Updates for 0.9.7e release.

Fix race condition.
make update
2004-10-25 11:24:39 +00:00 · 2004-10-25 11:15:49 +00:00 · 2004-10-25 00:04:22 +00:00 · 2004-10-20 17:24:06 +00:00 · 2004-10-20 00:54:27 +00:00 · 2004-10-20 00:48:15 +00:00
727 changed files with 4437 additions and 248689 deletions
--- a/15
+++ b/15
@@ -2,7 +2,20 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7d and 0.9.7e  [XX xxx XXXX]
+ Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
+
+  *) Avoid a race condition when CRLs are checked in a multi threaded 
+     environment. This would happen due to the reordering of the revoked
+     entries during signature checking and serial number lookup. Now the
+     encoding is cached and the serial number sort performed under a lock.
+     Add new STACK function sk_is_sorted().
+     [Steve Henson]
+
+  *) Add Delta CRL to the extension code.
+     [Steve Henson]
+
+  *) Various fixes to s3_pkt.c so alerts are sent properly.
+     [David Holmes <d.holmes@f5.com>]

  *) Reduce the chances of duplicate issuer name and serial numbers (in
     violation of RFC3280) using the OpenSSL certificate creation utilities.
--- a/27
+++ b/27
@@ -144,7 +144,7 @@ my %table=(
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
 "debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -156,6 +156,12 @@ my %table=(
 "gcc",		"gcc:-O3::(unknown):::BN_LLONG:::",
 "cc",		"cc:-O::(unknown)::::::",

+####VOS Configurations
+"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
 # here because whenever GNU C instantiates an assembler template it
@@ -383,7 +389,7 @@ my %table=(
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -416,7 +422,7 @@ my %table=(
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",

 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # SCO/Caldera targets.
 #
@@ -644,10 +650,6 @@ my $no_sha=0;
 my $no_rsa=0;
 my $no_dh=0;

-$default_ranlib= &which("ranlib") or $default_ranlib="true";
-$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
-  or $perl="perl";
-
 &usage if ($#ARGV < 0);

 my $flags;
@@ -936,9 +938,14 @@ my $IsWindows=scalar grep /^$target$/,@WinTargets;

 $exe_ext=".exe" if ($target eq "Cygwin");
 $exe_ext=".exe" if ($target eq "DJGPP");
+$exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";

+$default_ranlib= &which("ranlib") or $default_ranlib="true";
+$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+  or $perl="perl";
+
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;

@@ -1599,10 +1606,10 @@ sub which
 	my $path;
 	foreach $path (split /:/, $ENV{PATH})
 		{
-		if (-f "$path/$name" and -x _)
+		if (-f "$path/$name$exe_ext" and -x _)
 			{
-			return "$path/$name" unless ($name eq "perl" and
-			 system("$path/$name -e " . '\'exit($]<5.0);\''));
+			return "$path/$name$exe_ext" unless ($name eq "perl" and
+			 system("$path/$name$exe_ext -e " . '\'exit($]<5.0);\''));
 			}
 		}
 	}
--- a/30
+++ b/30
@@ -52,6 +52,7 @@ OpenSSL  -  Frequently Asked Questions
 * Is OpenSSL thread-safe?
 * I've compiled a program under Windows and it crashes: why?
 * How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 * I've called <some function> and it fails, why?
 * I just get a load of numbers for the error output, what do they mean?
@@ -60,6 +61,7 @@ OpenSSL  -  Frequently Asked Questions
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?

 ===============================================================================

@@ -68,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7d was released on March 17, 2004.
+OpenSSL 0.9.7e was released on October 25, 2004.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -683,6 +685,20 @@ and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.


+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
+
+
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?

 This usually happens when you try compiling something using the PKCS#12
@@ -765,5 +781,17 @@ The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
 Change your code to use the new name when compiling against OpenSSL 0.9.7.


+* I think I've detected a memory leak, is this a bug?
+
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+
+These internal tables can be freed up when an application closes using various
+functions.  Currently these include: EVP_cleanup(), ERR_remove_state(),
+ERR_free_strings(), ENGINE_cleanup(), CONF_modules_unload() and
+CRYPTO_cleanup_all_ex_data().
+
+
 ===============================================================================

--- a/Makefile.org
+++ b/Makefile.org
@@ -186,7 +186,7 @@ SDIRS=  objects \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

-FDIRS=	sha1 rand des aes dsa rsa
+FDIRS=	sha1 rand des aes dsa rsa dh

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -205,7 +205,7 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
-SIGS=	libcrypto.sha1
+SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -226,10 +226,10 @@ HEADER=         e_os.h
 all: Makefile sub_all openssl.pc

 sigs:	$(SIGS)
-libcrypto.sha1: libcrypto.a
+libcrypto.a.sha1: libcrypto.a
 	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
 		$(RANLIB) libcrypto.a; \
-		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1; \
+		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
 	fi

 sub_all:
@@ -414,6 +414,7 @@ do_solaris-shared:
 		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			-Wl,-Bsymbolic \
 			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
 			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="-l$$i $$libs"; \
@@ -678,7 +679,7 @@ dclean:

 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
+	@(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
 		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
 		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
@@ -724,13 +725,8 @@ lint:
 	done;

 tags:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making tags $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
-	fi; \
-	done;
+	rm -f TAGS
+	find . -name '[^.]*.[ch]' | xargs etags -a

 errors:
 	$(PERL) util/mkerr.pl -recurse -write
@@ -750,11 +746,14 @@ crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h

+apps/openssl-vms.cnf: apps/openssl.cnf
+	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE

-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE

 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -791,7 +790,9 @@ dist:
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)

-install: all install_docs
+install: all install_docs install_sw
+
+install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
@@ -816,7 +817,9 @@ install: all install_docs
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			if ! egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+			if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+				: ; \
+			else \
 				$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			fi; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
--- a/7
+++ b/7
@@ -5,12 +5,17 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+
+      o Fix race condition in CRL checking code.
+      o Fixes to PKCS#7 (S/MIME) code.
+
  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:

      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
      o Security: Fix null-pointer assignment in do_change_cipher_spec()
      o Allow multiple active certificates with same subject in CA index
-      o Multiple X590 verification fixes
+      o Multiple X509 verification fixes
      o Speed up HMAC and other operations

  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
--- a/16
+++ b/16
@@ -1,5 +1,5 @@

- OpenSSL 0.9.7d 17 Mar 2004
+ OpenSSL 0.9.7e 25 Oct 2004

 Copyright (c) 1998-2004 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -173,11 +173,17 @@
 textual explanation of what your patch does.

 Note: For legal reasons, contributions from the US can be accepted only
- if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
- see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
+ if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
+ (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
+ please take some time to look at
+    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ and
+    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
+ for the details. If "your encryption source code is too large to serve as
+ an email attachment", they are glad to receive it by fax instead; hope you
+ have a cheap long-distance plan.

- The preferred format for changes is "diff -u" output. You might
+ Our preferred format for changes is "diff -u" output. You might
 generate it like this:

 # cd openssl-work
--- a/2
+++ b/2
@@ -1,6 +1,6 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2004/03/23 15:00:59 $
+  ______________                           $Date: 2004/03/17 12:01:16 $

  DEVELOPMENT STATE

--- a/114
+++ b/114
@@ -1818,10 +1818,10 @@ $rc4_obj      = asm/rx86-elf.o
 $rmd160_obj   = asm/rm86-elf.o
 $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
-$shared_target= 
-$shared_cflag = 
+$shared_target= linux-shared
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

@@ -2002,12 +2002,12 @@ $arflags      =

 *** debug-steve
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -rdynamic -ldl
-$bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$lflags       = -ldl
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = asm/bn86-elf.o asm/co86-elf.o
 $des_obj      = asm/dx86-elf.o asm/yx86-elf.o
 $bf_obj       = asm/bx86-elf.o
@@ -2075,6 +2075,56 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

+*** debug-vos-gcc
+$cc           = gcc
+$cflags       = -b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = BN_LLONG
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** debug-vos-vcc
+$cc           = vcc
+$cflags       = -b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
 *** dgux-R3-gcc
 $cc           = gcc
 $cflags       = -O3 -fomit-frame-pointer
@@ -3031,7 +3081,7 @@ $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG
 $bn_obj       = 
 $des_obj      = 
@@ -4300,6 +4350,56 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** vos-gcc
+$cc           = gcc
+$cflags       = -b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = BN_LLONG
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** vos-vcc
+$cc           = vcc
+$cflags       = -b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
 *** vxworks-mipsle
 $cc           = ccmips
 $cflags       = -B$(WIND_BASE)/host/$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I$(WIND_BASE)/target/h
--- a/VMS/VMSify-conf.pl
+++ b/VMS/VMSify-conf.pl
@@ -0,0 +1,34 @@
+#! /usr/bin/perl
+
+use strict;
+use warnings;
+
+my @directory_vars = ( "dir", "certs", "crl_dir", "new_certs_dir" );
+my @file_vars = ( "database", "certificate", "serial", "crlnumber",
+		  "crl", "private_key", "RANDFILE" );
+while(<STDIN>) {
+    chomp;
+    foreach my $d (@directory_vars) {
+	if (/^(\s*\#?\s*${d}\s*=\s*)\.\/([^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1sys\\\$disk:\[.$2$3";
+	} elsif (/^(\s*\#?\s*${d}\s*=\s*)(\w[^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1sys\\\$disk:\[.$2$3";
+	}
+	s/^(\s*\#?\s*${d}\s*=\s*\$\w+)\/([^\s\#]*)([\s\#].*)$/$1.$2\]$3/;
+	while(/^(\s*\#?\s*${d}\s*=\s*(\$\w+\.|sys\\\$disk:\[\.)[\w\.]+)\/([^\]]*)\](.*)$/) {
+	    $_ = "$1.$3]$4";
+	}
+    }
+    foreach my $f (@file_vars) {
+	s/^(\s*\#?\s*${f}\s*=\s*)\.\/(.*)$/$1sys\\\$disk:\[\/$2/;
+	while(/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+\/[^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1.$3$4";
+	}
+	if (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+)([\s\#].*)$/) {
+	    $_ = "$1]$3.$4";
+	} elsif  (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/([^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1]$3$4";
+	}
+   }
+    print $_,"\n";
+}
--- a/VMS/mkshared.com
+++ b/VMS/mkshared.com
@@ -266,6 +266,14 @@ $             falsesum = falsesum + 1
 $         endif
 $         if plat_entry .eqs. "VMS" then truesum = truesum + 1
 $         if plat_entry .eqs. "!VMS" then falsesum = falsesum + 1
+$         if f$trnlnm("OPENSSL_FIPS") .nes. ""
+$         then
+$           if plat_entry .eqs. "OPENSSL_FIPS" then truesum = truesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then falsesum = falsesum + 1
+$         else
+$           if plat_entry .eqs. "OPENSSL_FIPS" then falsesum = falsesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then truesum = truesum + 1
+$         endif
 $	  goto loop1
 $       endif
 $     endloop1:
--- a/apps/.cvsignore
+++ b/apps/.cvsignore
@@ -3,3 +3,4 @@ Makefile.save
 der_chop
 der_chop.bak
 CA.pl
+openssl.sha1
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -44,7 +44,7 @@ E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
 	ca crl rsa rsautl dsa dsaparam \
 	x509 genrsa gendsa s_server s_client speed \
 	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
-	pkcs8 spkac smime rand engine ocsp
+	pkcs8 spkac smime rand engine ocsp prime

 PROGS= $(PROGRAM).c

@@ -60,14 +60,14 @@ E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
 	rsa.o rsautl.o dsa.o dsaparam.o \
 	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
 	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
-	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o

 E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
 	pkcs7.c crl2p7.c crl.c \
 	rsa.c rsautl.c dsa.c dsaparam.c \
 	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
 	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
-	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c prime.c

 SRC=$(E_SRC)

@@ -83,7 +83,7 @@ top:

 all:	exe

-exe:	$(PROGRAM)
+exe:	$(EXE)

 req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
 	LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
@@ -141,16 +141,18 @@ $(DLIBSSL):
 $(DLIBCRYPTO):
 	(cd ..; $(MAKE) DIRS=crypto all)

-$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
-	$(RM) $(PROGRAM)
+$(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(EXE)
 	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
 	else \
 	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
+	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	fi
-	TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(PROGRAM)
-	-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \
+	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+		TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
+	fi
+	-(cd ..; OPENSSL="`pwd`/apps/$(EXE)"; export OPENSSL; \
 		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
 		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
 		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
@@ -750,6 +752,28 @@ pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
 pkcs8.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
+prime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+prime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+prime.o: ../include/openssl/cast.h ../include/openssl/conf.h
+prime.o: ../include/openssl/crypto.h ../include/openssl/des.h
+prime.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+prime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+prime.o: ../include/openssl/engine.h ../include/openssl/err.h
+prime.o: ../include/openssl/evp.h ../include/openssl/idea.h
+prime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+prime.o: ../include/openssl/md4.h ../include/openssl/md5.h
+prime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+prime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+prime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+prime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+prime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+prime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+prime.o: ../include/openssl/sha.h ../include/openssl/stack.h
+prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+prime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h prime.c
 rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -148,9 +148,11 @@ int WIN32_rename(char *oldname,char *newname);
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #else
 extern CONF *config;
 extern BIO *bio_err;
+extern int in_FIPS_mode;
 #endif

 #else
@@ -159,6 +161,7 @@ extern BIO *bio_err;
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
+extern int in_FIPS_mode;

 #endif

--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -278,6 +278,7 @@ bad:
 		tmplen=num;
 		for (i=0; i<sk_num(osk); i++)
 			{
+			int typ;
 			ASN1_TYPE *atmp;
 			j=atoi(sk_value(osk,i));
 			if (j == 0)
@@ -296,6 +297,15 @@ bad:
 				ERR_print_errors(bio_err);
 				goto end;
 				}
+			typ = ASN1_TYPE_get(at);
+			if ((typ == V_ASN1_OBJECT)
+				|| (typ == V_ASN1_NULL))
+				{
+				BIO_printf(bio_err, "Can't parse %s type\n",
+					typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+				ERR_print_errors(bio_err);
+				goto end;
+				}
 			/* hmm... this is a little evil but it works */
 			tmpbuf=at->value.asn1_string->data;
 			tmplen=at->value.asn1_string->length;
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -538,10 +538,6 @@ bad:

 	ERR_load_crypto_strings();

-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
-
 	/*****************************************************************/
 	tofree=NULL;
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
@@ -586,6 +582,10 @@ bad:
 	if (!load_config(bio_err, conf))
 		goto err;

+#ifndef OPENSSL_NO_ENGINE
+	e = setup_engine(bio_err, engine, 0);
+#endif
+
 	/* Lets get the config section we are using */
 	if (section == NULL)
 		{
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -330,7 +330,13 @@ int MAIN(int argc, char **argv)
 	}

 	/* we use md as a filter, reading from 'in' */
-	BIO_set_md(bmd,md);
+	if (!BIO_set_md(bmd,md))
+		{
+		BIO_printf(bio_err, "Error setting digest %s\n", pname);
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+		
 	inp=BIO_push(bmd,in);

 	if (argc == 0)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -114,6 +114,7 @@ int MAIN(int argc, char **argv)
 	unsigned char salt[PKCS5_SALT_LEN];
 	char *str=NULL, *passarg = NULL, *pass = NULL;
 	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
+	char *md=NULL;
 	int enc=1,printkey=0,i,base64=0;
 	int debug=0,olb64=0,nosalt=0;
 	const EVP_CIPHER *cipher=NULL,*c;
@@ -124,6 +125,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
+	const EVP_MD *dgst=NULL;

 	apps_startup();

@@ -253,6 +255,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			hiv= *(++argv);
 			}
+		else if (strcmp(*argv,"-md") == 0)
+			{
+			if (--argc < 1) goto bad;
+			md= *(++argv);
+			}
 		else if	((argv[0][0] == '-') &&
 			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 			{
@@ -271,8 +278,10 @@ bad:
 			BIO_printf(bio_err,"%-14s encrypt\n","-e");
 			BIO_printf(bio_err,"%-14s decrypt\n","-d");
 			BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
-			BIO_printf(bio_err,"%-14s key is the next argument\n","-k");
-			BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile");
+			BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
+			BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
+			BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
+			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
@@ -296,6 +305,20 @@ bad:
        e = setup_engine(bio_err, engine, 0);
 #endif

+	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+		{
+		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+		goto end;
+		}
+
+	if (dgst == NULL)
+		{
+		if (in_FIPS_mode)
+			dgst = EVP_sha1();
+		else
+			dgst = EVP_md5();
+		}
+
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -483,7 +506,7 @@ bad:
 				sptr = salt;
 			}

-			EVP_BytesToKey(cipher,EVP_md5(),sptr,
+			EVP_BytesToKey(cipher,dgst,sptr,
 				(unsigned char *)str,
 				strlen(str),1,key,iv);
 			/* zero the complete buffer or the string
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -142,13 +142,13 @@ $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
 	      "RSA;RSAUTL;DSA;DSAPARAM;"+-
 	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
 	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
-	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP"
+	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME"
 $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
 	       CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
 	       RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
 	       X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
 	       S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
-	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ
+	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ,PRIME.OBJ
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
     TCPIP_PROGRAMS = ",OPENSSL,"
@@ -679,7 +679,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -711,7 +711,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -743,7 +743,7 @@ $!    Use GNU C...
 $!
 $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
 $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #

+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
-oid_file		= $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids

 # To use this configuration file with the "-extfile" option of the
@@ -29,22 +34,35 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]

-dir		= sys\$disk:[.demoCA	# Where everything is kept
+dir		= sys\$disk:[.demoCA		# Where everything is kept
 certs		= $dir.certs]		# Where the issued certs are kept
 crl_dir		= $dir.crl]		# Where the issued crl are kept
 database	= $dir]index.txt	# database index file.
-new_certs_dir	= $dir.newcerts]	# default place for new certs.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir.newcerts]		# default place for new certs.

 certificate	= $dir]cacert.pem 	# The CA certificate
-serial		= $dir]serial.		# The current serial number
+serial		= $dir]serial. 		# The current serial number
+#crlnumber	= $dir]crlnumber.	# the current crl number must be
+					# commented out to leave a V1 CRL
 crl		= $dir]crl.pem 		# The current CRL
 private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file

 x509_extensions	= usr_cert		# The extentions to add to the cert

+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext

 default_days	= 365			# how long to certify for
@@ -86,16 +104,19 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert

-# This sets the permitted types in a DirectoryString. There are several
-# options. 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
 # so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr

 # req_extensions = v3_req # The extensions to add to a certificate request

@@ -124,7 +145,7 @@ commonName			= Common Name (eg, YOUR name)
 commonName_max			= 64

 emailAddress			= Email Address
-emailAddress_max		= 40
+emailAddress_max		= 64

 # SET-ex3			= SET extension number 3

@@ -172,6 +193,9 @@ authorityKeyIdentifier=keyid,issuer:always
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move

 # Copy subject details
 # issuerAltName=issuer:copy
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -148,6 +148,7 @@ char *default_config_file=NULL;
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #endif


@@ -228,10 +229,12 @@ int main(int Argc, char *Argv[])
 	char **argv,*p;
 	LHASH *prog=NULL;
 	long errline;
- 
+
 	arg.data=NULL;
 	arg.count=0;

+	in_FIPS_mode = 0;
+
 #ifdef OPENSSL_FIPS
 	if(getenv("OPENSSL_FIPS")) {
 #if defined(_WIN32)
@@ -242,10 +245,11 @@ int main(int Argc, char *Argv[])
 		p = Argv[0];
 #endif
 		if (!FIPS_mode_set(1,p)) {
-		ERR_load_crypto_strings();
-		ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-		exit(1);
-			}
+			ERR_load_crypto_strings();
+			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+			exit(1);
+		}
+		in_FIPS_mode = 1;
 		if (getenv("OPENSSL_FIPS_MD5"))
 			FIPS_allow_md5(1);
 		}
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -44,8 +44,8 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.

 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
-#crlnumber	= $dir/crlnumber	# the current crl number
-					# must be commented out to leave a V1 CRL
+#crlnumber	= $dir/crlnumber	# the current crl number must be
+					# commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -1,6 +1,6 @@
 /* pkcs8.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -68,7 +68,7 @@
 int MAIN(int, char **);

 int MAIN(int argc, char **argv)
-{
+	{
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
@@ -100,43 +100,70 @@ int MAIN(int argc, char **argv)
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
-	while (!badarg && *args && *args[0] == '-') {
-		if (!strcmp(*args,"-v2")) {
-			if (args[1]) {
+	while (!badarg && *args && *args[0] == '-')
+		{
+		if (!strcmp(*args,"-v2"))
+			{
+			if (args[1])
+				{
 				args++;
 				cipher=EVP_get_cipherbyname(*args);
-				if(!cipher) {
+				if (!cipher)
+					{
 					BIO_printf(bio_err,
 						 "Unknown cipher %s\n", *args);
 					badarg = 1;
+					}
 				}
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-v1")) {
-			if (args[1]) {
+			else
+				badarg = 1;
+			}
+		else if (!strcmp(*args,"-v1"))
+			{
+			if (args[1])
+				{
 				args++;
 				pbe_nid=OBJ_txt2nid(*args);
-				if(pbe_nid == NID_undef) {
+				if (pbe_nid == NID_undef)
+					{
 					BIO_printf(bio_err,
 						 "Unknown PBE algorithm %s\n", *args);
 					badarg = 1;
+					}
 				}
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-inform")) {
-			if (args[1]) {
+			else
+				badarg = 1;
+			}
+		else if (!strcmp(*args,"-inform"))
+			{
+			if (args[1])
+				{
 				args++;
 				informat=str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-outform")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp(*args,"-outform"))
+			{
+			if (args[1])
+				{
 				args++;
 				outformat=str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-topk8")) topk8 = 1;
-		else if (!strcmp (*args, "-noiter")) iter = 1;
-		else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
-		else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
-		else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB;
-		else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM;
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-topk8"))
+			topk8 = 1;
+		else if (!strcmp (*args, "-noiter"))
+			iter = 1;
+		else if (!strcmp (*args, "-nocrypt"))
+			nocrypt = 1;
+		else if (!strcmp (*args, "-nooct"))
+			p8_broken = PKCS8_NO_OCTET;
+		else if (!strcmp (*args, "-nsdb"))
+			p8_broken = PKCS8_NS_DB;
+		else if (!strcmp (*args, "-embed"))
+			p8_broken = PKCS8_EMBEDDED_PARAM;
 		else if (!strcmp(*args,"-passin"))
 			{
 			if (!args[1]) goto bad;
@@ -154,21 +181,30 @@ int MAIN(int argc, char **argv)
 			engine= *(++args);
 			}
 #endif
-		else if (!strcmp (*args, "-in")) {
-			if (args[1]) {
+		else if (!strcmp (*args, "-in"))
+			{
+			if (args[1])
+				{
 				args++;
 				infile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-out")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-out"))
+			{
+			if (args[1])
+				{
 				args++;
 				outfile = *args;
-			} else badarg = 1;
-		} else badarg = 1;
+				}
+			else badarg = 1;
+			}
+		else badarg = 1;
 		args++;
-	}
+		}

-	if (badarg) {
+	if (badarg)
+		{
 		bad:
 		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf(bio_err, "where options are\n");
@@ -189,147 +225,199 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
-		return (1);
-	}
+		return 1;
+		}

 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif

-	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
+		{
 		BIO_printf(bio_err, "Error getting passwords\n");
-		return (1);
-	}
+		return 1;
+		}

-	if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+	if ((pbe_nid == -1) && !cipher)
+		pbe_nid = NID_pbeWithMD5AndDES_CBC;

-	if (infile) {
-		if (!(in = BIO_new_file(infile, "rb"))) {
+	if (infile)
+		{
+		if (!(in = BIO_new_file(infile, "rb")))
+			{
 			BIO_printf(bio_err,
 				 "Can't open input file %s\n", infile);
 			return (1);
+			}
 		}
-	} else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+	else
+		in = BIO_new_fp (stdin, BIO_NOCLOSE);

-	if (outfile) {
-		if (!(out = BIO_new_file (outfile, "wb"))) {
+	if (outfile)
+		{
+		if (!(out = BIO_new_file (outfile, "wb")))
+			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			return (1);
+			}
 		}
-	} else {
+	else
+		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
-		{
+			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
-		}
+			}
 #endif
-	}
+		}
 	if (topk8)
 		{
 		BIO_free(in); /* Not needed in this section */
 		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
-		if (!pkey) {
-			return (1);
-		}
-		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
+		if (!pkey)
+			{
+			BIO_free_all(out);
+			return 1;
+			}
+		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
+			{
 			BIO_printf(bio_err, "Error converting key\n");
 			ERR_print_errors(bio_err);
-			return (1);
-		}
-		if(nocrypt) {
-			if(outformat == FORMAT_PEM) 
-				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
-			else if(outformat == FORMAT_ASN1)
-				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
-			else {
-				BIO_printf(bio_err, "Bad format specified for key\n");
-				return (1);
+			EVP_PKEY_free(pkey);
+			BIO_free_all(out);
+			return 1;
 			}
-		} else {
-			if(passout) p8pass = passout;
-			else {
+		if (nocrypt)
+			{
+			if (outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+			else if (outformat == FORMAT_ASN1)
+				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+			else
+				{
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
+				return (1);
+				}
+			}
+		else
+			{
+			if (passout)
+				p8pass = passout;
+			else
+				{
 				p8pass = pass;
 				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
+					{
+					PKCS8_PRIV_KEY_INFO_free(p8inf);
+					EVP_PKEY_free(pkey);
+					BIO_free_all(out);
 					return (1);
-			}
+					}
+				}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
 					p8pass, strlen(p8pass),
-					NULL, 0, iter, p8inf))) {
+					NULL, 0, iter, p8inf)))
+				{
 				BIO_printf(bio_err, "Error encrypting key\n");
 				ERR_print_errors(bio_err);
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
 				return (1);
-			}
+				}
 			app_RAND_write_file(NULL, bio_err);
-			if(outformat == FORMAT_PEM) 
+			if (outformat == FORMAT_PEM) 
 				PEM_write_bio_PKCS8(out, p8);
-			else if(outformat == FORMAT_ASN1)
+			else if (outformat == FORMAT_ASN1)
 				i2d_PKCS8_bio(out, p8);
-			else {
+			else
+				{
 				BIO_printf(bio_err, "Bad format specified for key\n");
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
 				return (1);
-			}
+				}
 			X509_SIG_free(p8);
-		}
+			}
+
 		PKCS8_PRIV_KEY_INFO_free (p8inf);
 		EVP_PKEY_free(pkey);
 		BIO_free_all(out);
-		if(passin) OPENSSL_free(passin);
-		if(passout) OPENSSL_free(passout);
+		if (passin)
+			OPENSSL_free(passin);
+		if (passout)
+			OPENSSL_free(passout);
 		return (0);
-	}
+		}

-	if(nocrypt) {
-		if(informat == FORMAT_PEM) 
+	if (nocrypt)
+		{
+		if (informat == FORMAT_PEM) 
 			p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
-		else if(informat == FORMAT_ASN1)
+		else if (informat == FORMAT_ASN1)
 			p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
+			}
 		}
-	} else {
-		if(informat == FORMAT_PEM) 
+	else
+		{
+		if (informat == FORMAT_PEM) 
 			p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
-		else if(informat == FORMAT_ASN1)
+		else if (informat == FORMAT_ASN1)
 			p8 = d2i_PKCS8_bio(in, NULL);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
-		}
+			}

-		if (!p8) {
+		if (!p8)
+			{
 			BIO_printf (bio_err, "Error reading key\n");
 			ERR_print_errors(bio_err);
 			return (1);
-		}
-		if(passin) p8pass = passin;
-		else {
+			}
+		if (passin)
+			p8pass = passin;
+		else
+			{
 			p8pass = pass;
 			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
-		}
+			}
 		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
 		X509_SIG_free(p8);
-	}
+		}

-	if (!p8inf) {
+	if (!p8inf)
+		{
 		BIO_printf(bio_err, "Error decrypting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
-	}
+		}

-	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
+	if (!(pkey = EVP_PKCS82PKEY(p8inf)))
+		{
 		BIO_printf(bio_err, "Error converting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
-	}
+		}
 	
-	if (p8inf->broken) {
+	if (p8inf->broken)
+		{
 		BIO_printf(bio_err, "Warning: broken key encoding: ");
-		switch (p8inf->broken) {
+		switch (p8inf->broken)
+			{
 			case PKCS8_NO_OCTET:
 			BIO_printf(bio_err, "No Octet String in PrivateKey\n");
 			break;
@@ -349,21 +437,24 @@ int MAIN(int argc, char **argv)
 	}
 	
 	PKCS8_PRIV_KEY_INFO_free(p8inf);
-	if(outformat == FORMAT_PEM) 
+	if (outformat == FORMAT_PEM) 
 		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
-	else if(outformat == FORMAT_ASN1)
+	else if (outformat == FORMAT_ASN1)
 		i2d_PrivateKey_bio(out, pkey);
-	else {
+	else
+		{
 		BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
-	}
+		}

 	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
-	if(passin) OPENSSL_free(passin);
-	if(passout) OPENSSL_free(passout);
+	if (passin)
+		OPENSSL_free(passin);
+	if (passout)
+		OPENSSL_free(passout);

 	return (0);
-}
+	}
--- a/apps/prime.c
+++ b/apps/prime.c
@@ -0,0 +1,118 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+
+#include "apps.h"
+#include <openssl/bn.h>
+
+
+#undef PROG
+#define PROG prime_main
+
+int MAIN(int argc, char **argv)
+    {
+    int hex=0;
+    int checks=20;
+    BIGNUM *bn=NULL;
+    BIO *bio_out=NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+    if (bio_out == NULL)
+	if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+	    {
+	    BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+	    {
+	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	    bio_out = BIO_push(tmpbio, bio_out);
+	    }
+#endif
+	    }
+
+    --argc;
+    ++argv;
+    while (argc >= 1 && **argv == '-')
+	{
+	if(!strcmp(*argv,"-hex"))
+	    hex=1;
+	else if(!strcmp(*argv,"-checks"))
+	    if(--argc < 1)
+		goto bad;
+	    else
+		checks=atoi(*++argv);
+	else
+	    {
+	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
+	bad:
+	    BIO_printf(bio_err,"options are\n");
+	    BIO_printf(bio_err,"%-14s hex\n","-hex");
+	    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
+	    exit(1);
+	    }
+	--argc;
+	++argv;
+	}
+
+    if(hex)
+	BN_hex2bn(&bn,argv[0]);
+    else
+	BN_dec2bn(&bn,argv[0]);
+
+    BN_print(bio_out,bn);
+    BIO_printf(bio_out," is %sprime\n",
+	       BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
+
+    return 0;
+    }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -35,6 +35,7 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
 #ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
 #endif
@@ -115,6 +116,7 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
 #ifndef OPENSSL_NO_ENGINE
 	{FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -1395,6 +1395,7 @@ int MAIN(int argc, char **argv)
 					EVP_DecryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
 				else
 					EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
+				EVP_CIPHER_CTX_set_padding(&ctx, 0);

 				Time_F(START);
 				if(decrypt)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -593,12 +593,16 @@ bad:
 		if ((x=X509_new()) == NULL) goto end;
 		ci=x->cert_info;

-		if (sno)
+		if (sno == NULL)
 			{
-			if (!X509_set_serialNumber(x, sno))
+			sno = ASN1_INTEGER_new();
+			if (!sno || !rand_serial(NULL, sno))
 				goto end;
 			}
-		else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
+
+		if (!X509_set_serialNumber(x, sno)) 
+			goto end;
+
 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
 		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;

@@ -1067,13 +1071,6 @@ static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create
 		}
 	else
 		BUF_strlcpy(buf,serialfile,len);
-	serial=BN_new();
-	bs=ASN1_INTEGER_new();
-	if ((serial == NULL) || (bs == NULL))
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}

 	serial = load_serial(buf, create, NULL);
 	if (serial == NULL) goto end;
--- a/23
+++ b/23
@@ -23,6 +23,7 @@
 PREFIX=""
 SUFFIX=""
 TEST="false"
+EXE=""

 # pick up any command line args to config
 for i
@@ -288,6 +289,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-whatever-sysv4"; exit 0
 	;;

+    VOS:*:*:i786)
+     echo "i386-stratus-vos"; exit 0
+     ;;
+
+    VOS:*:*:*)
+     echo "hppa1.1-stratus-vos"; exit 0
+     ;;
+
    *:4*:R4*:m88k)
 	echo "${MACHINE}-whatever-sysv4"; exit 0
 	;;
@@ -679,6 +688,10 @@ EOF
  *-*-UnixWare21*) OUT="unixware-2.1" ;;
  *-*-Unixware20*) OUT="unixware-2.0" ;;
  *-*-Unixware21*) OUT="unixware-2.1" ;;
+  *-*-vos)
+	options="$options no-threads no-shared no-asm no-dso"
+	EXE=".pm"
+	OUT="vos-$CC" ;;
  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
@@ -806,8 +819,8 @@ fi

 if [ ".$PERL" = . ] ; then
 	for i in . `echo $PATH | sed 's/:/ /g'`; do
-		if [ -f "$i/perl5" ] ; then
-			PERL="$i/perl5"
+		if [ -f "$i/perl5$EXE" ] ; then
+			PERL="$i/perl5$EXE"
 			break;
 		fi;
 	done
@@ -815,9 +828,9 @@ fi

 if [ ".$PERL" = . ] ; then
 	for i in . `echo $PATH | sed 's/:/ /g'`; do
-		if [ -f "$i/perl" ] ; then
-			if "$i/perl" -e 'exit($]<5.0)'; then
-				PERL="$i/perl"
+		if [ -f "$i/perl$EXE" ] ; then
+			if "$i/perl$EXE" -e 'exit($]<5.0)'; then
+				PERL="$i/perl$EXE"
 				break;
 			fi;
 		fi;
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@@ -52,6 +52,8 @@
 #ifndef HEADER_AES_H
 #define HEADER_AES_H

+#include <openssl/e_os2.h>
+
 #ifdef OPENSSL_NO_AES
 #error AES is disabled.
 #endif
@@ -64,6 +66,10 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16

+#if defined(OPENSSL_FIPS)
+#define FIPS_AES_SIZE_T	int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -59,7 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"

-/* NOTE: CTR mode is big-endian.  The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian.  The rest of the AES code
 * is endian-neutral. */

 /* increment counter (128-bit int) by 1 */
@@ -67,61 +67,36 @@ static void AES_ctr128_inc(unsigned char *counter) {
 	unsigned long c;

 	/* Grab bottom dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter +  0);
-	c++;
-	PUTU32(counter +  0, c);
-#else
 	c = GETU32(counter + 12);
-	c++;
+	c++;	c &= 0xFFFFFFFF;
 	PUTU32(counter + 12, c);
-#endif

 	/* if no overflow, we're done */
 	if (c)
 		return;

 	/* Grab 1st dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter +  4);
-	c++;
-	PUTU32(counter +  4, c);
-#else
 	c = GETU32(counter +  8);
-	c++;
+	c++;	c &= 0xFFFFFFFF;
 	PUTU32(counter +  8, c);
-#endif

 	/* if no overflow, we're done */
 	if (c)
 		return;

 	/* Grab 2nd dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter +  8);
-	c++;
-	PUTU32(counter +  8, c);
-#else
 	c = GETU32(counter +  4);
-	c++;
+	c++;	c &= 0xFFFFFFFF;
 	PUTU32(counter +  4, c);
-#endif

 	/* if no overflow, we're done */
 	if (c)
 		return;

 	/* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter + 12);
-	c++;
-	PUTU32(counter + 12, c);
-#else
 	c = GETU32(counter +  0);
-	c++;
+	c++;	c &= 0xFFFFFFFF;
 	PUTU32(counter +  0, c);
-#endif
-
 }

 /* The input encrypted as though 128bit counter mode is being
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>

-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@@ -115,7 +115,7 @@ err:

 #endif

-int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d)
+int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
 	{
 	static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
 	static int max[9]={99, 99,12,31,23,59,59,12,59};
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}

 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
-{ return M_ASN1_INTEGER_cmp(x,y);}
+	{ 
+	int neg, ret;
+	/* Compare signs */
+	neg = x->type & V_ASN1_NEG;
+	if (neg != (y->type & V_ASN1_NEG))
+		{
+		if (neg)
+			return -1;
+		else
+			return 1;
+		}
+
+	ret = ASN1_STRING_cmp(x, y);
+
+	if (neg)
+		return -ret;
+	else
+		return ret;
+	}
+	

 /* 
 * This converts an ASN1 INTEGER into its content encoding.
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
 * project 2000.
 */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
 	if(mbflag == -1) return -1;
-	mbflag |= MBSTRING_FLAG;
+	if (mbflag == 0)
+		mbflag = MBSTRING_UTF8;
+	else if (mbflag == 4)
+		mbflag = MBSTRING_UNIV;
+	else		
+		mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -114,7 +114,7 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 	return ASN1_GENERALIZEDTIME_set(s,t);
 	}

-int ASN1_TIME_check(const ASN1_TIME *t)
+int ASN1_TIME_check(ASN1_TIME *t)
 	{
 	if (t->type == V_ASN1_GENERALIZEDTIME)
 		return ASN1_GENERALIZEDTIME_check(t);
@@ -124,8 +124,7 @@ int ASN1_TIME_check(const ASN1_TIME *t)
 	}

 /* Convert an ASN1_TIME structure to GeneralizedTime */
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
-						   ASN1_GENERALIZEDTIME **out)
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
 	{
 	ASN1_GENERALIZEDTIME *ret;
 	char *str;
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -112,7 +112,7 @@ err:

 #endif

-int ASN1_UTCTIME_check(const ASN1_UTCTIME *d)
+int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
 	{
 	static int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0};
 	static int max[8]={99,12,31,23,59,59,12,59};
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -754,7 +754,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);

 DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)

-int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
+int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
@@ -762,7 +762,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
 #endif

-int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
+int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 

@@ -793,8 +793,8 @@ DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)

 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
-int ASN1_TIME_check(const ASN1_TIME *t);
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
+int ASN1_TIME_check(ASN1_TIME *t);
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);

 int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
 			int (*func)(), int ex_tag, int ex_class, int is_set);
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
 /* p5_pbev2.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;

 	/* Create random IV */
-	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+	if (EVP_CIPHER_iv_length(cipher) &&
+		RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
 		goto err;

 	EVP_CIPHER_CTX_init(&ctx);
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
 		ASN1err(ASN1_F_PKCS5_PBE2_SET,
 					ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		goto err;
 	}
 	EVP_CIPHER_CTX_cleanup(&ctx);
--- a/crypto/asn1/x_crl.c
+++ b/crypto/asn1/x_crl.c
@@ -63,8 +63,6 @@

 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
 				const X509_REVOKED * const *b);
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-				const X509_REVOKED * const *b);

 ASN1_SEQUENCE(X509_REVOKED) = {
 	ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
 	ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)

-/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
- * mirroring the old behaviour: its purpose is to allow the use of
- * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
- * this will zap the original order and the signature so we keep a copy
- * of the original positions and reorder appropriately before encoding.
- *
- * Might want to see if there's a better way of doing this later...
+/* The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding the signature wont be affected by
+ * reordering of the revoked field.
 */
 static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
 	X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
-	int i;
-	int (*old_cmp)(const X509_REVOKED * const *,
-			const X509_REVOKED * const *);

 	if(!a || !a->revoked) return 1;
 	switch(operation) {
-
-		/* Save original order */
+		/* Just set cmp function here. We don't sort because that
+		 * would affect the output of X509_CRL_print().
+		 */
 		case ASN1_OP_D2I_POST:
-		for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
-			sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
 		sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
 		break;
-
-		/* Restore original order */
-		case ASN1_OP_I2D_PRE:
-		old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
-		sk_X509_REVOKED_sort(a->revoked);
-		sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
-		break;
 	}
 	return 1;
 }


-ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
 	ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
 	ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
 	ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
 	ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
 	ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
 	ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)

 ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
 	ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
 		(ASN1_STRING *)(*b)->serialNumber));
 	}

-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-				const X509_REVOKED * const *b)
-	{
-	return((*a)->sequence-(*b)->sequence);
-	}
-
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
 	X509_CRL_INFO *inf;
--- a/crypto/bn/asm/ia64.S
+++ b/crypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident	"ia64.S, Version 2.0"
+.ident	"ia64.S, Version 2.1"
 .ident	"IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"

 //
@@ -35,7 +35,7 @@
 // What does it mean? You might ratiocinate that the original code
 // should run just faster... Because sum of latencies is smaller...
 // Wrong! Note that getf latency increased. This means that if a loop is
-// scheduled for lower latency (and they are), then it will suffer from
+// scheduled for lower latency (as they were), then it will suffer from
 // stall condition and the code will therefore turn anti-scalable, e.g.
 // original bn_mul_words spun at 5*n or 2.5 times slower than expected
 // on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
 //	-Drum=nop.m in command line.
 //

+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+#define	ADDP	addp4
+#else
+#define	ADDP	add
+#endif
+
 #if 1
 //
 // bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
 	brp.loop.imp	.L_bn_add_words_ctop,.L_bn_add_words_cend-16
 					}
 	.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32		// rp
-#else
-	mov		r14=r32			// rp
-#endif
+{ .mib;	ADDP		r14=0,r32		// rp
 	mov		r9=pr		};;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r15=0,r33		// ap
-#else
-	mov		r15=r33			// ap
-#endif
+{ .mii;	ADDP		r15=0,r33		// ap
 	mov		ar.lc=r10
 	mov		ar.ec=6		}
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r16=0,r34		// bp
-#else
-	mov		r16=r34			// bp
-#endif
+{ .mib;	ADDP		r16=0,r34		// bp
 	mov		pr.rot=1<<16	};;

 .L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
 	brp.loop.imp	.L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
 					}
 	.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32		// rp
-#else
-	mov		r14=r32			// rp
-#endif
+{ .mib;	ADDP		r14=0,r32		// rp
 	mov		r9=pr		};;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r15=0,r33		// ap
-#else
-	mov		r15=r33			// ap
-#endif
+{ .mii;	ADDP		r15=0,r33		// ap
 	mov		ar.lc=r10
 	mov		ar.ec=6		}
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r16=0,r34		// bp
-#else
-	mov		r16=r34			// bp
-#endif
+{ .mib;	ADDP		r16=0,r34		// bp
 	mov		pr.rot=1<<16	};;

 .L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:

 #ifndef XMA_TEMPTATION

-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32	// rp
-	addp4		r15=0,r33	// ap
-#else
-	mov		r14=r32		// rp
-	mov		r15=r33		// ap
-#endif
+{ .mmi;	ADDP		r14=0,r32	// rp
+	ADDP		r15=0,r33	// ap
 	mov		ar.lc=r10	}
-{ .mii;	mov		r40=0	// serves as r35 at first (p27)
+{ .mmi;	mov		r40=0		// serves as r35 at first (p27)
 	mov		ar.ec=13	};;

 // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
 .global	bn_mul_add_words#
 .proc	bn_mul_add_words#
 .align	64
-//.skip	0	// makes the loop split at 64-byte boundary
+.skip	48	// makes the loop body aligned at 64-byte boundary
 bn_mul_add_words:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-{ .mii;	alloc		r2=ar.pfs,4,12,0,16
-	cmp4.le		p6,p0=r34,r0	};;
-{ .mfb;	mov		r8=r0			// return value
+	.save	ar.lc,r3
+	.save	pr,r9
+{ .mmi;	alloc		r2=ar.pfs,4,4,0,8
+	cmp4.le		p6,p0=r34,r0
+	mov		r3=ar.lc	};;
+{ .mib;	mov		r8=r0		// return value
+	sub		r10=r34,r0,1
 (p6)	br.ret.spnt.many	b0	};;

-	.save	ar.lc,r3
-{ .mii;	sub	r10=r34,r0,1
-	mov	r3=ar.lc
-	mov	r9=pr			};;
-
 	.body
-{ .mib;	setf.sig	f8=r35	// w
-	mov		pr.rot=0x800001<<16
-			// ------^----- serves as (p50) at first (p27)
+{ .mib;	setf.sig	f8=r35		// w
+	mov		r9=pr
 	brp.loop.imp	.L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
 					}
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32	// rp
-	addp4		r15=0,r33	// ap
-#else
-	mov		r14=r32		// rp
-	mov		r15=r33		// ap
-#endif
+{ .mmi;	ADDP		r14=0,r32	// rp
+	ADDP		r15=0,r33	// ap
 	mov		ar.lc=r10	}
-{ .mii;	mov		r40=0	// serves as r35 at first (p27)
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r18=0,r32	// rp copy
-#else
-	mov		r18=r32		// rp copy
-#endif
-	mov		ar.ec=15	};;
+{ .mii;	ADDP		r16=0,r32	// rp copy
+	mov		pr.rot=0x2001<<16
+			// ------^----- serves as (p40) at first (p27)
+	mov		ar.ec=11	};;

-// This loop spins in 3*(n+14) ticks on Itanium and should spin in
-// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
-// <EFBFBD>-architecture manuals as they become available). As usual it's
-// possible to compress the epilogue, down to 10 in this case, at the
-// cost of scalability. Compressed (and therefore non-scalable) loop
-// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
-// from "wider" IA-64 so let it be scalable! Special attention was
-// paid for having the loop body split at 64-byte boundary. ld8 is
-// scheduled for L1 cache as the data is more than likely there.
-// Indeed, bn_mul_words has put it there a moment ago:-)
+// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
+// Itanium 2. Yes, unlike previous versions it scales:-) Previous
+// version was peforming *all* additions in IALU and was starving
+// for those even on Itanium 2. In this version one addition is
+// moved to FPU and is folded with multiplication. This is at cost
+// of propogating the result from previous call to this subroutine
+// to L2 cache... In other words negligible even for shorter keys.
+// *Overall* performance improvement [over previous version] varies
+// from 11 to 22 percent depending on key length.
 .L_bn_mul_add_words_ctop:
-{ .mfi;	(p25)	getf.sig	r36=f52			// low
-	(p21)	xmpy.lu		f48=f37,f8
-	(p28)	cmp.ltu		p54,p50=r41,r39	}
-{ .mfi;	(p16)	ldf8		f32=[r15],8
-	(p21)	xmpy.hu		f40=f37,f8
-	(p28)	add		r45=r45,r41	};;
-{ .mii;	(p25)	getf.sig	r32=f44			// high
-	.pred.rel	"mutex",p50,p54
-	(p50)	add		r40=r38,r35		// (p27)
-	(p54)	add		r40=r38,r35,1	}	// (p27)
-{ .mfb;	(p28)	cmp.ltu.unc	p60,p0=r45,r41
-	(p0)	nop.f		0x0
-	(p0)	nop.b		0x0		}
-{ .mii;	(p27)	ld8		r44=[r18],8
-	(p62)	cmp.eq.or	p61,p0=-1,r46
-	(p62)	add		r46=1,r46	}
-{ .mfb;	(p30)	st8		[r14]=r47,8
-	(p0)	nop.f		0x0
+.pred.rel	"mutex",p40,p42
+{ .mfi;	(p23)	getf.sig	r36=f45			// low
+	(p20)	xma.lu		f42=f36,f8,f50		// low
+	(p40)	add		r39=r39,r35	}	// (p27)
+{ .mfi;	(p16)	ldf8		f32=[r15],8		// *(ap++)
+	(p20)	xma.hu		f36=f36,f8,f50		// high
+	(p42)	add		r39=r39,r35,1	};;	// (p27)
+{ .mmi;	(p24)	getf.sig	r32=f40			// high
+	(p16)	ldf8		f46=[r16],8		// *(rp1++)
+	(p40)	cmp.ltu		p41,p39=r39,r35	}	// (p27)
+{ .mib;	(p26)	st8		[r14]=r39,8		// *(rp2++)
+	(p42)	cmp.leu		p41,p39=r39,r35		// (p27)
 	br.ctop.sptk	.L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:

-{ .mii;	nop.m		0x0
-.pred.rel	"mutex",p53,p57
-(p53)	add		r8=r38,r0
-(p57)	add		r8=r38,r0,1	}
-{ .mfb;	nop.m	0x0
-	nop.f	0x0
-	nop.b	0x0			};;
-{ .mii;
-(p63)	add		r8=1,r8
-	mov		pr=r9,0x1ffff
-	mov		ar.lc=r3	}
-{ .mfb;	rum		1<<5		// clear um.mfh
-	nop.f		0x0
+{ .mmi;	.pred.rel	"mutex",p40,p42
+(p40)	add		r8=r35,r0
+(p42)	add		r8=r35,r0,1
+	mov		pr=r9,0x1ffff	}
+{ .mib;	rum		1<<5		// clear um.mfh
+	mov		ar.lc=r3
 	br.ret.sptk.many	b0	};;
 .endp	bn_mul_add_words#
 #endif
@@ -527,7 +472,8 @@ bn_sqr_words:
 	sxt4		r34=r34		};;
 { .mii;	cmp.le		p6,p0=r34,r0
 	mov		r8=r0		}	// return value
-{ .mfb;	nop.f		0x0
+{ .mfb;	ADDP		r32=0,r32
+	nop.f		0x0
 (p6)	br.ret.spnt.many	b0	};;

 	.save	ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
 	mov	r9=pr			};;

 	.body
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-{ .mii; addp4		r32=0,r32
-	addp4		r33=0,r33	};;
-#endif
-{ .mib;
+{ .mib;	ADDP		r33=0,r33
 	mov		pr.rot=1<<16
 	brp.loop.imp	.L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
 					}
@@ -605,7 +547,7 @@ bn_sqr_comba8:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc	r2=ar.pfs,2,1,0,0
 	addp4	r33=0,r33
 	addp4	r32=0,r32		};;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
 // clause in Itanium <EFBFBD>-architecture manual? Comments are welcomed and
 // highly appreciated.
 //
+// On Itanium 2 it takes ~190 ticks. This is because of stalls on
+// result from getf.sig. I do nothing about it at this point for
+// reasons depicted below.
+//
 // However! It should be noted that even 160 ticks is darn good result
 // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
 // C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc	r2=ar.pfs,3,0,0,0
 	addp4	r33=0,r33
 	addp4	r34=0,r34		};;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc   r2=ar.pfs,2,1,0,0
 	addp4	r32=0,r32
 	addp4	r33=0,r33		};;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc   r2=ar.pfs,3,0,0,0
 	addp4	r33=0,r33
 	addp4	r34=0,r34		};;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
 #define	I	r21

 #if 0
-// Some preprocessors (most notably HP-UX) apper to be allergic to
-// macros enclosed to parenthesis as these three will be.
+// Some preprocessors (most notably HP-UX) appear to be allergic to
+// macros enclosed to parenthesis [as these three were].
 #define	cont	p16
 #define	break	p0	// p20
 #define	equ	p24
@@ -1581,9 +1527,18 @@ bn_div_words:
 // output:	f8 = (int)(a/b)
 // clobbered:	f8,f9,f10,f11,pred
 pred=p15
-// This procedure is essentially Intel code and therefore is
-// copyrighted to Intel Corporation (I suppose...). It's sligtly
-// modified for specific needs.
+// One can argue that this snippet is copyrighted to Intel
+// Corporation, as it's essentially identical to one of those
+// found in "Divide, Square Root and Remainder" section at
+// http://www.intel.com/software/products/opensource/libraries/num.htm.
+// Yes, I admit that the referred code was used as template,
+// but after I realized that there hardly is any other instruction
+// sequence which would perform this operation. I mean I figure that
+// any independent attempt to implement high-performance division
+// will result in code virtually identical to the Intel code. It
+// should be noted though that below division kernel is 1 cycle
+// faster than Intel one (note commented splits:-), not to mention
+// original prologue (rather lack of one) and epilogue.
 .align	32
 .skip	16
 .L_udiv64_32_b6:
--- a/crypto/comp/c_zlib.c
+++ b/crypto/comp/c_zlib.c
@@ -189,7 +189,17 @@ COMP_METHOD *COMP_zlib(void)
 	if (!zlib_loaded)
 		{
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
-		zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+		zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
+		if (!zlib_dso)
+			{
+			zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
+			if (zlib_dso)
+				{
+				/* Clear the errors from the first failed
+				   DSO_load() */
+				ERR_clear_error();
+				}
+			}
 #else
 		zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -66,11 +66,6 @@
 static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
 #endif

-#ifdef OPENSSL_FIPS
-int FIPS_mode;
-void *FIPS_rand_check;
-#endif /* def OPENSSL_FIPS */
-
 DECLARE_STACK_OF(CRYPTO_dynlock)
 IMPLEMENT_STACK_OF(CRYPTO_dynlock)

@@ -110,7 +105,9 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"engine",
 	"ui",
 	"hwcrhk",		/* This is a HACK which will disappear in 0.9.8 */
-#if CRYPTO_NUM_LOCKS != 33
+	"fips",
+	"fips2",
+#if CRYPTO_NUM_LOCKS != 35
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -517,3 +514,122 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
 		file,line,assertion);
 	abort();
 	}
+
+#ifdef OPENSSL_FIPS
+static int fips_started = 0;
+static int fips_mode = 0;
+static void *fips_rand_check = 0;
+static unsigned long fips_thread = 0;
+
+void fips_set_started(void)
+	{
+	fips_started = 1;
+	}
+
+int fips_is_started(void)
+	{
+	return fips_started;
+	}
+
+int fips_is_owning_thread(void)
+	{
+	int ret = 0;
+
+	if (fips_is_started())
+		{
+		CRYPTO_r_lock(CRYPTO_LOCK_FIPS2);
+		if (fips_thread != 0 && fips_thread == CRYPTO_thread_id())
+			ret = 1;
+		CRYPTO_r_unlock(CRYPTO_LOCK_FIPS2);
+		}
+	return ret;
+	}
+
+int fips_set_owning_thread(void)
+	{
+	int ret = 0;
+
+	if (fips_is_started())
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+		if (fips_thread == 0)
+			{
+			fips_thread = CRYPTO_thread_id();
+			ret = 1;
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+		}
+	return ret;
+	}
+
+int fips_clear_owning_thread(void)
+	{
+	int ret = 0;
+
+	if (fips_is_started())
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_FIPS2);
+		if (fips_thread == CRYPTO_thread_id())
+			{
+			fips_thread = 0;
+			ret = 1;
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_FIPS2);
+		}
+	return ret;
+	}
+
+void fips_set_mode(int onoff)
+	{
+	int owning_thread = fips_is_owning_thread();
+
+	if (fips_is_started())
+		{
+		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+		fips_mode = onoff;
+		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+		}
+	}
+
+void fips_set_rand_check(void *rand_check)
+	{
+	int owning_thread = fips_is_owning_thread();
+
+	if (fips_is_started())
+		{
+		if (!owning_thread) CRYPTO_w_lock(CRYPTO_LOCK_FIPS);
+		fips_rand_check = rand_check;
+		if (!owning_thread) CRYPTO_w_unlock(CRYPTO_LOCK_FIPS);
+		}
+	}
+
+int FIPS_mode(void)
+	{
+	int ret = 0;
+	int owning_thread = fips_is_owning_thread();
+
+	if (fips_is_started())
+		{
+		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+		ret = fips_mode;
+		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+		}
+	return ret;
+	}
+
+void *FIPS_rand_check(void)
+	{
+	void *ret = 0;
+	int owning_thread = fips_is_owning_thread();
+
+	if (fips_is_started())
+		{
+		if (!owning_thread) CRYPTO_r_lock(CRYPTO_LOCK_FIPS);
+		ret = fips_rand_check;
+		if (!owning_thread) CRYPTO_r_unlock(CRYPTO_LOCK_FIPS);
+		}
+	return ret;
+	}
+
+#endif /* OPENSSL_FIPS */
+
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -752,8 +752,8 @@ $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
-$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
-$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
+$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs."
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -128,7 +128,9 @@ extern "C" {
 #define CRYPTO_LOCK_ENGINE		30
 #define CRYPTO_LOCK_UI			31
 #define CRYPTO_LOCK_HWCRHK		32 /* This is a HACK which will disappear in 0.9.8 */
-#define CRYPTO_NUM_LOCKS		33
+#define CRYPTO_LOCK_FIPS		33
+#define CRYPTO_LOCK_FIPS2		34
+#define CRYPTO_NUM_LOCKS		35

 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -434,6 +436,11 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 void OpenSSLDie(const char *file,int line,const char *assertion);
 #define OPENSSL_assert(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))

+#ifdef OPENSSL_FIPS
+int FIPS_mode(void);
+void *FIPS_rand_check(void);
+#endif /* def OPENSSL_FIPS */
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
--- a/crypto/des/Makefile
+++ b/crypto/des/Makefile
@@ -168,7 +168,7 @@ des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 des_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 des_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 des_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-des_enc.o: ../../include/openssl/ui_compat.h des_enc.c des_locl.h
+des_enc.o: ../../include/openssl/ui_compat.h des_enc.c des_locl.h ncbc_enc.c
 des_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 des_old.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 des_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -70,6 +70,8 @@
 * should hold.
 */

+#ifndef OPENSSL_FIPS
+
 int DH_check(const DH *dh, int *ret)
 	{
 	int ok=0;
@@ -118,3 +120,5 @@ err:
 	if (q != NULL) BN_free(q);
 	return(ok);
 	}
+
+#endif
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/crypto/dh/dh_gen.c
+++ b/crypto/dh/dh_gen.c
@@ -86,6 +86,9 @@
 * It's just as OK (and in some sense better) to use a generator of the
 * order-q subgroup.
 */
+
+#ifndef OPENSSL_FIPS
+
 DH *DH_generate_parameters(int prime_len, int generator,
 	     void (*callback)(int,int,void *), void *cb_arg)
 	{
@@ -167,3 +170,5 @@ err:
 		}
 	return(ret);
 	}
+
+#endif
--- a/crypto/dh/dh_key.c
+++ b/crypto/dh/dh_key.c
@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>

+#ifndef OPENSSL_FIPS
+
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -220,3 +222,5 @@ static int dh_finish(DH *dh)
 		BN_MONT_CTX_free((BN_MONT_CTX *)dh->method_mont_p);
 	return(1);
 	}
+
+#endif
--- a/crypto/dsa/dsa.h
+++ b/crypto/dsa/dsa.h
@@ -81,6 +81,10 @@

 #define DSA_FLAG_CACHE_MONT_P	0x01

+#if defined(OPENSSL_FIPS)
+#define FIPS_DSA_SIZE_T	int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -72,7 +72,7 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !FIPS_dsa_check(dsa))
 		return NULL;
 #endif
 	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +96,7 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !FIPS_dsa_check(dsa))
 		return 0;
 #endif
 	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
@@ -74,7 +74,7 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !FIPS_dsa_check(dsa))
 		return -1;
 #endif
 	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
--- a/crypto/engine/hw_cryptodev.c
+++ b/crypto/engine/hw_cryptodev.c
@@ -260,7 +260,7 @@ get_cryptodev_ciphers(const int **cnids)
 	int fd, i, count = 0;

 	if ((fd = get_dev_crypto()) < 0) {
-		*nids = NULL;
+		*cnids = NULL;
 		return (0);
 	}
 	memset(&sess, 0, sizeof(sess));
@@ -300,7 +300,7 @@ get_cryptodev_digests(const int **cnids)
 	int fd, i, count = 0;

 	if ((fd = get_dev_crypto()) < 0) {
-		*nids = NULL;
+		*cnids = NULL;
 		return (0);
 	}
 	memset(&sess, 0, sizeof(sess));
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -149,6 +149,7 @@ static ERR_STRING_DATA ERR_str_libraries[]=
 {ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
 {ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
 {ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
 {0,NULL},
 	};

--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -32,7 +32,8 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
 	p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
 	bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
 	c_all.c c_allc.c c_alld.c evp_lib.c bio_ok.c \
-	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c
+	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
+	e_old.c

 LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
 	e_des.o e_bf.o e_idea.o e_des3.o \
@@ -43,7 +44,8 @@ LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
 	p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
 	bio_md.o bio_b64.o bio_enc.o evp_err.o e_null.o \
 	c_all.o c_allc.o c_alld.o evp_lib.o bio_ok.o \
-	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o
+	evp_pkey.o evp_pbe.o p5_crpt.o p5_crpt2.o \
+	e_old.o

 SRC= $(LIBSRC)

@@ -392,6 +394,23 @@ e_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 e_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 e_null.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 e_null.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_null.c
+e_old.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+e_old.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+e_old.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+e_old.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+e_old.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+e_old.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+e_old.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+e_old.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+e_old.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+e_old.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_old.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_old.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+e_old.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+e_old.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+e_old.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+e_old.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_old.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h e_old.c
 e_rc2.o: ../../e_os.h ../../include/openssl/aes.h ../../include/openssl/asn1.h
 e_rc2.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 e_rc2.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@@ -176,10 +176,11 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
 		{
 	case BIO_CTRL_RESET:
 		if (b->init)
-			EVP_DigestInit_ex(ctx,ctx->digest, NULL);
+			ret = EVP_DigestInit_ex(ctx,ctx->digest, NULL);
 		else
 			ret=0;
-		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
+		if (ret > 0)
+			ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
 		break;
 	case BIO_C_GET_MD:
 		if (b->init)
@@ -213,8 +214,9 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)

 	case BIO_C_SET_MD:
 		md=ptr;
-		EVP_DigestInit_ex(ctx,md, NULL);
-		b->init=1;
+		ret = EVP_DigestInit_ex(ctx,md, NULL);
+		if (ret > 0)
+			b->init=1;
 		break;
 	case BIO_CTRL_DUP:
 		dbio=ptr;
--- a/crypto/evp/e_old.c
+++ b/crypto/evp/e_old.c
@@ -0,0 +1,108 @@
+/* crypto/evp/e_old.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/evp.h>
+
+/* Define some deprecated functions, so older programs
+   don't crash and burn too quickly.  On Windows and VMS,
+   these will never be used, since functions and variables
+   in shared libraries are selected by entry point location,
+   not by name.  */
+
+#ifndef OPENSSL_NO_BF
+#undef EVP_bf_cfb
+const EVP_CIPHER *EVP_bf_cfb(void) { return EVP_bf_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_DES
+#undef EVP_des_cfb
+const EVP_CIPHER *EVP_des_cfb(void) { return EVP_des_cfb64(); }
+#undef EVP_des_ede3_cfb
+const EVP_CIPHER *EVP_des_ede3_cfb(void) { return EVP_des_ede3_cfb64(); }
+#undef EVP_des_ede_cfb
+const EVP_CIPHER *EVP_des_ede_cfb(void) { return EVP_des_ede_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_IDEA
+#undef EVP_idea_cfb
+const EVP_CIPHER *EVP_idea_cfb(void) { return EVP_idea_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_RC2
+#undef EVP_rc2_cfb
+const EVP_CIPHER *EVP_rc2_cfb(void) { return EVP_rc2_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_CAST5
+#undef EVP_cast5_cfb
+const EVP_CIPHER *EVP_cast5_cfb(void) { return EVP_cast5_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_RC5
+#undef EVP_rc5_32_12_16_cfb
+const EVP_CIPHER *EVP_rc5_32_12_16_cfb(void) { return EVP_rc5_32_12_16_cfb64(); }
+#endif
+
+#ifndef OPENSSL_NO_AES
+#undef EVP_aes_128_cfb
+const EVP_CIPHER *EVP_aes_128_cfb(void) { return EVP_aes_128_cfb128(); }
+#undef EVP_aes_192_cfb
+const EVP_CIPHER *EVP_aes_192_cfb(void) { return EVP_aes_192_cfb128(); }
+#undef EVP_aes_256_cfb
+const EVP_CIPHER *EVP_aes_256_cfb(void) { return EVP_aes_256_cfb128(); }
+#endif
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -68,7 +68,7 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	if (c->cipher->set_asn1_parameters != NULL)
 		ret=c->cipher->set_asn1_parameters(c,type);
 	else
-		ret=1;
+		return -1;
 	return(ret);
 	}

@@ -79,7 +79,7 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 	if (c->cipher->get_asn1_parameters != NULL)
 		ret=c->cipher->get_asn1_parameters(c,type);
 	else
-		ret=1;
+		return -1;
 	return(ret);
 	}

--- a/crypto/evp/evp_test.c
+++ b/crypto/evp/evp_test.c
@@ -162,6 +162,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	if(!EVP_EncryptInit_ex(&ctx,c,NULL,key,iv))
 	    {
 	    fprintf(stderr,"EncryptInit failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(10);
 	    }
 	EVP_CIPHER_CTX_set_padding(&ctx,0);
@@ -169,11 +170,13 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	if(!EVP_EncryptUpdate(&ctx,out,&outl,plaintext,pn*multiplier))
 	    {
 	    fprintf(stderr,"Encrypt failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(6);
 	    }
 	if(!EVP_EncryptFinal_ex(&ctx,out+outl,&outl2))
 	    {
 	    fprintf(stderr,"EncryptFinal failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(7);
 	    }

@@ -198,6 +201,7 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	if(!EVP_DecryptInit_ex(&ctx,c,NULL,key,iv))
 	    {
 	    fprintf(stderr,"DecryptInit failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(11);
 	    }
 	EVP_CIPHER_CTX_set_padding(&ctx,0);
@@ -205,11 +209,13 @@ static void test1(const EVP_CIPHER *c,const unsigned char *key,int kn,
 	if(!EVP_DecryptUpdate(&ctx,out,&outl,ciphertext,cn*multiplier))
 	    {
 	    fprintf(stderr,"Decrypt failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(6);
 	    }
 	if(!EVP_DecryptFinal_ex(&ctx,out+outl,&outl2))
 	    {
 	    fprintf(stderr,"DecryptFinal failed\n");
+	    ERR_print_errors_fp(stderr);
 	    test1_exit(7);
 	    }

@@ -272,16 +278,19 @@ static int test_digest(const char *digest,
    if(!EVP_DigestInit_ex(&ctx,d, NULL))
 	{
 	fprintf(stderr,"DigestInit failed\n");
+	ERR_print_errors_fp(stderr);
 	EXIT(100);
 	}
    if(!EVP_DigestUpdate(&ctx,plaintext,pn))
 	{
 	fprintf(stderr,"DigestUpdate failed\n");
+	ERR_print_errors_fp(stderr);
 	EXIT(101);
 	}
    if(!EVP_DigestFinal_ex(&ctx,md,&mdn))
 	{
 	fprintf(stderr,"DigestFinal failed\n");
+	ERR_print_errors_fp(stderr);
 	EXIT(101);
 	}
    EVP_MD_CTX_cleanup(&ctx);
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -128,9 +128,9 @@
 *					<appro@fy.chalmers.se>
 */

+#include <openssl/crypto.h>
 #include <openssl/fips.h>
 #include <openssl/err.h>
-#include "../fips/fips_locl.h"

 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #error "DATA_ORDER must be defined!"
@@ -560,7 +560,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	const unsigned char *cp=end;

 #ifdef OPENSSL_FIPS
-	if(FIPS_mode && !FIPS_md5_allowed)
+	if(FIPS_mode() && !FIPS_md5_allowed())
 	    {
 	    FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
 	    return 0;
--- a/crypto/md4/Makefile
+++ b/crypto/md4/Makefile
@@ -78,11 +78,10 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-md4_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
-md4_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-md4_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-md4_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/md4.h
-md4_dgst.o: ../../include/openssl/opensslconf.h
+md4_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md4_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
 md4_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 md4_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 md4_dgst.o: ../md32_common.h md4_dgst.c md4_locl.h
--- a/crypto/md5/Makefile
+++ b/crypto/md5/Makefile
@@ -114,11 +114,10 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-md5_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
-md5_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-md5_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-md5_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
-md5_dgst.o: ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+md5_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
 md5_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 md5_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 md5_dgst.o: ../md32_common.h md5_dgst.c md5_locl.h
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -56,8 +56,17 @@
 *
 */

-#include <o_str.h>
+#include <ctype.h>
 #include <openssl/e_os2.h>
+#ifdef OPENSSL_SYS_WINDOWS
+# include <string.h>
+#else
+# include <strings.h>
+#endif
+#include "o_str.h"
+
+#undef strncasecmp
+#undef strcasecmp

 int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
 	{
@@ -86,7 +95,7 @@ int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
 int OPENSSL_strcasecmp(const char *str1, const char *str2)
 	{
 #if defined(OPENSSL_SYS_VMS)
-	return OSSL_strncasecmp(str1, str2, (size_t)-1);
+	return OPENSSL_strncasecmp(str1, str2, (size_t)-1);
 #elif defined(OPENSSL_SYS_WINDOWS)
 	return _stricmp(str1, str2);
 #else
--- a/crypto/o_str.h
+++ b/crypto/o_str.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_O_STR_H
 #define HEADER_O_STR_H

-#include <string.h>
+#include <stddef.h>		/* to get size_t */

 int OPENSSL_strcasecmp(const char *str1, const char *str2);
 int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n);
--- a/crypto/o_time.c
+++ b/crypto/o_time.c
@@ -114,16 +114,28 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 			return NULL;
 		logvalue[reslen] = '\0';

+		t = *timer;
+
+/* The following is extracted from the DEC C header time.h */
+/*
+**  Beginning in OpenVMS Version 7.0 mktime, time, ctime, strftime
+**  have two implementations.  One implementation is provided
+**  for compatibility and deals with time in terms of local time,
+**  the other __utc_* deals with time in terms of UTC.
+*/
+/* We use the same conditions as in said time.h to check if we should
+   assume that t contains local time (and should therefore be adjusted)
+   or UTC (and should therefore be left untouched). */
+#if __CRTL_VER < 70000000 || defined _VMS_V6_SOURCE
 		/* Get the numerical value of the equivalence string */
 		status = atoi(logvalue);

 		/* and use it to move time to GMT */
-		t = *timer - status;
+		t -= status;
+#endif

 		/* then convert the result to the time structure */
-#ifndef OPENSSL_THREADS
-		ts=(struct tm *)localtime(&t);
-#else
+
 		/* Since there was no gmtime_r() to do this stuff for us,
 		   we have to do it the hard way. */
 		{
@@ -198,7 +210,6 @@ struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result)
 		result->tm_isdst = 0; /* There's no way to know... */

 		ts = result;
-#endif
 		}
 		}
 #endif
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,8 +25,12 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x00907050L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7e-dev [fips] XX xxx XXXX"
+#define OPENSSL_VERSION_NUMBER	0x0090705FL
+#ifdef OPENSSL_FIPS
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7e-fips 25 Oct 2004"
+#else
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7e 25 Oct 2004"
+#endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT


--- a/crypto/pem/Makefile
+++ b/crypto/pem/Makefile
@@ -88,20 +88,21 @@ pem_all.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 pem_all.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
 pem_all.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 pem_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-pem_all.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-pem_all.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-pem_all.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-pem_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-pem_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-pem_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
-pem_all.o: ../../include/openssl/pem2.h ../../include/openssl/pkcs7.h
-pem_all.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
-pem_all.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
-pem_all.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-pem_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-pem_all.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-pem_all.o: ../../include/openssl/ui_compat.h ../../include/openssl/x509.h
-pem_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h pem_all.c
+pem_all.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
+pem_all.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
+pem_all.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
+pem_all.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
+pem_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+pem_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+pem_all.o: ../../include/openssl/pem.h ../../include/openssl/pem2.h
+pem_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
+pem_all.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+pem_all.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+pem_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+pem_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+pem_all.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+pem_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+pem_all.o: ../cryptlib.h pem_all.c
 pem_err.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 pem_err.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
 pem_err.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -64,6 +64,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
+#include <openssl/fips.h>

 #ifndef OPENSSL_NO_RSA
 static RSA *pkey_get_rsa(EVP_PKEY *key, RSA **rsa);
@@ -128,7 +129,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,

 #endif

+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	EVP_PKEY *k;
+	int ret;
+	k = EVP_PKEY_new();
+	if (!k)
+		return 0;
+	EVP_PKEY_set1_RSA(k, x);
+
+	ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+	EVP_PKEY_free(k);
+	return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	EVP_PKEY *k;
+	int ret;
+	k = EVP_PKEY_new();
+	if (!k)
+		return 0;
+
+	EVP_PKEY_set1_RSA(k, x);
+
+	ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+	EVP_PKEY_free(k);
+	return ret;
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)

@@ -158,7 +201,48 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
 	return pkey_get_dsa(pktmp, dsa);
 }

+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	EVP_PKEY *k;
+	int ret;
+	k = EVP_PKEY_new();
+	if (!k)
+		return 0;
+	EVP_PKEY_set1_DSA(k, x);
+
+	ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+	EVP_PKEY_free(k);
+	return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+	EVP_PKEY *k;
+	int ret;
+	k = EVP_PKEY_new();
+	if (!k)
+		return 0;
+	EVP_PKEY_set1_DSA(k, x);
+	ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+	EVP_PKEY_free(k);
+	return ret;
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)

 #ifndef OPENSSL_NO_FP_API
@@ -190,7 +274,42 @@ IMPLEMENT_PEM_rw(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
 * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
 * appropriate.)
 */
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+	{
+		if (FIPS_mode())
+			return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+						(char *)kstr, klen, cb, u);
+		else
+                	return PEM_ASN1_write_bio((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        bp,(char *)x,enc,kstr,klen,cb,u);
+	}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+	{
+		if (FIPS_mode())
+			return PEM_write_PKCS8PrivateKey(fp, x, enc,
+						(char *)kstr, klen, cb, u);
+		else
+                	return PEM_ASN1_write((int (*)())i2d_PrivateKey,
+                (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
+                        fp,(char *)x,enc,kstr,klen,cb,u);
+	}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA), PrivateKey)

+#endif
+
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)

--- a/crypto/pkcs7/pk7_attr.c
+++ b/crypto/pkcs7/pk7_attr.c
@@ -3,7 +3,7 @@
 * project 2001.
 */
 /* ====================================================================
- * Copyright (c) 2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2001-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -94,17 +94,18 @@ int PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 }

 STACK_OF(X509_ALGOR) *PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
-{
+	{
 	ASN1_TYPE *cap;
 	unsigned char *p;
 	cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
-	if (!cap) return NULL;
+	if (!cap || (cap->type != V_ASN1_SEQUENCE))
+		return NULL;
 	p = cap->value.sequence->data;
 	return d2i_ASN1_SET_OF_X509_ALGOR(NULL, &p,
 					  cap->value.sequence->length,
 					  d2i_X509_ALGOR, X509_ALGOR_free,
 					  V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+	}

 /* Basic smime-capabilities OID and optional integer arg */
 int PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -334,7 +334,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 	int do_stir_pool = 0;

 #ifdef OPENSSL_FIPS
-	if(FIPS_mode)
+	if(FIPS_mode())
 	    {
 	    FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
 	    return 0;
--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -71,6 +71,10 @@
 extern "C" {
 #endif

+#if defined(OPENSSL_FIPS)
+#define FIPS_RAND_SIZE_T int
+#endif
+
 typedef struct rand_meth_st
 	{
 	void (*seed)(const void *buf, int num);
@@ -127,6 +131,9 @@ void ERR_load_RAND_strings(void);

 /* Reason codes. */
 #define RAND_R_NON_FIPS_METHOD				 101
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 105
+#define RAND_R_PRNG_NOT_REKEYED				 103
+#define RAND_R_PRNG_NOT_RESEEDED			 104
 #define RAND_R_PRNG_NOT_SEEDED				 100
 #define RAND_R_PRNG_STUCK				 102

--- a/crypto/rand/rand_egd.c
+++ b/crypto/rand/rand_egd.c
@@ -95,7 +95,7 @@
 *   RAND_egd() is a wrapper for RAND_egd_bytes() with numbytes=255.
 */

-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VXWORKS) || defined(OPENSSL_SYS_VOS)
 int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes)
 	{
 	return(-1);
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -75,6 +75,9 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
 {RAND_R_NON_FIPS_METHOD                  ,"non fips method"},
+{RAND_R_PRNG_ASKING_FOR_TOO_MUCH         ,"prng asking for too much"},
+{RAND_R_PRNG_NOT_REKEYED                 ,"prng not rekeyed"},
+{RAND_R_PRNG_NOT_RESEEDED                ,"prng not reseeded"},
 {RAND_R_PRNG_NOT_SEEDED                  ,"PRNG not seeded"},
 {RAND_R_PRNG_STUCK                       ,"prng stuck"},
 {0,NULL}
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -88,7 +88,8 @@ int RAND_set_rand_method(const RAND_METHOD *meth)
 const RAND_METHOD *RAND_get_rand_method(void)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode && default_RAND_meth != FIPS_rand_check)
+	if(FIPS_mode()
+		&& default_RAND_meth != FIPS_rand_check())
 	    {
 	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
 	    return 0;
--- a/crypto/rand/rand_win.c
+++ b/crypto/rand/rand_win.c
@@ -125,7 +125,7 @@
 * http://developer.intel.com/design/security/rng/redist_license.htm
 */
 #define PROV_INTEL_SEC 22
-#define INTEL_DEF_PROV TEXT("Intel Hardware Cryptographic Service Provider")
+#define INTEL_DEF_PROV L"Intel Hardware Cryptographic Service Provider"

 static void readtimer(void);
 static void readscreen(void);
@@ -152,7 +152,7 @@ typedef struct tagCURSORINFO
 #define CURSOR_SHOWING     0x00000001
 #endif /* CURSOR_SHOWING */

-typedef BOOL (WINAPI *CRYPTACQUIRECONTEXT)(HCRYPTPROV *, LPCTSTR, LPCTSTR,
+typedef BOOL (WINAPI *CRYPTACQUIRECONTEXTW)(HCRYPTPROV *, LPCWSTR, LPCWSTR,
 				    DWORD, DWORD);
 typedef BOOL (WINAPI *CRYPTGENRANDOM)(HCRYPTPROV, DWORD, BYTE *);
 typedef BOOL (WINAPI *CRYPTRELEASECONTEXT)(HCRYPTPROV, DWORD);
@@ -194,7 +194,7 @@ int RAND_poll(void)
 	HWND h;

 	HMODULE advapi, kernel, user, netapi;
-	CRYPTACQUIRECONTEXT acquire = 0;
+	CRYPTACQUIRECONTEXTW acquire = 0;
 	CRYPTGENRANDOM gen = 0;
 	CRYPTRELEASECONTEXT release = 0;
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
@@ -213,6 +213,9 @@ int RAND_poll(void)
        GetVersionEx( &osverinfo ) ;

 #if defined(OPENSSL_SYS_WINCE) && WCEPLATFORM!=MS_HPC_PRO
+#ifndef CryptAcquireContext
+#define CryptAcquireContext CryptAcquireContextW
+#endif
 	/* poll the CryptoAPI PRNG */
 	/* The CryptoAPI returns sizeof(buf) bytes of randomness */
 	if (CryptAcquireContext(&hProvider, 0, 0, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT))
@@ -223,21 +226,35 @@ int RAND_poll(void)
 		}
 #endif

+#ifndef OPENSSL_SYS_WINCE
+	/*
+	 * None of below libraries are present on Windows CE, which is
+	 * why we #ifndef the whole section. This also excuses us from
+	 * handling the GetProcAddress issue. The trouble is that in
+	 * real Win32 API GetProcAddress is available in ANSI flavor
+	 * only. In WinCE on the other hand GetProcAddress is a macro
+	 * most commonly defined as GetProcAddressW, which accepts
+	 * Unicode argument. If we were to call GetProcAddress under
+	 * WinCE, I'd recommend to either redefine GetProcAddress as
+	 * GetProcAddressA (there seem to be one in common CE spec) or
+	 * implement own shim routine, which would accept ANSI argument
+	 * and expand it to Unicode.
+	 */
+
 	/* load functions dynamically - not available on all systems */
 	advapi = LoadLibrary(TEXT("ADVAPI32.DLL"));
 	kernel = LoadLibrary(TEXT("KERNEL32.DLL"));
 	user = LoadLibrary(TEXT("USER32.DLL"));
 	netapi = LoadLibrary(TEXT("NETAPI32.DLL"));

-#ifndef OPENSSL_SYS_WINCE
 #if 1 /* There was previously a problem with NETSTATGET.  Currently, this
       * section is still experimental, but if all goes well, this conditional
       * will be removed
       */
 	if (netapi)
 		{
-		netstatget = (NETSTATGET) GetProcAddress(netapi,TEXT("NetStatisticsGet"));
-		netfree = (NETFREE) GetProcAddress(netapi,TEXT("NetApiBufferFree"));
+		netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet");
+		netfree = (NETFREE) GetProcAddress(netapi,"NetApiBufferFree");
 		}

 	if (netstatget && netfree)
@@ -264,9 +281,7 @@ int RAND_poll(void)
 	if (netapi)
 		FreeLibrary(netapi);
 #endif /* 1 */
-#endif /* !OPENSSL_SYS_WINCE */
- 
-#ifndef OPENSSL_SYS_WINCE
+
        /* It appears like this can cause an exception deep within ADVAPI32.DLL
         * at random times on Windows 2000.  Reported by Jeffrey Altman.  
         * Only use it on NT.
@@ -321,16 +336,20 @@ int RAND_poll(void)
 			free(buf);
 		}
 #endif
-#endif /* !OPENSSL_SYS_WINCE */

 	if (advapi)
 		{
-		acquire = (CRYPTACQUIRECONTEXT) GetProcAddress(advapi,
-			TEXT("CryptAcquireContextA"));
+		/*
+		 * If it's available, then it's available in both ANSI
+		 * and UNICODE flavors even in Win9x, documentation says.
+		 * We favor Unicode...
+		 */
+		acquire = (CRYPTACQUIRECONTEXTW) GetProcAddress(advapi,
+			"CryptAcquireContextW");
 		gen = (CRYPTGENRANDOM) GetProcAddress(advapi,
-			TEXT("CryptGenRandom"));
+			"CryptGenRandom");
 		release = (CRYPTRELEASECONTEXT) GetProcAddress(advapi,
-			TEXT("CryptReleaseContext"));
+			"CryptReleaseContext");
 		}

 	if (acquire && gen && release)
@@ -367,26 +386,15 @@ int RAND_poll(void)
        if (advapi)
 		FreeLibrary(advapi);

-	/* timer data */
-	readtimer();
-	
-	/* memory usage statistics */
-	GlobalMemoryStatus(&m);
-	RAND_add(&m, sizeof(m), 1);
-
-	/* process ID */
-	w = GetCurrentProcessId();
-	RAND_add(&w, sizeof(w), 1);
-
 	if (user)
 		{
 		GETCURSORINFO cursor;
 		GETFOREGROUNDWINDOW win;
 		GETQUEUESTATUS queue;

-		win = (GETFOREGROUNDWINDOW) GetProcAddress(user, TEXT("GetForegroundWindow"));
-		cursor = (GETCURSORINFO) GetProcAddress(user, TEXT("GetCursorInfo"));
-		queue = (GETQUEUESTATUS) GetProcAddress(user, TEXT("GetQueueStatus"));
+		win = (GETFOREGROUNDWINDOW) GetProcAddress(user, "GetForegroundWindow");
+		cursor = (GETCURSORINFO) GetProcAddress(user, "GetCursorInfo");
+		queue = (GETQUEUESTATUS) GetProcAddress(user, "GetQueueStatus");

 		if (win)
 			{
@@ -458,19 +466,19 @@ int RAND_poll(void)
 		MODULEENTRY32 m;

 		snap = (CREATETOOLHELP32SNAPSHOT)
-			GetProcAddress(kernel, TEXT("CreateToolhelp32Snapshot"));
+			GetProcAddress(kernel, "CreateToolhelp32Snapshot");
 		close_snap = (CLOSETOOLHELP32SNAPSHOT)
-			GetProcAddress(kernel, TEXT("CloseToolhelp32Snapshot"));
-		heap_first = (HEAP32FIRST) GetProcAddress(kernel, TEXT("Heap32First"));
-		heap_next = (HEAP32NEXT) GetProcAddress(kernel, TEXT("Heap32Next"));
-		heaplist_first = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListFirst"));
-		heaplist_next = (HEAP32LIST) GetProcAddress(kernel, TEXT("Heap32ListNext"));
-		process_first = (PROCESS32) GetProcAddress(kernel, TEXT("Process32First"));
-		process_next = (PROCESS32) GetProcAddress(kernel, TEXT("Process32Next"));
-		thread_first = (THREAD32) GetProcAddress(kernel, TEXT("Thread32First"));
-		thread_next = (THREAD32) GetProcAddress(kernel, TEXT("Thread32Next"));
-		module_first = (MODULE32) GetProcAddress(kernel, TEXT("Module32First"));
-		module_next = (MODULE32) GetProcAddress(kernel, TEXT("Module32Next"));
+			GetProcAddress(kernel, "CloseToolhelp32Snapshot");
+		heap_first = (HEAP32FIRST) GetProcAddress(kernel, "Heap32First");
+		heap_next = (HEAP32NEXT) GetProcAddress(kernel, "Heap32Next");
+		heaplist_first = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListFirst");
+		heaplist_next = (HEAP32LIST) GetProcAddress(kernel, "Heap32ListNext");
+		process_first = (PROCESS32) GetProcAddress(kernel, "Process32First");
+		process_next = (PROCESS32) GetProcAddress(kernel, "Process32Next");
+		thread_first = (THREAD32) GetProcAddress(kernel, "Thread32First");
+		thread_next = (THREAD32) GetProcAddress(kernel, "Thread32Next");
+		module_first = (MODULE32) GetProcAddress(kernel, "Module32First");
+		module_next = (MODULE32) GetProcAddress(kernel, "Module32Next");

 		if (snap && heap_first && heap_next && heaplist_first &&
 			heaplist_next && process_first && process_next &&
@@ -546,6 +554,18 @@ int RAND_poll(void)

 		FreeLibrary(kernel);
 		}
+#endif /* !OPENSSL_SYS_WINCE */
+
+	/* timer data */
+	readtimer();
+	
+	/* memory usage statistics */
+	GlobalMemoryStatus(&m);
+	RAND_add(&m, sizeof(m), 1);
+
+	/* process ID */
+	w = GetCurrentProcessId();
+	RAND_add(&w, sizeof(w), 1);

 #if 0
 	printf("Exiting RAND_poll\n");
@@ -607,7 +627,7 @@ static void readtimer(void)
 	DWORD w;
 	LARGE_INTEGER l;
 	static int have_perfc = 1;
-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && defined(_M_X86)
 	static int have_tsc = 1;
 	DWORD cyclecount;

--- a/crypto/ripemd/Makefile
+++ b/crypto/ripemd/Makefile
@@ -96,10 +96,10 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-rmd_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
-rmd_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-rmd_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-rmd_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rmd_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rmd_dgst.o: ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
 rmd_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rmd_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h rmd_dgst.c
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -72,6 +72,10 @@
 #error RSA is disabled.
 #endif

+#if defined(OPENSSL_FIPS)
+#define FIPS_RSA_SIZE_T	int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
--- a/crypto/sha/Makefile
+++ b/crypto/sha/Makefile
@@ -101,12 +101,18 @@ sha1_one.o: ../../include/openssl/opensslconf.h
 sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c
+sha1dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+sha1dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
 sha1dgst.o: ../../include/openssl/opensslconf.h
-sha1dgst.o: ../../include/openssl/opensslv.h sha1dgst.c
-sha_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
-sha_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
-sha_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
-sha_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+sha1dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+sha1dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha1dgst.c
+sha1dgst.o: sha_locl.h
+sha_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+sha_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+sha_dgst.o: ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 sha_dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 sha_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha_dgst.c
--- a/crypto/sha/sha.h
+++ b/crypto/sha/sha.h
@@ -69,6 +69,10 @@ extern "C" {
 #error SHA is disabled.
 #endif

+#if defined(OPENSSL_FIPS)
+#define FIPS_SHA_SIZE_T unsigned long
+#endif
+
 /*
 * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 * ! SHA_LONG has to be at least 32 bits wide. If it's wider, then !
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -113,6 +113,8 @@ STACK_OF(type) \
 	((type * (*)(STACK_OF(type) *))sk_pop)(st)
 #define SKM_sk_sort(type, st) \
 	((void (*)(STACK_OF(type) *))sk_sort)(st)
+#define SKM_sk_is_sorted(type, st) \
+	((int (*)(const STACK_OF(type) *))sk_is_sorted)(st)

 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	((STACK_OF(type) * (*) (STACK_OF(type) **,unsigned char **, long , \
@@ -187,6 +189,8 @@ STACK_OF(type) \
 	((type *)sk_pop(st))
 #define SKM_sk_sort(type, st) \
 	sk_sort(st)
+#define SKM_sk_is_sorted(type, st) \
+	sk_is_sorted(st)

 #define	SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	d2i_ASN1_SET(st,pp,length, (char *(*)())d2i_func, (void (*)(void *))free_func, ex_tag,ex_class)
@@ -223,6 +227,7 @@ STACK_OF(type) \
 #define sk_ACCESS_DESCRIPTION_shift(st) SKM_sk_shift(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_pop(st) SKM_sk_pop(ACCESS_DESCRIPTION, (st))
 #define sk_ACCESS_DESCRIPTION_sort(st) SKM_sk_sort(ACCESS_DESCRIPTION, (st))
+#define sk_ACCESS_DESCRIPTION_is_sorted(st) SKM_sk_is_sorted(ACCESS_DESCRIPTION, (st))

 #define sk_ASN1_GENERALSTRING_new(st) SKM_sk_new(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_new_null() SKM_sk_new_null(ASN1_GENERALSTRING)
@@ -243,6 +248,7 @@ STACK_OF(type) \
 #define sk_ASN1_GENERALSTRING_shift(st) SKM_sk_shift(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_pop(st) SKM_sk_pop(ASN1_GENERALSTRING, (st))
 #define sk_ASN1_GENERALSTRING_sort(st) SKM_sk_sort(ASN1_GENERALSTRING, (st))
+#define sk_ASN1_GENERALSTRING_is_sorted(st) SKM_sk_is_sorted(ASN1_GENERALSTRING, (st))

 #define sk_ASN1_INTEGER_new(st) SKM_sk_new(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_new_null() SKM_sk_new_null(ASN1_INTEGER)
@@ -263,6 +269,7 @@ STACK_OF(type) \
 #define sk_ASN1_INTEGER_shift(st) SKM_sk_shift(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_pop(st) SKM_sk_pop(ASN1_INTEGER, (st))
 #define sk_ASN1_INTEGER_sort(st) SKM_sk_sort(ASN1_INTEGER, (st))
+#define sk_ASN1_INTEGER_is_sorted(st) SKM_sk_is_sorted(ASN1_INTEGER, (st))

 #define sk_ASN1_OBJECT_new(st) SKM_sk_new(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_new_null() SKM_sk_new_null(ASN1_OBJECT)
@@ -283,6 +290,7 @@ STACK_OF(type) \
 #define sk_ASN1_OBJECT_shift(st) SKM_sk_shift(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_pop(st) SKM_sk_pop(ASN1_OBJECT, (st))
 #define sk_ASN1_OBJECT_sort(st) SKM_sk_sort(ASN1_OBJECT, (st))
+#define sk_ASN1_OBJECT_is_sorted(st) SKM_sk_is_sorted(ASN1_OBJECT, (st))

 #define sk_ASN1_STRING_TABLE_new(st) SKM_sk_new(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_new_null() SKM_sk_new_null(ASN1_STRING_TABLE)
@@ -303,6 +311,7 @@ STACK_OF(type) \
 #define sk_ASN1_STRING_TABLE_shift(st) SKM_sk_shift(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_pop(st) SKM_sk_pop(ASN1_STRING_TABLE, (st))
 #define sk_ASN1_STRING_TABLE_sort(st) SKM_sk_sort(ASN1_STRING_TABLE, (st))
+#define sk_ASN1_STRING_TABLE_is_sorted(st) SKM_sk_is_sorted(ASN1_STRING_TABLE, (st))

 #define sk_ASN1_TYPE_new(st) SKM_sk_new(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_new_null() SKM_sk_new_null(ASN1_TYPE)
@@ -323,6 +332,7 @@ STACK_OF(type) \
 #define sk_ASN1_TYPE_shift(st) SKM_sk_shift(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_pop(st) SKM_sk_pop(ASN1_TYPE, (st))
 #define sk_ASN1_TYPE_sort(st) SKM_sk_sort(ASN1_TYPE, (st))
+#define sk_ASN1_TYPE_is_sorted(st) SKM_sk_is_sorted(ASN1_TYPE, (st))

 #define sk_ASN1_VALUE_new(st) SKM_sk_new(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_new_null() SKM_sk_new_null(ASN1_VALUE)
@@ -343,6 +353,7 @@ STACK_OF(type) \
 #define sk_ASN1_VALUE_shift(st) SKM_sk_shift(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_pop(st) SKM_sk_pop(ASN1_VALUE, (st))
 #define sk_ASN1_VALUE_sort(st) SKM_sk_sort(ASN1_VALUE, (st))
+#define sk_ASN1_VALUE_is_sorted(st) SKM_sk_is_sorted(ASN1_VALUE, (st))

 #define sk_BIO_new(st) SKM_sk_new(BIO, (st))
 #define sk_BIO_new_null() SKM_sk_new_null(BIO)
@@ -363,6 +374,7 @@ STACK_OF(type) \
 #define sk_BIO_shift(st) SKM_sk_shift(BIO, (st))
 #define sk_BIO_pop(st) SKM_sk_pop(BIO, (st))
 #define sk_BIO_sort(st) SKM_sk_sort(BIO, (st))
+#define sk_BIO_is_sorted(st) SKM_sk_is_sorted(BIO, (st))

 #define sk_CONF_IMODULE_new(st) SKM_sk_new(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_new_null() SKM_sk_new_null(CONF_IMODULE)
@@ -383,6 +395,7 @@ STACK_OF(type) \
 #define sk_CONF_IMODULE_shift(st) SKM_sk_shift(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_pop(st) SKM_sk_pop(CONF_IMODULE, (st))
 #define sk_CONF_IMODULE_sort(st) SKM_sk_sort(CONF_IMODULE, (st))
+#define sk_CONF_IMODULE_is_sorted(st) SKM_sk_is_sorted(CONF_IMODULE, (st))

 #define sk_CONF_MODULE_new(st) SKM_sk_new(CONF_MODULE, (st))
 #define sk_CONF_MODULE_new_null() SKM_sk_new_null(CONF_MODULE)
@@ -403,6 +416,7 @@ STACK_OF(type) \
 #define sk_CONF_MODULE_shift(st) SKM_sk_shift(CONF_MODULE, (st))
 #define sk_CONF_MODULE_pop(st) SKM_sk_pop(CONF_MODULE, (st))
 #define sk_CONF_MODULE_sort(st) SKM_sk_sort(CONF_MODULE, (st))
+#define sk_CONF_MODULE_is_sorted(st) SKM_sk_is_sorted(CONF_MODULE, (st))

 #define sk_CONF_VALUE_new(st) SKM_sk_new(CONF_VALUE, (st))
 #define sk_CONF_VALUE_new_null() SKM_sk_new_null(CONF_VALUE)
@@ -423,6 +437,7 @@ STACK_OF(type) \
 #define sk_CONF_VALUE_shift(st) SKM_sk_shift(CONF_VALUE, (st))
 #define sk_CONF_VALUE_pop(st) SKM_sk_pop(CONF_VALUE, (st))
 #define sk_CONF_VALUE_sort(st) SKM_sk_sort(CONF_VALUE, (st))
+#define sk_CONF_VALUE_is_sorted(st) SKM_sk_is_sorted(CONF_VALUE, (st))

 #define sk_CRYPTO_EX_DATA_FUNCS_new(st) SKM_sk_new(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_new_null() SKM_sk_new_null(CRYPTO_EX_DATA_FUNCS)
@@ -443,6 +458,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_EX_DATA_FUNCS_shift(st) SKM_sk_shift(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_pop(st) SKM_sk_pop(CRYPTO_EX_DATA_FUNCS, (st))
 #define sk_CRYPTO_EX_DATA_FUNCS_sort(st) SKM_sk_sort(CRYPTO_EX_DATA_FUNCS, (st))
+#define sk_CRYPTO_EX_DATA_FUNCS_is_sorted(st) SKM_sk_is_sorted(CRYPTO_EX_DATA_FUNCS, (st))

 #define sk_CRYPTO_dynlock_new(st) SKM_sk_new(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_new_null() SKM_sk_new_null(CRYPTO_dynlock)
@@ -463,6 +479,7 @@ STACK_OF(type) \
 #define sk_CRYPTO_dynlock_shift(st) SKM_sk_shift(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_pop(st) SKM_sk_pop(CRYPTO_dynlock, (st))
 #define sk_CRYPTO_dynlock_sort(st) SKM_sk_sort(CRYPTO_dynlock, (st))
+#define sk_CRYPTO_dynlock_is_sorted(st) SKM_sk_is_sorted(CRYPTO_dynlock, (st))

 #define sk_DIST_POINT_new(st) SKM_sk_new(DIST_POINT, (st))
 #define sk_DIST_POINT_new_null() SKM_sk_new_null(DIST_POINT)
@@ -483,6 +500,7 @@ STACK_OF(type) \
 #define sk_DIST_POINT_shift(st) SKM_sk_shift(DIST_POINT, (st))
 #define sk_DIST_POINT_pop(st) SKM_sk_pop(DIST_POINT, (st))
 #define sk_DIST_POINT_sort(st) SKM_sk_sort(DIST_POINT, (st))
+#define sk_DIST_POINT_is_sorted(st) SKM_sk_is_sorted(DIST_POINT, (st))

 #define sk_ENGINE_new(st) SKM_sk_new(ENGINE, (st))
 #define sk_ENGINE_new_null() SKM_sk_new_null(ENGINE)
@@ -503,6 +521,7 @@ STACK_OF(type) \
 #define sk_ENGINE_shift(st) SKM_sk_shift(ENGINE, (st))
 #define sk_ENGINE_pop(st) SKM_sk_pop(ENGINE, (st))
 #define sk_ENGINE_sort(st) SKM_sk_sort(ENGINE, (st))
+#define sk_ENGINE_is_sorted(st) SKM_sk_is_sorted(ENGINE, (st))

 #define sk_ENGINE_CLEANUP_ITEM_new(st) SKM_sk_new(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_new_null() SKM_sk_new_null(ENGINE_CLEANUP_ITEM)
@@ -523,6 +542,7 @@ STACK_OF(type) \
 #define sk_ENGINE_CLEANUP_ITEM_shift(st) SKM_sk_shift(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_pop(st) SKM_sk_pop(ENGINE_CLEANUP_ITEM, (st))
 #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
+#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))

 #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
@@ -543,6 +563,7 @@ STACK_OF(type) \
 #define sk_GENERAL_NAME_shift(st) SKM_sk_shift(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_pop(st) SKM_sk_pop(GENERAL_NAME, (st))
 #define sk_GENERAL_NAME_sort(st) SKM_sk_sort(GENERAL_NAME, (st))
+#define sk_GENERAL_NAME_is_sorted(st) SKM_sk_is_sorted(GENERAL_NAME, (st))

 #define sk_KRB5_APREQBODY_new(st) SKM_sk_new(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY)
@@ -563,6 +584,7 @@ STACK_OF(type) \
 #define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st))
 #define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st))
+#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st))

 #define sk_KRB5_AUTHDATA_new(st) SKM_sk_new(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA)
@@ -583,6 +605,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st))
 #define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st))
+#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st))

 #define sk_KRB5_AUTHENTBODY_new(st) SKM_sk_new(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY)
@@ -603,6 +626,7 @@ STACK_OF(type) \
 #define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st))
 #define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st))
+#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st))

 #define sk_KRB5_CHECKSUM_new(st) SKM_sk_new(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM)
@@ -623,6 +647,7 @@ STACK_OF(type) \
 #define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st))
 #define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st))
+#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st))

 #define sk_KRB5_ENCDATA_new(st) SKM_sk_new(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA)
@@ -643,6 +668,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st))
 #define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st))
+#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st))

 #define sk_KRB5_ENCKEY_new(st) SKM_sk_new(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY)
@@ -663,6 +689,7 @@ STACK_OF(type) \
 #define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_pop(st) SKM_sk_pop(KRB5_ENCKEY, (st))
 #define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st))
+#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st))

 #define sk_KRB5_PRINCNAME_new(st) SKM_sk_new(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME)
@@ -683,6 +710,7 @@ STACK_OF(type) \
 #define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st))
 #define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st))
+#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st))

 #define sk_KRB5_TKTBODY_new(st) SKM_sk_new(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY)
@@ -703,6 +731,7 @@ STACK_OF(type) \
 #define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st))
 #define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st))
+#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st))

 #define sk_MIME_HEADER_new(st) SKM_sk_new(MIME_HEADER, (st))
 #define sk_MIME_HEADER_new_null() SKM_sk_new_null(MIME_HEADER)
@@ -723,6 +752,7 @@ STACK_OF(type) \
 #define sk_MIME_HEADER_shift(st) SKM_sk_shift(MIME_HEADER, (st))
 #define sk_MIME_HEADER_pop(st) SKM_sk_pop(MIME_HEADER, (st))
 #define sk_MIME_HEADER_sort(st) SKM_sk_sort(MIME_HEADER, (st))
+#define sk_MIME_HEADER_is_sorted(st) SKM_sk_is_sorted(MIME_HEADER, (st))

 #define sk_MIME_PARAM_new(st) SKM_sk_new(MIME_PARAM, (st))
 #define sk_MIME_PARAM_new_null() SKM_sk_new_null(MIME_PARAM)
@@ -743,6 +773,7 @@ STACK_OF(type) \
 #define sk_MIME_PARAM_shift(st) SKM_sk_shift(MIME_PARAM, (st))
 #define sk_MIME_PARAM_pop(st) SKM_sk_pop(MIME_PARAM, (st))
 #define sk_MIME_PARAM_sort(st) SKM_sk_sort(MIME_PARAM, (st))
+#define sk_MIME_PARAM_is_sorted(st) SKM_sk_is_sorted(MIME_PARAM, (st))

 #define sk_NAME_FUNCS_new(st) SKM_sk_new(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_new_null() SKM_sk_new_null(NAME_FUNCS)
@@ -763,6 +794,7 @@ STACK_OF(type) \
 #define sk_NAME_FUNCS_shift(st) SKM_sk_shift(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_pop(st) SKM_sk_pop(NAME_FUNCS, (st))
 #define sk_NAME_FUNCS_sort(st) SKM_sk_sort(NAME_FUNCS, (st))
+#define sk_NAME_FUNCS_is_sorted(st) SKM_sk_is_sorted(NAME_FUNCS, (st))

 #define sk_OCSP_CERTID_new(st) SKM_sk_new(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_new_null() SKM_sk_new_null(OCSP_CERTID)
@@ -783,6 +815,7 @@ STACK_OF(type) \
 #define sk_OCSP_CERTID_shift(st) SKM_sk_shift(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_pop(st) SKM_sk_pop(OCSP_CERTID, (st))
 #define sk_OCSP_CERTID_sort(st) SKM_sk_sort(OCSP_CERTID, (st))
+#define sk_OCSP_CERTID_is_sorted(st) SKM_sk_is_sorted(OCSP_CERTID, (st))

 #define sk_OCSP_ONEREQ_new(st) SKM_sk_new(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_new_null() SKM_sk_new_null(OCSP_ONEREQ)
@@ -803,6 +836,7 @@ STACK_OF(type) \
 #define sk_OCSP_ONEREQ_shift(st) SKM_sk_shift(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_pop(st) SKM_sk_pop(OCSP_ONEREQ, (st))
 #define sk_OCSP_ONEREQ_sort(st) SKM_sk_sort(OCSP_ONEREQ, (st))
+#define sk_OCSP_ONEREQ_is_sorted(st) SKM_sk_is_sorted(OCSP_ONEREQ, (st))

 #define sk_OCSP_SINGLERESP_new(st) SKM_sk_new(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_new_null() SKM_sk_new_null(OCSP_SINGLERESP)
@@ -823,6 +857,7 @@ STACK_OF(type) \
 #define sk_OCSP_SINGLERESP_shift(st) SKM_sk_shift(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_pop(st) SKM_sk_pop(OCSP_SINGLERESP, (st))
 #define sk_OCSP_SINGLERESP_sort(st) SKM_sk_sort(OCSP_SINGLERESP, (st))
+#define sk_OCSP_SINGLERESP_is_sorted(st) SKM_sk_is_sorted(OCSP_SINGLERESP, (st))

 #define sk_PKCS12_SAFEBAG_new(st) SKM_sk_new(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_new_null() SKM_sk_new_null(PKCS12_SAFEBAG)
@@ -843,6 +878,7 @@ STACK_OF(type) \
 #define sk_PKCS12_SAFEBAG_shift(st) SKM_sk_shift(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_pop(st) SKM_sk_pop(PKCS12_SAFEBAG, (st))
 #define sk_PKCS12_SAFEBAG_sort(st) SKM_sk_sort(PKCS12_SAFEBAG, (st))
+#define sk_PKCS12_SAFEBAG_is_sorted(st) SKM_sk_is_sorted(PKCS12_SAFEBAG, (st))

 #define sk_PKCS7_new(st) SKM_sk_new(PKCS7, (st))
 #define sk_PKCS7_new_null() SKM_sk_new_null(PKCS7)
@@ -863,6 +899,7 @@ STACK_OF(type) \
 #define sk_PKCS7_shift(st) SKM_sk_shift(PKCS7, (st))
 #define sk_PKCS7_pop(st) SKM_sk_pop(PKCS7, (st))
 #define sk_PKCS7_sort(st) SKM_sk_sort(PKCS7, (st))
+#define sk_PKCS7_is_sorted(st) SKM_sk_is_sorted(PKCS7, (st))

 #define sk_PKCS7_RECIP_INFO_new(st) SKM_sk_new(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_new_null() SKM_sk_new_null(PKCS7_RECIP_INFO)
@@ -883,6 +920,7 @@ STACK_OF(type) \
 #define sk_PKCS7_RECIP_INFO_shift(st) SKM_sk_shift(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_pop(st) SKM_sk_pop(PKCS7_RECIP_INFO, (st))
 #define sk_PKCS7_RECIP_INFO_sort(st) SKM_sk_sort(PKCS7_RECIP_INFO, (st))
+#define sk_PKCS7_RECIP_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_RECIP_INFO, (st))

 #define sk_PKCS7_SIGNER_INFO_new(st) SKM_sk_new(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_new_null() SKM_sk_new_null(PKCS7_SIGNER_INFO)
@@ -903,6 +941,7 @@ STACK_OF(type) \
 #define sk_PKCS7_SIGNER_INFO_shift(st) SKM_sk_shift(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_pop(st) SKM_sk_pop(PKCS7_SIGNER_INFO, (st))
 #define sk_PKCS7_SIGNER_INFO_sort(st) SKM_sk_sort(PKCS7_SIGNER_INFO, (st))
+#define sk_PKCS7_SIGNER_INFO_is_sorted(st) SKM_sk_is_sorted(PKCS7_SIGNER_INFO, (st))

 #define sk_POLICYINFO_new(st) SKM_sk_new(POLICYINFO, (st))
 #define sk_POLICYINFO_new_null() SKM_sk_new_null(POLICYINFO)
@@ -923,6 +962,7 @@ STACK_OF(type) \
 #define sk_POLICYINFO_shift(st) SKM_sk_shift(POLICYINFO, (st))
 #define sk_POLICYINFO_pop(st) SKM_sk_pop(POLICYINFO, (st))
 #define sk_POLICYINFO_sort(st) SKM_sk_sort(POLICYINFO, (st))
+#define sk_POLICYINFO_is_sorted(st) SKM_sk_is_sorted(POLICYINFO, (st))

 #define sk_POLICYQUALINFO_new(st) SKM_sk_new(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_new_null() SKM_sk_new_null(POLICYQUALINFO)
@@ -943,6 +983,7 @@ STACK_OF(type) \
 #define sk_POLICYQUALINFO_shift(st) SKM_sk_shift(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_pop(st) SKM_sk_pop(POLICYQUALINFO, (st))
 #define sk_POLICYQUALINFO_sort(st) SKM_sk_sort(POLICYQUALINFO, (st))
+#define sk_POLICYQUALINFO_is_sorted(st) SKM_sk_is_sorted(POLICYQUALINFO, (st))

 #define sk_SSL_CIPHER_new(st) SKM_sk_new(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_new_null() SKM_sk_new_null(SSL_CIPHER)
@@ -963,6 +1004,7 @@ STACK_OF(type) \
 #define sk_SSL_CIPHER_shift(st) SKM_sk_shift(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_pop(st) SKM_sk_pop(SSL_CIPHER, (st))
 #define sk_SSL_CIPHER_sort(st) SKM_sk_sort(SSL_CIPHER, (st))
+#define sk_SSL_CIPHER_is_sorted(st) SKM_sk_is_sorted(SSL_CIPHER, (st))

 #define sk_SSL_COMP_new(st) SKM_sk_new(SSL_COMP, (st))
 #define sk_SSL_COMP_new_null() SKM_sk_new_null(SSL_COMP)
@@ -983,6 +1025,7 @@ STACK_OF(type) \
 #define sk_SSL_COMP_shift(st) SKM_sk_shift(SSL_COMP, (st))
 #define sk_SSL_COMP_pop(st) SKM_sk_pop(SSL_COMP, (st))
 #define sk_SSL_COMP_sort(st) SKM_sk_sort(SSL_COMP, (st))
+#define sk_SSL_COMP_is_sorted(st) SKM_sk_is_sorted(SSL_COMP, (st))

 #define sk_SXNETID_new(st) SKM_sk_new(SXNETID, (st))
 #define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID)
@@ -1003,6 +1046,7 @@ STACK_OF(type) \
 #define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st))
 #define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st))
 #define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st))
+#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st))

 #define sk_UI_STRING_new(st) SKM_sk_new(UI_STRING, (st))
 #define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING)
@@ -1023,6 +1067,7 @@ STACK_OF(type) \
 #define sk_UI_STRING_shift(st) SKM_sk_shift(UI_STRING, (st))
 #define sk_UI_STRING_pop(st) SKM_sk_pop(UI_STRING, (st))
 #define sk_UI_STRING_sort(st) SKM_sk_sort(UI_STRING, (st))
+#define sk_UI_STRING_is_sorted(st) SKM_sk_is_sorted(UI_STRING, (st))

 #define sk_X509_new(st) SKM_sk_new(X509, (st))
 #define sk_X509_new_null() SKM_sk_new_null(X509)
@@ -1043,6 +1088,7 @@ STACK_OF(type) \
 #define sk_X509_shift(st) SKM_sk_shift(X509, (st))
 #define sk_X509_pop(st) SKM_sk_pop(X509, (st))
 #define sk_X509_sort(st) SKM_sk_sort(X509, (st))
+#define sk_X509_is_sorted(st) SKM_sk_is_sorted(X509, (st))

 #define sk_X509V3_EXT_METHOD_new(st) SKM_sk_new(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_new_null() SKM_sk_new_null(X509V3_EXT_METHOD)
@@ -1063,6 +1109,7 @@ STACK_OF(type) \
 #define sk_X509V3_EXT_METHOD_shift(st) SKM_sk_shift(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_pop(st) SKM_sk_pop(X509V3_EXT_METHOD, (st))
 #define sk_X509V3_EXT_METHOD_sort(st) SKM_sk_sort(X509V3_EXT_METHOD, (st))
+#define sk_X509V3_EXT_METHOD_is_sorted(st) SKM_sk_is_sorted(X509V3_EXT_METHOD, (st))

 #define sk_X509_ALGOR_new(st) SKM_sk_new(X509_ALGOR, (st))
 #define sk_X509_ALGOR_new_null() SKM_sk_new_null(X509_ALGOR)
@@ -1083,6 +1130,7 @@ STACK_OF(type) \
 #define sk_X509_ALGOR_shift(st) SKM_sk_shift(X509_ALGOR, (st))
 #define sk_X509_ALGOR_pop(st) SKM_sk_pop(X509_ALGOR, (st))
 #define sk_X509_ALGOR_sort(st) SKM_sk_sort(X509_ALGOR, (st))
+#define sk_X509_ALGOR_is_sorted(st) SKM_sk_is_sorted(X509_ALGOR, (st))

 #define sk_X509_ATTRIBUTE_new(st) SKM_sk_new(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_new_null() SKM_sk_new_null(X509_ATTRIBUTE)
@@ -1103,6 +1151,7 @@ STACK_OF(type) \
 #define sk_X509_ATTRIBUTE_shift(st) SKM_sk_shift(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_pop(st) SKM_sk_pop(X509_ATTRIBUTE, (st))
 #define sk_X509_ATTRIBUTE_sort(st) SKM_sk_sort(X509_ATTRIBUTE, (st))
+#define sk_X509_ATTRIBUTE_is_sorted(st) SKM_sk_is_sorted(X509_ATTRIBUTE, (st))

 #define sk_X509_CRL_new(st) SKM_sk_new(X509_CRL, (st))
 #define sk_X509_CRL_new_null() SKM_sk_new_null(X509_CRL)
@@ -1123,6 +1172,7 @@ STACK_OF(type) \
 #define sk_X509_CRL_shift(st) SKM_sk_shift(X509_CRL, (st))
 #define sk_X509_CRL_pop(st) SKM_sk_pop(X509_CRL, (st))
 #define sk_X509_CRL_sort(st) SKM_sk_sort(X509_CRL, (st))
+#define sk_X509_CRL_is_sorted(st) SKM_sk_is_sorted(X509_CRL, (st))

 #define sk_X509_EXTENSION_new(st) SKM_sk_new(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_new_null() SKM_sk_new_null(X509_EXTENSION)
@@ -1143,6 +1193,7 @@ STACK_OF(type) \
 #define sk_X509_EXTENSION_shift(st) SKM_sk_shift(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_pop(st) SKM_sk_pop(X509_EXTENSION, (st))
 #define sk_X509_EXTENSION_sort(st) SKM_sk_sort(X509_EXTENSION, (st))
+#define sk_X509_EXTENSION_is_sorted(st) SKM_sk_is_sorted(X509_EXTENSION, (st))

 #define sk_X509_INFO_new(st) SKM_sk_new(X509_INFO, (st))
 #define sk_X509_INFO_new_null() SKM_sk_new_null(X509_INFO)
@@ -1163,6 +1214,7 @@ STACK_OF(type) \
 #define sk_X509_INFO_shift(st) SKM_sk_shift(X509_INFO, (st))
 #define sk_X509_INFO_pop(st) SKM_sk_pop(X509_INFO, (st))
 #define sk_X509_INFO_sort(st) SKM_sk_sort(X509_INFO, (st))
+#define sk_X509_INFO_is_sorted(st) SKM_sk_is_sorted(X509_INFO, (st))

 #define sk_X509_LOOKUP_new(st) SKM_sk_new(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_new_null() SKM_sk_new_null(X509_LOOKUP)
@@ -1183,6 +1235,7 @@ STACK_OF(type) \
 #define sk_X509_LOOKUP_shift(st) SKM_sk_shift(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_pop(st) SKM_sk_pop(X509_LOOKUP, (st))
 #define sk_X509_LOOKUP_sort(st) SKM_sk_sort(X509_LOOKUP, (st))
+#define sk_X509_LOOKUP_is_sorted(st) SKM_sk_is_sorted(X509_LOOKUP, (st))

 #define sk_X509_NAME_new(st) SKM_sk_new(X509_NAME, (st))
 #define sk_X509_NAME_new_null() SKM_sk_new_null(X509_NAME)
@@ -1203,6 +1256,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_shift(st) SKM_sk_shift(X509_NAME, (st))
 #define sk_X509_NAME_pop(st) SKM_sk_pop(X509_NAME, (st))
 #define sk_X509_NAME_sort(st) SKM_sk_sort(X509_NAME, (st))
+#define sk_X509_NAME_is_sorted(st) SKM_sk_is_sorted(X509_NAME, (st))

 #define sk_X509_NAME_ENTRY_new(st) SKM_sk_new(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_new_null() SKM_sk_new_null(X509_NAME_ENTRY)
@@ -1223,6 +1277,7 @@ STACK_OF(type) \
 #define sk_X509_NAME_ENTRY_shift(st) SKM_sk_shift(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_pop(st) SKM_sk_pop(X509_NAME_ENTRY, (st))
 #define sk_X509_NAME_ENTRY_sort(st) SKM_sk_sort(X509_NAME_ENTRY, (st))
+#define sk_X509_NAME_ENTRY_is_sorted(st) SKM_sk_is_sorted(X509_NAME_ENTRY, (st))

 #define sk_X509_OBJECT_new(st) SKM_sk_new(X509_OBJECT, (st))
 #define sk_X509_OBJECT_new_null() SKM_sk_new_null(X509_OBJECT)
@@ -1243,6 +1298,7 @@ STACK_OF(type) \
 #define sk_X509_OBJECT_shift(st) SKM_sk_shift(X509_OBJECT, (st))
 #define sk_X509_OBJECT_pop(st) SKM_sk_pop(X509_OBJECT, (st))
 #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st))
+#define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st))

 #define sk_X509_PURPOSE_new(st) SKM_sk_new(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE)
@@ -1263,6 +1319,7 @@ STACK_OF(type) \
 #define sk_X509_PURPOSE_shift(st) SKM_sk_shift(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_pop(st) SKM_sk_pop(X509_PURPOSE, (st))
 #define sk_X509_PURPOSE_sort(st) SKM_sk_sort(X509_PURPOSE, (st))
+#define sk_X509_PURPOSE_is_sorted(st) SKM_sk_is_sorted(X509_PURPOSE, (st))

 #define sk_X509_REVOKED_new(st) SKM_sk_new(X509_REVOKED, (st))
 #define sk_X509_REVOKED_new_null() SKM_sk_new_null(X509_REVOKED)
@@ -1283,6 +1340,7 @@ STACK_OF(type) \
 #define sk_X509_REVOKED_shift(st) SKM_sk_shift(X509_REVOKED, (st))
 #define sk_X509_REVOKED_pop(st) SKM_sk_pop(X509_REVOKED, (st))
 #define sk_X509_REVOKED_sort(st) SKM_sk_sort(X509_REVOKED, (st))
+#define sk_X509_REVOKED_is_sorted(st) SKM_sk_is_sorted(X509_REVOKED, (st))

 #define sk_X509_TRUST_new(st) SKM_sk_new(X509_TRUST, (st))
 #define sk_X509_TRUST_new_null() SKM_sk_new_null(X509_TRUST)
@@ -1303,6 +1361,7 @@ STACK_OF(type) \
 #define sk_X509_TRUST_shift(st) SKM_sk_shift(X509_TRUST, (st))
 #define sk_X509_TRUST_pop(st) SKM_sk_pop(X509_TRUST, (st))
 #define sk_X509_TRUST_sort(st) SKM_sk_sort(X509_TRUST, (st))
+#define sk_X509_TRUST_is_sorted(st) SKM_sk_is_sorted(X509_TRUST, (st))

 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
 	SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
--- a/crypto/stack/stack.c
+++ b/crypto/stack/stack.c
@@ -331,3 +331,10 @@ void sk_sort(STACK *st)
 		st->sorted=1;
 		}
 	}
+
+int sk_is_sorted(const STACK *st)
+	{
+	if (!st)
+		return 1;
+	return st->sorted;
+	}
--- a/crypto/stack/stack.h
+++ b/crypto/stack/stack.h
@@ -99,6 +99,7 @@ int (*sk_set_cmp_func(STACK *sk, int (*c)(const char * const *,
 			(const char * const *, const char * const *);
 STACK *sk_dup(STACK *st);
 void sk_sort(STACK *st);
+int sk_is_sorted(const STACK *st);

 #ifdef  __cplusplus
 }
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -410,6 +410,7 @@ typedef struct X509_crl_info_st
 	ASN1_TIME *nextUpdate;
 	STACK_OF(X509_REVOKED) *revoked;
 	STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+	ASN1_ENCODING enc;
 	} X509_CRL_INFO;

 struct X509_crl_st
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -118,7 +118,7 @@ EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req)
 * used and there may be more: so the list is configurable.
 */

-static int ext_nid_list[] = { NID_ms_ext_req, NID_ext_req, NID_undef};
+static int ext_nid_list[] = { NID_ext_req, NID_ms_ext_req, NID_undef};

 static int *ext_nids = ext_nid_list;

@@ -143,32 +143,33 @@ void X509_REQ_set_extension_nids(int *nids)
 }

 STACK_OF(X509_EXTENSION) *X509_REQ_get_extensions(X509_REQ *req)
-{
+	{
 	X509_ATTRIBUTE *attr;
-	STACK_OF(X509_ATTRIBUTE) *sk;
 	ASN1_TYPE *ext = NULL;
-	int i;
+	int idx, *pnid;
 	unsigned char *p;
-	if ((req == NULL) || (req->req_info == NULL))
+
+	if ((req == NULL) || (req->req_info == NULL) || !ext_nids)
 		return(NULL);
-	sk=req->req_info->attributes;
-        if (!sk) return NULL;
-	for(i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
-		attr = sk_X509_ATTRIBUTE_value(sk, i);
-		if(X509_REQ_extension_nid(OBJ_obj2nid(attr->object))) {
-			if(attr->single) ext = attr->value.single;
-			else if(sk_ASN1_TYPE_num(attr->value.set))
-				ext = sk_ASN1_TYPE_value(attr->value.set, 0);
-			break;
+	for (pnid = ext_nids; *pnid != NID_undef; pnid++)
+		{
+		idx = X509_REQ_get_attr_by_NID(req, *pnid, -1);
+		if (idx == -1)
+			continue;
+		attr = X509_REQ_get_attr(req, idx);
+		if(attr->single) ext = attr->value.single;
+		else if(sk_ASN1_TYPE_num(attr->value.set))
+			ext = sk_ASN1_TYPE_value(attr->value.set, 0);
+		break;
 		}
-	}
-	if(!ext || (ext->type != V_ASN1_SEQUENCE)) return NULL;
+	if(!ext || (ext->type != V_ASN1_SEQUENCE))
+		return NULL;
 	p = ext->value.sequence->data;
 	return d2i_ASN1_SET_OF_X509_EXTENSION(NULL, &p,
 			ext->value.sequence->length,
 			d2i_X509_EXTENSION, X509_EXTENSION_free,
 			V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL);
-}
+	}

 /* Add a STACK_OF extensions to a certificate request: allow alternative OIDs
 * in case we want to create a non standard one.
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -627,6 +627,15 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
 	X509_EXTENSION *ext;
 	/* Look for serial number of certificate in CRL */
 	rtmp.serialNumber = X509_get_serialNumber(x);
+	/* Sort revoked into serial number order if not already sorted.
+	 * Do this under a lock to avoid race condition.
+ 	 */
+	if (!sk_X509_REVOKED_is_sorted(crl->crl->revoked))
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_X509_CRL);
+		sk_X509_REVOKED_sort(crl->crl->revoked);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509_CRL);
+		}
 	idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
 	/* If found assume revoked: want something cleverer than
 	 * this to handle entry extensions in V2 CRLs.
--- a/crypto/x509v3/ext_dat.h
+++ b/crypto/x509v3/ext_dat.h
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -60,7 +60,8 @@
 extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
 extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
 extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate, v3_cpols, v3_crld;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld;
 extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
 extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
 extern X509V3_EXT_METHOD v3_crl_hold;
@@ -89,6 +90,7 @@ static X509V3_EXT_METHOD *standard_exts[] = {
 &v3_akey_id,
 &v3_crld,
 &v3_ext_ku,
+&v3_delta_crl,
 &v3_crl_reason,
 #ifndef OPENSSL_NO_OCSP
 &v3_crl_invdate,
--- a/crypto/x509v3/v3_int.c
+++ b/crypto/x509v3/v3_int.c
@@ -3,7 +3,7 @@
 * project 1999.
 */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -61,9 +61,16 @@
 #include <openssl/x509v3.h>

 X509V3_EXT_METHOD v3_crl_num = { 
-NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
-0,0,0,0,
-(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-0,
-0,0,0,0, NULL};
+	NID_crl_number, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+	0,0,0,0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	0,
+	0,0,0,0, NULL};
+
+X509V3_EXT_METHOD v3_delta_crl = { 
+	NID_delta_crl, 0, ASN1_ITEM_ref(ASN1_INTEGER),
+	0,0,0,0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	0,
+	0,0,0,0, NULL};

--- a/demos/engines/rsaref/rsaref.c
+++ b/demos/engines/rsaref/rsaref.c
@@ -426,7 +426,7 @@ static int rsaref_private_encrypt(int len, const unsigned char *from, unsigned c
 	}
 	if (!RSAref_Private_eay2ref(rsa,&RSAkey))
 		goto err;
-	if ((i=RSAPrivateEncrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey)) != 0)
+	if ((i=RSAPrivateEncrypt(to,(unsigned int *)&outlen,(unsigned char *)from,len,&RSAkey)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSAREF_PRIVATE_ENCRYPT,i);
 		outlen= -1;
@@ -444,7 +444,7 @@ static int rsaref_public_decrypt(int len, const unsigned char *from, unsigned ch

 	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
 		goto err;
-	if ((i=RSAPublicDecrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey)) != 0)
+	if ((i=RSAPublicDecrypt(to,(unsigned int *)&outlen,(unsigned char *)from,len,&RSAkey)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSAREF_PUBLIC_DECRYPT,i);
 		outlen= -1;
@@ -481,7 +481,7 @@ static int rsaref_public_encrypt(int len, const unsigned char *from, unsigned ch

 	if (!RSAref_Public_eay2ref(rsa,&RSAkey))
 		goto err;
-	if ((i=RSAPublicEncrypt(to,(unsigned int)&outlen,(unsigned char *)from,len,&RSAkey,&rnd)) != 0)
+	if ((i=RSAPublicEncrypt(to,(unsigned int *)&outlen,(unsigned char *)from,len,&RSAkey,&rnd)) != 0)
 		{
 		RSAREFerr(RSAREF_F_RSAREF_PUBLIC_ENCRYPT,i);
 		outlen= -1;
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -86,7 +86,7 @@ versions of OpenSSL. Superseded by the B<-pass> argument.
 =item B<-kfile filename>

 read the password to derive the key from the first line of B<filename>.
-This is for computability with previous versions of OpenSSL. Superseded by
+This is for compatibility with previous versions of OpenSSL. Superseded by
 the B<-pass> argument.

 =item B<-S salt>
--- a/doc/crypto/BN_num_bytes.pod
+++ b/doc/crypto/BN_num_bytes.pod
@@ -16,8 +16,14 @@ BN_num_bits, BN_num_bytes, BN_num_bits_word - get BIGNUM size

 =head1 DESCRIPTION

-These functions return the size of a B<BIGNUM> in bytes or bits,
-and the size of an unsigned integer in bits.
+BN_num_bytes() returns the size of a B<BIGNUM> in bytes.
+
+BN_num_bits_word() returns the number of significant bits in a word.
+If we take 0x00000432 as an example, it returns 11, not 16, not 32.
+Basically, except for a zero, it returns I<floor(log2(w))+1>.
+
+BN_num_bits() returns the number of significant bits in a B<BIGNUM>,
+following the same principle as BN_num_bits_word().

 BN_num_bytes() is a macro.

@@ -25,9 +31,23 @@ BN_num_bytes() is a macro.

 The size.

+=head1 NOTES
+
+Some have tried using BN_num_bits() on individual numbers in RSA keys,
+DH keys and DSA keys, and found that they don't always come up with
+the number of bits they expected (something like 512, 1024, 2048,
+...).  This is because generating a number with some specific number
+of bits doesn't always set the highest bits, thereby making the number
+of I<significant> bits a little lower.  If you want to know the "key
+size" of such a key, either use functions like RSA_size(), DH_size()
+and DSA_size(), or use BN_num_bytes() and multiply with 8 (although
+there's no real guarantee that will match the "key size", just a lot
+more probability).
+
 =head1 SEE ALSO

-L<bn(3)|bn(3)>
+L<bn(3)|bn(3)>, L<DH_size(3)|DH_size(3)>, L<DSA_size(3)|DSA_size(3)>,
+L<RSA_size(3)|RSA_size(3)>

 =head1 HISTORY

--- a/doc/ssl/SSL_CTX_set_session_id_context.pod
+++ b/doc/ssl/SSL_CTX_set_session_id_context.pod
@@ -46,7 +46,8 @@ B<SSL_MAX_SSL_SESSION_ID_LENGTH>.

 =head1 WARNINGS

-If the session id context is not set on an SSL/TLS server, stored sessions
+If the session id context is not set on an SSL/TLS server and client
+certificates are used, stored sessions
 will not be reused but a fatal error will be flagged and the handshake
 will fail.

--- a/e_os.h
+++ b/e_os.h
@@ -515,7 +515,7 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #  define strncasecmp _strnicmp
 #elif defined(OPENSSL_SYS_VMS)
 /* VMS below version 7.0 doesn't have strcasecmp() */
-#  include <openssl/o_str.h>
+#  include "o_str.h"
 #  define strcasecmp OPENSSL_strcasecmp
 #  define strncasecmp OPENSSL_strncasecmp
 #elif defined(OPENSSL_SYS_OS2) && defined(__EMX__)
--- a/e_os2.h
+++ b/e_os2.h
@@ -189,6 +189,11 @@ extern "C" {
 # endif
 #endif

+/* --------------------------------- VOS ----------------------------------- */
+#ifdef OPENSSL_SYSNAME_VOS
+# define OPENSSL_SYS_VOS
+#endif
+
 /* ------------------------------- VxWorks --------------------------------- */
 #ifdef OPENSSL_SYSNAME_VXWORKS
 # define OPENSSL_SYS_VXWORKS
@@ -243,7 +248,7 @@ extern "C" {
 #define OPENSSL_EXTERN OPENSSL_IMPORT

 /* Macros to allow global variables to be reached through function calls when
-   required (if a shared library version requvres it, for example.
+   required (if a shared library version requires it, for example.
   The way it's done allows definitions like this:

 	// in foobar.c
@@ -253,9 +258,10 @@ extern "C" {
 	#define foobar OPENSSL_GLOBAL_REF(foobar)
 */
 #ifdef OPENSSL_EXPORT_VAR_AS_FUNCTION
-# define OPENSSL_IMPLEMENT_GLOBAL(type,name) static type _hide_##name; \
-        type *_shadow_##name(void) { return &_hide_##name; } \
-        static type _hide_##name
+# define OPENSSL_IMPLEMENT_GLOBAL(type,name)			     \
+	extern type _hide_##name;				     \
+	type *_shadow_##name(void) { return &_hide_##name; }	     \
+	static type _hide_##name
 # define OPENSSL_DECLARE_GLOBAL(type,name) type *_shadow_##name(void)
 # define OPENSSL_GLOBAL_REF(name) (*(_shadow_##name()))
 #else
--- a/fips/.cvsignore
+++ b/fips/.cvsignore
@@ -1 +1,4 @@
+lib
 Makefile.save
+fips_test_suite
+fips_test_suite.sha1
--- a/fips/Makefile
+++ b/fips/Makefile
@@ -25,7 +25,7 @@ CFLAGS= $(INCLUDE) $(CFLAG)

 LIBS=

-FDIRS=sha1 rand des aes dsa rsa
+FDIRS=sha1 rand des aes dsa rsa dh

 GENERAL=Makefile README fips-lib.com install.com

@@ -193,10 +193,4 @@ fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
 fips.o: fips_locl.h
-fips_err_wrapper.o: ../include/openssl/bio.h ../include/openssl/crypto.h
-fips_err_wrapper.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-fips_err_wrapper.o: ../include/openssl/fips.h ../include/openssl/lhash.h
-fips_err_wrapper.o: ../include/openssl/opensslconf.h
-fips_err_wrapper.o: ../include/openssl/opensslv.h
-fips_err_wrapper.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-fips_err_wrapper.o: ../include/openssl/symhacks.h fips_err.h fips_err_wrapper.c
+fips_err_wrapper.o: ../include/openssl/opensslconf.h fips_err_wrapper.c
--- a/fips/aes/.cvsignore
+++ b/fips/aes/.cvsignore
@@ -1,5 +1,2 @@
 lib
-fips_aesavs
-fips_aesavs.sha1
-testlist
 Makefile.save
--- a/fips/aes/Makefile
+++ b/fips/aes/Makefile
@@ -56,11 +56,13 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)

 install:
-	@for i in $(EXHEADER) ; \
-	do  \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
-	done;
+	@if test -n "$(EXHEADER)"; then \
+	  for i in $(EXHEADER) ; \
+	  do  \
+	    (cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+	    chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+	  done; \
+	fi

 tags:
 	ctags $(SRC)
--- a/fips/aes/fingerprint.sha1
+++ b/fips/aes/fingerprint.sha1
@@ -1,3 +1,3 @@
-HMAC-SHA1(fips_aes_core.c)= 979e9a3084dc8e15d9f222bf721e6faccf6bcd18
+HMAC-SHA1(fips_aes_core.c)= b70bbbd675efe0613da0d57055310926a0104d55
 HMAC-SHA1(fips_aes_selftest.c)= 98b01502221e7fe529fd981222f2cbb52eb4cbe0
 HMAC-SHA1(fips_aes_locl.h)= ded58f0cda8cb967dc5f5f3a860601c0b8744623
--- a/fips/aes/fips_aes_core.c
+++ b/fips/aes/fips_aes_core.c
@@ -727,18 +727,18 @@ static const u32 rcon[] = {
 /**
 * Expand the cipher key into the encryption key schedule.
 */
-int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
-			AES_KEY *key) {
+int AES_set_encrypt_key(const unsigned char *userKey,
+			const FIPS_AES_SIZE_T bits, AES_KEY *key) {

 	u32 *rk;
-   	int i = 0;
+	int i = 0;
 	u32 temp;

 	if (!userKey || !key)
 		return -1;
 	if (bits != 128 && bits != 192 && bits != 256)
 		return -2;
-	if(FIPS_selftest_fail)
+	if(FIPS_selftest_failed())
 		return -3;

 	rk = key->rd_key;
@@ -830,8 +830,8 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
 /**
 * Expand the cipher key into the decryption key schedule.
 */
-int AES_set_decrypt_key(const unsigned char *userKey, const int bits,
-			 AES_KEY *key) {
+int AES_set_decrypt_key(const unsigned char *userKey,
+	const FIPS_AES_SIZE_T bits, AES_KEY *key) {

        u32 *rk;
 	int i, j, status;
--- a/fips/aes/fips_aes_data/.cvsignore
+++ b/fips/aes/fips_aes_data/.cvsignore
@@ -1 +0,0 @@
-rsp
--- a/fips/aes/fips_aesavs.c
+++ b/fips/aes/fips_aesavs.c
@@ -1,8 +1,56 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
 /*---------------------------------------------
  NIST AES Algorithm Validation Suite
  Test Program

-  Copyright
+  Donated to OpenSSL by:
  V-ONE Corporation
  20250 Century Blvd, Suite 300
  Germantown, MD 20874
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Dr. Stephen Henson	bfb7bac83b	Updates for 0.9.7e release.	2004-10-25 11:24:39 +00:00
Dr. Stephen Henson	ac4fb4a138	Fix race condition.	2004-10-25 11:15:49 +00:00
Dr. Stephen Henson	75f7141ab4	make update	2004-10-25 00:04:22 +00:00
Dr. Stephen Henson	23a6dd83b5	Stop VC++ complaining...	2004-10-20 17:24:06 +00:00
Dr. Stephen Henson	450b38c05b	Update NEWS file.	2004-10-20 00:54:27 +00:00
Dr. Stephen Henson	0286cccbc1	Typo.	2004-10-20 00:48:15 +00:00
Richard Levitte	dc26d1193a	make update	2004-10-14 05:52:07 +00:00
Richard Levitte	64892df03e	We need to check for OPENSSL_FIPS when building shared libraries, so we get correct transfer vectors for those functions when required.	2004-10-14 05:51:15 +00:00
Richard Levitte	9e57ab615c	Because libraries on Windows lack useful version information, the zlib guys had to change the name to differentiate with older versions when a backward incompatibility came up. Of course, we need to adapt. This change simply tries to load the library through the newer name (ZLIB1) first, and if that fails, it tries the good old ZLIB.	2004-10-14 05:49:01 +00:00
Ben Laurie	b16fee0aa7	Update fingerprints.	2004-10-08 10:03:57 +00:00
Dr. Stephen Henson	70bfcc895e	Oops..	2004-10-04 17:28:57 +00:00
Dr. Stephen Henson	8de8bcbe2c	Fix race condition when CRL checking is enabled.	2004-10-04 16:27:36 +00:00
Dr. Stephen Henson	14e21742d5	Update debug-steve	2004-10-01 11:34:28 +00:00
Andy Polyakov	44963e4af7	Fix Solaris 10_x86 shared build. -Bsymbolic is required to avoid "remaining relocations" in assembler modules. The latter seems to be new behaviour, elder as/ld managed to resolve this relocations as internal. It's possible to address this problem differently, but I settle for -Bsymbolic... PR: 946	2004-09-28 20:52:14 +00:00
Richard Levitte	125a86113f	usr/doc has recently changed to usr/share/doc on Cygwin. Notified by Corinna Vinschen <vinschen@redhat.com>	2004-09-28 11:25:11 +00:00
Dr. Stephen Henson	d06db8ad9e	Check ASN1_TYPE structure type is a SEQUENCE in PKCS7_get_smimecap().	2004-09-15 23:38:45 +00:00
Dr. Stephen Henson	ffa8e7b74c	Oops, forgot to reorder extension request nids.	2004-09-13 22:39:49 +00:00
Dr. Stephen Henson	85e8decc16	ASN1_STRING_to_UTF8() assumed that the MBSTRING_* flags were of the form MBSTRING_FLAG\|nbyte where "nbyte" is the number of bytes per character. Unfortunately this isn't so and we can't change the #defines because this would break binary compatibility, so for 0.9.7X only translate between the two.	2004-09-13 22:30:31 +00:00
Richard Levitte	3216de1ee5	Makefile.ssl changed name to Makefile...	2004-09-11 09:45:41 +00:00
Dr. Stephen Henson	8f349c58f7	Stop warning.	2004-09-10 20:27:45 +00:00
Dr. Stephen Henson	cfafb6a73d	When looking for request extensions in a certificate look first for the PKCS#9 OID then the non standard MS OID.	2004-09-10 20:26:30 +00:00
Richard Levitte	818c0b2e42	num is an unsigned long, but since it was transfered from crypto/sha/sha_locl.h, where it is in fact an int, we need to check for less-than-zero as if it was an int...	2004-09-06 14:21:14 +00:00
Richard Levitte	aef8807e76	Replace the bogus checks of n with proper uses of feof(), ferror() and clearerr().	2004-09-06 14:19:59 +00:00
Andy Polyakov	4157fae6fe	Sync aes_ctr.c with HEAD.	2004-08-23 22:28:27 +00:00
Richard Levitte	15902f8341	'compatibility', not 'computability' :-)...	2004-08-18 15:48:22 +00:00
Richard Levitte	8bcd746e84	Another missing module in the VMS build files. I believe this is the last, though...	2004-08-11 20:34:12 +00:00
Richard Levitte	56fe40191d	Stupid casts...	2004-08-11 17:41:17 +00:00
Dr. Stephen Henson	97c802588c	Update FAQ.	2004-08-11 17:24:42 +00:00
Dr. Stephen Henson	8c172bce1c	Make ASN1_INTEGER_cmp() work as expected with negative integers.	2004-08-10 17:40:31 +00:00
Richard Levitte	4fa9664f5e	With DEC C in ANSI C mode, we need to define _XOPEN_SOURCE_EXTENDED to get struct timeval and gettimeofday().	2004-08-10 10:04:13 +00:00
Richard Levitte	483b312391	Update the VMS fips library builder with the DH library.	2004-08-10 09:11:07 +00:00
Richard Levitte	1033449613	make update	2004-08-10 09:09:08 +00:00
Richard Levitte	f992081682	Correct typos and include directory specifications.	2004-08-09 12:14:08 +00:00
Richard Levitte	5ad93a12b2	In the fips directory, we use FIPS-LIB.COM, not CRYPTO-LIB.COM...	2004-08-09 12:13:36 +00:00
Dr. Stephen Henson	efeb352163	In ca.c setup engine after autoconfig so any dynamic engines are visible.	2004-08-06 12:43:54 +00:00
Dr. Stephen Henson	44dd6865b9	Stop compiler giving bogus shadow warning.	2004-08-05 18:11:43 +00:00
Dr. Stephen Henson	bb82123707	Don't ignore return values of EVP_DigestInit_ex() in md BIOs and dgst.	2004-08-05 18:10:46 +00:00
Richard Levitte	eb7bb58471	Let's lock a write lock when changing values, shall we? Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk> for making me aware of this error.	2004-08-02 14:15:07 +00:00
Richard Levitte	7f9c37457a	To protect FIPS-related global variables, add locking mechanisms around them. NOTE: because two new locks are added, this adds potential binary incompatibility with earlier versions in the 0.9.7 series. However, those locks will only ever be touched when FIPS_mode_set() is called and after, thanks to a variable that's only changed from 0 to 1 once (when FIPS_mode_set() is called). So basically, as long as FIPS mode hasn't been engaged explicitely by the calling application, the new locks are treated as if they didn't exist at all, thus not becoming a problem. Applications that are built or rebuilt to use FIPS functionality will need to be recompiled in any case, thus not being a problem either.	2004-07-30 14:38:02 +00:00
Richard Levitte	86022a79a5	We're building crypto stuff, not ssl stuff. Additionally, we're in the fips subdirectory, not the crypto one...	2004-07-29 22:26:57 +00:00
Richard Levitte	88a8ae6aee	We build the crypto stuff, not the ssl stuff, in this command procedure...	2004-07-29 22:26:03 +00:00
Richard Levitte	b58e24ac57	Define OPENSSL_FIPS in opensslconf.h if a logical name with the same name is defined. Go up one directory level before dealing with FIPS stuff.	2004-07-28 13:47:58 +00:00
Richard Levitte	496c4e1033	From the FIPS directory, darnit!	2004-07-28 02:24:48 +00:00
Dr. Stephen Henson	0b948f3677	New cipher "strength" FIPS which specifies that a cipher suite is FIPS compatible. New cipherstring "FIPS" is all FIPS compatible ciphersuites except eNULL. Only allow FIPS ciphersuites in FIPS mode.	2004-07-27 18:28:49 +00:00
Richard Levitte	7f911c668d	Typo	2004-07-27 14:09:13 +00:00
Richard Levitte	e81ef01a0a	The compiler may complain about what looks like a double definition of a static variable	2004-07-27 13:58:25 +00:00
Dr. Stephen Henson	d2033156c5	Rename libcrypto.sha1 to libcrypto.a.sha1	2004-07-27 12:22:08 +00:00
Dr. Stephen Henson	e4c1c03c5b	Add FIPS name to error library.	2004-07-27 00:20:41 +00:00
Dr. Stephen Henson	5edd0f51e3	Stop compiler warnings.	2004-07-27 00:17:46 +00:00
Andy Polyakov	1ecb88b95a	Add casts where casts due. It's "safe" to cast, because "wrong" casts will either be optimized away or never performed. The trouble is that compiler first parses code, then optimizes, not both at once...	2004-07-24 13:40:47 +00:00
Ben Laurie	03ecfadf3d	Convert to X9.31.	2004-07-23 13:20:32 +00:00
Andy Polyakov	64c6865427	Proper WinCE support for listing files. "Backported" from HEAD.	2004-07-22 16:39:48 +00:00
Dr. Stephen Henson	43894f9c0d	When in FIPS mode write private keys in PKCS#8 and PBES2 format to avoid use of prohibited MD5 algorithm.	2004-07-21 17:41:26 +00:00
Dr. Stephen Henson	40007ad24d	Avoid compiler warnings.	2004-07-21 17:35:49 +00:00
Andy Polyakov	c6e27dcf31	Make rand_win.c UNICODE savvy. "Backport" from HEAD.	2004-07-21 17:18:53 +00:00
Richard Levitte	a47e836efe	Since version 7.0, The C RTL in VMS handles time in terms of UTC instead of local time.	2004-07-19 07:49:47 +00:00
Andy Polyakov	370358dfb4	Sync with HEAD. Up to >20% overall performance improvement.	2004-07-17 13:27:38 +00:00
Andy Polyakov	a77b16abd4	IA-64 is intolerant to misaligned access. It was a problem on Win64 as we were mislead by _MSC_VER macro, which is defined by all Windows Microsoft compilers.	2004-07-17 12:54:54 +00:00
Andy Polyakov	061c8f977d	Eliminate enforced -g from CFLAGS. It switches off optimization with some compilers, e.g. DEC C.	2004-07-17 12:48:35 +00:00
Ben Laurie	d70f5891da	Corrected test program.	2004-07-12 17:59:50 +00:00
Richard Levitte	901959c945	I think it could be a good thing to know what went wrong with the tests...	2004-07-12 12:25:56 +00:00
Bodo Möller	a857495d17	improve wording	2004-07-12 06:24:21 +00:00
Bodo Möller	b1640e47e4	BIS correction/addition	2004-07-11 09:29:41 +00:00
Richard Levitte	5358bc44f4	o_str.c: Windows doesn't have <strings.h>, and since we use _strnicmp() and _stricmp() on that platform, use the appropriate header file for it, <string.h>. o_str.h: we only want to get size_t, which is defined in <stddef.h>. Philippe Bougeret <philippe.bougeret@freesbee.fr> notified us about Windows not having a <strings.h>	2004-07-08 08:32:51 +00:00
Dr. Stephen Henson	a7f14cb4c6	Delta CRL support in extension code.	2004-07-06 17:26:33 +00:00
Dr. Stephen Henson	531b538df5	Ooops, missed part of PKCS#8 patch.	2004-07-06 17:25:11 +00:00
Dr. Stephen Henson	49ede900fa	Fix memory leak.	2004-07-04 16:36:58 +00:00
Dr. Stephen Henson	7c6cf1b176	Don't try to parse none string types.	2004-07-01 18:50:12 +00:00
Richard Levitte	fa5cea169a	Explain a little better what BN_num_bits() and BN_num_bits_word() do. Add a note as to how these functions do not always return the key size, and how one can deal with that. PR: 907	2004-07-01 12:33:44 +00:00
Richard Levitte	83f22920c2	Changes for VOS, submitted by Paul Green <Paul.Green@stratus.com>. PR: 499	2004-06-28 22:01:07 +00:00
Richard Levitte	bec15f2109	Make sure the FIPS stuff is only really compiled when in FIPS mode.	2004-06-28 20:33:35 +00:00
Richard Levitte	43c0d77296	Make the tests of EVP operations without padding. As a consequence, there's no need for a larger BUFSIZE any more... PR: 904	2004-06-28 16:32:14 +00:00
Richard Levitte	46b7624b8e	Make sure that the buffers are large enough to contain padding. PR: 904	2004-06-28 12:23:40 +00:00
Richard Levitte	9e356100d0	Linux on ARM needs -ldl PR: 905	2004-06-28 10:31:09 +00:00
Dr. Stephen Henson	7ca482062f	Memory leak fixes from main branch.	2004-06-24 13:05:50 +00:00
Dr. Stephen Henson	ef4c5802ec	Reformat source for pkcs8.c	2004-06-24 12:54:38 +00:00
Dr. Stephen Henson	fee38dcb9a	Return an error if an attempt is made to encode or decode cipher ASN1 parameters and the cipher doesn't support it.	2004-06-24 12:31:48 +00:00
Dr. Stephen Henson	c116de76ad	Include <string.h> to get definition of strcmp.	2004-06-24 12:12:43 +00:00
Richard Levitte	6069bdbe27	Standard sh doesn't tolerate ! as part of the conditional command. PR: 900	2004-06-21 18:05:53 +00:00
Richard Levitte	871fe9107d	Make sure we don't try to loop over an empty EXHEADER. In the Makefiles where this was fixed by commenting away code, change it to check for an empty EXHEADER instead, so we have less hassle in a future where EXHEADER changes. PR: 900	2004-06-21 09:07:41 +00:00
Ben Laurie	2663f39ff9	Add primality tester.	2004-06-19 13:54:59 +00:00
Ben Laurie	9f0856208b	Make make tags make tags.	2004-06-19 13:32:28 +00:00
Ben Laurie	fb4de3deed	Update ignores.	2004-06-19 13:18:01 +00:00
Ben Laurie	4d4716dc03	Add Diffie-Hellman to FIPS.	2004-06-19 13:16:51 +00:00
Ben Laurie	b5e4469150	The version that was actually submitted for FIPS testing.	2004-06-19 13:15:35 +00:00
Richard Levitte	3e00d6c4bb	Typo, setting the first element of nids[] to NULL instead of setting *cnids.	2004-06-15 11:46:06 +00:00
Lutz Jänicke	5e86220660	More precise explanation of session id context requirements.	2004-06-14 13:26:47 +00:00
Richard Levitte	4313847660	Make sure o_str.h is reachable.	2004-05-27 10:19:04 +00:00
Richard Levitte	3844adbf58	Run an installation of FIPS stuff as well.	2004-05-27 10:07:04 +00:00
Richard Levitte	d8e2073449	Compile the FIPS directory on VMS as well. fips-lib.com is essentially a copy of crypto-lib.com, with just a few edits.	2004-05-27 10:04:40 +00:00
Richard Levitte	e9f7ebd674	Copy the FIPS files to the temporary openssl include directory.	2004-05-27 09:33:10 +00:00
Richard Levitte	5affe206e1	Define FIPS_*_SIZE_T for AES, DSA and RSA as well, in preparation for size_t-ification of those algorithms in future version of OpenSSL...	2004-05-19 14:16:33 +00:00
Andy Polyakov	1f4eccaaa5	Make reservations in FIPS code for upcoming size_t-fication of OpenSSL API. And couple of bug-fixes in fips/rand code [return without lock release and incorrect return value in fips_rand_bytes].	2004-05-17 15:37:26 +00:00
Richard Levitte	07bf82a71d	Typo corretced.	2004-05-17 04:47:26 +00:00
Richard Levitte	43d6233a22	Rewrite the usage to avoid confusion.	2004-05-17 04:40:49 +00:00
Richard Levitte	736ce650c6	Make it possible for the user to choose the digest used to create the key.	2004-05-17 04:39:00 +00:00
Richard Levitte	a8bb3d0e15	When in FIPS mode, use SHA1 to digest the key, rather than MD5, as MD5 isn't a FIPS-approved algorithm. Note: this means the user needs to keep track of this, and we need to add support for that...	2004-05-17 04:31:14 +00:00
Richard Levitte	f27a152f69	Make sure the applications know when we are running in FIPS mode. We can't use the variable in libcrypto, since it's supposedly unknown. Note: currently only supported in MONOLITH mode.	2004-05-17 04:30:06 +00:00
Richard Levitte	63d494b22c	Generate SHA1 files on Windows and other platforms supported by mk1mf.pl, when building in FIPS mode. Note: UNTESTED!	2004-05-17 04:28:31 +00:00
Ben Laurie	9ac9a29407	Fix self-tests, ban some things in FIPS mode, fix copyrights.	2004-05-15 17:51:26 +00:00
Dr. Stephen Henson	bdb4a7e092	Fixes so alerts are sent properly in s3_pkt.c PR: 851	2004-05-15 17:46:50 +00:00
Ben Laurie	0163602573	Check error returns.	2004-05-15 16:39:23 +00:00
Richard Levitte	bac2e26a9e	Reimplement old functions, so older software that link to libcrypto don't crash and burn.	2004-05-14 17:55:59 +00:00
Richard Levitte	10eae14f9b	All EVP__cfb functions have changed names to EVP__cfb64 or EVP_*_cfb128.	2004-05-14 17:54:18 +00:00
Richard Levitte	745c7356c2	make update	2004-05-13 22:41:01 +00:00
Richard Levitte	e31c121315	o_str.h is not an exported header.	2004-05-13 22:40:40 +00:00
Richard Levitte	dbf2ac31c9	Synchronise o_str.c between 0.9.8-dev and 0.9.7-stable.	2004-05-13 22:40:08 +00:00
Richard Levitte	4108d365bf	make update	2004-05-13 21:38:37 +00:00
Richard Levitte	03ef2c333c	Let's make life easier and have the VMS version of the configuration be generated from the Unixly configuration file.	2004-05-13 21:38:23 +00:00
Dr. Stephen Henson	7922ba2feb	Make self signing option of 'x509' use random serial numbers too.	2004-05-12 18:20:57 +00:00
Dr. Stephen Henson	d94b22235f	Fix memory leak.	2004-05-12 17:53:22 +00:00
Ben Laurie	72d75ee206	Blow up in people's faces if they don't reseed.	2004-05-12 14:11:10 +00:00
Richard Levitte	49bc4c1023	make update	2004-05-12 10:17:15 +00:00
Richard Levitte	0e92f7738a	Forgot to update the Makefile with the o_str stuff...	2004-05-12 10:17:02 +00:00
Richard Levitte	d529f2a8f7	The functions OPENSSL_strcasen?cmp() were forgotten when merging the FIPS branch into this. It's needed at least for certain OpenVMS versions, and should really be used in a more general way.	2004-05-12 10:09:00 +00:00
Richard Levitte	141a64faff	Ignore 'Makefile.save'	2004-05-12 10:07:20 +00:00
Richard Levitte	035dcd3724	Ignore the 'lib' timestamp file.	2004-05-12 08:46:43 +00:00
Richard Levitte	3e9c37a386	I forgot to modify the signature for fips_rand.c...	2004-05-12 08:42:55 +00:00
Richard Levitte	00a59641ee	Only really build this file when OPENSSL_FIPS is defined. And oh, let's keep internal variables static.	2004-05-12 08:28:51 +00:00
Richard Levitte	90cce79346	Makefile.ssl changed name to Makefile.	2004-05-12 08:28:00 +00:00
Richard Levitte	4eeaf52ed9	Only check for FIPS signatures when FIPS is enabled.	2004-05-12 08:27:38 +00:00
Ben Laurie	3642f632d3	Pull FIPS back into stable.	2004-05-11 12:46:24 +00:00
Richard Levitte	aaa16d0001	Remove the creation of $(INSTALL_PREFIX)$(OPENSSLDIR)/lib, since we don't use it. Notified by Frédéric L. W. Meunier <0@pervalidus.tk> in PR 713	2004-05-06 09:46:48 +00:00
Richard Levitte	3b8ba6b610	When the pointer 'from' changes, it's stored length needs to change as well. Notified by Frank Kardel <kardel@acm.org> in PR 879.	2004-05-06 09:31:31 +00:00
Bodo Möller	535aef9def	update from current 0.9.6-stable CHANGES file	2004-05-04 01:08:33 +00:00
Dr. Stephen Henson	6e308baf5a	Fix memory leak. PR:870	2004-04-22 12:33:03 +00:00
Dr. Stephen Henson	5a9d2d9081	Port the random serial number generation to 0.9.7-stable. Due to the changes in CA.pl in 0.9.8 (use of -self_sign) a slightly different technique is used to ensure that 'ca' uses the next serial number. It now initializes the serial number using 'openssl x509 -next_serial'.	2004-04-22 12:19:48 +00:00
Geoff Thorpe	688791b22b	Extend the index parameter checking from sk_value to sk_set(). Also tidy up some similar code elsewhere. Thanks to Francesco Petruzzi for bringing this to my attention.	2004-04-21 15:09:25 +00:00
Dr. Stephen Henson	8e94e99ccb	Clear error if unique_subject lookup fails.	2004-04-15 00:33:24 +00:00
Dr. Stephen Henson	e20db94948	Add some root CAs.	2004-04-13 17:49:05 +00:00