Fl|xU)cO@EW(J<-kBTfpNZ@)DpuEyObj6
+z98jc1eUlUOC$cPuv!8wQX{E2&(zdk=@n0|t;K>yblm>mY@KYAljy#QE%_f8$L?zx;
+za=t+Ay02X4PE|pp3_3@;LIdfG3=G}P90Wa#Acq0IR^;Sq;3P7uAW>M$-W@OVqkRs>
+z=}5S^S#>{o?Z!66fK8g<ZbEG@g$3U!54C#&>R=@;e72|2$l87R1?^z=);SV=7PL9&
+zHCZ{6Q@rFB5i0D74dU%w54_|SZ;8-*`oa`@+g&e;@|b1HwITkoBo-xG=`}^tq%N8d
+z4$g?&aI(72R8B~z4ZFradM4%a!pU*u7^f7Vp=$kf6Y^S_Su<~TxtA()Zfi>`Nc?wq
+zHGX~VZo@kjMGa3c){`H#9Cdns`bDUM^SR80U)`W~?)~Y2WoAx!XQjxbYXA8^VkU>b
+z7>rMpOQaegSBv$zmfDK&uhl~<3q*D!G8!q=gGgY>B0#I1{tt+ygFb9pQx~gUQri8s
+z!;$n{6?cS;4lHrM>d3Ag5EEoOQ$B&4I9bjt{T(A^S+Sq;h%Y3AqZ4ls|9j)>8X0iO
+zdl6@v2Gz2%&Q_`ChZGBBn+86PnBBJlj*X9Ywq1mL6Yufxm2gA-J?KPSghYqf)+J?=
+za6BN`j_xr#Qv$v+flVwd<T~MV^zCO{$9bF;JWeCk;g%<BJs@-c#i~%rbV0K8^rt#E
+zE8h66(v8KgBXxZ3Cb(RSW}++(9u#kM)zK=OsYX|s-_a8V3GZPA&TT?&?Md?w$OM+k
+z$ZM!QHp?tebYn$m&>|->!#9>WR8I~RXiyxEIT^gV#cTKCVvl+K;9y%7x=${Fubwk+
+zVs5nQlwXBII%hF5g>?@+nscI*OWr)GdV7`PbJ2DQ|Dn{{z?s_^qk-C68%Gu+e~V1L
+z6PmZer9k@PYRDJDP`CCMBgT&HCUmUGU=Scsvsp&<8#GFuo1-+~*}dsYM71oSGPcN5
+zxKzQO9VDTeX1a}`7(plNhl+AIbZX_<AS5{vM+Iug_i|5CXvDK}2EL)zc-qA0mR`gO
+z^vy)hpNb^TpPfdpta$jg5Wi71dh0R_)1A}T+|5g^8+YBnWaak=_l9)7+m?=K9=?X@
+zRCkyr>7fUVF}4BbpAKGE_bM#<Uomv69+plv?avOyC=il;C*G&{z*Fk^ra)bV>q?st
+zH5GnJXPE2y{0IZ2ndjV%O?W~xn2GQVd{L4Svp%<WCBOQ1cJ>)%9XIi!5ci?pyA>H#
+zzM;g=9oO&GXk~{&XB-fr);yZU=XR$ayJ<a|(|Kp6?eab)lMBf-^Bt`AZ&(}%T1|5e
+zE+X!*o%~KBr?!A>GaUi}`D?Y@-<%(bo9(T!O3MEAFWi-y-gy=HqSI>H%nXwdhNze@
+zOE*3VNoAF*Jt`ms;?Pa8PlAi-Za3JdpfI<rOWocwPNRJ+dLv0#D+@!-(S9ieAn*gQ
+zlq^!eK$!cTpVKDqSh+!`Ssv$7%i=UR(u9FXzz;C^aR{XaQ~-&ek{aNJ!2NZVe{GbM
+z`gf57gUK%cugv{VwS(}6SNc9sB!K1BkRy`qayo-^<<C6>R+&R3_)RpTl3+6sxQVGH
+Mua$+4HW&o@8(GQMf&c&j
+
+literal 0
+HcmV?d00001
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-salt.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..c43b4be04307a8c5d2c002d4a31cfdf0ac9217cd
+GIT binary patch
+literal 2692
+zcmai$c{J1u8^_I<8AJBvhA_4vLO*MlvB%h#EOD!e5@U@C3CS3;E4kTs6Vt_@A!O_o
+zEfjL^sBGEAjO=5--SfVu&inpz|9H-GzTfY2&hy{rd;tOn9t>gy2pmutyJEa~{5BVe
+z4OBv4-+~a>*8l=L10X=I{)}KH1c>8z%MJ`;`M%75CLqA&hk$YcmVm-f$q9%-;CdvX
+zRS*B_U@#cY0&v3M|M>=Hhq3_TFn0HNbC4%11f&Szty#NLYR|3g;{mPDAB?{99#3GM
+z6pY)#RNnA*Wv$2#R51(m#`L=J)ZbUjU*R)eDWN+toozhLcoyN5_e6?8_M3IU15Id#
+z8=m+!6}z;4A&EpO38(aFADVpLQRki6e49>t40DeFQ;J0159CPNw}CqRDh>-nvhoFd
+z3>cd$ZH2i$F>7r6@)pov^mnu<Cvrw&0lB?Dc_dMQwa{TqdDzi}5MFNdM$&t-`Jlk<
+zsSE2G9|P^mU99zHXXUu-hbxv%oEtYz=9>qTC(&kz>b<jJWzt^?KEKn8Yi~EOO2m>`
+z{F7TV`!Xq#=AU@1TbSDM0|lHhC*o5sfl7RVlsi3Yb=@eLTvrwOdC=RZsikIR7x*t-
+ztP!(A+^hd+lA`G4eSA)m4=#+8bWvm7Xu8vm;Sdw@k{%hyrYLLKhADSmJ~MD$$=KDx
+zaxrf*ZCjvUHzYr`<HZprCSoCy^-B)(t3dHoXoc^)SH5w0|Et;fc&Z}b134z~MgL#g
+zQKFAWI#!#pFC|g86%yYbE|8SM&k;;r-5qj*Hy`nJo%fFfP4I&|qf}2x6+R(~B4ww<
+zd4m=jx7YP9f;@>SRk!vNzpXV^{%M$(zD-t}rFg3o<{~!Qc=x58qNu)gT_M*&Dha)a
+z<n2(d7(<9vXsqJ(PNXu&BNXUHV<E@AdoRE*FCC-|wQ8J+^{HxGwMP!>Xi;pAoDl;K
+zWF9l9X6kx4o2EoNAIf~WL)tIt6bHJp)H5x?&)9n>^-Q~p7uzN%6YbK!j(WIvAL`MG
+zFP*$BamSElr+i?G$Jv5D!5lc_R?Czt)pXETu2meSk#_aYO~>brq^%uhN;YW@cGi;h
+zTOEy_G)x!?&O40AMT_QaRutbx&1SFwd9>fAh|>v|84UGMD+tuSvH9Jv)iHhFx;$Rv
+zfvdfgp(cgF#cDsXPqmDXtTjsyb&j`hG-*}I+u%lvLk=3x4wlZhoUZ#aA;BFsUXBx!
+z42|1i<4mB_nVI84HWo?#s*1~rE5!uMS_pfBlku^+Xziw%V`)#o*Lyx-RK~e<Ux@Rz
+z=wM>wsm^b+YL%eD%~o1fHQtvMOSCe(?)D;X)woq4<qwvV)bibtF1l!2mQK5^bJ5zi
+zyY}5ihP2@i!q0o@op(*$3;YNaFXX9G0q$Z&?Tq->7>?@U_{Or;@oA~B`WH5{?LZry
+zi)X`)*7u;tECt^f6}}+u_SFxIjuU3y)6lpq?o(=8@xo_Ib#D9<?=m!37M45D$Y}07
+z`ty%4dpnM}mi->Fr>1qM@LUXyYxZ6Zq7y6DFnTWcDpF*%U{fmU(8{Jcwv}jfy!NO%
+z!uBITfX4mc#XkUohC&EX+;=<R`}n|){g+Lg93b%bQ1!d1{BOW<?A6sjpYP}XufVCr
+zT9Pzn{BAY8L<d}1yg3XZKnD7h;0!$`UUub<KB;+z6apWL^V`cABho#DhVqfNd5wVs
+z*zuiB4`b`rb_k<;$x+?ugD*zAx4Xd7TBw(+!;iPRB{XL;xo3qtO)=qG3x`u1pY}zO
+z)ejIjWeTrtry!j1>dC3>%gX#unMYbP=gLz}rW@CcF4|D@&-R>@aB}MI&Z6;8wlN!G
+zL|{j%G}8^XwCH`!Q-KVj*$9!neg8&Y;<AbBg`0s>_Cbgo8Cf;Z2gmEWvL;cxk;k)W
+z;TzG3w{$!X(W}_G(-NtA7_=p|zcnnFx6slGYwsrOZ4KEB3UFp+O#>&fIEN_08rE+3
+zI&7_r@{dNrmF!7ftW{s>Y~3ztva1PI9c+$Ly9iEf0(xUEEn>XA&iXud_BnS?*75-g
+zvlp_|<2zD5mR&UC6&WV)LkN+iE(RY-C^bZyKYngUxPmp0X5SY2=vf>8P=$cjDEIxy
+zH0CUv3=K_>`g+y*v_Ki{K6m&@>481fYtOH`_ivMRf{gUfKVE{o(iJq$9iQ#s$e37O
+zJ{zL+JJvwj!lcdW2C=aA@!?|fgN7}t-=|;Xh+@yw53g7EnB?3U4Vo1c)AG=XN+JbL
+z{t+|M_r-E(xJ)_K5;b3BAwJVoNO@%#R-Ui08kt_lW*EW*s}urfn|c3$IJsHCMvct~
+zCdDOf-&)+6&-BS#D12}+_Jq5LNl;9P>sZ+^d3a|wqvUs-suOWN<$=`AbWtkBGXD3v
+zSC#7E;&%!jT($b8rPM~%XPazOEK8RD?zq)ALGE=AR_NE{0upZ{q>3e=f!;g{*W?s?
+zg%?#clE?@UY{hI_L?D4uo*;ZG{N`!eXZ)3?;@i1mM8ws8QiRjaLOaMIaJnK)<-RP-
+z{ritiFA`s0pXV8jT|}7%To@MjEF6n=+_+oxwY8dC*IplA;c&xT5hTAxkU4O<d1*~e
+zx?4TCL|x0s;Gum+S)$i*q!Bl21lM<NR#bmy;|v#C)IB?0(yVCVc3kYX<aIdMRgdS>
+zwcwY}1eb8<noP@1z#-IeoO(g^UGMtrXx-x1k1F1rVEbH1FP7d^UFhEP8sxV$c;n(O
+zWF6?3VZOulM!p2NKRti*3$3@!<cl?b3;hWuR-q>Zkf~fM<@gO6ttBB^67=-;=n;~n
+z0q6}*BMN4SB3U8I`e}A_99uso*&<9))Qx&J*9EB}hTO_GK)us^l)|NynccmQUO+S{
+zP0T!xlj$6bn%q@LoZQ>R&&_!UG%)r#>io?3`gjg_D{tkdRu6f8#bxHT%Xi$QzNM>0
+z*7u#nQ4QTjndX>o8=Py9!>5f`q>eMwfyb=8NPTL_c3oLvxHGimfZ=y3{_vC<sgI!6
+zf<>Jrh=HCoy9dm3ak8HeQja+B5|$q}4i%t11s@it$1F}P9LpnJ$;#Seua;mO7Lec9
+z_%))U%f9MJOT=~g);V85W70Pm(DMl6qJs;&-m7Wt#-q7=cFkJ;#UoS6T$3%wFTWOY
+zqn&*+QF~1R3tP#fGQ><|H0pVfNXTFFWq}UTDDrqmrE^l&uYZw`Rd!73!Kbgzr;UvX
+z$l(~;3FACNBaqbNnpIo*v|uvkN$jK0BAzR?E_!I(rSm0TZ}>+s{*E0{OoFqcmGMBA
+zDiV<S0a$h+)n6cjT^`T4lUJO*prb+$b2v4~Mxtr*zzx6yF!*r@<p$IM>7SAl5c-Fv
+zV36ehHMsxja}ddh@_@VAG_aNds$Zp9)3j%z?3qu{ykMBJw5?He5^M|tx3zPUbapf~
+I0fRt)19nW)od5s;
+
+literal 0
+HcmV?d00001
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.very-big-len.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..6920b89a6c7f1cb9294b399d50ac2d4d6202e25e
+GIT binary patch
+literal 2711
+zcmai$c{J2}AIHs@8AJBvhA_4v6Z+XNV>iaW6StZuG1i!DQ8I??B4yuAD4A#o*{Nuu
+zkb6gE%f626BjM?Jo_p#%&p-Ej&gXp3`~Ci$^ZD;}-T;a1E*QiNkl3IwR#cp6+%5-*
+z1yn*}-GPu;HvkeV9Uwt2{fb~EB#6Tg%LWW$`th0mN<e_~PXXls%mKMyk{u9%z;!AG
+z*4_Q8gTP=o6Tl9G|Mwc070LvN!dTtnOhF#Z5D*H&{dnVIsV%31w>z{he=zFidm@Q>
+zl0S9_S9R6Pg}EX-K+z<?3)kz)RhOomzs6&@R<i2IaI*3+;aY@K-;=3&*>5%hcPyz1
+zu7Bd|RLt_`*~Cg}NjSAn^APiSPlbDC`)xYy0n9A|Of3?6KaeAC+Xm|JtvD<U&dTTW
+z)}wE)wH4-iM{lt3%9=rc)7?|2p2!)A0c7_7<Pt{%mI8;-<zYt?0z{e7tBLO^rh|Mp
+zrp|7vehjcFced1-ot5FN8?IQvI5ljY%r_09OkzzC)%!+aWs+YCKEKn6ZEx4JNWfE=
+z{E}KT`!cEGrk}Vhn;DvM0|o5SC*qRNgGzjW<eNRpwcTi`To*;zdC=RZDWxW5XL-+`
+zdn{suxLx-VlZ^88IzA`P0~aKSJ1aA9HQsE;v55$HN{)=<lNHph!xTC%XbhZ@H*_&G
+zU(B0K-R0}o4$e>McyUCHj##+P{3VC6#8*5OQsMLNl}{|u?@~4~t_8(&M}|Ru(f^lb
+zr0|20j`b$|OL6oKxrDce3zhQWb|hmLH~XBR?fX1kXZ)^%CV0V}kxHi|3ZIaLk<wG5
+z+<^-XyPG=aKpy1eN7ue5eBEfM`cpqIeV3v<OZ8GA%|&draetR^jBN3#?FzmEQjG6K
+zB<+T9MC(H=LSj%?I*|%&_tBuM4TWsCZ@&P)Jb#cp)T*ix<Nc^@-4;2hrB1avazYH)
+zQ@Bi^YAKuHENWuyJZRIE4oTm{Q*79(QjgSlUqi3G6peO8PnK;^Cf2!s6Mb(#4eH)W
+zES<a{c2l2euY6#K%gJnYf-#`sTEmbjRkPPss6h?WD!=L2O~>Vpq;4E$iZ`kacGggI
+zTOACZ)K3`j&)bj4L<#3?R}|ks&t@<Id9**K$kXu`=ya733kcM<q3PZ4)zN)lyWC$B
+zflIyAp+>pE#cE%XPc`(9%#WAvX&rChYE*wDYeg6>4nAlw8Z4b}K3)4|LX0zPyqq8+
+z9um99!XCf6%E%lSurf>ZQ$npItQC{YYap!gj)uqPqBI+4j-@^UU+MXPQyk~eej&=;
+ztc8n-YjJv;RU;1#YO+v&^w{eHszg1r>sBw~+GE!Wr0l^;qH?|)(pej8&D3eLV;7}q
+z{mr)9K%X}JLGXF+YUeFuw*p@h)f0KDl#jC*rI``;8pl>W9M@2`K0YlGR`<ecwjF3&
+z<>1<KrS;wEF-ayiM20Vjx-R+Rv9W@T+p4M;M7>L`D_(f-D9w$3;$DH~O2cyJ=^0I(
+zM}IyHv$bK1ZT{XP^3=HY6p@3jdfC>qUU*{761JMlxsDWCFW8odJhZTCifJVq9IrX5
+zj<Eg+kf5<YdGT)mK|>%UDB*|g|6{yi$Npv$I~xf6BUJifD*O|09D22N&*b~M{UdN{
+z@aC0jQoh&fUt;|)E`|<6NRWX(c{p8%L6ly*sax4JQyB~&iuK*k86&T{3k>BWt@9cJ
+z2Jqv1+wO*zt?dwc_p*bE;|Cv{W^Z?axurlaM~5$Wb#qA0WKz!>XDTZGax<G_8;|BW
+zq4f_CICYAsX(K0?@#@K`><bFKPZ>w*Gj`=EnCXTMgL76b`9?h_#T*^GyR&G#lWmOp
+zXd&2<63uvvB{k~1+Nl7#z-)xj{&&9yZt@Do<!orclx-j)M@m{5^ughZwlpU4+x6pF
+zwD7H{glk&vhuC%e+-b2C9URuYrN1>Sh`Z3-0&nXo?PUqs4)k|oW=;hsGC2jKVD%eU
+zee8EOg?UFK;qtbXUCfV`R$028Q>EAAA9b)eNPI)E<KwYgbEy&I?X{L?@Uzc3d$Lvz
+z(765J<sP4r^0Dlq8PDrsvfiX%@s`D)BQg2<>!uH$+mJ5eO`}+M1wMMz#NAUQVO7h0
+zJ~9m13nxQD(j%8HIi2P!qor|%pOhTfSGxTCl3V{SMJv!i_soN3$SZAr!`$)N4z`Sm
+zl@+64`MY>MNi$5F#Z_`)&4a_mq&xLHExw<AlOc;dQ#rg+-Gj-wIT|?2FQV?Q6`5EW
+zF!?Zgr0<LQ&~TYTiaC0|$V_ymv5@*oKdd}oZvA?CEsK6I1FTpG7&UP}ggCmI!A1>D
+zNSNZ1wy(`@jAy!(9W*hh7=OY|2oo3`>@rq1Oc~yr%_zA`P;w-1Cf|_=O&4yVn#bL(
+zeO09bE`BHH&QYUVTH4Z}^lY1DifP&0&yBGDCeW?+&f4l_8UKVE2#I1bXn+@&++`V5
+zui&DhY9a*zf~}eC3h~8L%i{%4g@>M|eI{OfD!Q91LPlKbuZ(cqTWAN_2TWIlDW*v?
+zrKLSEK1Y6iWu9v=W)W@de|A{Zqi`(BVe3}WQfoD*wyiF)!v3l$3M9Khk~(k>J-?wW
+z*{u>(qM~k~ch5GXEWz_Q(tr~^Lg=%b71rI`(%`@fyJe?~n-neFh>h75zXAul=x}|y
+z9Q5)T|1!a@(YWjc9MUpQP${Us<yDs*rCt2`e#M&;ET0QkizT;}7P|L62YJo)-Z;An
+zSOz#`nC@}Bku3qzrsqSy(0bc2Uo3f>SD)Zw<a&YusjB5twm+az>SDqrflqIY9w94L
+z0iD5VM8OPMC@WY&H`Qj9z|xOPG7CcqyS5nRIwKWDkURN$=yz)OlR4xwv%9}z7Z8o|
+z6En|ar8>tVC%?%hOzwXp&dquG*VDhV)%u$7^l=?<S6$0ZsUGrJB4p;Z%XWmeyj@kk
+zUe|Y$(4y};$}q)sTM=9W?LTe3s_f914mf7vS=pzYWYd)uM$n)o`47KK_Jb!smiP#2
+zEm+iAhUn=?vbw`O7AO08Aa#fXPeIvX!w^2&Q}AJNdi3JN!m+%{i&<Iwtkq)l!vf0t
+z$G#2dsInz3NwL^2pIWE0SX}xR9eM^~Safjqo7Z}3yWwc=zD<+5U-8IP631lo@e8j7
+zTxmv6CTcFr;bCieEp!o#lxiIp5()WhzAV6A5=|NJsB%io`u#7;v8s+q9r*O6`P8v7
+zJ{baCGk%<FXatgST<y_LJ}roXdlGX$q=@Tcjk6AxaQ;k*=NsNpoS#ESB!lGSU|~4W
+zrGx~eegc+NK<PIKf0z3+&ZIRbPw1$?y&QH`ih*#dED#+FgaCFwH=&#W22lMa*#TJy
+zJitWz_gY1z|1>!;E9mI&_kX4Ce<~hCJfhtHmL?6Xu7~bdY*I7snJ9ba9XQV)rXXo;
+V5S0iUgTSqA9L1d+j4@yk=wB`Z-!=dM
+
+literal 0
+HcmV?d00001
+
+diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.zero-len.p12
+new file mode 100644
+index 0000000000000000000000000000000000000000..0e63eb6077fd94da26ba86f1b6230daab5f5ea3d
+GIT binary patch
+literal 2702
+zcmai$XEfXi7skz)8AJ54LNMA8HGehB=w<X0eI<kForxAL7@`ZY(K|sFqYOcGl8{0|
+zVs}Wi=z<Y_^f&vy?@7*n+7I{K^E}Tz=YIR02f)!JgF%!4js^;&7LC`9KcoXufl6`I
+z2M`?f4uGR30XT@`&j?nEgP4D}Ou!(D?@RY*0s^dm2q+z(4~YDfv;Y?bu3XKw?c`k-
+z00zS;09qLQf8W5=Pzrz>M(q%<3v!`^fJ7mT^*guAOz9;&oS@AGV^R0sN8>2xSmO>b
+zHFw-?D64Y(Bz64UF+=tY&FRtwTTB{TrJELHOCuK@hBY|heFZ@^=gltQgvPbQ)vkP-
+zk6qujO{yl8h7yJq&b2-t$uKVNzs(>%fjNYM3B?@mM{{{iyFtBPRp&*4*##^fs-*p`
+z?xH-8m>nu+VLj+CDo65!E4dS~fY8aG47@17knKFCGUQ^GEm~;mPSSh4?ifqNyzQ>+
+zq@PKpwW0FTk`R6Kc-4lMW$WJ60^I=o99joaccK|m&i|$G^E>6Zo*q?$L^nKzcXC(O
+za2A1A_Y;F*2U#J0w2(IDN_@&KP^l-7a&J(&aR4QdXCo=R0($#2wM?hnmigArdM*>h
+zgXT%C6j4`q_GMls_+>1wwKU~k+r1tP4Hug$|HO=2iiEszh(w>=^-(Kv4I4fEwfwoX
+zLzWSxz=G7?7Z-$>u+?zNFS+EeEG6?nRi5u&dB#P1JLW{kcZxDS6e3r=82L*flJm(#
+z?{>S}OI}ojNaEY`)oSt38#rwn2eaIO{l`rGR^H*DS!Qrwq?8z6QBwscQgEJ|(SNn|
+za98;z$fY8s_U>uox1H9SKh^Rx4)M}U1a}$Sa@bxs<0+p-WT$6if1oc&GGPdjd>BL*
+zqXsbuiWT+kLrTy*MuG0M7STL-@B;ku)>+DjF4^m`9<|-urpPfxd4kb}C1TVJ&!7X9
+zOWh5nlH=)NLg{Yw@_QwT(V%O}T+$M}G~AC;ulGp0QtgAX(AFcns7EL1P^Z4=vN=1R
+zdukL%m7@m?mU^4B<k9Q)4P>D*IWrZB2GMb1^|A7eh4}o5w4L)T-Zr_hz6QKXm$`aV
+z%d9%<irIuv6ld;!RY?SDDU$-oC;m2Hv5;U#BFO|9K%l0r?eBiAiy8jb@ANtva2z6h
+zXcHM*tMlUe)Ige~tY3em$lkNpCSNOTgq<o0JZse)D_iNf*7#+XhdyMc63fLK6n8{L
+zo3Ob_&YEE}(o6D|65UALD#7VDK&TTeG%hViDYPwKN^1i94t~T)&d@2n;AZSl#KgvT
+zTE5M05Qhe|8_3tzyW5GD%4hZ8A41%%x35A9pKT;b7dRlTmC(i%eI^Gtq7;meO$XG~
+zh~pnGKOfrcyRYp~=!GM=BE`yB=u1QuGUH!kXzIq}Tg$g+7WhJ%Ul=X*0NtB(414y(
+z;fI4dDbcNwp{v~XU%lMWahJ&tWM%ERJ<5!$UU(cxEzf*n+<@i@!tz!~neBZSfBq3-
+zYC;p&aXQHLRJ&0unvNvvZ0g#=IlE;D+svciMsjQy?(;>S8yL06c2%geH(b<(8BYQ@
+zXxtB8{0$&z5CjLsez$$Tj|c41|Jg)K0|I{!rM{aI{{|fMAte>70xySu1x|yTezlx{
+z*WH$vXrJ3_!Q&7dWOP^@PEsaE3vS(0scv7a4upS*^E%0$uGn;9`%r*1&TsV_b(=Zb
+zchWHI>Vc33*3D%sK6+vlh6W1t4cUh1dc7FyI)ZZNk_Wfw(?k=TJ7_GrnG|kvY=4Bn
+z3G>kkCL)(JUp0y4*hw%yC11!d-l$B~T4>!-ziHH2pgDMz$HHP@Ae+cM*G+DT;ecI8
+z5w-WI(xOh~#QaEXOJN)*r{1lM6&qSMw!wb$rv8Xr0YPcdM{{2#L9NK+aQ19s=w4Lf
+zT}7vJ^tRjbHJ(&u3|hZ)q$?zVu}I&*&D37d-4L?x?_)_xnFdaxunZK1wd~ySG&|Vk
+zWS)wIi<?&WQ`Uanq#CeJ6WmUy?WHp3J4VpDC7}0~)52zY8V#-7mY&lOW^bIKFeicQ
+zgPs$W(>cY9uHhlV9=Jf>&b5FG9`TlN-6zjYaJSubqo@zrCS4lhA4%fSvX!2bWDVM)
+zxuBqo$ghr;*I3Gl>GYvj`A1KroS!>7j2z+>{nb^ho~%P&DY0tg%`ElOWX^7EXa<V^
+z?xxDGr`2t6r=qCg$@yCH!<K_iuTQ@SRd79%Irps_)XKd#<-f$rCGVsdnN;mJ_eadc
+z@E83L<K+^m`lyv+J?_P}BEl=Rkjes)?eL67Dz!i|Sh5JvY-jufVqvcbo6^w1X_b_A
+zf9r4{KU2XUprQjx+^#rqX!*wk+Dw;^<HwJdGE0BQN?BCwraa^e&fx4M=*R!w_^L(*
+zT=GuDiLODVtgN$D>e)WkJjJ@cw*z+jjlV<V!>vtcA)mwu1YZdc)X$wk#92sm=<=GR
+zY!V&;f^F#>a<C*2Dibb?g$7?EevZEVl>0D`s{-LTQXOV-wAuqQ^IND2kxUn)NKb#F
+zeY4`V?+U|M>>5hj$9A0CrD!_JeD8ko*RDExB~z8?DziJfq9EZNoWPlN@U0zb{sEbQ
+zQW<%5)kmh8<%zEBNOgMD1a|nw5~s@1-gP=Or$bH#uTJr5L|p74uP+>Iqs;KhIpF0p
+z)^+TSHtq5&a7gD2R;IA-zI$^{lv2s-$5n5xP<<}iEaBgmS{*oX9b?v4ePivwX6R?0
+zse45CMz|D6UswtLLLBPW`eMl3vDt))6&VZ!1ZvjHXnuo6$@6fQ`ag}Bx<FRT0?K0x
+zh{DARj_g1Ql{Ax0EY%1mSuaGC)4o$P&l)Mog*+%wMZJ@IoI)p_l{0XPUPZKt&n`ZX
+z6X=_coI4gtoI5#=US4+hX(64`G<xYU4KtiE*4)iYt^45e6`PgcBitL@`F2w}ym|O4
+zwo}c1imZznFv8mSn|<1QRo#1i!S9lRYxS^nvPpk-2=+QL*=PJ+iZ?u^o^KM=Rk)_O
+z4pCL+r*?w5tj&!uL7EX~u9t<!HG)`(Pr>IU88K_KtC#YtZ)azpP}lL0&I|GH>%Cf0
+zQRQD1`FY~{JsT};(U^=q64VNzQG8~5?7p4WqcN3tV$v?}T{1DBOgGoTZugqao~YS0
+z+u$tX2HVQ-Bynj8$Tl+|k&wSu%KgmvQTUnO8q1{YU;n~is_C6mhA%j-q)kt=2w_PI
+z2{Q~ICLpQoa<vBq!~i^|DfV$tF~jW!Yh^U{mQ|_i8|EpDw|Q?Q8E0v3pfTDng#-kC
+z0G66f>K6!Wztc1N<Sk2A=oH(dTv}PYI%k?N5CQlAdOr@K^nel|{!`Kd2ngIyN9or_
+zNvZ!9xxZ`RKfByN6ofad(&xSc5iGBY8j)<5(;l2Hf9B!8!WtsMZ>%1b1e=DyjZG|g
+MEzPyHz#!0n06<CBdjJ3c
+
+literal 0
+HcmV?d00001
+
diff --git a/0060-CVE-2025-15467.patch b/0060-CVE-2025-15467.patch
new file mode 100644
index 0000000..4e72b62
--- /dev/null
+++ b/0060-CVE-2025-15467.patch
@@ -0,0 +1,207 @@
+From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:13:35 +0100
+Subject: [PATCH 1/3] Correct handling of AEAD-encrypted CMS with inadmissibly
+ long IV
+
+Fixes CVE-2025-15467
+---
+ crypto/evp/evp_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
+index 9eae1d421c2..58fa7ce43b4 100644
+--- a/crypto/evp/evp_lib.c
++++ b/crypto/evp/evp_lib.c
+@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+     if (type == NULL || asn1_params == NULL)
+         return 0;
+ 
+-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
+-    if (i <= 0)
++    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
++    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
+         return -1;
+-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
+ 
+     memcpy(asn1_params->iv, iv, i);
+     asn1_params->iv_len = i;
+
+From 6fb47957bfb0aef2deaa7df7aebd4eb52ffe20ce Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:15:42 +0100
+Subject: [PATCH 2/3] Some comments to clarify functions usage
+
+---
+ crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
+index 382576364be..e73bda64e3d 100644
+--- a/crypto/asn1/evp_asn1.c
++++ b/crypto/asn1/evp_asn1.c
+@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
+     oct->flags = 0;
+ }
+ 
++/*
++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
+                                  long *num, unsigned char *data, int max_len)
+ {
+@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an int-octet sequence and copies the integer to 'num'
++ * and the data of octet to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
+                                   unsigned char *data, int max_len)
+ {
+@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an octet-int sequence and copies the data of octet
++ * to 'data' and the integer to 'num'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
+                                        unsigned char *data, int max_len)
+ {
+
+From 1e8f5c7cd2c46b25a2877e8f3f4bbf954fbcdf77 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Sun, 11 Jan 2026 11:35:15 +0100
+Subject: [PATCH 3/3] Test for handling of AEAD-encrypted CMS with inadmissibly
+ long IV
+
+---
+ test/cmsapitest.c                             | 39 ++++++++++++++++++-
+ test/recipes/80-test_cmsapi.t                 |  3 +-
+ .../encDataWithTooLongIV.pem                  | 11 ++++++
+ 3 files changed, 50 insertions(+), 3 deletions(-)
+ create mode 100644 test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+
+diff --git a/test/cmsapitest.c b/test/cmsapitest.c
+index 88d519fd148..472d30c9e5d 100644
+--- a/test/cmsapitest.c
++++ b/test/cmsapitest.c
+@@ -9,10 +9,10 @@
+ 
+ #include <string.h>
+ 
++#include <openssl/pem.h>
+ #include <openssl/cms.h>
+ #include <openssl/bio.h>
+ #include <openssl/x509.h>
+-#include <openssl/pem.h>
+ #include "../crypto/cms/cms_local.h" /* for d.signedData and d.envelopedData */
+ 
+ #include "testutil.h"
+@@ -20,6 +20,7 @@
+ static X509 *cert = NULL;
+ static EVP_PKEY *privkey = NULL;
+ static char *derin = NULL;
++static char *too_long_iv_cms_in = NULL;
+ 
+ static int test_encrypt_decrypt(const EVP_CIPHER *cipher)
+ {
+@@ -479,6 +480,38 @@ static int test_encrypted_data_aead(void)
+     return ret;
+ }
+ 
++static int test_cms_aesgcm_iv_too_long(void)
++{
++    int ret = 0;
++    BIO *cmsbio = NULL, *out = NULL;
++    CMS_ContentInfo *cms = NULL;
++    unsigned long err = 0;
++
++    if (!TEST_ptr(cmsbio = BIO_new_file(too_long_iv_cms_in, "r")))
++        goto end;
++
++    if (!TEST_ptr(cms = PEM_read_bio_CMS(cmsbio, NULL, NULL, NULL)))
++        goto end;
++
++    /* Must fail cleanly (no crash) */
++    if (!TEST_false(CMS_decrypt(cms, privkey, cert, NULL, out, 0)))
++        goto end;
++    err = ERR_peek_last_error();
++    if (!TEST_ulong_ne(err, 0))
++        goto end;
++    if (!TEST_int_eq(ERR_GET_LIB(err), ERR_LIB_CMS))
++        goto end;
++    if (!TEST_int_eq(ERR_GET_REASON(err), CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR))
++        goto end;
++
++    ret = 1;
++end:
++    CMS_ContentInfo_free(cms);
++    BIO_free(cmsbio);
++    BIO_free(out);
++    return ret;
++}
++
+ OPT_TEST_DECLARE_USAGE("certfile privkeyfile derfile\n")
+ 
+ int setup_tests(void)
+@@ -493,7 +526,8 @@ int setup_tests(void)
+ 
+     if (!TEST_ptr(certin = test_get_argument(0))
+             || !TEST_ptr(privkeyin = test_get_argument(1))
+-            || !TEST_ptr(derin = test_get_argument(2)))
++        || !TEST_ptr(derin = test_get_argument(2))
++        || !TEST_ptr(too_long_iv_cms_in = test_get_argument(3)))
+         return 0;
+ 
+     certbio = BIO_new_file(certin, "r");
+@@ -529,6 +563,7 @@ int setup_tests(void)
+     ADD_TEST(test_CMS_add1_cert);
+     ADD_TEST(test_d2i_CMS_bio_NULL);
+     ADD_ALL_TESTS(test_d2i_CMS_decode, 2);
++    ADD_TEST(test_cms_aesgcm_iv_too_long);
+     return 1;
+ }
+ 
+diff --git a/test/recipes/80-test_cmsapi.t b/test/recipes/80-test_cmsapi.t
+index af00355a9d6..182629e71a0 100644
+--- a/test/recipes/80-test_cmsapi.t
++++ b/test/recipes/80-test_cmsapi.t
+@@ -18,5 +18,6 @@ plan tests => 1;
+ 
+ ok(run(test(["cmsapitest", srctop_file("test", "certs", "servercert.pem"),
+              srctop_file("test", "certs", "serverkey.pem"),
+-             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der")])),
++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encryptedData.der"),
++             srctop_file("test", "recipes", "80-test_cmsapi_data", "encDataWithTooLongIV.pem")])),
+              "running cmsapitest");
+diff --git a/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+new file mode 100644
+index 00000000000..4323cd2fb0c
+--- /dev/null
++++ b/test/recipes/80-test_cmsapi_data/encDataWithTooLongIV.pem
+@@ -0,0 +1,11 @@
++-----BEGIN CMS-----
++MIIBmgYLKoZIhvcNAQkQARegggGJMIIBhQIBADGCATMwggEvAgEAMBcwEjEQMA4G
++A1UEAwwHUm9vdCBDQQIBAjANBgkqhkiG9w0BAQEFAASCAQC8ZqP1OqbletcUre1V
++b4XOobZzQr6wKMSsdjtGzVbZowUVv5DkOn9VOefrpg4HxMq/oi8IpzVYj8ZiKRMV
++NTJ+/d8FwwBwUUNNP/IDnfEpX+rT1+pGS5zAa7NenLoZgGBNjPy5I2OHP23fPnEd
++sm8YkFjzubkhAD1lod9pEOEqB3V2kTrTTiwzSNtMHggna1zPox6TkdZwFmMnp8d2
++CVa6lIPGx26gFwCuIDSaavmQ2URJ615L8gAvpYUlpsDqjFsabWsbaOFbMz3bIGJu
++GkrX2ezX7CpuC1wjix26ojlTySJHv+L0IrpcaIzLlC5lB1rqtuija8dGm3rBNm/P
++AAUNMDcGCSqGSIb3DQEHATAjBglghkgBZQMEAQYwFgQRzxwoRQzOHVooVn3CpaWl
++paUCARCABUNdolo6BBA55E9hYaYO2S8C/ZnD8dRO
++-----END CMS-----
diff --git a/0061-CVE-2025-15468.patch b/0061-CVE-2025-15468.patch
new file mode 100644
index 0000000..0e0cf21
--- /dev/null
+++ b/0061-CVE-2025-15468.patch
@@ -0,0 +1,24 @@
+From 7da6afe3dac7d65b30f87f2c5d305b6e699bc5dc Mon Sep 17 00:00:00 2001
+From: Daniel Kubec <kubec@openssl.org>
+Date: Fri, 9 Jan 2026 14:33:24 +0100
+Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before
+ dereferencing SSL_CIPHER
+
+Fixes CVE-2025-15468
+---
+ ssl/quic/quic_impl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
+index 87c1370a8d6..89c108a9734 100644
+--- a/ssl/quic/quic_impl.c
++++ b/ssl/quic/quic_impl.c
+@@ -5222,6 +5222,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p)
+ {
+     const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
+ 
++    if (ciph == NULL)
++        return NULL;
+     if ((ciph->algorithm2 & SSL_QUIC) == 0)
+         return NULL;
+ 
diff --git a/0062-CVE-2025-15469.patch b/0062-CVE-2025-15469.patch
new file mode 100644
index 0000000..37f113c
--- /dev/null
+++ b/0062-CVE-2025-15469.patch
@@ -0,0 +1,266 @@
+From ef48810aafdc3b8c6c4a85e52314caeec0cb596c Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <openssl-users@dukhovni.org>
+Date: Wed, 7 Jan 2026 01:21:58 +1100
+Subject: [PATCH] Report truncation in oneshot `openssl dgst -sign`
+
+Previously input was silently truncated at 16MB, now if the input is
+longer than limit, an error is reported.
+
+The bio_to_mem() apps helper function was changed to return 0 or 1,
+and return the size of the result via an output size_t pointer.
+
+Fixes  CVE-2025-15469
+---
+ apps/dgst.c         |  7 +++---
+ apps/include/apps.h |  2 +-
+ apps/lib/apps.c     | 55 +++++++++++++++++++++++----------------------
+ apps/pkeyutl.c      | 36 ++++++++++++++---------------
+ 4 files changed, 50 insertions(+), 50 deletions(-)
+
+diff --git a/apps/dgst.c b/apps/dgst.c
+index 94415128d7f..7168b5f8b84 100644
+--- a/apps/dgst.c
++++ b/apps/dgst.c
+@@ -721,12 +721,11 @@ static int do_fp_oneshot_sign(BIO *out, EVP_MD_CTX *ctx, BIO *in, int sep, int b
+ {
+     int res, ret = EXIT_FAILURE;
+     size_t len = 0;
+-    int buflen = 0;
+-    int maxlen = 16 * 1024 * 1024;
++    size_t buflen = 0;
++    size_t maxlen = 16 * 1024 * 1024;
+     uint8_t *buf = NULL, *sig = NULL;
+ 
+-    buflen = bio_to_mem(&buf, maxlen, in);
+-    if (buflen <= 0) {
++    if (!bio_to_mem(&buf, &buflen, maxlen, in)) {
+         BIO_printf(bio_err, "Read error in %s\n", file);
+         return ret;
+     }
+diff --git a/apps/include/apps.h b/apps/include/apps.h
+index 6a23dbbb131..c9471ddc4ed 100644
+--- a/apps/include/apps.h
++++ b/apps/include/apps.h
+@@ -253,7 +253,7 @@ int parse_yesno(const char *str, int def);
+ X509_NAME *parse_name(const char *str, int chtype, int multirdn,
+                       const char *desc);
+ void policies_print(X509_STORE_CTX *ctx);
+-int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
++int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in);
+ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
+ int x509_ctrl_string(X509 *x, const char *value);
+ int x509_req_ctrl_string(X509_REQ *x, const char *value);
+diff --git a/apps/lib/apps.c b/apps/lib/apps.c
+index 0e436582030..76f3c1683b2 100644
+--- a/apps/lib/apps.c
++++ b/apps/lib/apps.c
+@@ -49,6 +49,7 @@
+ #include "apps.h"
+ 
+ #include "internal/sockets.h" /* for openssl_fdset() */
++#include "internal/numbers.h" /* for LONG_MAX */
+ #include "internal/e_os.h"
+ 
+ #ifdef _WIN32
+@@ -2010,45 +2011,45 @@ X509_NAME *parse_name(const char *cp, int chtype, int canmulti,
+ }
+ 
+ /*
+- * Read whole contents of a BIO into an allocated memory buffer and return
+- * it.
++ * Read whole contents of a BIO into an allocated memory buffer.
++ * The return value is one on success, zero on error.
++ * If `maxlen` is non-zero, at most `maxlen` bytes are returned, or else, if
++ * the input is longer than `maxlen`, an error is returned.
++ * If `maxlen` is zero, the limit is effectively `SIZE_MAX`.
+  */
+-
+-int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
++int bio_to_mem(unsigned char **out, size_t *outlen, size_t maxlen, BIO *in)
+ {
++    unsigned char tbuf[4096];
+     BIO *mem;
+-    int len, ret;
+-    unsigned char tbuf[1024];
++    BUF_MEM *bufm;
++    size_t sz = 0;
++    int len;
+ 
+     mem = BIO_new(BIO_s_mem());
+     if (mem == NULL)
+-        return -1;
++        return 0;
+     for (;;) {
+-        if ((maxlen != -1) && maxlen < 1024)
+-            len = maxlen;
+-        else
+-            len = 1024;
+-        len = BIO_read(in, tbuf, len);
+-        if (len < 0) {
+-            BIO_free(mem);
+-            return -1;
+-        }
+-        if (len == 0)
++        if ((len = BIO_read(in, tbuf, 4096)) == 0)
+             break;
+-        if (BIO_write(mem, tbuf, len) != len) {
++        if (len < 0
++            || BIO_write(mem, tbuf, len) != len
++            || sz > SIZE_MAX - len
++            || ((sz += len) > maxlen && maxlen != 0)) {
+             BIO_free(mem);
+-            return -1;
++            return 0;
+         }
+-        if (maxlen != -1)
+-            maxlen -= len;
+-
+-        if (maxlen == 0)
+-            break;
+     }
+-    ret = BIO_get_mem_data(mem, (char **)out);
+-    BIO_set_flags(mem, BIO_FLAGS_MEM_RDONLY);
++
++    /* So BIO_free orphans BUF_MEM */
++    (void)BIO_set_close(mem, BIO_NOCLOSE);
++    BIO_get_mem_ptr(mem, &bufm);
+     BIO_free(mem);
+-    return ret;
++    *out = (unsigned char *)bufm->data;
++    *outlen = bufm->length;
++    /* Tell BUF_MEM to orphan data */
++    bufm->data = NULL;
++    BUF_MEM_free(bufm);
++    return 1;
+ }
+ 
+ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
+diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
+index deecec6bcd7..2681114fba1 100644
+--- a/apps/pkeyutl.c
++++ b/apps/pkeyutl.c
+@@ -40,7 +40,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+ 
+ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
+                         EVP_PKEY *pkey, BIO *in,
+-                        int filesize, unsigned char *sig, int siglen,
++                        int filesize, unsigned char *sig, size_t siglen,
+                         unsigned char **out, size_t *poutlen);
+ 
+ static int only_nomd(EVP_PKEY *pkey)
+@@ -158,7 +158,7 @@ int pkeyutl_main(int argc, char **argv)
+     char hexdump = 0, asn1parse = 0, rev = 0, *prog;
+     unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL;
+     OPTION_CHOICE o;
+-    int buf_inlen = 0, siglen = -1;
++    size_t buf_inlen = 0, siglen = 0;
+     int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF;
+     int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+     int engine_impl = 0;
+@@ -508,31 +508,31 @@ int pkeyutl_main(int argc, char **argv)
+ 
+     if (sigfile != NULL) {
+         BIO *sigbio = BIO_new_file(sigfile, "rb");
++        size_t maxsiglen = 16 * 1024 * 1024;
+ 
+         if (sigbio == NULL) {
+             BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
+             goto end;
+         }
+-        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
+-        BIO_free(sigbio);
+-        if (siglen < 0) {
++        if (!bio_to_mem(&sig, &siglen, maxsiglen, sigbio)) {
++            BIO_free(sigbio);
+             BIO_printf(bio_err, "Error reading signature data\n");
+             goto end;
+         }
++        BIO_free(sigbio);
+     }
+ 
+     /* Raw input data is handled elsewhere */
+     if (in != NULL && !rawin) {
+         /* Read the input data */
+-        buf_inlen = bio_to_mem(&buf_in, -1, in);
+-        if (buf_inlen < 0) {
++        if (!bio_to_mem(&buf_in, &buf_inlen, 0, in)) {
+             BIO_printf(bio_err, "Error reading input Data\n");
+             goto end;
+         }
+         if (rev) {
+             size_t i;
+             unsigned char ctmp;
+-            size_t l = (size_t)buf_inlen;
++            size_t l = buf_inlen;
+ 
+             for (i = 0; i < l / 2; i++) {
+                 ctmp = buf_in[i];
+@@ -547,7 +547,8 @@ int pkeyutl_main(int argc, char **argv)
+         && (pkey_op == EVP_PKEY_OP_SIGN || pkey_op == EVP_PKEY_OP_VERIFY)) {
+         if (buf_inlen > EVP_MAX_MD_SIZE) {
+             BIO_printf(bio_err,
+-                       "Error: The non-raw input data length %d is too long - max supported hashed size is %d\n",
++                       "Error: The non-raw input data length %zd is too long - "
++                       "max supported hashed size is %d\n",
+                        buf_inlen, EVP_MAX_MD_SIZE);
+             goto end;
+         }
+@@ -558,8 +559,7 @@ int pkeyutl_main(int argc, char **argv)
+             rv = do_raw_keyop(pkey_op, mctx, pkey, in, filesize, sig, siglen,
+                               NULL, 0);
+         } else {
+-            rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
+-                                 buf_in, (size_t)buf_inlen);
++            rv = EVP_PKEY_verify(ctx, sig, siglen, buf_in, buf_inlen);
+         }
+         if (rv == 1) {
+             BIO_puts(out, "Signature Verified Successfully\n");
+@@ -578,8 +578,8 @@ int pkeyutl_main(int argc, char **argv)
+             buf_outlen = kdflen;
+             rv = 1;
+         } else {
+-            rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+-                          buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen);
++            rv = do_keyop(ctx, pkey_op, NULL, &buf_outlen,
++                buf_in, buf_inlen, NULL, &secretlen);
+         }
+         if (rv > 0
+             && (secretlen > 0 || (pkey_op != EVP_PKEY_OP_ENCAPSULATE
+@@ -589,8 +589,8 @@ int pkeyutl_main(int argc, char **argv)
+             if (secretlen > 0)
+                 secret = app_malloc(secretlen, "secret output");
+             rv = do_keyop(ctx, pkey_op,
+-                          buf_out, (size_t *)&buf_outlen,
+-                          buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen);
++                          buf_out, &buf_outlen,
++                          buf_in, buf_inlen, secret, &secretlen);
+         }
+     }
+     if (rv <= 0) {
+@@ -857,7 +857,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
+ 
+ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
+                         EVP_PKEY *pkey, BIO *in,
+-                        int filesize, unsigned char *sig, int siglen,
++                        int filesize, unsigned char *sig, size_t siglen,
+                         unsigned char **out, size_t *poutlen)
+ {
+     int rv = 0;
+@@ -880,7 +880,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
+                 BIO_printf(bio_err, "Error reading raw input data\n");
+                 goto end;
+             }
+-            rv = EVP_DigestVerify(mctx, sig, (size_t)siglen, mbuf, buf_len);
++            rv = EVP_DigestVerify(mctx, sig, siglen, mbuf, buf_len);
+             break;
+         case EVP_PKEY_OP_SIGN:
+             buf_len = BIO_read(in, mbuf, filesize);
+@@ -914,7 +914,7 @@ static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx,
+                 goto end;
+             }
+         }
+-        rv = EVP_DigestVerifyFinal(mctx, sig, (size_t)siglen);
++        rv = EVP_DigestVerifyFinal(mctx, sig, siglen);
+         break;
+     case EVP_PKEY_OP_SIGN:
+         for (;;) {
diff --git a/0063-CVE-2025-66199.patch b/0063-CVE-2025-66199.patch
new file mode 100644
index 0000000..0b9aa1f
--- /dev/null
+++ b/0063-CVE-2025-66199.patch
@@ -0,0 +1,30 @@
+From 04a93ac145041e3ef0121a2688cf7c1b23780519 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Thu, 8 Jan 2026 14:02:54 +0100
+Subject: [PATCH] Check the received uncompressed certificate length to prevent
+ excessive pre-decompression allocation.
+
+The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research).
+
+Fixes: CVE-2025-66199
+---
+ ssl/statem/statem_lib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 9e0c853c0d2..f82d8dcdac1 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -2877,6 +2877,12 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
+         goto err;
+     }
+ 
++    /* Prevent excessive pre-decompression allocation */
++    if (expected_length > sc->max_cert_list) {
++        SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE);
++        goto err;
++    }
++
+     if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
+         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
+         goto err;
diff --git a/0064-CVE-2025-68160.patch b/0064-CVE-2025-68160.patch
new file mode 100644
index 0000000..cd57ed1
--- /dev/null
+++ b/0064-CVE-2025-68160.patch
@@ -0,0 +1,64 @@
+From 701aa270db8ad424cece68702b9bb2e05290af9b Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes CVE-2025-68160
+---
+ crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
+index 1dfcac8f2ea..e4af2a8c4ff 100644
+--- a/crypto/bio/bf_lbuf.c
++++ b/crypto/bio/bf_lbuf.c
+@@ -187,14 +187,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+     while (foundnl && inl > 0);
+     /*
+      * We've written as much as we can.  The rest of the input buffer, if
+-     * any, is text that doesn't and with a NL and therefore needs to be
+-     * saved for the next trip.
++     * any, is text that doesn't end with a NL and therefore we need to try
++     * free up some space in our obuf so we can make forward progress.
+      */
+-    if (inl > 0) {
+-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+-        ctx->obuf_len += inl;
+-        num += inl;
++    while (inl > 0) {
++        size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++        size_t to_copy;
++
++        if (avail == 0) {
++            /* Flush buffered data to make room */
++            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++            if (i <= 0) {
++                BIO_copy_next_retry(b);
++                return num > 0 ? num : i;
++            }
++            if (i < ctx->obuf_len)
++                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++            ctx->obuf_len -= i;
++            continue;
++        }
++
++        to_copy = inl > (int)avail ? avail : (size_t)inl;
++        memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++        ctx->obuf_len += (int)to_copy;
++        in += to_copy;
++        inl -= (int)to_copy;
++        num += (int)to_copy;
+     }
++
+     return num;
+ }
+ 
diff --git a/0065-CVE-2025-69418.patch b/0065-CVE-2025-69418.patch
new file mode 100644
index 0000000..733af4c
--- /dev/null
+++ b/0065-CVE-2025-69418.patch
@@ -0,0 +1,67 @@
+From 1a556ff619473af9e179b202284a961590d5a2bd Mon Sep 17 00:00:00 2001
+From: Norbert Pocs <norbertp@openssl.org>
+Date: Thu, 8 Jan 2026 15:04:54 +0100
+Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
+ trailing bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
+encrypts/decrypts full blocks but does not advance in/out pointers. The
+tail-handling code then operates on the base pointers, effectively reprocessing
+the beginning of the buffer while leaving the actual trailing bytes
+unencrypted (encryption) or using the wrong plaintext (decryption). The
+authentication checksum excludes the true tail.
+
+CVE-2025-69418
+
+Fixes: https://github.com/openssl/srt/issues/58
+
+Signed-off-by: Norbert Pocs <norbertp@openssl.org>
+---
+ crypto/modes/ocb128.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c
+index ce72baf6da5..8a5d7c7db00 100644
+--- a/crypto/modes/ocb128.c
++++ b/crypto/modes/ocb128.c
+@@ -337,7 +337,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+ 
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+ 
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -351,6 +351,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keyenc,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         /* Loop through all full blocks to be encrypted */
+         for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
+@@ -429,7 +432,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+ 
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+ 
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -443,6 +446,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keydec,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         OCB_BLOCK tmp;
+ 
diff --git a/0066-CVE-2025-69420.patch b/0066-CVE-2025-69420.patch
new file mode 100644
index 0000000..bc4e420
--- /dev/null
+++ b/0066-CVE-2025-69420.patch
@@ -0,0 +1,37 @@
+From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Verify ASN1 object's types before attempting to access them
+ as a particular type
+
+Issue was reported in ossl_ess_get_signing_cert but is also present in
+ossl_ess_get_signing_cert_v2.
+
+Fixes: https://github.com/openssl/srt/issues/61
+Fixes CVE-2025-69420
+---
+ crypto/ts/ts_rsp_verify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
+index 3876e30f47b..40dab687d1c 100644
+--- a/crypto/ts/ts_rsp_verify.c
++++ b/crypto/ts/ts_rsp_verify.c
+@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -221,7 +221,7 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
diff --git a/0067-CVE-2025-69421.patch b/0067-CVE-2025-69421.patch
new file mode 100644
index 0000000..aead141
--- /dev/null
+++ b/0067-CVE-2025-69421.patch
@@ -0,0 +1,28 @@
+From 0a2ecb95993b588d2156dd6527459cc3983aabd5 Mon Sep 17 00:00:00 2001
+From: Andrew Dinh <andrewd@openssl.org>
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] Add NULL check to PKCS12_item_decrypt_d2i_ex
+
+Address CVE-2025-69421
+
+Add NULL check for oct parameter
+---
+ crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index 606713b9ee9..1614da44042 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -146,6 +146,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen = 0;
+ 
++    if (oct == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
+                              &out, &outlen, 0, libctx, propq))
+         return NULL;
diff --git a/0068-CVE-2025-69419.patch b/0068-CVE-2025-69419.patch
new file mode 100644
index 0000000..367debc
--- /dev/null
+++ b/0068-CVE-2025-69419.patch
@@ -0,0 +1,136 @@
+diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
+index b7a5284fa59fa..7be233db5e0b2 100644
+--- a/crypto/asn1/a_mbstr.c
++++ b/crypto/asn1/a_mbstr.c
+@@ -123,7 +123,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+         return -1;
+     }
+ 
+-    /* Now work out output format and string type */
++    /*
++     * Now work out output format and string type.
++     * These checks should be in sync with the checks in type_str.
++     */
+     outform = MBSTRING_ASC;
+     if (mask & B_ASN1_NUMERICSTRING)
+         str_type = V_ASN1_NUMERICSTRING;
+@@ -191,7 +194,11 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
+ 
+     case MBSTRING_UTF8:
+         outlen = 0;
+-        traverse_string(in, len, inform, out_utf8, &outlen);
++        ret = traverse_string(in, len, inform, out_utf8, &outlen);
++        if (ret < 0) {
++            ERR_raise(ERR_LIB_ASN1, ASN1_R_INVALID_UTF8STRING);
++            return -1;
++        }
+         cpyfunc = cpy_utf8;
+         break;
+     }
+@@ -286,9 +293,29 @@ static int out_utf8(unsigned long value, void *arg)
+ 
+ static int type_str(unsigned long value, void *arg)
+ {
+-    unsigned long types = *((unsigned long *)arg);
++    unsigned long usable_types = *((unsigned long *)arg);
++    unsigned long types = usable_types;
+     const int native = value > INT_MAX ? INT_MAX : ossl_fromascii(value);
+ 
++    /*
++     * Clear out all the types which are not checked later. If any of those
++     * is present in the mask, then the UTF8 type will be added and checked
++     * below.
++     */
++    types &= B_ASN1_NUMERICSTRING | B_ASN1_PRINTABLESTRING
++        | B_ASN1_IA5STRING | B_ASN1_T61STRING | B_ASN1_BMPSTRING
++        | B_ASN1_UNIVERSALSTRING | B_ASN1_UTF8STRING;
++
++    /*
++     * If any other types were in the input mask, they're effectively treated
++     * as UTF8
++     */
++    if (types != usable_types)
++        types |= B_ASN1_UTF8STRING;
++
++    /*
++     * These checks should be in sync with ASN1_mbstring_ncopy.
++     */
+     if ((types & B_ASN1_NUMERICSTRING) && !(ossl_isdigit(native)
+                                             || native == ' '))
+         types &= ~B_ASN1_NUMERICSTRING;
+@@ -356,6 +383,8 @@ static int cpy_utf8(unsigned long value, void *arg)
+     p = arg;
+     /* We already know there is enough room so pass 0xff as the length */
+     ret = UTF8_putc(*p, 0xff, value);
++    if (ret < 0)
++        return ret;
+     *p += ret;
+     return 1;
+ }
+diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
+index 17f7372026c3b..01e2269444cba 100644
+--- a/crypto/asn1/a_strex.c
++++ b/crypto/asn1/a_strex.c
+@@ -198,8 +198,10 @@ static int do_buf(unsigned char *buf, int buflen,
+             orflags = CHARTYPE_LAST_ESC_2253;
+         if (type & BUF_TYPE_CONVUTF8) {
+             unsigned char utfbuf[6];
+-            int utflen;
+-            utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++            int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c);
++
++            if (utflen < 0)
++                return -1; /* error happened with UTF8 */
+             for (i = 0; i < utflen; i++) {
+                 /*
+                  * We don't need to worry about setting orflags correctly
+diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c
+index 50adce6b26fd2..8b5f2909e8d96 100644
+--- a/crypto/pkcs12/p12_utl.c
++++ b/crypto/pkcs12/p12_utl.c
+@@ -213,6 +213,11 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen)
+     /* re-run the loop emitting UTF-8 string */
+     for (asclen = 0, i = 0; i < unilen; ) {
+         j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i);
++        /* when UTF8_putc fails */
++        if (j < 0) {
++            OPENSSL_free(asctmp);
++            return NULL;
++        }
+         if (j == 4) i += 4;
+         else        i += 2;
+         asclen += j;
+diff --git a/test/asn1_internal_test.c b/test/asn1_internal_test.c
+index e08e2a11be9b7..56af2b369b4dd 100644
+--- a/test/asn1_internal_test.c
++++ b/test/asn1_internal_test.c
+@@ -554,6 +554,22 @@ static int posix_time_test(void)
+     return 1;
+ }
+ 
++static int test_mbstring_ncopy(void)
++{
++    ASN1_STRING *str = NULL;
++    const unsigned char in[] = { 0xFF, 0xFE, 0xFF, 0xFE };
++    int inlen = 4;
++    int inform = MBSTRING_UNIV;
++
++    if (!TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALSTRING, 0, 0), -1)
++        || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VISIBLESTRING, 0, 0), -1)
++        || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_VIDEOTEXSTRING, 0, 0), -1)
++        || !TEST_int_eq(ASN1_mbstring_ncopy(&str, in, inlen, inform, B_ASN1_GENERALIZEDTIME, 0, 0), -1))
++        return 0;
++
++    return 1;
++}
++
+ int setup_tests(void)
+ {
+     ADD_TEST(test_tbl_standard);
+@@ -565,5 +581,6 @@ int setup_tests(void)
+     ADD_TEST(test_unicode_range);
+     ADD_TEST(test_obj_create);
+     ADD_TEST(test_obj_nid_undef);
++    ADD_TEST(test_mbstring_ncopy);
+     return 1;
+ }
diff --git a/0069-CVE-2026-22795.patch b/0069-CVE-2026-22795.patch
new file mode 100644
index 0000000..a0703aa
--- /dev/null
+++ b/0069-CVE-2026-22795.patch
@@ -0,0 +1,52 @@
+diff --git a/apps/s_client.c b/apps/s_client.c
+index 7b2cabdc428a9..d0611433261dc 100644
+--- a/apps/s_client.c
++++ b/apps/s_client.c
+@@ -2847,8 +2847,9 @@ int s_client_main(int argc, char **argv)
+                 goto end;
+             }
+             atyp = ASN1_generate_nconf(genstr, cnf);
+-            if (atyp == NULL) {
++            if (atyp == NULL || atyp->type != V_ASN1_SEQUENCE) {
+                 NCONF_free(cnf);
++                ASN1_TYPE_free(atyp);
+                 BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
+                 goto end;
+             }
+diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
+index 10b581612dbb2..d0236e34fe9df 100644
+--- a/crypto/pkcs12/p12_kiss.c
++++ b/crypto/pkcs12/p12_kiss.c
+@@ -196,11 +196,17 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
+     ASN1_BMPSTRING *fname = NULL;
+     ASN1_OCTET_STRING *lkid = NULL;
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) {
++        if (attrib->type != V_ASN1_BMPSTRING)
++            return 0;
+         fname = attrib->value.bmpstring;
++    }
+ 
+-    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
++    if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) {
++        if (attrib->type != V_ASN1_OCTET_STRING)
++            return 0;
+         lkid = attrib->value.octet_string;
++    }
+ 
+     switch (PKCS12_SAFEBAG_get_nid(bag)) {
+     case NID_keyBag:
+diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
+index 02444d983c476..7798846b16ec1 100644
+--- a/crypto/pkcs7/pk7_doit.c
++++ b/crypto/pkcs7/pk7_doit.c
+@@ -1229,6 +1229,8 @@ ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk)
+     ASN1_TYPE *astype;
+     if ((astype = get_attribute(sk, NID_pkcs9_messageDigest)) == NULL)
+         return NULL;
++    if (astype->type != V_ASN1_OCTET_STRING)
++        return NULL;
+     return astype->value.octet_string;
+ }
+ 
diff --git a/openssl.spec b/openssl.spec
index b8082e7..156e2e8 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.5.1
-Release: 5%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -99,6 +99,18 @@ Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
 Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 Patch0056: 0056-Fix-incorrect-check-of-unwrapped-key-size.patch
 Patch0057: 0057-Do-not-make-key-share-choice-in-tls1_set_groups.patch
+Patch0058: 0058-Fix-PPC-register-processing.patch
+Patch0059: 0059-CVE-2025-11187.patch
+Patch0060: 0060-CVE-2025-15467.patch
+Patch0061: 0061-CVE-2025-15468.patch
+Patch0062: 0062-CVE-2025-15469.patch
+Patch0063: 0063-CVE-2025-66199.patch
+Patch0064: 0064-CVE-2025-68160.patch
+Patch0065: 0065-CVE-2025-69418.patch
+Patch0066: 0066-CVE-2025-69420.patch
+Patch0067: 0067-CVE-2025-69421.patch
+Patch0068: 0068-CVE-2025-69419.patch
+Patch0069: 0069-CVE-2026-22795.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -455,6 +467,27 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
 %ldconfig_scriptlets libs
 
 %changelog
+* Fri Jan 16 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-7
+- Fix CVE-2025-11187 CVE-2025-15467 CVE-2025-15468 CVE-2025-15469
+  CVE-2025-66199 CVE-2025-68160 CVE-2025-69418 CVE-2025-69419 CVE-2025-69420
+  CVE-2025-69421 CVE-2026-22795 CVE-2026-22796
+  Resolves: RHEL-142062
+  Resolves: RHEL-141985
+  Resolves: RHEL-142053
+  Resolves: RHEL-142049
+  Resolves: RHEL-142045
+  Resolves: RHEL-142041
+  Resolves: RHEL-142037
+  Resolves: RHEL-142033
+  Resolves: RHEL-142029
+  Resolves: RHEL-142008
+  Resolves: RHEL-142025
+  Resolves: RHEL-142021
+
+* Wed Jan 07 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.1-6
+- Fix AES/GCM ppc64le encrypt/decrypt
+  Resolves: RHEL-139108
+
 * Thu Dec 11 2025 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.1-5
 - Do not make key share choice in tls1_set_groups()
   Resolves: RHEL-130992