Time for release of 0.9.7i.

The tag will be OpenSSL_0_9_7i

CHANGES

@@ -2,7 +2,26 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.7g and 0.9.7h  [XX xxx XXXX]
+ Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
+
+  *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
+     The value now differs depending on if you build for FIPS or not.
+     BEWARE!  A program linked with a shared FIPSed libcrypto can't be
+     safely run with a non-FIPSed libcrypto, as it may crash because of
+     the difference induced by this change.
+     [Andy Polyakov]
+
+ Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CAN-2005-2969)
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
 
   *) Minimal support for X9.31 signatures and PSS padding modes. This is
      mainly for FIPS compliance and not fully integrated at this stage.
@@ -53,6 +72,9 @@
 
  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
 
+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+  OpenSSL 0.9.8.]
+
   *) Fixes for newer kerberos headers. NB: the casts are needed because
      the 'length' field is signed on one version and unsigned on another
      with no (?) obvious way to tell the difference, without these VC++

FAQ

@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7g was released on April 11, 2005.
+OpenSSL 0.9.7i was released on October 14, 2005.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Makefile.org

@@ -325,7 +325,7 @@ do_darwin-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS}
+	( set -x; ${CC} ${SHARED_LDFLAGS} \
 		--verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
 		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \

NEWS

@@ -5,6 +5,16 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+
+      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
+
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+
+      o Fix SSL 2.0 Rollback, CAN-2005-2969
+      o Allow use of fixed-length exponent on DSA signing
+      o Default fixed-window RSA, DSA, DH private-key operations
+
   Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
 
       o More compilation issues fixed.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.7h-dev XX xxx XXXX
+ OpenSSL 0.9.7i 14 Och 2005
 
  Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,10 +1,14 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/04/11 15:10:06 $
+  ______________                           $Date: 2005/10/14 22:15:44 $
 
   DEVELOPMENT STATE
 
-    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8a: Released on October   11th, 2005
+    o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7i: Released on October   14th, 2005
+    o  OpenSSL 0.9.7h: Released on October   11th, 2005
     o  OpenSSL 0.9.7g: Released on April     11th, 2005
     o  OpenSSL 0.9.7f: Released on March     22nd, 2005
     o  OpenSSL 0.9.7e: Released on October   25th, 2004

apps/CA.pl.in

@@ -66,19 +66,19 @@ foreach (@ARGV) {
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
-	    print "Certificate (and private key) is in newreq.pem\n"
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
-	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -118,10 +118,11 @@ foreach (@ARGV) {
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");

apps/CA.sh

@@ -51,15 +51,15 @@ case $i in
     ;;
 -newcert) 
     # create a certificate
-    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
     RET=$?
-    echo "Certificate (and private key) is in newreq.pem"
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
     ;;
 -newreq) 
     # create a certificate request
-    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
     RET=$?
-    echo "Request (and private key) is in newreq.pem"
+    echo "Request is in newreq.pem, private key is in newkey.pem"
     ;;
 -newca)     
     # if explicitly asked for or it doesn't exist then setup the directory

apps/apps.c

@@ -361,10 +361,17 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		/* The start of something good :-) */
 		if (num >= arg->count)
 			{
-			arg->count+=20;
-			arg->data=(char **)OPENSSL_realloc(arg->data,
-				sizeof(char *)*arg->count);
-			if (argc == 0) return(0);
+			char **tmp_p;
+			int tlen = arg->count + 20;
+			tmp_p = (char **)OPENSSL_realloc(arg->data,
+				sizeof(char *)*tlen);
+			if (tmp_p == NULL)
+				return 0;
+			arg->data  = tmp_p;
+			arg->count = tlen;
+			/* initialize newly allocated data */
+			for (i = num; i < arg->count; i++)
+				arg->data[i] = NULL;
 			}
 		arg->data[num++]=p;
 

apps/asn1pars.c

@@ -182,7 +182,7 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"%s [options] <infile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");

apps/ca.c

@@ -943,7 +943,6 @@ bad:
 			if (verbose) BIO_printf(bio_err,
 				"Done. %d entries marked as expired\n",i); 
 	      		}
-			goto err;
 	  	}
 
  	/*****************************************************************/

crypto/bn/Makefile

@@ -329,3 +329,5 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_word.o: ../cryptlib.h bn_lcl.h bn_word.c
+bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_x931p.o: ../../include/openssl/opensslconf.h bn_x931p.c

crypto/bn/asm/ppc.pl

@@ -116,7 +116,7 @@ if ($opf =~ /32\.s/) {
 	$UDIV=	"divwu";	# unsigned divide
 	$UCMPI=	"cmplwi";	# unsigned compare with immediate
 	$UCMP=	"cmplw";	# unsigned compare
-	$COUNTZ="cntlzw";	# count leading zeros
+	$CNTLZ=	"cntlzw";	# count leading zeros
 	$SHL=	"slw";		# shift left
 	$SHR=	"srw";		# unsigned shift right
 	$SHRI=	"srwi";		# unsigned shift right by immediate	
@@ -124,6 +124,7 @@ if ($opf =~ /32\.s/) {
 	$CLRU=	"clrlwi";	# clear upper bits
 	$INSR=	"insrwi";	# insert right
 	$ROTL=	"rotlwi";	# rotate left by immediate
+	$TR=	"tw";		# conditional trap
 } elsif ($opf =~ /64\.s/) {
 	$BITS=	64;
 	$BNSZ=	$BITS/8;
@@ -139,7 +140,7 @@ if ($opf =~ /32\.s/) {
 	$UDIV=	"divdu";	# unsigned divide
 	$UCMPI=	"cmpldi";	# unsigned compare with immediate
 	$UCMP=	"cmpld";	# unsigned compare
-	$COUNTZ="cntlzd";	# count leading zeros
+	$CNTLZ=	"cntlzd";	# count leading zeros
 	$SHL=	"sld";		# shift left
 	$SHR=	"srd";		# unsigned shift right
 	$SHRI=	"srdi";		# unsigned shift right by immediate	
@@ -147,6 +148,7 @@ if ($opf =~ /32\.s/) {
 	$CLRU=	"clrldi";	# clear upper bits
 	$INSR=	"insrdi";	# insert right 
 	$ROTL=	"rotldi";	# rotate left by immediate
+	$TR=	"td";		# conditional trap
 } else { die "nonsense $opf"; }
 
 ( defined shift || open STDOUT,">$opf" ) || die "can't open $opf: $!";
@@ -1710,17 +1712,12 @@ Lppcasm_add_adios:
 	bclr	BO_ALWAYS,CR0_LT	
 Lppcasm_div1:
 	xor	r0,r0,r0		#r0=0
-	$COUNTZ	r7,r5			#r7 = num leading 0s in d.
-	subfic	r8,r7,$BITS		#r8 = BN_num_bits_word(d)
-	cmpi	0,0,r8,$BITS		#
-	bc	BO_IF,CR0_EQ,Lppcasm_div2	#proceed if (r8==$BITS)	
-	li	r9,1			# r9=1
-	$SHL	r10,r9,r8		# r9<<=r8
-	$UCMP	0,r3,r10		#	
-	bc	BO_IF,CR0_GT,Lppcasm_div2	#or if (h > (1<<r8))
-	$UDIV	r3,r3,r0		#if not assert(0) divide by 0!
-					#that's how we signal overflow
-	bclr	BO_ALWAYS,CR0_LT	#return. NEVER REACHED.
+	li	r8,$BITS
+	$CNTLZ.	r7,r5			#r7 = num leading 0s in d.
+	bc	BO_IF,CR0_EQ,Lppcasm_div2	#proceed if no leading zeros
+	subf	r8,r7,r8		#r8 = BN_num_bits_word(d)
+	$SHR.	r9,r3,r8		#are there any bits above r8'th?
+	$TR	16,r9,r0		#if there're, signal to dump core...
 Lppcasm_div2:
 	$UCMP	0,r3,r5			#h>=d?
 	bc	BO_IF,CR0_LT,Lppcasm_div3	#goto Lppcasm_div3 if not

crypto/conf/conf_def.c

@@ -613,13 +613,13 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 				e++;
 				}
 			/* So at this point we have
-			 * ns which is the start of the name string which is
+			 * np which is the start of the name string which is
 			 *   '\0' terminated. 
-			 * cs which is the start of the section string which is
+			 * cp which is the start of the section string which is
 			 *   '\0' terminated.
 			 * e is the 'next point after'.
-			 * r and s are the chars replaced by the '\0'
-			 * rp and sp is where 'r' and 's' came from.
+			 * r and rr are the chars replaced by the '\0'
+			 * rp and rrp is where 'r' and 'rr' came from.
 			 */
 			p=_CONF_get_string(conf,cp,np);
 			if (rrp != NULL) *rrp=rr;
@@ -638,6 +638,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 			   points at.  /RL */
 			len -= e-from;
 			from=e;
+
+			/* In case there were no braces or parenthesis around
+			   the variable reference, we have to put back the
+			   character that was replaced with a '\0'.  /RL */
+			*rp = r;
 			}
 		else
 			buf->data[to++]= *(from++);

crypto/engine/tb_dsa.c

@@ -94,7 +94,7 @@ int ENGINE_set_default_DSA(ENGINE *e)
 	{
 	if(e->dsa_meth)
 		return engine_table_register(&dsa_table,
-				engine_unregister_all_DSA, e, &dummy_nid, 1, 0);
+				engine_unregister_all_DSA, e, &dummy_nid, 1, 1);
 	return 1;
 	}
 

crypto/evp/evp.h

@@ -132,7 +132,11 @@
 #define EVP_CAST5_KEY_SIZE		16
 #define EVP_RC5_32_12_16_KEY_SIZE	16
 */
+#ifdef OPENSSL_FIPS
 #define EVP_MAX_MD_SIZE			64	/* longest known SHA512 */
+#else
+#define EVP_MAX_MD_SIZE			(16+20)	/* The SSLv3 md5+sha1 type */
+#endif
 #define EVP_MAX_KEY_LENGTH		32
 #define EVP_MAX_IV_LENGTH		16
 #define EVP_MAX_BLOCK_LENGTH		32

crypto/evp/m_dss1.c

@@ -67,7 +67,14 @@ static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }
 
 static int update(EVP_MD_CTX *ctx,const void *data,unsigned long count)
+#ifndef OPENSSL_FIPS
 	{ return SHA1_Update(ctx->md_data,data,count); }
+#else
+	{
+	OPENSSL_assert(sizeof(count)<=sizeof(size_t));
+	return SHA1_Update(ctx->md_data,data,count);
+	}
+#endif
 
 static int final(EVP_MD_CTX *ctx,unsigned char *md)
 	{ return SHA1_Final(md,ctx->md_data); }
@@ -77,7 +84,7 @@ static const EVP_MD dss1_md=
 	NID_dsa,
 	NID_dsaWithSHA1,
 	SHA_DIGEST_LENGTH,
-	0,
+	EVP_MD_FLAG_FIPS,
 	init,
 	update,
 	final,

crypto/hmac/hmac.h

@@ -64,7 +64,11 @@
 
 #include <openssl/evp.h>
 
+#ifdef OPENSSL_FIPS
 #define HMAC_MAX_MD_CBLOCK	128
+#else
+#define HMAC_MAX_MD_CBLOCK	64
+#endif
 
 #ifdef  __cplusplus
 extern "C" {

crypto/objects/obj_dat.h

@@ -330,9 +330,9 @@ static unsigned char lvalues[4575]={
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x04,     /* [2092] OBJ_ac_auditEntity */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x05,     /* [2100] OBJ_ac_targeting */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x06,     /* [2108] OBJ_aaControls */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbqp_ipAddrBlock */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbqp_autonomousSysNum */
-0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbqp_routerIdentifier */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x07,     /* [2116] OBJ_sbgp_ipAddrBlock */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x08,     /* [2124] OBJ_sbgp_autonomousSysNum */
+0x2B,0x06,0x01,0x05,0x05,0x07,0x01,0x09,     /* [2132] OBJ_sbgp_routerIdentifier */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x02,0x03,     /* [2140] OBJ_textNotice */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x05,     /* [2148] OBJ_ipsecEndSystem */
 0x2B,0x06,0x01,0x05,0x05,0x07,0x03,0x06,     /* [2156] OBJ_ipsecTunnel */
@@ -1143,12 +1143,12 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 	&(lvalues[2092]),0},
 {"ac-targeting","ac-targeting",NID_ac_targeting,8,&(lvalues[2100]),0},
 {"aaControls","aaControls",NID_aaControls,8,&(lvalues[2108]),0},
-{"sbqp-ipAddrBlock","sbqp-ipAddrBlock",NID_sbqp_ipAddrBlock,8,
+{"sbgp-ipAddrBlock","sbgp-ipAddrBlock",NID_sbgp_ipAddrBlock,8,
 	&(lvalues[2116]),0},
-{"sbqp-autonomousSysNum","sbqp-autonomousSysNum",
-	NID_sbqp_autonomousSysNum,8,&(lvalues[2124]),0},
-{"sbqp-routerIdentifier","sbqp-routerIdentifier",
-	NID_sbqp_routerIdentifier,8,&(lvalues[2132]),0},
+{"sbgp-autonomousSysNum","sbgp-autonomousSysNum",
+	NID_sbgp_autonomousSysNum,8,&(lvalues[2124]),0},
+{"sbgp-routerIdentifier","sbgp-routerIdentifier",
+	NID_sbgp_routerIdentifier,8,&(lvalues[2132]),0},
 {"textNotice","textNotice",NID_textNotice,8,&(lvalues[2140]),0},
 {"ipsecEndSystem","IPSec End System",NID_ipsecEndSystem,8,
 	&(lvalues[2148]),0},
@@ -2285,9 +2285,9 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[ 1]),/* "rsadsi" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -2962,9 +2962,9 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[124]),/* "run length compression" */
 &(nid_objs[482]),/* "sOARecord" */
 &(nid_objs[155]),/* "safeContentsBag" */
-&(nid_objs[291]),/* "sbqp-autonomousSysNum" */
-&(nid_objs[290]),/* "sbqp-ipAddrBlock" */
-&(nid_objs[292]),/* "sbqp-routerIdentifier" */
+&(nid_objs[291]),/* "sbgp-autonomousSysNum" */
+&(nid_objs[290]),/* "sbgp-ipAddrBlock" */
+&(nid_objs[292]),/* "sbgp-routerIdentifier" */
 &(nid_objs[159]),/* "sdsiCertificate" */
 &(nid_objs[154]),/* "secretBag" */
 &(nid_objs[474]),/* "secretary" */
@@ -3424,9 +3424,9 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[287]),/* OBJ_ac_auditEntity               1 3 6 1 5 5 7 1 4 */
 &(nid_objs[288]),/* OBJ_ac_targeting                 1 3 6 1 5 5 7 1 5 */
 &(nid_objs[289]),/* OBJ_aaControls                   1 3 6 1 5 5 7 1 6 */
-&(nid_objs[290]),/* OBJ_sbqp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
-&(nid_objs[291]),/* OBJ_sbqp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
-&(nid_objs[292]),/* OBJ_sbqp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
+&(nid_objs[290]),/* OBJ_sbgp_ipAddrBlock             1 3 6 1 5 5 7 1 7 */
+&(nid_objs[291]),/* OBJ_sbgp_autonomousSysNum        1 3 6 1 5 5 7 1 8 */
+&(nid_objs[292]),/* OBJ_sbgp_routerIdentifier        1 3 6 1 5 5 7 1 9 */
 &(nid_objs[397]),/* OBJ_ac_proxying                  1 3 6 1 5 5 7 1 10 */
 &(nid_objs[398]),/* OBJ_sinfo_access                 1 3 6 1 5 5 7 1 11 */
 &(nid_objs[663]),/* OBJ_proxyCertInfo                1 3 6 1 5 5 7 1 14 */

crypto/objects/obj_mac.h

@@ -1068,17 +1068,17 @@
 #define NID_aaControls		289
 #define OBJ_aaControls		OBJ_id_pe,6L
 
-#define SN_sbqp_ipAddrBlock		"sbqp-ipAddrBlock"
-#define NID_sbqp_ipAddrBlock		290
-#define OBJ_sbqp_ipAddrBlock		OBJ_id_pe,7L
+#define SN_sbgp_ipAddrBlock		"sbgp-ipAddrBlock"
+#define NID_sbgp_ipAddrBlock		290
+#define OBJ_sbgp_ipAddrBlock		OBJ_id_pe,7L
 
-#define SN_sbqp_autonomousSysNum		"sbqp-autonomousSysNum"
-#define NID_sbqp_autonomousSysNum		291
-#define OBJ_sbqp_autonomousSysNum		OBJ_id_pe,8L
+#define SN_sbgp_autonomousSysNum		"sbgp-autonomousSysNum"
+#define NID_sbgp_autonomousSysNum		291
+#define OBJ_sbgp_autonomousSysNum		OBJ_id_pe,8L
 
-#define SN_sbqp_routerIdentifier		"sbqp-routerIdentifier"
-#define NID_sbqp_routerIdentifier		292
-#define OBJ_sbqp_routerIdentifier		OBJ_id_pe,9L
+#define SN_sbgp_routerIdentifier		"sbgp-routerIdentifier"
+#define NID_sbgp_routerIdentifier		292
+#define OBJ_sbgp_routerIdentifier		OBJ_id_pe,9L
 
 #define SN_ac_proxying		"ac-proxying"
 #define NID_ac_proxying		397

crypto/objects/obj_mac.num

@@ -287,9 +287,9 @@ qcStatements		286
 ac_auditEntity		287
 ac_targeting		288
 aaControls		289
-sbqp_ipAddrBlock		290
-sbqp_autonomousSysNum		291
-sbqp_routerIdentifier		292
+sbgp_ipAddrBlock		290
+sbgp_autonomousSysNum		291
+sbgp_routerIdentifier		292
 textNotice		293
 ipsecEndSystem		294
 ipsecTunnel		295

crypto/objects/objects.txt

@@ -346,9 +346,9 @@ id-pe 3			: qcStatements
 id-pe 4			: ac-auditEntity
 id-pe 5			: ac-targeting
 id-pe 6			: aaControls
-id-pe 7			: sbqp-ipAddrBlock
-id-pe 8			: sbqp-autonomousSysNum
-id-pe 9			: sbqp-routerIdentifier
+id-pe 7			: sbgp-ipAddrBlock
+id-pe 8			: sbgp-autonomousSysNum
+id-pe 9			: sbgp-routerIdentifier
 id-pe 10		: ac-proxying
 !Cname sinfo-access
 id-pe 11		: subjectInfoAccess	: Subject Information Access

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x00907080L
+#define OPENSSL_VERSION_NUMBER	0x0090709fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-fips-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7i-fips 14 Oct 2005"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7h-dev XX xxx XXXX"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7i 14 Oct 2005"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/perlasm/x86nasm.pl

@@ -221,7 +221,15 @@ sub using486
 
 sub main'file
 	{
-	push(@out, "segment .text use32\n");
+	local $tmp;
+	$tmp=<<___;
+%ifdef __omf__
+section	code	use32 class=code
+%else
+section	.text
+%endif
+___
+	push(@out,$tmp);
 	}
 
 sub main'function_begin

crypto/pkcs12/p12_add.c

@@ -148,7 +148,11 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
 /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
 {
-	if(!PKCS7_type_is_data(p7)) return NULL;
+	if(!PKCS7_type_is_data(p7))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
 
@@ -211,5 +215,10 @@ int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes)
 
 STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12)
 {
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return NULL;
+		}
 	return ASN1_item_unpack(p12->authsafes->d.data, ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
 }

crypto/pkcs12/p12_mutl.c

@@ -72,6 +72,12 @@ int PKCS12_gen_mac (PKCS12 *p12, const char *pass, int passlen,
 	unsigned char key[PKCS12_MAC_KEY_LENGTH], *salt;
 	int saltlen, iter;
 
+	if (!PKCS7_type_is_data(p12->authsafes))
+		{
+		PKCS12err(PKCS12_F_PKCS12_GEN_MAC,PKCS12_R_CONTENT_TYPE_NOT_DATA);
+		return 0;
+		}
+
 	salt = p12->mac->salt->data;
 	saltlen = p12->mac->salt->length;
 	if (!p12->mac->iter) iter = 1;

crypto/pkcs12/pk12err.c

@@ -93,6 +93,8 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN),	"PKCS12_PBE_keyivgen"},
 {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC),	"PKCS12_setup_mac"},
 {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC),	"PKCS12_set_mac"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES),	"PKCS12_unpack_authsafes"},
+{ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA),	"PKCS12_unpack_p7data"},
 {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE),	"PKCS8_add_keyusage"},
 {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT),	"PKCS8_encrypt"},
 {ERR_FUNC(PKCS12_F_VERIFY_MAC),	"VERIFY_MAC"},
@@ -102,6 +104,7 @@ static ERR_STRING_DATA PKCS12_str_functs[]=
 static ERR_STRING_DATA PKCS12_str_reasons[]=
 	{
 {ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE),"cant pack structure"},
+{ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA),"content type not data"},
 {ERR_REASON(PKCS12_R_DECODE_ERROR)       ,"decode error"},
 {ERR_REASON(PKCS12_R_ENCODE_ERROR)       ,"encode error"},
 {ERR_REASON(PKCS12_R_ENCRYPT_ERROR)      ,"encrypt error"},

crypto/pkcs12/pkcs12.h

@@ -287,12 +287,15 @@ void ERR_load_PKCS12_strings(void);
 #define PKCS12_F_PKCS12_PBE_KEYIVGEN			 120
 #define PKCS12_F_PKCS12_SETUP_MAC			 122
 #define PKCS12_F_PKCS12_SET_MAC				 123
+#define PKCS12_F_PKCS12_UNPACK_AUTHSAFES		 129
+#define PKCS12_F_PKCS12_UNPACK_P7DATA			 130
 #define PKCS12_F_PKCS8_ADD_KEYUSAGE			 124
 #define PKCS12_F_PKCS8_ENCRYPT				 125
 #define PKCS12_F_VERIFY_MAC				 126
 
 /* Reason codes. */
 #define PKCS12_R_CANT_PACK_STRUCTURE			 100
+#define PKCS12_R_CONTENT_TYPE_NOT_DATA			 121
 #define PKCS12_R_DECODE_ERROR				 101
 #define PKCS12_R_ENCODE_ERROR				 102
 #define PKCS12_R_ENCRYPT_ERROR				 103

crypto/x509/by_dir.c

@@ -114,7 +114,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 	{
 	int ret=0;
 	BY_DIR *ld;
-	char *dir;
+	char *dir = NULL;
 
 	ld=(BY_DIR *)ctx->method_data;
 
@@ -122,19 +122,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
 		{
 	case X509_L_ADD_DIR:
 		if (argl == X509_FILETYPE_DEFAULT)
+			{
 			dir=(char *)Getenv(X509_get_default_cert_dir_env());
 			if (dir)
-			ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
+				ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM);
 			else
-			{
-			ret=add_cert_dir(ld,X509_get_default_cert_dir(),
-				X509_FILETYPE_PEM);
-			}
+				ret=add_cert_dir(ld,X509_get_default_cert_dir(),
+					X509_FILETYPE_PEM);
 			if (!ret)
 				{
 				X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR);
 				}
-
+			}
 		else
 			ret=add_cert_dir(ld,argp,(int)argl);
 		break;

crypto/x509v3/v3_cpols.c

@@ -137,7 +137,15 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	CONF_VALUE *cnf;
 	int i, ia5org;
 	pols = sk_POLICYINFO_new_null();
+	if (pols == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
 	vals =  X509V3_parse_list(value);
+	if (vals == NULL) {
+		X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_X509V3_LIB);
+		goto err;
+	}
 	ia5org = 0;
 	for(i = 0; i < sk_CONF_VALUE_num(vals); i++) {
 		cnf = sk_CONF_VALUE_value(vals, i);
@@ -176,6 +184,7 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
 	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	return pols;
 	err:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
 	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
 	return NULL;
 }

doc/apps/enc.pod

@@ -191,12 +191,12 @@ Blowfish and RC5 algorithms use a 128 bit key.
  des-ecb            DES in ECB mode
 
  des-ede-cbc        Two key triple DES EDE in CBC mode
- des-ede            Alias for des-ede
+ des-ede            Two key triple DES EDE in ECB mode
  des-ede-cfb        Two key triple DES EDE in CFB mode
  des-ede-ofb        Two key triple DES EDE in OFB mode
 
  des-ede3-cbc       Three key triple DES EDE in CBC mode
- des-ede3           Alias for des-ede3-cbc
+ des-ede3           Three key triple DES EDE in ECB mode
  des3               Alias for des-ede3-cbc
  des-ede3-cfb       Three key triple DES EDE CFB mode
  des-ede3-ofb       Three key triple DES EDE in OFB mode

doc/ssl/SSL_CTX_set_options.pod

@@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list.
 
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
 
-...
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
 

fips/dsa/Makefile

@@ -146,3 +146,4 @@ fips_dsatest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 fips_dsatest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 fips_dsatest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 fips_dsatest.o: fips_dsatest.c
+fips_dssvs.o: ../../include/openssl/opensslconf.h fips_dssvs.c

fips/rand/Makefile

@@ -125,3 +125,4 @@ fips_randtest.o: ../../include/openssl/safestack.h
 fips_randtest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 fips_randtest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 fips_randtest.o: fips_randtest.c
+fips_rngvs.o: ../../include/openssl/opensslconf.h fips_rngvs.c

fips/rsa/Makefile

@@ -126,6 +126,40 @@ fips_rsa_selftest.o: ../../include/openssl/rsa.h
 fips_rsa_selftest.o: ../../include/openssl/safestack.h
 fips_rsa_selftest.o: ../../include/openssl/stack.h
 fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
+fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_rsa_x931g.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+fips_rsa_x931g.o: ../../include/openssl/opensslconf.h
+fips_rsa_x931g.o: ../../include/openssl/opensslv.h
+fips_rsa_x931g.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h
+fips_rsa_x931g.o: ../../include/openssl/safestack.h
+fips_rsa_x931g.o: ../../include/openssl/stack.h
+fips_rsa_x931g.o: ../../include/openssl/symhacks.h fips_rsa_x931g.c
+fips_rsagtest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+fips_rsagtest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+fips_rsagtest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+fips_rsagtest.o: ../../include/openssl/cast.h ../../include/openssl/conf.h
+fips_rsagtest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fips_rsagtest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+fips_rsagtest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+fips_rsagtest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+fips_rsagtest.o: ../../include/openssl/hmac.h ../../include/openssl/idea.h
+fips_rsagtest.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+fips_rsagtest.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+fips_rsagtest.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+fips_rsagtest.o: ../../include/openssl/objects.h
+fips_rsagtest.o: ../../include/openssl/opensslconf.h
+fips_rsagtest.o: ../../include/openssl/opensslv.h
+fips_rsagtest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+fips_rsagtest.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+fips_rsagtest.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+fips_rsagtest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+fips_rsagtest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+fips_rsagtest.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+fips_rsagtest.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
+fips_rsagtest.o: ../../include/openssl/x509_vfy.h
+fips_rsagtest.o: ../../include/openssl/x509v3.h fips_rsagtest.c
 fips_rsastest.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 fips_rsastest.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 fips_rsastest.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h

fips/sha/Makefile

@@ -137,8 +137,7 @@ fips_sha256.o: ../../include/openssl/fips.h ../../include/openssl/fips_sha.h
 fips_sha256.o: ../../include/openssl/opensslconf.h
 fips_sha256.o: ../../include/openssl/opensslv.h
 fips_sha256.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-fips_sha256.o: ../../include/openssl/symhacks.h fips_md32_common.h
-fips_sha256.o: fips_sha256.c
+fips_sha256.o: ../../include/openssl/symhacks.h fips_sha256.c
 fips_sha512.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 fips_sha512.o: ../../include/openssl/fips.h ../../include/openssl/fips_sha.h
 fips_sha512.o: ../../include/openssl/opensslconf.h

openssl.spec

@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-%define librev g
+%define librev i
 Release: 2
 
 %define openssldir /var/ssl

ssl/s23_srvr.c

@@ -268,9 +268,6 @@ int ssl23_get_client_hello(SSL *s)
 	int n=0,j;
 	int type=0;
 	int v[2];
-#ifndef OPENSSL_NO_RSA
-	int use_sslv2_strong=0;
-#endif
 
 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
 		{
@@ -528,9 +525,7 @@ int ssl23_get_client_hello(SSL *s)
 			}
 
 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
-			use_sslv2_strong ||
-			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
 			s->s2->ssl2_rollback=0;
 		else
 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0

ssl/s3_lib.c

@@ -835,7 +835,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_RSA_WITH_AES_128_SHA,
 	    TLS1_CK_RSA_WITH_AES_128_SHA,
 	    SSL_kRSA|SSL_aRSA|SSL_AES|SSL_SHA |SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,
@@ -848,7 +848,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DH_DSS_WITH_AES_128_SHA,
 	    TLS1_CK_DH_DSS_WITH_AES_128_SHA,
 	    SSL_kDHd|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,
@@ -861,7 +861,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DH_RSA_WITH_AES_128_SHA,
 	    TLS1_CK_DH_RSA_WITH_AES_128_SHA,
 	    SSL_kDHr|SSL_aDH|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,
@@ -874,7 +874,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DHE_DSS_WITH_AES_128_SHA,
 	    TLS1_CK_DHE_DSS_WITH_AES_128_SHA,
 	    SSL_kEDH|SSL_aDSS|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,
@@ -887,7 +887,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_DHE_RSA_WITH_AES_128_SHA,
 	    TLS1_CK_DHE_RSA_WITH_AES_128_SHA,
 	    SSL_kEDH|SSL_aRSA|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,
@@ -900,7 +900,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	    TLS1_TXT_ADH_WITH_AES_128_SHA,
 	    TLS1_CK_ADH_WITH_AES_128_SHA,
 	    SSL_kEDH|SSL_aNULL|SSL_AES|SSL_SHA|SSL_TLSV1,
-	    SSL_NOT_EXP|SSL_MEDIUM|SSL_FIPS,
+	    SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	    0,
 	    128,
 	    128,

ssl/ssl.h

@@ -467,7 +467,7 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L

test/Makefile

@@ -613,6 +613,7 @@ fips_dsatest.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 fips_dsatest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 fips_dsatest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 fips_dsatest.o: fips_dsatest.c
+fips_dssvs.o: ../include/openssl/opensslconf.h fips_dssvs.c
 fips_hmactest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
 fips_hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 fips_hmactest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -644,6 +645,29 @@ fips_randtest.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
 fips_randtest.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 fips_randtest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 fips_randtest.o: ../include/openssl/ui_compat.h fips_randtest.c
+fips_rngvs.o: ../include/openssl/opensslconf.h fips_rngvs.c
+fips_rsagtest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+fips_rsagtest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+fips_rsagtest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+fips_rsagtest.o: ../include/openssl/cast.h ../include/openssl/conf.h
+fips_rsagtest.o: ../include/openssl/crypto.h ../include/openssl/des.h
+fips_rsagtest.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+fips_rsagtest.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+fips_rsagtest.o: ../include/openssl/err.h ../include/openssl/evp.h
+fips_rsagtest.o: ../include/openssl/hmac.h ../include/openssl/idea.h
+fips_rsagtest.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+fips_rsagtest.o: ../include/openssl/md4.h ../include/openssl/md5.h
+fips_rsagtest.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+fips_rsagtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+fips_rsagtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+fips_rsagtest.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+fips_rsagtest.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+fips_rsagtest.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+fips_rsagtest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+fips_rsagtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+fips_rsagtest.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+fips_rsagtest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+fips_rsagtest.o: ../include/openssl/x509v3.h fips_rsagtest.c
 fips_rsastest.o: ../include/openssl/aes.h ../include/openssl/asn1.h
 fips_rsastest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 fips_rsastest.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -710,6 +734,20 @@ fips_shatest.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
 fips_shatest.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 fips_shatest.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
 fips_shatest.o: fips_shatest.c
+fips_test_suite.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+fips_test_suite.o: ../include/openssl/bio.h ../include/openssl/bn.h
+fips_test_suite.o: ../include/openssl/crypto.h ../include/openssl/des.h
+fips_test_suite.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+fips_test_suite.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+fips_test_suite.o: ../include/openssl/err.h ../include/openssl/fips.h
+fips_test_suite.o: ../include/openssl/lhash.h ../include/openssl/md5.h
+fips_test_suite.o: ../include/openssl/opensslconf.h
+fips_test_suite.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+fips_test_suite.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+fips_test_suite.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+fips_test_suite.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+fips_test_suite.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+fips_test_suite.o: fips_test_suite.c
 hmactest.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 hmactest.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 hmactest.o: ../include/openssl/bn.h ../include/openssl/cast.h

util/pl/BC-32.pl

@@ -18,7 +18,7 @@ $out_def="out32";
 $tmp_def="tmp32";
 $inc_def="inc32";
 #enable max error messages, disable most common warnings
-$cflags="-DWIN32_LEAN_AND_MEAN -q -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp ";
+$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl  -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
 if ($debug)
 {
     $cflags.="-Od -y -v -vi- -D_DEBUG";
@@ -51,7 +51,7 @@ $lfile='';
 $shlib_ex_obj="";
 $app_ex_obj="c0x32.obj"; 
 
-$asm='nasmw -f obj';
+$asm='nasmw -f obj -d__omf__';
 $asm.=" /Zi" if $debug;
 $afile='-o';
 
@@ -106,9 +106,13 @@ sub do_lib_rule
 	$ret.="$target: $objs\n";
 	if (!$shlib)
 		{
-		#		$ret.="\t\$(RM) \$(O_$Name)\n";
-		$ret.="\techo LIB $<\n";    
-                $ret.="\t&\$(MKLIB) $lfile$target -+\$**\n";
+		$ret.=<<___;
+	-\$(RM) $lfile$target
+	\$(MKLIB) $lfile$target \@&&!
++\$(**: = &^
++)
+!
+___
 		}
 	else
 		{

util/pl/VC-32.pl

@@ -12,6 +12,7 @@ $rm='del';
 # C compiler stuff
 $cc='cl';
 $cflags=' /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags.=' -D_CRT_SECURE_NO_DEPRECATE';	# shut up VC8
 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
 $mlflags='';