diff --git a/SOURCES/openssl-1.0.1e-3des-strength.patch b/SOURCES/openssl-1.0.1e-3des-strength.patch
index 7375b47..9fdefb6 100644
--- a/SOURCES/openssl-1.0.1e-3des-strength.patch
+++ b/SOURCES/openssl-1.0.1e-3des-strength.patch
@@ -1,27 +1,80 @@
-Although the real strength is rather 112 bits we use 128 here as
-we do not want to sort it behind more obscure ciphers.
-AES-128 is preferred anyway.
+We degrade all 64 bit block ciphers and RC4 to 112 bits.
diff -up openssl-1.0.1e/ssl/s2_lib.c.3des-strength openssl-1.0.1e/ssl/s2_lib.c
--- openssl-1.0.1e/ssl/s2_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
-+++ openssl-1.0.1e/ssl/s2_lib.c 2014-01-22 16:32:45.791700322 +0100
++++ openssl-1.0.1e/ssl/s2_lib.c 2016-09-21 11:37:22.729563320 +0200
+@@ -152,7 +152,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -217,7 +217,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ 0,
+- 128,
++ 112,
+ 128,
+ },
+ #endif
+
@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_SSLV2,
SSL_NOT_EXP|SSL_HIGH,
0,
- 168,
-+ 128,
++ 112,
168,
},
diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
---- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2014-01-17 11:41:11.000000000 +0100
-+++ openssl-1.0.1e/ssl/s3_lib.c 2014-01-22 16:31:14.713666777 +0100
+--- openssl-1.0.1e/ssl/s3_lib.c.3des-strength 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/ssl/s3_lib.c 2016-09-21 11:43:27.108247849 +0200
+@@ -230,7 +230,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -246,7 +246,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -279,7 +279,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+ #endif
@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -30,7 +83,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -39,7 +92,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -48,7 +101,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -57,16 +110,25 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -554,7 +554,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -75,70 +137,169 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -703,7 +703,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -719,7 +719,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SSLV3,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -767,7 +767,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
+@@ -1380,7 +1380,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+ #endif
+@@ -1669,7 +1669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -2046,7 +2046,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -2126,7 +2126,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -2206,7 +2206,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -2286,7 +2286,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
+@@ -2366,7 +2366,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 128,
++ 112,
+ 128,
+ },
+
@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_TLSV1,
SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -147,7 +308,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -156,7 +317,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
@@ -165,7 +326,7 @@ diff -up openssl-1.0.1e/ssl/s3_lib.c.3des-strength openssl-1.0.1e/ssl/s3_lib.c
SSL_NOT_EXP|SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
- 168,
-+ 128,
++ 112,
168,
},
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2177.patch b/SOURCES/openssl-1.0.1e-cve-2016-2177.patch
new file mode 100644
index 0000000..00b100e
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2177.patch
@@ -0,0 +1,181 @@
+diff -up openssl-1.0.1e/ssl/ssl_sess.c.pointer-arithmetic openssl-1.0.1e/ssl/ssl_sess.c
+diff -up openssl-1.0.1e/ssl/s3_srvr.c.pointer-arithmetic openssl-1.0.1e/ssl/s3_srvr.c
+--- openssl-1.0.1e/ssl/s3_srvr.c.pointer-aritmetic 2016-09-20 15:00:06.348015761 +0200
++++ openssl-1.0.1e/ssl/s3_srvr.c 2016-09-20 15:14:11.630423575 +0200
+@@ -973,6 +973,13 @@ int ssl3_get_client_hello(SSL *s)
+ unsigned int session_length, cookie_length;
+
+ session_length = *(p + SSL3_RANDOM_SIZE);
++
++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
++ goto f_err;
++ }
+ cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1);
+
+ if (cookie_length == 0)
+@@ -986,6 +993,13 @@ int ssl3_get_client_hello(SSL *s)
+ /* get the session-id */
+ j= *(p++);
+
++ if ((d + n) - p < j)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
++ goto f_err;
++ }
++
+ s->hit=0;
+ /* Versions before 0.9.7 always allow clients to resume sessions in renegotiation.
+ * 0.9.7 and later allow this by default, but optionally ignore resumption requests
+@@ -1024,8 +1038,21 @@ int ssl3_get_client_hello(SSL *s)
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* cookie stuff */
++ if ((d + n) - p < 1)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
++ goto f_err;
++ }
+ cookie_len = *(p++);
+
++ if ((d + n ) - p < cookie_len)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
++ goto f_err;
++ }
++
+ /*
+ * The ClientHello may contain a cookie even if the
+ * HelloVerify message has not been sent--make sure that it
+@@ -1072,6 +1099,12 @@ int ssl3_get_client_hello(SSL *s)
+ p += cookie_len;
+ }
+
++ if ((d + n ) - p < 2)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
++ goto f_err;
++ }
+ n2s(p,i);
+ if ((i == 0) && (j != 0))
+ {
+@@ -1080,7 +1113,9 @@ int ssl3_get_client_hello(SSL *s)
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_NO_CIPHERS_SPECIFIED);
+ goto f_err;
+ }
+- if ((p+i) >= (d+n))
++
++ /* i bytes of cipher data + 1 byte for compression length later */
++ if ((d + n) - p < i + 1)
+ {
+ /* not enough data */
+ al=SSL_AD_DECODE_ERROR;
+@@ -1147,7 +1182,7 @@ int ssl3_get_client_hello(SSL *s)
+
+ /* compression */
+ i= *(p++);
+- if ((p+i) > (d+n))
++ if ((d + n) - p < i)
+ {
+ /* not enough data */
+ al=SSL_AD_DECODE_ERROR;
+diff -up openssl-1.0.1e/ssl/t1_lib.c.pointer-arithmetic openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.pointer-aritmetic 2016-09-20 15:00:06.351015830 +0200
++++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-20 15:37:34.660870014 +0200
+@@ -923,19 +923,19 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ #endif
+
+- if (data >= (d+n-2))
++ if ((d + n) - data < 2)
+ goto ri_check;
+ n2s(data,len);
+
+- if (data > (d+n-len))
++ if ((d + n) - data < len)
+ goto ri_check;
+
+- while (data <= (d+n-4))
++ while ((d + n) - data >= 4)
+ {
+ n2s(data,type);
+ n2s(data,size);
+
+- if (data+size > (d+n))
++ if ((d + n) - data < size)
+ goto ri_check;
+ #if 0
+ fprintf(stderr,"Received extension type %d size %d\n",type,size);
+@@ -1437,22 +1437,22 @@ int ssl_parse_serverhello_tlsext(SSL *s,
+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ #endif
+
+- if (data >= (d+n-2))
++ if ((d + n) - data <= 2)
+ goto ri_check;
+
+ n2s(data,length);
+- if (data+length != d+n)
++ if ((d + n) - data != length)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+- while(data <= (d+n-4))
++ while ((d + n) - data >= 4)
+ {
+ n2s(data,type);
+ n2s(data,size);
+
+- if (data+size > (d+n))
++ if ((d + n) - data < size)
+ goto ri_check;
+
+ if (s->tlsext_debug_cb)
+@@ -2139,30 +2139,30 @@ int tls1_process_ticket(SSL *s, unsigned
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ i = *(p++);
+- p+= i;
+- if (p >= limit)
++ if (limit - p <= i)
+ return -1;
++ p += i;
+ }
+ /* Skip past cipher list */
+ n2s(p, i);
+- p+= i;
+- if (p >= limit)
++ if (limit - p <= i)
+ return -1;
++ p += i;
+ /* Skip past compression algorithm list */
+ i = *(p++);
+- p += i;
+- if (p > limit)
++ if (limit - p < i)
+ return -1;
++ p += i;
+ /* Now at start of extensions */
+- if ((p + 2) >= limit)
++ if (limit - p <= 2)
+ return 0;
+ n2s(p, i);
+- while ((p + 4) <= limit)
++ while (limit - p >= 4)
+ {
+ unsigned short type, size;
+ n2s(p, type);
+ n2s(p, size);
+- if (p + size > limit)
++ if (limit - p < size)
+ return 0;
+ if (type == TLSEXT_TYPE_session_ticket)
+ {
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2178.patch b/SOURCES/openssl-1.0.1e-cve-2016-2178.patch
new file mode 100644
index 0000000..4c6f142
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2178.patch
@@ -0,0 +1,12 @@
+diff -up openssl-1.0.1e/crypto/dsa/dsa_ossl.c.dsa-consttime openssl-1.0.1e/crypto/dsa/dsa_ossl.c
+--- openssl-1.0.1e/crypto/dsa/dsa_ossl.c.dsa-consttime 2016-09-20 14:55:57.000000000 +0200
++++ openssl-1.0.1e/crypto/dsa/dsa_ossl.c 2016-09-20 15:46:32.608375100 +0200
+@@ -278,6 +278,8 @@ static int dsa_sign_setup(DSA *dsa, BN_C
+ {
+ if (!BN_copy(&kq, &k)) goto err;
+
++ BN_set_flags(&kq, BN_FLG_CONSTTIME);
++
+ /* We do not want timing information to leak the length of k,
+ * so we compute g^k using an equivalent exponent of fixed length.
+ *
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2179.patch b/SOURCES/openssl-1.0.1e-cve-2016-2179.patch
new file mode 100644
index 0000000..4ddb440
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2179.patch
@@ -0,0 +1,218 @@
+diff -up openssl-1.0.1e/ssl/d1_both.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_both.c
+--- openssl-1.0.1e/ssl/d1_both.c.dtls1-dos2 2016-09-20 15:53:03.748445806 +0200
++++ openssl-1.0.1e/ssl/d1_both.c 2016-09-20 16:12:01.422861505 +0200
+@@ -211,7 +211,7 @@ dtls1_hm_fragment_new(unsigned long frag
+ return frag;
+ }
+
+-static void
++void
+ dtls1_hm_fragment_free(hm_fragment *frag)
+ {
+
+@@ -544,11 +544,26 @@ dtls1_retrieve_buffered_fragment(SSL *s,
+ int al;
+
+ *ok = 0;
+- item = pqueue_peek(s->d1->buffered_messages);
+- if ( item == NULL)
+- return 0;
++ do
++ {
++ item = pqueue_peek(s->d1->buffered_messages);
++ if (item == NULL)
++ return 0;
++
++ frag = (hm_fragment *)item->data;
++
++ if (frag->msg_header.seq < s->d1->handshake_read_seq)
++ {
++ /* This is a stale message that has been buffered so clear it */
++ pqueue_pop(s->d1->buffered_messages);
++ dtls1_hm_fragment_free(frag);
++ pitem_free(item);
++ item = NULL;
++ frag = NULL;
++ }
++ }
++ while (item == NULL);
+
+- frag = (hm_fragment *)item->data;
+
+ /* Don't return if reassembly still in progress */
+ if (frag->reassembly != NULL)
+@@ -1339,21 +1354,6 @@ dtls1_retransmit_message(SSL *s, unsigne
+ return ret;
+ }
+
+-/* call this function when the buffered messages are no longer needed */
+-void
+-dtls1_clear_record_buffer(SSL *s)
+- {
+- pitem *item;
+-
+- for(item = pqueue_pop(s->d1->sent_messages);
+- item != NULL; item = pqueue_pop(s->d1->sent_messages))
+- {
+- dtls1_hm_fragment_free((hm_fragment *)item->data);
+- pitem_free(item);
+- }
+- }
+-
+-
+ unsigned char *
+ dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
+ unsigned long len, unsigned long frag_off, unsigned long frag_len)
+diff -up openssl-1.0.1e/ssl/d1_clnt.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_clnt.c
+--- openssl-1.0.1e/ssl/d1_clnt.c.dtls1-dos2 2016-09-20 15:53:03.748445806 +0200
++++ openssl-1.0.1e/ssl/d1_clnt.c 2016-09-20 15:58:38.292200957 +0200
+@@ -739,6 +739,7 @@ int dtls1_connect(SSL *s)
+ /* done with handshaking */
+ s->d1->handshake_read_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff -up openssl-1.0.1e/ssl/d1_lib.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_lib.c
+--- openssl-1.0.1e/ssl/d1_lib.c.dtls1-dos2 2016-09-20 15:53:03.749445830 +0200
++++ openssl-1.0.1e/ssl/d1_lib.c 2016-09-20 16:18:10.046443374 +0200
+@@ -133,7 +133,6 @@ int dtls1_new(SSL *s)
+ static void dtls1_clear_queues(SSL *s)
+ {
+ pitem *item = NULL;
+- hm_fragment *frag = NULL;
+ DTLS1_RECORD_DATA *rdata;
+
+ while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)
+@@ -158,32 +157,45 @@ static void dtls1_clear_queues(SSL *s)
+ pitem_free(item);
+ }
+
+- while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
+- {
++ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
++ {
++ rdata = (DTLS1_RECORD_DATA *)item->data;
++ if (rdata->rbuf.buf)
++ {
++ OPENSSL_free(rdata->rbuf.buf);
++ }
++ OPENSSL_free(item->data);
++ pitem_free(item);
++ }
++
++ dtls1_clear_received_buffer(s);
++ dtls1_clear_sent_buffer(s);
++ }
++
++void dtls1_clear_received_buffer(SSL *s)
++ {
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
++
++ while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL)
++ {
+ frag = (hm_fragment *)item->data;
+- OPENSSL_free(frag->fragment);
+- OPENSSL_free(frag);
++ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
++ }
+
+- while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
+- {
++void dtls1_clear_sent_buffer(SSL *s)
++ {
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
++
++ while ((item = pqueue_pop(s->d1->sent_messages)) != NULL)
++ {
+ frag = (hm_fragment *)item->data;
+- OPENSSL_free(frag->fragment);
+- OPENSSL_free(frag);
++ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
+-
+- while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
+- {
+- rdata = (DTLS1_RECORD_DATA *) item->data;
+- if (rdata->rbuf.buf)
+- {
+- OPENSSL_free(rdata->rbuf.buf);
+- }
+- OPENSSL_free(item->data);
+- pitem_free(item);
+- }
+ }
+
+ void dtls1_free(SSL *s)
+@@ -410,7 +422,7 @@ void dtls1_stop_timer(SSL *s)
+ s->d1->timeout_duration = 1;
+ BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
+ /* Clear retransmission buffer */
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ }
+
+ int dtls1_check_timeout_num(SSL *s)
+diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_pkt.c
+--- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-dos2 2016-09-20 15:53:17.246758715 +0200
++++ openssl-1.0.1e/ssl/d1_pkt.c 2016-09-20 16:14:33.020390824 +0200
+@@ -1900,6 +1900,12 @@ dtls1_reset_seq_numbers(SSL *s, int rw)
+ s->d1->r_epoch++;
+ memcpy(&(s->d1->bitmap), &(s->d1->next_bitmap), sizeof(DTLS1_BITMAP));
+ memset(&(s->d1->next_bitmap), 0x00, sizeof(DTLS1_BITMAP));
++
++ /*
++ * We must not use any buffered messages received from the previous
++ * epoch
++ */
++ dtls1_clear_received_buffer(s);
+ }
+ else
+ {
+diff -up openssl-1.0.1e/ssl/d1_srvr.c.dtls1-dos2 openssl-1.0.1e/ssl/d1_srvr.c
+--- openssl-1.0.1e/ssl/d1_srvr.c.dtls1-dos2 2016-09-20 15:53:03.750445853 +0200
++++ openssl-1.0.1e/ssl/d1_srvr.c 2016-09-20 16:15:39.699943181 +0200
+@@ -276,7 +276,7 @@ int dtls1_accept(SSL *s)
+ case SSL3_ST_SW_HELLO_REQ_B:
+
+ s->shutdown=0;
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ dtls1_start_timer(s);
+ ret=dtls1_send_hello_request(s);
+ if (ret <= 0) goto end;
+@@ -811,6 +811,7 @@ int dtls1_accept(SSL *s)
+ /* next message is server hello */
+ s->d1->handshake_write_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff -up openssl-1.0.1e/ssl/ssl_locl.h.dtls1-dos2 openssl-1.0.1e/ssl/ssl_locl.h
+--- openssl-1.0.1e/ssl/ssl_locl.h.dtls1-dos2 2016-09-20 15:53:03.751445876 +0200
++++ openssl-1.0.1e/ssl/ssl_locl.h 2016-09-20 16:11:36.288276350 +0200
+@@ -974,7 +974,8 @@ int dtls1_retransmit_message(SSL *s, uns
+ unsigned long frag_off, int *found);
+ int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+ int dtls1_retransmit_buffered_messages(SSL *s);
+-void dtls1_clear_record_buffer(SSL *s);
++void dtls1_clear_received_buffer(SSL *s);
++void dtls1_clear_sent_buffer(SSL *s);
+ void dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr);
+ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
+ void dtls1_reset_seq_numbers(SSL *s, int rw);
+@@ -989,6 +990,7 @@ int dtls1_is_timer_expired(SSL *s);
+ void dtls1_double_timeout(SSL *s);
+ int dtls1_send_newsession_ticket(SSL *s);
+ unsigned int dtls1_min_mtu(void);
++void dtls1_hm_fragment_free(hm_fragment *frag);
+
+ /* some client-only functions */
+ int ssl3_client_hello(SSL *s);
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2180.patch b/SOURCES/openssl-1.0.1e-cve-2016-2180.patch
new file mode 100644
index 0000000..183cd89
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2180.patch
@@ -0,0 +1,15 @@
+diff -up openssl-1.0.1e/crypto/ts/ts_lib.c.ts-oob-read openssl-1.0.1e/crypto/ts/ts_lib.c
+--- openssl-1.0.1e/crypto/ts/ts_lib.c.ts-oob-read 2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/crypto/ts/ts_lib.c 2016-09-20 16:23:02.074244000 +0200
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN
+ {
+ char obj_txt[128];
+
+- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+- BIO_write(bio, obj_txt, len);
+- BIO_write(bio, "\n", 1);
++ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
++ BIO_printf(bio, "%s\n", obj_txt);
+
+ return 1;
+ }
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2181.patch b/SOURCES/openssl-1.0.1e-cve-2016-2181.patch
new file mode 100644
index 0000000..e7bea7c
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2181.patch
@@ -0,0 +1,214 @@
+diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-replay openssl-1.0.1e/ssl/d1_pkt.c
+--- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-replay 2016-09-20 16:29:36.767447143 +0200
++++ openssl-1.0.1e/ssl/d1_pkt.c 2016-09-20 16:44:56.654893514 +0200
+@@ -178,7 +178,7 @@ static int dtls1_record_needs_buffering(
+ #endif
+ static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+ unsigned char *priority);
+-static int dtls1_process_record(SSL *s);
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
+
+ /* copy buffered record into SSL structure */
+ static int
+@@ -304,32 +304,84 @@ static int
+ dtls1_process_buffered_records(SSL *s)
+ {
+ pitem *item;
+-
++ SSL3_BUFFER *rb;
++ SSL3_RECORD *rr;
++ DTLS1_BITMAP *bitmap;
++ unsigned int is_next_epoch;
++ int replayok = 1;
++
+ item = pqueue_peek(s->d1->unprocessed_rcds.q);
+ if (item)
+ {
+ /* Check if epoch is current. */
+ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+- return(1); /* Nothing to do. */
+-
++ return 1; /* Nothing to do. */
++
++ rr = &s->s3->rrec;
++ rb = &s->s3->rbuf;
++
++ if (rb->left > 0)
++ {
++ /*
++ * We've still got data from the current packet to read. There could
++ * be a record from the new epoch in it - so don't overwrite it
++ * with the unprocessed records yet (we'll do it when we've
++ * finished reading the current packet).
++ */
++ return 1;
++ }
++
++
+ /* Process all the records. */
+ while (pqueue_peek(s->d1->unprocessed_rcds.q))
+ {
+ dtls1_get_unprocessed_record(s);
+- if ( ! dtls1_process_record(s))
+- return(0);
+- if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
+- s->s3->rrec.seq_num)<0)
+- return -1;
+- }
++ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
++ if (bitmap == NULL)
++ {
++ /*
++ * Should not happen. This will only ever be NULL when the
++ * current record is from a different epoch. But that cannot
++ * be the case because we already checked the epoch above
++ */
++ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++#ifndef OPENSSL_NO_SCTP
++ /* Only do replay check if no SCTP bio */
++ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
++#endif
++ {
++ /*
++ * Check whether this is a repeat, or aged record. We did this
++ * check once already when we first received the record - but
++ * we might have updated the window since then due to
++ * records we subsequently processed.
++ */
++ replayok = dtls1_record_replay_check(s, bitmap);
++ }
++
++ if (!replayok || !dtls1_process_record(s, bitmap))
++ {
++ /* dump this record */
++ rr->length = 0;
++ s->packet_length = 0;
++ continue;
++ }
++
++ if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
++ s->s3->rrec.seq_num) < 0)
++ return 0;
+ }
++ }
+
+ /* sync epoch numbers once all the unprocessed records
+ * have been processed */
+ s->d1->processed_rcds.epoch = s->d1->r_epoch;
+ s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+
+- return(1);
++ return 1;
+ }
+
+
+@@ -379,7 +431,7 @@ dtls1_get_buffered_record(SSL *s)
+ #endif
+
+ static int
+-dtls1_process_record(SSL *s)
++dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+ {
+ int i,al;
+ int enc_err;
+@@ -535,6 +587,10 @@ printf("\n");
+
+ /* we have pulled in a full packet so zero things */
+ s->packet_length=0;
++
++ /* Mark receipt of record. */
++ dtls1_record_bitmap_update(s, bitmap);
++
+ return(1);
+
+ f_err:
+@@ -565,9 +621,10 @@ int dtls1_get_record(SSL *s)
+
+ rr= &(s->s3->rrec);
+
++again:
+ /* The epoch may have changed. If so, process all the
+ * pending records. This is a non-blocking operation. */
+- if(dtls1_process_buffered_records(s)<0)
++ if(!dtls1_process_buffered_records(s))
+ return -1;
+
+ /* if we're renegotiating, then there may be buffered records */
+@@ -575,7 +632,6 @@ int dtls1_get_record(SSL *s)
+ return 1;
+
+ /* get something from the wire */
+-again:
+ /* check if we have the header */
+ if ( (s->rstate != SSL_ST_READ_BODY) ||
+ (s->packet_length < DTLS1_RT_HEADER_LENGTH))
+@@ -707,20 +763,18 @@ again:
+ {
+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
+ return -1;
+- dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
+ }
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
+ }
+
+- if (!dtls1_process_record(s))
++ if (!dtls1_process_record(s, bitmap))
+ {
+ rr->length = 0;
+ s->packet_length = 0; /* dump this record */
+ goto again; /* get another record */
+ }
+- dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
+
+ return(1);
+
+@@ -1811,8 +1865,13 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr
+ if (rr->epoch == s->d1->r_epoch)
+ return &s->d1->bitmap;
+
+- /* Only HM and ALERT messages can be from the next epoch */
++ /*
++ * Only HM and ALERT messages can be from the next epoch and only if we
++ * have already processed all of the unprocessed records from the last
++ * epoch
++ */
+ else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
++ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
+ (rr->type == SSL3_RT_HANDSHAKE ||
+ rr->type == SSL3_RT_ALERT))
+ {
+diff -up openssl-1.0.1e/ssl/ssl_err.c.dtls1-replay openssl-1.0.1e/ssl/ssl_err.c
+--- openssl-1.0.1e/ssl/ssl_err.c.dtls1-replay 2016-09-20 14:55:57.789311197 +0200
++++ openssl-1.0.1e/ssl/ssl_err.c 2016-09-20 16:45:49.827132881 +0200
+@@ -1,6 +1,6 @@
+ /* ssl/ssl_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -92,6 +92,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
+ {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
+ {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
+ {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
++{ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS), "DTLS1_PROCESS_BUFFERED_RECORDS"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE), "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
+ {ERR_FUNC(SSL_F_DTLS1_READ_BYTES), "DTLS1_READ_BYTES"},
+diff -up openssl-1.0.1e/ssl/ssl.h.dtls1-replay openssl-1.0.1e/ssl/ssl.h
+--- openssl-1.0.1e/ssl/ssl.h.dtls1-replay 2016-09-20 16:29:36.768447167 +0200
++++ openssl-1.0.1e/ssl/ssl.h 2016-09-20 16:30:42.981991082 +0200
+@@ -2023,6 +2023,7 @@ void ERR_load_SSL_strings(void);
+ #define SSL_F_DTLS1_HEARTBEAT 305
+ #define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
+ #define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
++#define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 424
+ #define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
+ #define SSL_F_DTLS1_PROCESS_RECORD 257
+ #define SSL_F_DTLS1_READ_BYTES 258
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-2182.patch b/SOURCES/openssl-1.0.1e-cve-2016-2182.patch
new file mode 100644
index 0000000..092605e
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-2182.patch
@@ -0,0 +1,33 @@
+diff -up openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow openssl-1.0.1e/crypto/bn/bn_print.c
+--- openssl-1.0.1e/crypto/bn/bn_print.c.bn-overflow 2016-09-20 14:55:57.000000000 +0200
++++ openssl-1.0.1e/crypto/bn/bn_print.c 2016-09-20 16:53:29.825854773 +0200
+@@ -108,6 +108,7 @@ char *BN_bn2dec(const BIGNUM *a)
+ char *p;
+ BIGNUM *t=NULL;
+ BN_ULONG *bn_data=NULL,*lp;
++ int bn_data_num;
+
+ /* get an upper bound for the length of the decimal integer
+ * num <= (BN_num_bits(a) + 1) * log(2)
+@@ -116,7 +117,8 @@ char *BN_bn2dec(const BIGNUM *a)
+ */
+ i=BN_num_bits(a)*3;
+ num=(i/10+i/1000+1)+1;
+- bn_data=(BN_ULONG *)OPENSSL_malloc((num/BN_DEC_NUM+1)*sizeof(BN_ULONG));
++ bn_data_num=num/BN_DEC_NUM + 1;
++ bn_data=(BN_ULONG *)OPENSSL_malloc(bn_data_num*sizeof(BN_ULONG));
+ buf=(char *)OPENSSL_malloc(num+3);
+ if ((buf == NULL) || (bn_data == NULL))
+ {
+@@ -141,7 +143,11 @@ char *BN_bn2dec(const BIGNUM *a)
+ i=0;
+ while (!BN_is_zero(t))
+ {
++ if (lp - bn_data >= bn_data_num)
++ goto err;
+ *lp=BN_div_word(t,BN_DEC_CONV);
++ if (*lp == (BN_ULONG)-1)
++ goto err;
+ lp++;
+ }
+ lp--;
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6302.patch b/SOURCES/openssl-1.0.1e-cve-2016-6302.patch
new file mode 100644
index 0000000..8b720da
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-6302.patch
@@ -0,0 +1,29 @@
+diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-length openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.ticket-length 2016-09-20 15:37:34.000000000 +0200
++++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-20 18:09:26.057028290 +0200
+@@ -2230,9 +2230,7 @@ static int tls_decrypt_ticket(SSL *s, co
+ HMAC_CTX hctx;
+ EVP_CIPHER_CTX ctx;
+ SSL_CTX *tctx = s->initial_ctx;
+- /* Need at least keyname + iv + some encrypted data */
+- if (eticklen < 48)
+- return 2;
++
+ /* Initialize session ticket encryption and HMAC contexts */
+ HMAC_CTX_init(&hctx);
+ EVP_CIPHER_CTX_init(&ctx);
+@@ -2267,6 +2265,14 @@ static int tls_decrypt_ticket(SSL *s, co
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ return -1;
+ }
++ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen)
++ {
++ HMAC_CTX_cleanup(&hctx);
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return 2;
++ }
++
+ eticklen -= mlen;
+ /* Check HMAC of encrypted ticket */
+ HMAC_Update(&hctx, etick, eticklen);
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6304.patch b/SOURCES/openssl-1.0.1e-cve-2016-6304.patch
new file mode 100644
index 0000000..e0dd777
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-6304.patch
@@ -0,0 +1,46 @@
+diff -up openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth openssl-1.0.1e/ssl/t1_lib.c
+--- openssl-1.0.1e/ssl/t1_lib.c.ocsp-memgrowth 2016-09-20 18:09:26.000000000 +0200
++++ openssl-1.0.1e/ssl/t1_lib.c 2016-09-22 10:57:23.195580623 +0200
+@@ -1239,6 +1239,27 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
++
++ /*
++ * We remove any OCSP_RESPIDs from a previous handshake
++ * to prevent unbounded memory growth - CVE-2016-6304
++ */
++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
++ OCSP_RESPID_free);
++ if (dsize > 0)
++ {
++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
++ if (s->tlsext_ocsp_ids == NULL)
++ {
++ *al = SSL_AD_INTERNAL_ERROR;
++ return 0;
++ }
++ }
++ else
++ {
++ s->tlsext_ocsp_ids = NULL;
++ }
++
+ while (dsize > 0)
+ {
+ OCSP_RESPID *id;
+@@ -1271,14 +1292,6 @@ int ssl_parse_clienthello_tlsext(SSL *s,
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+- if (!s->tlsext_ocsp_ids
+- && !(s->tlsext_ocsp_ids =
+- sk_OCSP_RESPID_new_null()))
+- {
+- OCSP_RESPID_free(id);
+- *al = SSL_AD_INTERNAL_ERROR;
+- return 0;
+- }
+ if (!sk_OCSP_RESPID_push(
+ s->tlsext_ocsp_ids, id))
+ {
diff --git a/SOURCES/openssl-1.0.1e-cve-2016-6306.patch b/SOURCES/openssl-1.0.1e-cve-2016-6306.patch
new file mode 100644
index 0000000..0c7d7f2
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-cve-2016-6306.patch
@@ -0,0 +1,78 @@
+diff -up openssl-1.0.1e/ssl/d1_both.c.certmsg-len openssl-1.0.1e/ssl/d1_both.c
+--- openssl-1.0.1e/ssl/d1_both.c.certmsg-len 2016-09-20 16:12:01.000000000 +0200
++++ openssl-1.0.1e/ssl/d1_both.c 2016-09-22 11:02:54.277707284 +0200
+@@ -506,8 +506,11 @@ static int dtls1_preprocess_fragment(SSL
+ if ( s->d1->r_msg_hdr.frag_off == 0) /* first fragment */
+ {
+ /* msg_len is limited to 2^24, but is effectively checked
+- * against max above */
+- if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH))
++ * against max above
++ *
++ * Make buffer slightly larger than message length as
++ * a precaution against small OOB reads e.g. CVE-2016-6306 */
++ if (!BUF_MEM_grow_clean(s->init_buf,msg_len+DTLS1_HM_HEADER_LENGTH+16))
+ {
+ SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT,ERR_R_BUF_LIB);
+ return SSL_AD_INTERNAL_ERROR;
+diff -up openssl-1.0.1e/ssl/s3_both.c.certmsg-len openssl-1.0.1e/ssl/s3_both.c
+--- openssl-1.0.1e/ssl/s3_both.c.certmsg-len 2016-09-20 14:55:57.000000000 +0200
++++ openssl-1.0.1e/ssl/s3_both.c 2016-09-22 11:06:00.945725379 +0200
+@@ -518,7 +518,11 @@ long ssl3_get_message(SSL *s, int st1, i
+ SSLerr(SSL_F_SSL3_GET_MESSAGE,SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+- if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4))
++ /*
++ * Make buffer slightly larger than message length as a precaution
++ * against small OOB reads e.g. CVE-2016-6306
++ */
++ if (l && !BUF_MEM_grow_clean(s->init_buf,(int)l+4+16))
+ {
+ SSLerr(SSL_F_SSL3_GET_MESSAGE,ERR_R_BUF_LIB);
+ goto err;
+diff -up openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len openssl-1.0.1e/ssl/s3_clnt.c
+--- openssl-1.0.1e/ssl/s3_clnt.c.certmsg-len 2016-09-20 14:55:57.000000000 +0200
++++ openssl-1.0.1e/ssl/s3_clnt.c 2016-09-20 18:27:22.683077436 +0200
+@@ -1128,6 +1128,12 @@ int ssl3_get_server_certificate(SSL *s)
+ }
+ for (nc=0; nc<llen; )
+ {
++ if (nc+3 > llen)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p,l);
+ if ((l+nc+3) > llen)
+ {
+@@ -1979,6 +1985,12 @@ fclose(out);
+
+ for (nc=0; nc<llen; )
+ {
++ if (nc+2 > llen)
++ {
++ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
++ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
++ goto err;
++ }
+ n2s(p,l);
+ if ((l+nc+2) > llen)
+ {
+diff -up openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len openssl-1.0.1e/ssl/s3_srvr.c
+--- openssl-1.0.1e/ssl/s3_srvr.c.certmsg-len 2016-09-20 15:14:11.000000000 +0200
++++ openssl-1.0.1e/ssl/s3_srvr.c 2016-09-20 18:29:26.167950476 +0200
+@@ -3269,6 +3269,12 @@ int ssl3_get_client_certificate(SSL *s)
+ }
+ for (nc=0; nc<llen; )
+ {
++ if (nc+3 > llen)
++ {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p,l);
+ if ((l+nc+3) > llen)
+ {
diff --git a/SOURCES/openssl-1.0.1e-update-test-certs.patch b/SOURCES/openssl-1.0.1e-update-test-certs.patch
new file mode 100644
index 0000000..e088eca
--- /dev/null
+++ b/SOURCES/openssl-1.0.1e-update-test-certs.patch
@@ -0,0 +1,803 @@
+From a0957d55059f0b6052235737f7441fc35da41afd Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve@openssl.org>
+Date: Wed, 17 Jul 2013 16:30:04 +0100
+Subject: [PATCH] Scripts to recreate S/MIME test certificates.
+
+Add a script to generate keys and certificates for the S/MIME and CMS
+tests.
+
+Update certificates and add EC examples.
+---
+ test/smime-certs/ca.cnf | 66 ++++++++++++++++++++++++++++++++++
+ test/smime-certs/mksmime-certs.sh | 61 +++++++++++++++++++++++++++++++
+ test/smime-certs/smdsa1.pem | 75 +++++++++++++++++++++++----------------
+ test/smime-certs/smdsa2.pem | 75 +++++++++++++++++++++++----------------
+ test/smime-certs/smdsa3.pem | 75 +++++++++++++++++++++++----------------
+ test/smime-certs/smec1.pem | 22 ++++++++++++
+ test/smime-certs/smec2.pem | 23 ++++++++++++
+ test/smime-certs/smroot.pem | 75 ++++++++++++++++++++++++---------------
+ test/smime-certs/smrsa1.pem | 74 +++++++++++++++++++++++---------------
+ test/smime-certs/smrsa2.pem | 74 +++++++++++++++++++++++---------------
+ test/smime-certs/smrsa3.pem | 74 +++++++++++++++++++++++---------------
+ 11 files changed, 489 insertions(+), 205 deletions(-)
+ create mode 100644 test/smime-certs/ca.cnf
+ create mode 100644 test/smime-certs/mksmime-certs.sh
+ create mode 100644 test/smime-certs/smec1.pem
+ create mode 100644 test/smime-certs/smec2.pem
+
+diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
+new file mode 100644
+index 0000000..5e8b108
+--- /dev/null
++++ b/test/smime-certs/ca.cnf
+@@ -0,0 +1,66 @@
++#
++# OpenSSL example configuration file for automated certificate creation.
++#
++
++# This definition stops the following lines choking if HOME or CN
++# is undefined.
++HOME = .
++RANDFILE = $ENV::HOME/.rnd
++CN = "Not Defined"
++default_ca = ca
++
++####################################################################
++[ req ]
++default_bits = 2048
++default_keyfile = privkey.pem
++# Don't prompt for fields: use those in section directly
++prompt = no
++distinguished_name = req_distinguished_name
++x509_extensions = v3_ca # The extentions to add to the self signed cert
++string_mask = utf8only
++
++# req_extensions = v3_req # The extensions to add to a certificate request
++
++[ req_distinguished_name ]
++countryName = UK
++
++organizationName = OpenSSL Group
++# Take CN from environment so it can come from a script.
++commonName = $ENV::CN
++
++[ usr_cert ]
++
++# These extensions are added when 'ca' signs a request for an end entity
++# certificate
++
++basicConstraints=critical, CA:FALSE
++keyUsage=critical, nonRepudiation, digitalSignature, keyEncipherment
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid
++
++[ dh_cert ]
++
++# These extensions are added when 'ca' signs a request for an end entity
++# DH certificate
++
++basicConstraints=critical, CA:FALSE
++keyUsage=critical, keyAgreement
++
++# PKIX recommendations harmless if included in all certificates.
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid
++
++[ v3_ca ]
++
++
++# Extensions for a typical CA
++
++# PKIX recommendation.
++
++subjectKeyIdentifier=hash
++authorityKeyIdentifier=keyid:always
++basicConstraints = critical,CA:true
++keyUsage = critical, cRLSign, keyCertSign
++
+diff --git a/test/smime-certs/mksmime-certs.sh b/test/smime-certs/mksmime-certs.sh
+new file mode 100644
+index 0000000..37c5633
+--- /dev/null
++++ b/test/smime-certs/mksmime-certs.sh
+@@ -0,0 +1,61 @@
++#!/bin/sh
++
++# Utility to recreate S/MIME certificates
++
++OPENSSL=../../apps/openssl
++OPENSSL_CONF=./ca.cnf
++export OPENSSL_CONF
++
++# Root CA: create certificate directly
++CN="Test S/MIME RSA Root" $OPENSSL req -config ca.cnf -x509 -nodes \
++ -keyout smroot.pem -out smroot.pem -newkey rsa:2048 -days 3650
++
++# EE RSA certificates: create request first
++CN="Test S/MIME EE RSA #1" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smrsa1.pem -out req.pem -newkey rsa:2048
++# Sign request: end entity extensions
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa1.pem
++
++CN="Test S/MIME EE RSA #2" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smrsa2.pem -out req.pem -newkey rsa:2048
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa2.pem
++
++CN="Test S/MIME EE RSA #3" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smrsa3.pem -out req.pem -newkey rsa:2048
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smrsa3.pem
++
++# Create DSA parameters
++
++$OPENSSL dsaparam -out dsap.pem 2048
++
++CN="Test S/MIME EE DSA #1" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smdsa1.pem -out req.pem -newkey dsa:dsap.pem
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa1.pem
++CN="Test S/MIME EE DSA #2" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smdsa2.pem -out req.pem -newkey dsa:dsap.pem
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa2.pem
++CN="Test S/MIME EE DSA #3" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smdsa3.pem -out req.pem -newkey dsa:dsap.pem
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smdsa3.pem
++
++# Create EC parameters
++
++$OPENSSL ecparam -out ecp.pem -name P-256
++$OPENSSL ecparam -out ecp2.pem -name K-283
++
++CN="Test S/MIME EE EC #1" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smec1.pem -out req.pem -newkey ec:ecp.pem
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec1.pem
++CN="Test S/MIME EE EC #2" $OPENSSL req -config ca.cnf -nodes \
++ -keyout smec2.pem -out req.pem -newkey ec:ecp2.pem
++$OPENSSL x509 -req -in req.pem -CA smroot.pem -days 3600 \
++ -extfile ca.cnf -extensions usr_cert -CAcreateserial >>smec2.pem
++# Remove temp files.
++rm -f req.pem ecp.pem ecp2.pem dsap.pem smroot.srl
+diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
+index d5677db..b424f67 100644
+--- a/test/smime-certs/smdsa1.pem
++++ b/test/smime-certs/smdsa1.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
+-YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
+-C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
+-9fMUZq1v0ePD4Wo0Xkxo
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
++k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
++zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
++wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
++v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
++0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
++rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
++zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
++DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
++xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
++ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
++Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
++TQMsxQQjAiEAkolGvb/76X3vm5Ov09ezqyBYt9cdj/FLH7DyMkxO7X0=
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
+-CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
+-7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
+-h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
+-4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
+-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
+-c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
+-kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
+-phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
+-hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv
++ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
++uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
++7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
++wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
++Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
++AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
++0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
++g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
++0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
++yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
++7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
++aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAGXSQADbuRIZBjiQ6NikwZl+x
++EDEffIE0RWbvwf1tfWxw4ZvanO/djyz5FePO0AIJDBCLUjr9D32nkmIG1Hu3dWgV
++86knQsM6uFiMSzY9nkJGZOlH3w4NHLE78pk75xR1sg1MEZr4x/t+a/ea9Y4AXklE
++DCcaHtpMGeAx3ZAqSKec+zQOOA73JWP1/gYHGdYyTQpQtwRTsh0Gi5mOOdpoJ0vp
++O83xYbFCZ+ZZKX1RWOjJe2OQBRtw739q1nRga1VMLAT/LFSQsSE3IOp8hiWbjnit
++1SE6q3II2a/aHZH/x4OzszfmtQfmerty3eQSq3bgajfxCsccnRjSbLeNiazRSKNg
++MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFNHQYTOO
++xaZ/N68OpxqjHKuatw6sMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
++MA0GCSqGSIb3DQEBBQUAA4IBAQAAiLociMMXcLkO/uKjAjCIQMrsghrOrxn4ZGBx
++d/mCTeqPxhcrX2UorwxVCKI2+Dmz5dTC2xKprtvkiIadJamJmxYYzeF1pgRriFN3
++MkmMMkTbe/ekSvSeMtHQ2nHDCAJIaA/k9akWfA0+26Ec25/JKMrl3LttllsJMK1z
++Xj7TcQpAIWORKWSNxY/ezM34+9ABHDZB2waubFqS+irlZsn38aZRuUI0K67fuuIt
++17vMUBqQpe2hfNAjpZ8dIpEdAGjQ6izV2uwP1lXbiaK9U4dvUqmwyCIPniX7Hpaf
++0VnX0mEViXMT6vWZTjLBUv0oKmO7xBkWHIaaX6oyF32pK5AO
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
+index ef86c11..648447f 100644
+--- a/test/smime-certs/smdsa2.pem
++++ b/test/smime-certs/smdsa2.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGBAIPmO8BtJ+Yac58trrPwq9b/6VW3jQTWzTLWSH84/QQdqQa+Pz3v
+-It/+hHM0daNF5uls8ICsPL1aLXmRx0pHvIyb0aAzYae4T4Jv/COPDMTdKbA1uitJ
+-VbkGZrm+LIrs7I9lOkb4T0vI6kL/XdOCXY1469zsqCgJ/O2ibn6mq0nWAhR716o2
+-Nf8SimTZYB0/CKje6M5ufA==
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
++k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
++zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
++wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
++v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
++0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
++rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
++zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
++DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
++xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
++ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
++Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
++TQMsxQQiAiAdCUJ5n2Q9hIynN8BMpnRcdfH696BKejGx+2Mr2kfnnA==
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpTCCAw6gAwIBAgIJAMtotfHYdEsXMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhQACgYEA
+-g+Y7wG0n5hpzny2us/Cr1v/pVbeNBNbNMtZIfzj9BB2pBr4/Pe8i3/6EczR1o0Xm
+-6WzwgKw8vVoteZHHSke8jJvRoDNhp7hPgm/8I48MxN0psDW6K0lVuQZmub4siuzs
+-j2U6RvhPS8jqQv9d04JdjXjr3OyoKAn87aJufqarSdajgYMwgYAwHQYDVR0OBBYE
+-FHsAGNfVltSYUq4hC+YVYwsYtA+dMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcXdsab
+-rWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMCAGA1UdEQQZMBeB
+-FXNtaW1lZHNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCx9BtCbaYF
+-FXjLClkuKXbESaDZA1biPgY25i00FsUzARuhCpqD2v+0tu5c33ZzIhL6xlvBRU5l
+-6Atw/xpZhae+hdBEtxPJoGekLLrHOau7Md3XwDjV4lFgcEJkWZoaSOOIK+4D5jF0
+-jZWtHjnwEzuLYlo7ScHSsbcQfjH0M1TP5A==
++ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
++uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
++7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
++wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
++Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
++AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
++0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
++g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
++0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
++yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
++7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
++aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
++h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
++tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
++LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
++3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
++KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
++MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
++qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
++MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
++VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
++uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
++6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
++2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
++GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
+index eeb848d..77acc5e 100644
+--- a/test/smime-certs/smdsa3.pem
++++ b/test/smime-certs/smdsa3.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGAYzOpPmh8Je1IDauEXhgaLz14wqYUHHcrj2VWVJ6fRm8GhdQFJSI7
+-GUk08pgKZSKic2lNqxuzW7/vFxKQ/nvzfytY16b+2i+BR4Q6yvMzCebE1hHVg0Ju
+-TwfUMwoFEOhYP6ZwHSUiQl9IBMH9TNJCMwYMxfY+VOrURFsjGTRUgpwCFQCIGt5g
+-Y+XZd0Sv69CatDIRYWvaIA==
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIICZQIBADCCAjkGByqGSM44BAEwggIsAoIBAQCQfLlNdehPnTrGIMhw4rk0uua6
++k1nCG3zcyfXli17BdB2k0HBPaTA3a3ZHfOt1Awy0Uu0wZ3gdPr9z0I64hnJXIGou
++zIanZ7nYRImHtX5JMFbXeyxo1Owd2Zs3oEk9nQUoUsMxvmYC/ghPL5Zx1pPxcHCO
++wzWxoG4yZMjimXOc1/W7zvK/4/g/Cz9fItD3zdcydfgM/hK0/CeYQ21xfhqf4mjK
++v9plnCcWgToGI+7H8VK80MFbkO2QKRz3vP1/TjK6PRm9sEeB5b10+SvGv2j2w+CC
++0fXL4s6n7PtBlm/bww8xL1/Az8kwejUcII1Dc8uNwwISwGbwaGBvl7IHpm21AiEA
++rodZi+nCKZdTL8IgCjX3n0DuhPRkVQPjz/B6VweLW9MCggEAfimkUNwnsGFp7mKM
++zJKhHoQkMB1qJzyIHjDzQ/J1xjfoF6i27afw1/WKboND5eseZhlhA2TO5ZJB6nGx
++DOE9lVQxYVml++cQj6foHh1TVJAgGl4mWuveW/Rz+NEhpK4zVeEsfMrbkBypPByy
++xzF1Z49t568xdIo+e8jLI8FjEdXOIUg4ehB3NY6SL8r4oJ49j/sJWfHcDoWH/LK9
++ZaBF8NpflJe3F40S8RDvM8j2HC+y2Q4QyKk1DXGiH+7yQLGWzr3M73kC3UBnnH0h
++Hxb7ISDCT7dCw/lH1nCbVFBOM0ASI26SSsFSXQrvD2kryRcTZ0KkyyhhoPODWpU+
++TQMsxQQjAiEArJr6p2zTbhRppQurHGTdmdYHqrDdZH4MCsD9tQCw1xY=
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsYMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBj
+-M6k+aHwl7UgNq4ReGBovPXjCphQcdyuPZVZUnp9GbwaF1AUlIjsZSTTymAplIqJz
+-aU2rG7Nbv+8XEpD+e/N/K1jXpv7aL4FHhDrK8zMJ5sTWEdWDQm5PB9QzCgUQ6Fg/
+-pnAdJSJCX0gEwf1M0kIzBgzF9j5U6tREWyMZNFSCnKOBgzCBgDAdBgNVHQ4EFgQU
+-VhpVXqQ/EzUMdxLvP7o9EhJ8h70wHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
+-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
+-c21pbWVkc2EzQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBACM9e75EQa8m
+-k/AZkH/tROqf3yeqijULl9x8FjFatqoY+29OM6oMGM425IqSkKd2ipz7OxO0SShu
+-rE0O3edS7DvYBwvhWPviRaYBMyZ4iFJVup+fOzoYK/j/bASxS3BHQBwb2r4rhe25
+-OlTyyFEk7DJyW18YFOG97S1P52oQ5f5x
++ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
++uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
++7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
++wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
++Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
++AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
++0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
++g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
++0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
++yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
++7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
++aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAcXvtfiJfIZ0wgGpN72ZeGrJ9
++msUXOxow7w3fDbP8r8nfVkBNbfha8rx0eY6fURFVZzIOd8EHGKypcH1gS6eZNucf
++zgsH1g5r5cRahMZmgGXBEBsWrh2IaDG7VSKt+9ghz27EKgjAQCzyHQL5FCJgR2p7
++cv0V4SRqgiAGYlJ191k2WtLOsVd8kX//jj1l8TUgE7TqpuSEpaSyQ4nzJROpZWZp
++N1RwFmCURReykABU/Nzin/+rZnvZrp8WoXSXEqxeB4mShRSaH57xFnJCpRwKJ4qS
++2uhATzJaKH7vu63k3DjftbSBVh+32YXwtHc+BGjs8S2aDtCW3FtDA7Z6J8BIxaNg
++MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFMJxatDE
++FCEFGl4uoiQQ1050Ju9RMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
++MA0GCSqGSIb3DQEBBQUAA4IBAQBGZD1JnMep39KMOhD0iBTmyjhtcnRemckvRask
++pS/CqPwo+M+lPNdxpLU2w9b0QhPnj0yAS/BS1yBjsLGY4DP156k4Q3QOhwsrTmrK
++YOxg0w7DOpkv5g11YLJpHsjSOwg5uIMoefL8mjQK6XOFOmQXHJrUtGulu+fs6FlM
++khGJcW4xYVPK0x/mHvTT8tQaTTkgTdVHObHF5Dyx/F9NMpB3RFguQPk2kT4lJc4i
++Up8T9mLzaxz6xc4wwh8h70Zw81lkGYhX+LRk3sfd/REq9x4QXQNP9t9qU1CgrBzv
++4orzt9cda4r+rleSg2XjWnXzMydE6DuwPVPZlqnLbSYUy660
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smec1.pem b/test/smime-certs/smec1.pem
+new file mode 100644
+index 0000000..75a8626
+--- /dev/null
++++ b/test/smime-certs/smec1.pem
+@@ -0,0 +1,22 @@
++-----BEGIN PRIVATE KEY-----
++MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgXzBRX9Z5Ib4LAVAS
++DMlYvkj0SmLmYvWULe2LfyXRmpWhRANCAAS+SIj2FY2DouPRuNDp9WVpsqef58tV
++3gIwV0EOV/xyYTzZhufZi/aBcXugWR1x758x4nHus2uEuEFi3Mr3K3+x
++-----END PRIVATE KEY-----
++-----BEGIN CERTIFICATE-----
++MIICoDCCAYigAwIBAgIJANk5lu6mSyBGMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
++CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
++ZXN0IFMvTUlNRSBFRSBFQyAjMTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABL5I
++iPYVjYOi49G40On1ZWmyp5/ny1XeAjBXQQ5X/HJhPNmG59mL9oFxe6BZHXHvnzHi
++ce6za4S4QWLcyvcrf7GjYDBeMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXg
++MB0GA1UdDgQWBBR/ybxC2DI+Jydhx1FMgPbMTmLzRzAfBgNVHSMEGDAWgBTJkVMK
++Y3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEAdk9si83JjtgHHHGy
++WcgWDfM0jzlWBsgFNQ9DwAuB7gJd/LG+5Ocajg5XdA5FXAdKkfwI6be3PdcVs3Bt
++7f/fdKfBxfr9/SvFHnK7PVAX2x1wwS4HglX1lfoyq1boSvsiJOnAX3jsqXJ9TJiV
++FlgRVnhnrw6zz3Xs/9ZDMTENUrqDHPNsDkKEi+9SqIsqDXpMCrGHP4ic+S8Rov1y
++S+0XioMxVyXDp6XcL4PQ/NgHbw5/+UcS0me0atZ6pW68C0vi6xeU5vxojyuZxMI1
++DXXwMhOXWaKff7KNhXDUN0g58iWlnyaCz4XQwFsbbFs88TQ1+e/aj3bbwTxUeyN7
++qtcHJA==
++-----END CERTIFICATE-----
+diff --git a/test/smime-certs/smec2.pem b/test/smime-certs/smec2.pem
+new file mode 100644
+index 0000000..457297a
+--- /dev/null
++++ b/test/smime-certs/smec2.pem
+@@ -0,0 +1,23 @@
++-----BEGIN PRIVATE KEY-----
++MIGPAgEAMBAGByqGSM49AgEGBSuBBAAQBHgwdgIBAQQjhHaq507MOBznelrLG/pl
++brnnJi/iEJUUp+Pm3PEiteXqckmhTANKAAQF2zs6vobmoT+M+P2+9LZ7asvFBNi7
++uCzLYF/8j1Scn/spczoC9vNzVhNw+Lg7dnjNL4EDIyYZLl7E0v69luzbvy+q44/8
++6bQ=
++-----END PRIVATE KEY-----
++-----BEGIN CERTIFICATE-----
++MIICpTCCAY2gAwIBAgIJANk5lu6mSyBHMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEQx
++CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
++ZXN0IFMvTUlNRSBFRSBFQyAjMjBeMBAGByqGSM49AgEGBSuBBAAQA0oABAXbOzq+
++huahP4z4/b70tntqy8UE2Lu4LMtgX/yPVJyf+ylzOgL283NWE3D4uDt2eM0vgQMj
++JhkuXsTS/r2W7Nu/L6rjj/zptKNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8E
++BAMCBeAwHQYDVR0OBBYEFGf+QSQlkN20PsNN7x+jmQIJBDcXMB8GA1UdIwQYMBaA
++FMmRUwpjexZbi71E8HaIqSTm5bZsMA0GCSqGSIb3DQEBBQUAA4IBAQBaBBryl2Ez
++ftBrGENXMKQP3bBEw4n9ely6HvYQi9IC7HyK0ktz7B2FcJ4z96q38JN3cLxV0DhK
++xT/72pFmQwZVJngvRaol0k1B+bdmM03llxCw/uNNZejixDjHUI9gEfbigehd7QY0
++uYDu4k4O35/z/XPQ6O5Kzw+J2vdzU8GXlMBbWeZWAmEfLGbk3Ux0ouITnSz0ty5P
++rkHTo0uprlFcZAsrsNY5v5iuomYT7ZXAR3sqGZL1zPOKBnyfXeNFUfnKsZW7Fnlq
++IlYBQIjqR1HGxxgCSy66f1oplhxSch4PUpk5tqrs6LeOqc2+xROy1T5YrB3yjVs0
++4ZdCllHZkhop
++-----END CERTIFICATE-----
+diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
+index a59eb26..d1a253f 100644
+--- a/test/smime-certs/smroot.pem
++++ b/test/smime-certs/smroot.pem
+@@ -1,30 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXAIBAAKBgQDBV1Z/Q5gPF7lojc8pKUdyz5+Jf2B3vs4he6egekugWnoJduki
+-9Lnae/JchB/soIX0co3nLc11NuFFlnAWJNMDJr08l5AHAJLYNHevF5l/f9oDQwvZ
+-speKh1xpIAJNqCTzVeQ/ZLx6/GccIXV/xDuKIiovqJTPgR5WPkYKaw++lQIDAQAB
+-AoGALXnUj5SflJU4+B2652ydMKUjWl0KnL/VjkyejgGV/j6py8Ybaixz9q8Gv7oY
+-JDlRqMC1HfZJCFQDQrHy5VJ+CywA/H9WrqKo/Ch9U4tJAZtkig1Cmay/BAYixVu0
+-xBeim10aKF6hxHH4Chg9We+OCuzWBWJhqveNjuDedL/i7JUCQQDlejovcwBUCbhJ
+-U12qKOwlaboolWbl7yF3XdckTJZg7+1UqQHZH5jYZlLZyZxiaC92SNV0SyTLJZnS
+-Jh5CO+VDAkEA16/pPcuVtMMz/R6SSPpRSIAa1stLs0mFSs3NpR4pdm0n42mu05pO
+-1tJEt3a1g7zkreQBf53+Dwb+lA841EkjRwJBAIFmt0DifKDnCkBu/jZh9SfzwsH3
+-3Zpzik+hXxxdA7+ODCrdUul449vDd5zQD5t+XKU61QNLDGhxv5e9XvrCg7kCQH/a
+-3ldsVF0oDaxxL+QkxoREtCQ5tLEd1u7F2q6Tl56FDE0pe6Ih6bQ8RtG+g9EI60IN
+-U7oTrOO5kLWx5E0q4ccCQAZVgoenn9MhRU1agKOCuM6LT2DxReTu4XztJzynej+8
+-0J93n3ebanB1MlRpn1XJwhQ7gAC8ImaQKLJK5jdJzFc=
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQXED5HyVWwq
++nXyzmY317yMUJrIfsKvREG2C691dJNHgNg+oq5sjt/fzkyS84AvdOiicAsao4cYL
++DulthaLpbC7msEBhvwAil0FNb5g3ERupe1KuTdUV1UuD/i6S2VoaNXUBBn1rD9Wc
++BBc0lnx/4Wt92eQTI6925pt7ZHPQw2Olp7TQDElyi5qPxCem4uT0g3zbZsWqmmsI
++MXbu+K3dEprzqA1ucKXbxUmZNkMwVs2XCmlLxrRUj8C3/zENtH17HWCznhR/IVcV
++kgIuklkeiDsEhbWvUQumVXR7oPh/CPZAbjGqq5mVueHSHrp7brBVZKHZvoUka28Q
++LWitq1W5AgMBAAECggEASkRnOMKfBeOmQy2Yl6K57eeg0sYgSDnDpd0FINWJ5x9c
++b58FcjOXBodtYKlHIY6QXx3BsM0WaSEge4d+QBi7S+u8r+eXVwNYswXSArDQsk9R
++Bl5MQkvisGciL3pvLmFLpIeASyS/BLJXMbAhU58PqK+jT2wr6idwxBuXivJ3ichu
++ISdT1s2aMmnD86ulCD2DruZ4g0mmk5ffV+Cdj+WWkyvEaJW2GRYov2qdaqwSOxV4
++Yve9qStvEIWAf2cISQjbnw2Ww6Z5ebrqlOz9etkmwIly6DTbrIneBnoqJlFFWGlF
++ghuzc5RE2w1GbcKSOt0qXH44MTf/j0r86dlu7UIxgQKBgQDq0pEaiZuXHi9OQAOp
++PsDEIznCU1bcTDJewANHag5DPEnMKLltTNyLaBRulMypI+CrDbou0nDr29VOzfXx
++mNvi/c7RttOBOx7kXKvu0JUFKe2oIWRsg0KsyMX7UFMVaHFgrW+8DhQc7HK7URiw
++nitOnA7YwIHRF9BMmcWcLFEYBQKBgQDC6LPbXV8COKO0YCfGXPnE7EZGD/p0Q92Z
++8CoSefphEScSdO1IpxFXG7fOZ4x2GQb9q7D3IvaeKAqNjUjkuyxdB30lIWDBwSWw
++fFgsa2SZwD5P60G/ar50YJr6LiF333aUMDVmC9swFfZERAEmGUz2NTrPWQdIx/lu
++PyDtUR75JQKBgHaoCCJ8vl5SJl1IA5GV4Bo8IoeLTSzsY9d09zMy6BoZcMD1Ix2T
++5S2cXhayoegl9PT6bsYSGHVWFCdJ86ktMI826TcXRzDaCvYhzc9THroJQcnfdbtP
++aHWezkv7fsAmkoPjn75K7ubeo+r7Q5qbkg6a1PW58N8TRXIvkackzaVxAoGBALAq
++qh3U+AHG9dgbrPeyo6KkuCOtX39ks8/mbfCDRZYkbb9V5f5r2tVz3R93IlK/7jyr
++yWimtmde46Lrl33922w+T5OW5qBZllo9GWkUrDn3s5qClcuQjJIdmxYTSfbSCJiK
++NkmE39lHkG5FVRB9f71tgTlWS6ox7TYDYxx83NTtAoGAUJPAkGt4yGAN4Pdebv53
++bSEpAAULBHntiqDEOu3lVColHuZIucml/gbTpQDruE4ww4wE7dOhY8Q4wEBVYbRI
++vHkSiWpJUvZCuKG8Foh5pm9hU0qb+rbQV7NhLJ02qn1AMGO3F/WKrHPPY8/b9YhQ
++KfvPCYimQwBjVrEnSntLPR0=
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICaTCCAdKgAwIBAgIJAP6VN47boiXRMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDdaFw0xNjA1MTExMzUzMDdaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRU
+-ZXN0IFMvTUlNRSBSU0EgUm9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+-wVdWf0OYDxe5aI3PKSlHcs+fiX9gd77OIXunoHpLoFp6CXbpIvS52nvyXIQf7KCF
+-9HKN5y3NdTbhRZZwFiTTAya9PJeQBwCS2DR3rxeZf3/aA0ML2bKXiodcaSACTagk
+-81XkP2S8evxnHCF1f8Q7iiIqL6iUz4EeVj5GCmsPvpUCAwEAAaNjMGEwHQYDVR0O
+-BBYEFBPPS6e7iS6zOFcXdsabrWhb5e0XMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcX
+-dsabrWhb5e0XMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+-SIb3DQEBBQUAA4GBAIECprq5viDvnDbkyOaiSr9ubMUmWqvycfAJMdPZRKcOZczS
+-l+L9R9lF3JSqbt3knOe9u6bGDBOTY2285PdCCuHRVMk2Af1f6El1fqAlRUwNqipp
+-r68sWFuRqrcRNtk6QQvXfkOhrqQBuDa7te/OVQLa2lGN9Dr2mQsD8ijctatG
++MIIDbjCCAlagAwIBAgIJAMc+8VKBJ/S9MA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MjlaFw0yMzA3MTUxNzI4MjlaMEQx
++CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRU
++ZXN0IFMvTUlNRSBSU0EgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
++ggEBALLJBcQPkfJVbCqdfLOZjfXvIxQmsh+wq9EQbYLr3V0k0eA2D6irmyO39/OT
++JLzgC906KJwCxqjhxgsO6W2FoulsLuawQGG/ACKXQU1vmDcRG6l7Uq5N1RXVS4P+
++LpLZWho1dQEGfWsP1ZwEFzSWfH/ha33Z5BMjr3bmm3tkc9DDY6WntNAMSXKLmo/E
++J6bi5PSDfNtmxaqaawgxdu74rd0SmvOoDW5wpdvFSZk2QzBWzZcKaUvGtFSPwLf/
++MQ20fXsdYLOeFH8hVxWSAi6SWR6IOwSFta9RC6ZVdHug+H8I9kBuMaqrmZW54dIe
++untusFVkodm+hSRrbxAtaK2rVbkCAwEAAaNjMGEwHQYDVR0OBBYEFMmRUwpjexZb
++i71E8HaIqSTm5bZsMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZsMA8G
++A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IB
++AQAwpIVWQey2u/XoQSMSu0jd0EZvU+lhLaFrDy/AHQeG3yX1+SAOM6f6w+efPvyb
++Op1NPI9UkMPb4PCg9YC7jgYokBkvAcI7J4FcuDKMVhyCD3cljp0ouuKruvEf4FBl
++zyQ9pLqA97TuG8g1hLTl8G90NzTRcmKpmhs18BmCxiqHcTfoIpb3QvPkDX8R7LVt
++9BUGgPY+8ELCgw868TuHh/Cnc67gBtRjBp0sCYVzGZmKsO5f1XdHrAZKYN5mEp0C
++7/OqcDoFqORTquLeycg1At/9GqhDEgxNrqA+YEsPbLGAfsNuXUsXs2ubpGsOZxKt
++Emsny2ah6fU2z7PztrUy/A80
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
+index 2cf3148..d0d0b9e 100644
+--- a/test/smime-certs/smrsa1.pem
++++ b/test/smime-certs/smrsa1.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXgIBAAKBgQC6A978j4pmPgUtUQqF+bjh6vdhwGOGZSD7xXgFTMjm88twfv+E
+-ixkq2KXSDjD0ZXoQbdOaSbvGRQrIJpG2NGiKAFdYNrP025kCCdh5wF/aEI7KLEm7
+-JlHwXpQsuj4wkMgmkFjL3Ty4Z55aNH+2pPQIa0k+ENJXm2gDuhqgBmduAwIDAQAB
+-AoGBAJMuYu51aO2THyeHGwt81uOytcCbqGP7eoib62ZOJhxPRGYjpmuqX+R9/V5i
+-KiwGavm63JYUx0WO9YP+uIZxm1BUATzkgkS74u5LP6ajhkZh6/Bck1oIYYkbVOXl
+-JVrdENuH6U7nupznsyYgONByo+ykFPVUGmutgiaC7NMVo/MxAkEA6KLejWXdCIEn
+-xr7hGph9NlvY9xuRIMexRV/WrddcFfCdjI1PciIupgrIkR65M9yr7atm1iU6/aRf
+-KOr8rLZsSQJBAMyyXN71NsDNx4BP6rtJ/LJMP0BylznWkA7zWfGCbAYn9VhZVlSY
+-Eu9Gyr7quD1ix7G3kInKVYOEEOpockBLz+sCQQCedyMmKjcQLfpMVYW8uhbAynvW
+-h36qV5yXZxszO7nMcCTBsxhk5IfmLv5EbCs3+p9avCDGyoGOeUMg+kC33WORAkAg
+-oUIarH4o5+SoeJTTfCzTA0KF9H5U0vYt2+73h7HOnWoHxl3zqDZEfEVvf50U8/0f
+-QELDJETTbScBJtsnkq43AkEA38etvoZ2i4FJvvo7R/9gWBHVEcrGzcsCBYrNnIR1
+-SZLRwHEGaiOK1wxMsWzqp7PJwL9z/M8A8DyOFBx3GPOniA==
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXr9uzB/20QXKC
++xhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK2bcj54XB26i1kXuOrxID
++3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt+W6lSd6Hmfrk4GmE9LTU
++/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JFYg4c7qt5RCk/w8kwrQ0D
++orQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSebvt0APeqgRxSpCxqYnHs
++CoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxMkjpJSv3/ekDG2CHYxXSH
++XxpJstxZAgMBAAECggEASY4xsJaTEPwY3zxLqPdag2/yibBBW7ivz/9p80HQTlXp
++KnbxXj8nNXLjCytAZ8A3P2t316PrrTdLP4ML5lGwkM4MNPhek00GY79syhozTa0i
++cPHVJt+5Kwee/aVI9JmCiGAczh0yHyOM3+6ttIZvvXMVaSl4BUHvJ0ikQBc5YdzL
++s6VM2gCOR6K6n+39QHDI/T7WwO9FFSNnpWFOCHwAWtyBMlleVj+xeZX8OZ/aT+35
++27yjsGNBftWKku29VDineiQC+o+fZGJs6w4JZHoBSP8TfxP8fRCFVNA281G78Xak
++cEnKXwZ54bpoSa3ThKl+56J6NHkkfRGb8Rgt/ipJYQKBgQD5DKb82mLw85iReqsT
++8bkp408nPOBGz7KYnQsZqAVNGfehM02+dcN5z+w0jOj6GMPLPg5whlEo/O+rt9ze
++j6c2+8/+B4Bt5oqCKoOCIndH68jl65+oUxFkcHYxa3zYKGC9Uvb+x2BtBmYgvDRG
++ew6I2Q3Zyd2ThZhJygUZpsjsbQKBgQDdtNiGTkgWOm+WuqBI1LT5cQfoPfgI7/da
++ZA+37NBUQRe0cM7ddEcNqx7E3uUa1JJOoOYv65VyGI33Ul+evI8h5WE5bupcCEFk
++LolzbMc4YQUlsySY9eUXM8jQtfVtaWhuQaABt97l+9oADkrhA+YNdEu2yiz3T6W+
++msI5AnvkHQKBgDEjuPMdF/aY6dqSjJzjzfgg3KZOUaZHJuML4XvPdjRPUlfhKo7Q
++55/qUZ3Qy8tFBaTderXjGrJurc+A+LiFOaYUq2ZhDosguOWUA9yydjyfnkUXZ6or
++sbvSoM+BeOGhnezdKNT+e90nLRF6cQoTD7war6vwM6L+8hxlGvqDuRNFAoGAD4K8
++d0D4yB1Uez4ZQp8m/iCLRhM3zCBFtNw1QU/fD1Xye5w8zL96zRkAsRNLAgKHLdsR
++355iuTXAkOIBcJCOjveGQsdgvAmT0Zdz5FBi663V91o+IDlryqDD1t40CnCKbtRG
++hng/ruVczg4x7OYh7SUKuwIP/UlkNh6LogNreX0CgYBQF9troLex6X94VTi1V5hu
++iCwzDT6AJj63cS3VRO2ait3ZiLdpKdSNNW2WrlZs8FZr/mVutGEcWho8BugGMWST
++1iZkYwly9Xfjnpd0I00ZIlr2/B3+ZsK8w5cOW5Lpb7frol6+BkDnBjbNZI5kQndn
++zQpuMJliRlrq/5JkIbH6SA==
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsTMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALoD3vyPimY+BS1RCoX5uOHq92HAY4ZlIPvFeAVMyObzy3B+/4SLGSrYpdIOMPRl
+-ehBt05pJu8ZFCsgmkbY0aIoAV1g2s/TbmQIJ2HnAX9oQjsosSbsmUfBelCy6PjCQ
+-yCaQWMvdPLhnnlo0f7ak9AhrST4Q0lebaAO6GqAGZ24DAgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFE2vMvKz5jrC7Lbdg68XwZ95iL/QMB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhMUBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQAi
+-O3GOkUl646oLnOimc36i9wxZ1tejsqs8vMjJ0Pym6Uq9FE2JoGzJ6OhB1GOsEVmj
+-9cQ5UNQcRYL3cqOFtl6f4Dpu/lhzfbaqgmLjv29G1mS0uuTZrixhlyCXjwcbOkNC
+-I/+wvHHENYIK5+T/79M9LaZ2Qk4F9MNE1VMljdz9Qw==
++ZXN0IFMvTUlNRSBFRSBSU0EgIzEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQDXr9uzB/20QXKCxhkfNnJvl2xl1hzdOcrQmAqo+AAAcA/D49ImuJDVQRaK
++2bcj54XB26i1kXuOrxID3/etUb8yudfx8OAVwh8G0xVA4zhr8uXW85W2tBr4v0Lt
+++W6lSd6Hmfrk4GmE9LTU/vzl9HUPW6SZShN1G0nY6oeUXvLi0vasEUKv3a51T6JF
++Yg4c7qt5RCk/w8kwrQ0DorQwCdkOPEIiC4b+nPStF12SVm5bx8rbYzioxuY/PdSe
++bvt0APeqgRxSpCxqYnHsCoNeHzSrGXcP0COzFeUOz2tdrhmH09JLbGZs4nbojPxM
++kjpJSv3/ekDG2CHYxXSHXxpJstxZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
++VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBTmjc+lrTQuYx/VBOBGjMvufajvhDAfBgNV
++HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
++dr2IRXcFtlF16kKWs1VTaFIHHNQrfSVHBkhKblPX3f/0s/i3eXgwKUu7Hnb6T3/o
++E8L+e4ioQNhahTLt9ruJNHWA/QDwOfkqM3tshCs2xOD1Cpy7Bd3Dn0YBrHKyNXRK
++WelGp+HetSXJGW4IZJP7iES7Um0DGktLabhZbe25EnthRDBjNnaAmcofHECWESZp
++lEHczGZfS9tRbzOCofxvgLbF64H7wYSyjAe6R8aain0VRbIusiD4tCHX/lOMh9xT
++GNBW8zTL+tV9H1unjPMORLnT0YQ3oAyEND0jCu0ACA1qGl+rzxhF6bQcTUNEbRMu
++9Hjq6s316fk4Ne0EUF3PbA==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
+index d41f69c..2f17cb2 100644
+--- a/test/smime-certs/smrsa2.pem
++++ b/test/smime-certs/smrsa2.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICWwIBAAKBgQCwBfryW4Vu5U9wNIDKspJO/N9YF4CcTlrCUyzVlKgb+8urHlSe
+-59i5verR9IOCCXkemjOzZ/3nALTGqYZlnEvHp0Rjk+KdKXnKBIB+SRPpeu3LcXMT
+-WPgsThPa0UQxedNKG0g6aG+kLhsDlFBCoxd09jJtSpb9jmroJOq0ZYEHLwIDAQAB
+-AoGAKa/w4677Je1W5+r3SYoLDnvi5TkDs4D3C6ipKJgBTEdQz+DqB4w/DpZE4551
+-+rkFn1LDxcxuHGRVa+tAMhZW97fwq9YUbjVZEyOz79qrX+BMyl/NbHkf1lIKDo3q
+-dWalzQvop7nbzeLC+VmmviwZfLQUbA61AQl3jm4dswT4XykCQQDloDadEv/28NTx
+-bvvywvyGuvJkCkEIycm4JrIInvwsd76h/chZ3oymrqzc7hkEtK6kThqlS5y+WXl6
+-QzPruTKTAkEAxD2ro/VUoN+scIVaLmn0RBmZ67+9Pdn6pNSfjlK3s0T0EM6/iUWS
+-M06l6L9wFS3/ceu1tIifsh9BeqOGTa+udQJARIFnybTBaIqw/NZ/lA1YCVn8tpvY
+-iyaoZ6gjtS65TQrsdKeh/i3HCHNUXxUpoZ3F/H7QtD+6o49ODou+EbVOwQJAVmex
+-A2gp8wuJKaINqxIL81AybZLnCCzKJ3lXJ5tUNyLNM/lUbGStktm2Q1zHRQwTxV07
+-jFn7trn8YrtNjzcjYQJAUKIJRt38A8Jw3HoPT+D0WS2IgxjVL0eYGsZX1lyeammG
+-6rfnQ3u5uP7mEK2EH2o8mDUpAE0gclWBU9UkKxJsGA==
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDcYC4tS2Uvn1Z2
++iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iFAzAnwqR/UB1R67ETrsWq
++V8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFpcXepPWQacpuBq2VvcKRD
++lDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS0PZ9EZB63T1gmwaK1Rd5
++U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1NcojhptIWyI0r7dgn5J3
++NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0EFWyQf7iDxGaA93Y9ePB
++Jv5iFZVZAgMBAAECggEBAILIPX856EHb0KclbhlpfY4grFcdg9LS04grrcTISQW1
++J3p9nBpZ+snKe6I8Yx6lf5PiipPsSLlCliHiWpIzJZVQCkAQiSPiHttpEYgP2IYI
++dH8dtznkdVbLRthZs0bnnPmpHCpW+iqpcYJ9eqkz0cvUNUGOjjWmwWmoRqwp/8CW
++3S1qbkQiCh0Mk2fQeGar76R06kXQ9MKDEj14zyS3rJX+cokjEoMSlH8Sbmdh2mJz
++XlNZcvqmeGJZwQWgbVVHOMUuZaKJiFa+lqvOdppbqSx0AsCRq6vjmjEYQEoOefYK
++3IJM9IvqW5UNx0Cy4kQdjhZFFwMO/ALD3QyF21iP4gECgYEA+isQiaWdaY4UYxwK
++Dg+pnSCKD7UGZUaCUIv9ds3CbntMOONFe0FxPsgcc4jRYQYj1rpQiFB8F11+qXGa
++P/IHcnjr2+mTrNY4I9Bt1Lg+pHSS8QCgzeueFybYMLaSsXUo7tGwpvw6UUb6/YWI
++LNCzZbrCLg1KZjGODhhxtvN45ZkCgYEA4YNSe+GMZlxgsvxbLs86WOm6DzJUPvxN
++bWmni0+Oe0cbevgGEUjDVc895uMFnpvlgO49/C0AYJ+VVbStjIMgAeMnWj6OZoSX
++q49rI8KmKUxKgORZiiaMqGWQ7Rxv68+4S8WANsjFxoUrE6dNV3uYDIUsiSLbZeI8
++38KVTcLohcECgYEAiOdyWHGq0G4xl/9rPUCzCMsa4velNV09yYiiwBZgVgfhsawm
++hQpOSBZJA60XMGqkyEkT81VgY4UF4QLLcD0qeCnWoXWVHFvrQyY4RNZDacpl87/t
++QGO2E2NtolL3umesa+2TJ/8Whw46Iu2llSjtVDm9NGiPk5eA7xPPf1iEi9kCgYAb
++0EmVE91wJoaarLtGS7LDkpgrFacEWbPnAbfzW62UENIX2Y1OBm5pH/Vfi7J+vHWS
++8E9e0eIRCL2vY2hgQy/oa67H151SkZnvQ/IP6Ar8Xvd1bDSK8HQ6tMQqKm63Y9g0
++KDjHCP4znOsSMnk8h/bZ3HcAtvbeWwftBR/LBnYNQQKBgA1leIXLLHRoX0VtS/7e
++y7Xmn7gepj+gDbSuCs5wGtgw0RB/1z/S3QoS2TCbZzKPBo20+ivoRP7gcuFhduFR
++hT8V87esr/QzLVpjLedQDW8Xb7GiO3BsU/gVC9VcngenbL7JObl3NgvdreIYo6+n
++yrLyf+8hjm6H6zkjqiOkHAl+
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsUMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALAF+vJbhW7lT3A0gMqykk7831gXgJxOWsJTLNWUqBv7y6seVJ7n2Lm96tH0g4IJ
+-eR6aM7Nn/ecAtMaphmWcS8enRGOT4p0pecoEgH5JE+l67ctxcxNY+CxOE9rRRDF5
+-00obSDpob6QuGwOUUEKjF3T2Mm1Klv2Oaugk6rRlgQcvAgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFIL/u+mEvaw7RuKLRuElfVkxSQjYMB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQC2
+-rXR5bm/9RtOMQPleNpd3y6uUX3oy+0CafK5Yl3PMnItjjnKJ0l1/DbLbDj2twehe
+-ewaB8CROcBCA3AMLSmGvPKgUCFMGtWam3328M4fBHzon5ka7qDXzM+imkAly/Yx2
+-YNdR/aNOug+5sXygHmTSKqiCpQjOIClzXoPVVeEVHw==
++ZXN0IFMvTUlNRSBFRSBSU0EgIzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQDcYC4tS2Uvn1Z2iDgtfkJA5tAqgbN6X4yK02RtVH5xekV9+6+eTt/9S+iF
++AzAnwqR/UB1R67ETrsWqV8u9xLg5fHIwIkmu9/6P31UU9cghO7J1lcrhHvooHaFp
++cXepPWQacpuBq2VvcKRDlDfVmdM5z6eS3dSZPTOMMP/xk4nhZB8mcw27qiccPieS
++0PZ9EZB63T1gmwaK1Rd5U94Pl0+zpDqhViuXmBfiIDWjjz0BzHnHSz5Rg4S3oXF1
++NcojhptIWyI0r7dgn5J3NxC4kgKdjzysxo6iWd0nLgz7h0jUdj79EOis4fg9G4f0
++EFWyQf7iDxGaA93Y9ePBJv5iFZVZAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
++VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBT0arpyYMHXDPVL7MvzE+lx71L7sjAfBgNV
++HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
++I8nM42am3aImkZyrw8iGkaGhKyi/dfajSWx6B9izBUh+3FleBnUxxOA+mn7M8C47
++Ne18iaaWK8vEux9KYTIY8BzXQZL1AuZ896cXEc6bGKsME37JSsocfuB5BIGWlYLv
++/ON5/SJ0iVFj4fAp8z7Vn5qxRJj9BhZDxaO1Raa6cz6pm0imJy9v8y01TI6HsK8c
++XJQLs7/U4Qb91K+IDNX/lgW3hzWjifNpIpT5JyY3DUgbkD595LFV5DDMZd0UOqcv
++6cyN42zkX8a0TWr3i5wu7pw4k1oD19RbUyljyleEp0DBauIct4GARdBGgi5y1H2i
++NzYzLAPBkHCMY0Is3KKIBw==
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
+index c8cbe55..14c27f6 100644
+--- a/test/smime-certs/smrsa3.pem
++++ b/test/smime-certs/smrsa3.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXAIBAAKBgQC6syTZtZNe1hRScFc4PUVyVLsr7+C1HDIZnOHmwFoLayX6RHwy
+-ep/TkdwiPHnemVLuwvpSjLMLZkXy/J764kSHJrNeVl3UvmCVCOm40hAtK1+F39pM
+-h8phkbPPD7i+hwq4/Vs79o46nzwbVKmzgoZBJhZ+codujUSYM3LjJ4aq+wIDAQAB
+-AoGAE1Zixrnr3bLGwBMqtYSDIOhtyos59whImCaLr17U9MHQWS+mvYO98if1aQZi
+-iQ/QazJ+wvYXxWJ+dEB+JvYwqrGeuAU6He/rAb4OShG4FPVU2D19gzRnaButWMeT
+-/1lgXV08hegGBL7RQNaN7b0viFYMcKnSghleMP0/q+Y/oaECQQDkXEwDYJW13X9p
+-ijS20ykWdY5lLknjkHRhhOYux0rlhOqsyMZjoUmwI2m0qj9yrIysKhrk4MZaM/uC
+-hy0xp3hdAkEA0Uv/UY0Kwsgc+W6YxeypECtg1qCE6FBib8n4iFy/6VcWqhvE5xrs
+-OdhKv9/p6aLjLneGd1sU+F8eS9LGyKIbNwJBAJPgbNzXA7uUZriqZb5qeTXxBDfj
+-RLfXSHYKAKEULxz3+JvRHB9SR4yHMiFrCdExiZrHXUkPgYLSHLGG5a4824UCQD6T
+-9XvhquUARkGCAuWy0/3Eqoihp/t6BWSdQ9Upviu7YUhtUxsyXo0REZB7F4pGrJx5
+-GlhXgFaewgUzuUHFzlMCQCzJMMWslWpoLntnR6sMhBMhBFHSw+Y5CbxBmFrdtSkd
+-VdtNO1VuDCTxjjW7W3Khj7LX4KZ1ye/5jfAgnnnXisc=
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
++OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
++Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
++63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
++XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
++vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
++L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
++lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
++BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
++OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
++i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
++snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
++wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
++8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
++ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
++oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
++LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
++yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
++2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
++RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
++KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
++isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
++rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
++IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
++yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
++RvOAi5wVkYylDxV4238MAZIq
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsVMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALqzJNm1k17WFFJwVzg9RXJUuyvv4LUcMhmc4ebAWgtrJfpEfDJ6n9OR3CI8ed6Z
+-Uu7C+lKMswtmRfL8nvriRIcms15WXdS+YJUI6bjSEC0rX4Xf2kyHymGRs88PuL6H
+-Crj9Wzv2jjqfPBtUqbOChkEmFn5yh26NRJgzcuMnhqr7AgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFDsSFjNtYZzd0tTHafNS7tneQQj6MB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhM0BvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQBE
+-tUDB+1Dqigu4p1xtdq7JRK6S+gfA7RWmhz0j2scb2zhpS12h37JLHsidGeKAzZYq
+-jUjOrH/j3xcV5AnuJoqImJaN23nzzxtR4qGGX2mrq6EtObzdEGgCUaizsGM+0slJ
+-PYxcy8KeY/63B1BpYhj2RjGkL6HrvuAaxVORa3acoA==
++ZXN0IFMvTUlNRSBFRSBSU0EgIzMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
++AoIBAQCyK+BTAOJKJjjiOhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVC
++FoVBz5doMf3M6QIS2jL3Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsF
++STxytUVpfcByrubWiLKX63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuW
++m/gavozkK103gQ+dUq4HXamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enha
++v2sXDfOmZp/DYf9IqS7lvFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p
++1diWRpaSn62bbkRN49j6L2dVb+DfAgMBAAGjYDBeMAwGA1UdEwEB/wQCMAAwDgYD
++VR0PAQH/BAQDAgXgMB0GA1UdDgQWBBQ6CkW5sa6HrBsWvuPOvMjyL5AnsDAfBgNV
++HSMEGDAWgBTJkVMKY3sWW4u9RPB2iKkk5uW2bDANBgkqhkiG9w0BAQUFAAOCAQEA
++JhcrD7AKafVzlncA3cZ6epAruj1xwcfiE+EbuAaeWEGjoSltmevcjgoIxvijRVcp
++sCbNmHJZ/siQlqzWjjf3yoERvLDqngJZZpQeocMIbLRQf4wgLAuiBcvT52wTE+sa
++VexeETDy5J1OW3wE4A3rkdBp6hLaymlijFNnd5z/bP6w3AcIMWm45yPm0skM8RVr
++O3UstEFYD/iy+p+Y/YZDoxYQSW5Vl+NkpGmc5bzet8gQz4JeXtH3z5zUGoDM4XK7
++tXP3yUi2eecCbyjh/wgaQiVdylr1Kv3mxXcTl+cFO22asDkh0R/y72nTCu5fSILY
++CscFo2Z2pYROGtZDmYqhRw==
+ -----END CERTIFICATE-----
+--
+1.9.1
+
diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec
index 519977a..9fc07d6 100644
--- a/SPECS/openssl.spec
+++ b/SPECS/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1e
-Release: 51%{?dist}.5
+Release: 51%{?dist}.7
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -155,6 +155,16 @@ Patch151: openssl-1.0.1e-cve-2016-2106.patch
Patch152: openssl-1.0.1e-cve-2016-2107.patch
Patch153: openssl-1.0.1e-cve-2016-2108.patch
Patch154: openssl-1.0.1e-cve-2016-2109.patch
+Patch155: openssl-1.0.1e-update-test-certs.patch
+Patch156: openssl-1.0.1e-cve-2016-2177.patch
+Patch157: openssl-1.0.1e-cve-2016-2178.patch
+Patch158: openssl-1.0.1e-cve-2016-2179.patch
+Patch159: openssl-1.0.1e-cve-2016-2180.patch
+Patch160: openssl-1.0.1e-cve-2016-2181.patch
+Patch161: openssl-1.0.1e-cve-2016-2182.patch
+Patch162: openssl-1.0.1e-cve-2016-6302.patch
+Patch163: openssl-1.0.1e-cve-2016-6304.patch
+Patch164: openssl-1.0.1e-cve-2016-6306.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -340,6 +350,16 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch152 -p1 -b .padding-check
%patch153 -p1 -b .asn1-negative
%patch154 -p1 -b .asn1-bio-dos
+%patch155 -p1 -b .update-certs
+%patch156 -p1 -b .pointer-arithmetic
+%patch157 -p1 -b .dsa-consttime
+%patch158 -p1 -b .dtls1-dos2
+%patch159 -p1 -b .ts-oob-read
+%patch160 -p1 -b .dtls1-replay
+%patch161 -p1 -b .bn-overflow
+%patch162 -p1 -b .ticket-length
+%patch163 -p1 -b .ocsp-memgrowth
+%patch164 -p1 -b .certmsg-len
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -606,6 +626,20 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Sep 22 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.7
+- fix CVE-2016-2177 - possible integer overflow
+- fix CVE-2016-2178 - non-constant time DSA operations
+- fix CVE-2016-2179 - further DoS issues in DTLS
+- fix CVE-2016-2180 - OOB read in TS_OBJ_print_bio()
+- fix CVE-2016-2181 - DTLS1 replay protection and unprocessed records issue
+- fix CVE-2016-2182 - possible buffer overflow in BN_bn2dec()
+- fix CVE-2016-6302 - insufficient TLS session ticket HMAC length check
+- fix CVE-2016-6304 - unbound memory growth with OCSP status request
+- fix CVE-2016-6306 - certificate message OOB reads
+- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
+ 112 bit effective strength
+- replace expired testing certificates
+
* Fri Apr 29 2016 Tomáš Mráz <tmraz@redhat.com> 1.0.1e-51.5
- fix CVE-2016-2105 - possible overflow in base64 encoding
- fix CVE-2016-2106 - possible overflow in EVP_EncryptUpdate()