This commit was manufactured by cvs2svn to create tag 'OpenSSL_0_9_7m'.

Use date in README.
Update to next dev version.
2007-02-23 12:49:10 +00:00 · 2007-02-23 12:49:09 +00:00 · 2007-02-23 12:35:48 +00:00 · 2007-02-23 12:17:03 +00:00 · 2007-02-23 12:07:21 +00:00 · 2007-02-23 00:59:28 +00:00
51 changed files with 902 additions and 1843 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -13,7 +13,6 @@ cctest
 cctest.c
 cctest.a
 libcrypto.so.*
-libfips.so.*
 libssl.so.*
 libcrypto.sha1
 libcrypto.a.sha1
--- a/28
+++ b/28
@@ -2,33 +2,7 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx]
-
-  *) Replace FIPS PRNG with AES based version based on ANSI X9.31 A.2.4 .
-     This supports larger keys (up to 256 bits) and large seeding and DT
-     vectors (128 bits each). Update tests for modified PRNG.
-     [Steve Henson]
-
-  *) FIPS portability patches.
-     [Brad House <brad@mainstreetsoftworks.com>]
-
-  *) Move error strings for remaing libraries into separate files to avoid 
-     unnecessary dependencies for fipscanister.o which doesn't require the
-     loading of error strings.
-     [Steve Henson]
-
-  *) New build option fipsdso to link fipscanister.o into a DSO called 
-     libfips.so and modify build system to link against it. Preliminary changes
-     to VC++ build system to accomodate fipsdso.
-     [Steve Henson]
-
-  *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated
-     DigestInfo encodings and thus avoids all ASN1 library dependencies. Update
-     FIPS digests to use new functions. Remove large numbers of obsolete 
-     dependencies from fipscanister.o
-     [Steve Henson]
-
- Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]
+ Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]

  *) Cleanse PEM buffers before freeing them since they may contain 
     sensitive data.
--- a/32
+++ b/32
@@ -460,14 +460,13 @@ my %table=(
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"sco6-cc",  "cc:-O::-Kpthread::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+

 # IBM's AIX.
 "aix3-cc",    "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix-gcc",    "gcc:-O3 -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:",
 "aix-cc",     "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
 "aix64-cc",   "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
-"aix64-gcc",   "gcc:-maix64 -O -DB_ENDIAN::-D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-maix64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",

 #
 # Cray T90 and similar (SDSC)
@@ -624,7 +623,6 @@ my $exe_ext="";
 my $install_prefix="";
 my $fipslibdir="/usr/local/ssl/lib/";
 my $nofipscanistercheck=0;
-my $fipsdso=0;
 my $fipscanisterinternal="n";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
@@ -847,25 +845,15 @@ PROCESS_ARGS:
 			}
 		elsif (/^nofipscanistercheck$/)
 			{
-			$fips = 1;
 			$nofipscanistercheck = 1;
 			}
 		elsif (/^fipscanisterbuild$/)
 			{
-			$fips = 1;
+			$fips=1;
 			$nofipscanistercheck = 1;
 			$fipslibdir="";
 			$fipscanisterinternal="y";
 			}
-		elsif (/^fipsdso$/)
-			{
-			$fips = 1;
-			$nofipscanistercheck = 1;
-			$fipslibdir="";
-			$fipscanisterinternal="y";
-			$fipsdso = 1;
-			$no_shared = 0;
-			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/)
@@ -992,8 +980,6 @@ print "Configuring for $target\n";

 my $IsWindows=scalar grep /^$target$/,@WinTargets;

-$no_shared = 1 if ($IsWindows && $fipsdso);
-
 $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
 $exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
@@ -1371,24 +1357,12 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
-	if ($fipsdso)
-		{
-		s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
-		s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
-		s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
-		}
-	else
-		{
-		s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/;
-		s/^SHARED_FIPS=.*/SHARED_FIPS=/;
-		s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
-		}
 	s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
-	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared);
+	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
--- a/2
+++ b/2
@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7l was released on September 28, 2006.
+OpenSSL 0.9.7m was released on Feb 23rd, 2007.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
--- a/Makefile.org
+++ b/Makefile.org
@@ -66,7 +66,6 @@ EX_LIBS=
 EXE_EXT= 
 ARFLAGS=
 AR=ar $(ARFLAGS) r
-ARD=ar $(ARFLAGS) d
 RANLIB= ranlib
 PERL= perl
 TAR= tar
@@ -186,7 +185,6 @@ LIBZLIB=

 FIPSLIBDIR=/usr/local/ssl/lib/
 FIPSCANISTERINTERNAL=n
-FIPSCANLIB=

 # Shared library base address. Currently only used on Windows.
 #
@@ -198,7 +196,7 @@ BASEADDR=
 SHLIB_MARK=

 DIRS=   crypto fips-1.0 ssl $(SHLIB_MARK) apps test tools
-SHLIBDIRS= crypto ssl fips
+SHLIBDIRS= crypto ssl

 # dirs in crypto to build
 SDIRS=  objects \
@@ -229,7 +227,6 @@ WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_FIPS=
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
@@ -252,7 +249,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -269,15 +266,9 @@ sub_target:
 	fi; \
 	done;

-libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
+libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
-			$(ARD) libcrypto.a fipscanister.o ; \
-			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
-			$(AR) libcrypto.a fips-1.0/fipscanister.o ; \
-		else \
-			$(MAKE) SHLIBDIRS='crypto' build-shared; \
-		fi \
+		$(MAKE) SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
@@ -289,13 +280,6 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi

-libfips$(SHLIB_EXT):
-	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=fips build-shared; \
-	else \
-		echo "There's no support for shared libraries on this platform" >&2; \
-	fi
-
 clean-shared:
 	@for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
--- a/5
+++ b/5
@@ -5,6 +5,11 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+
+      o FIPS 1.1.1 module linking.
+      o Various ciphersuite selection fixes.
+
  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:

      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
--- a/2
+++ b/2
@@ -1,5 +1,5 @@

- OpenSSL 0.9.7m-dev xx XXX xxxx
+ OpenSSL 0.9.7m 23 Feb 2007

 Copyright (c) 1998-2007 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/4
+++ b/4
@@ -1,15 +1,17 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2006/09/28 11:56:56 $
+  ______________                           $Date: 2007/02/23 12:07:19 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
    o  OpenSSL 0.9.8d: Released on September 28th, 2006
    o  OpenSSL 0.9.8c: Released on September  5th, 2006
    o  OpenSSL 0.9.8b: Released on May        4th, 2006
    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
    o  OpenSSL 0.9.7l: Released on September 28th, 2006
    o  OpenSSL 0.9.7k: Released on September  5th, 2006
    o  OpenSSL 0.9.7j: Released on May        4th, 2006
--- a/34
+++ b/34
@@ -1652,7 +1652,7 @@ $arflags      =

 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1677,7 +1677,7 @@ $arflags      =

 *** debug-levitte-linux-elf-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1702,7 +1702,7 @@ $arflags      =

 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1727,7 +1727,7 @@ $arflags      =

 *** debug-levitte-linux-noasm-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1802,7 +1802,7 @@ $arflags      =

 *** debug-linux-pentium
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1827,7 +1827,7 @@ $arflags      =

 *** debug-linux-ppro
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=pentiumpro -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1952,7 +1952,7 @@ $arflags      =

 *** debug-solaris-sparcv9-gcc
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -march=ultrasparc -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1977,7 +1977,7 @@ $arflags      =

 *** debug-steve
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -march=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2002,7 +2002,7 @@ $arflags      =

 *** debug-steve-linux-pseudo64
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -march=i486 -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3127,7 +3127,7 @@ $arflags      =

 *** linux-k6
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=k6 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3252,7 +3252,7 @@ $arflags      =

 *** linux-pentium
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3327,7 +3327,7 @@ $arflags      =

 *** linux-ppro
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=pentiumpro -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3452,7 +3452,7 @@ $arflags      =

 *** linux-sparcv9
 $cc           = gcc
-$cflags       = -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W
+$cflags       = -march=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -3502,7 +3502,7 @@ $arflags      =

 *** linux64-sparcv9
 $cc           = gcc
-$cflags       = -m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$cflags       = -m64 -march=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -3977,7 +3977,7 @@ $arflags      =

 *** solaris-sparcv9-gcc
 $cc           = gcc
-$cflags       = -m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
+$cflags       = -m32 -march=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -4102,7 +4102,7 @@ $arflags      =

 *** solaris64-sparcv9-gcc
 $cc           = gcc
-$cflags       = -m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN
+$cflags       = -m64 -march=ultrasparc -O3 -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -4127,7 +4127,7 @@ $arflags      =

 *** solaris64-sparcv9-gcc31
 $cc           = gcc
-$cflags       = -mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
+$cflags       = -march=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -35,8 +35,8 @@ GENERAL=Makefile README crypto-lib.com install.com

 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c fips_err.c
-LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o fips_err.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o

 SRC= $(LIBSRC)

@@ -185,7 +185,6 @@ ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
 ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 ex_data.o: ../include/openssl/symhacks.h cryptlib.h ex_data.c
-fips_err.o: ../include/openssl/opensslconf.h fips_err.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -170,7 +170,7 @@ static int do_buf(unsigned char *buf, int buflen,
 	q = buf + buflen;
 	outlen = 0;
 	while(p != q) {
-		if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
+		if(p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253;
 		else orflags = 0;
 		switch(type & BUF_TYPE_WIDTH_MASK) {
 			case 4:
@@ -195,7 +195,7 @@ static int do_buf(unsigned char *buf, int buflen,
 			p += i;
 			break;
 		}
-		if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
+		if (p == q && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_LAST_ESC_2253;
 		if(type & BUF_TYPE_CONVUTF8) {
 			unsigned char utfbuf[6];
 			int utflen;
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -210,8 +210,8 @@ void ERR_load_DH_strings(void);

 /* Reason codes. */
 #define DH_R_BAD_GENERATOR				 101
-#define DH_R_MODULUS_TOO_LARGE				 103
 #define DH_R_NO_PRIVATE_VALUE				 100
+#define DH_R_MODULUS_TOO_LARGE                           103

 #ifdef  __cplusplus
 }
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -82,7 +82,7 @@ static ERR_STRING_DATA DH_str_functs[]=
 static ERR_STRING_DATA DH_str_reasons[]=
 	{
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
-{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
+{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},               
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
 	};
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -294,15 +294,6 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
 	return(translated);
 	}

-/* This section uses dladdr() which appears to be a GNU extension, though
- * some other OS's have adopted it.  Specifically, AIX4, AIX5, and SCO5
- * do not support dladdr().
- * No reference to DSO_pathbyaddr() is made, and appears to be a function
- * which was added during construction of FIPS support in OpenSSL.  It appears
- * that it has been replaced by FIPS_ref_point() in fipscanister.c
- * Removing the below code fixes compile-time issues on the afore-mentioned
- * OS's */
-#ifdef DEADBEEF_0
 #ifdef OPENSSL_FIPS
 static void dlfcn_ref_point(){}

@@ -331,6 +322,4 @@ int DSO_pathbyaddr(void *addr,char *path,int sz)
 	return -1;
 	}
 #endif
-#endif /* DEADBEEF_0 */
-
 #endif /* DSO_DLFCN */
--- a/crypto/err/Makefile
+++ b/crypto/err/Makefile
@@ -22,8 +22,8 @@ TEST=
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=err.c err_all.c err_prn.c err_str.c
-LIBOBJ=err.o err_all.o err_prn.o err_str.o
+LIBSRC=err.c err_all.c err_prn.c
+LIBOBJ=err.o err_all.o err_prn.o

 SRC= $(LIBSRC)

@@ -116,10 +116,3 @@ err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 err_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 err_prn.o: ../cryptlib.h err_prn.c
-err_str.o: ../../e_os.h ../../include/openssl/bio.h
-err_str.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-err_str.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-err_str.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-err_str.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-err_str.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-err_str.o: ../cryptlib.h err_str.c
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -122,6 +122,99 @@
 static void err_load_strings(int lib, ERR_STRING_DATA *str);

 static void ERR_STATE_free(ERR_STATE *s);
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ERR_str_libraries[]=
+	{
+{ERR_PACK(ERR_LIB_NONE,0,0)		,"unknown library"},
+{ERR_PACK(ERR_LIB_SYS,0,0)		,"system library"},
+{ERR_PACK(ERR_LIB_BN,0,0)		,"bignum routines"},
+{ERR_PACK(ERR_LIB_RSA,0,0)		,"rsa routines"},
+{ERR_PACK(ERR_LIB_DH,0,0)		,"Diffie-Hellman routines"},
+{ERR_PACK(ERR_LIB_EVP,0,0)		,"digital envelope routines"},
+{ERR_PACK(ERR_LIB_BUF,0,0)		,"memory buffer routines"},
+{ERR_PACK(ERR_LIB_OBJ,0,0)		,"object identifier routines"},
+{ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
+{ERR_PACK(ERR_LIB_DSA,0,0)		,"dsa routines"},
+{ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
+{ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
+{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
+{ERR_PACK(ERR_LIB_CRYPTO,0,0)		,"common libcrypto routines"},
+{ERR_PACK(ERR_LIB_EC,0,0)		,"elliptic curve routines"},
+{ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
+{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
+{ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
+{ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
+{ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
+{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
+{ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
+{ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
+{ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
+{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_functs[]=
+	{
+	{ERR_PACK(0,SYS_F_FOPEN,0),     	"fopen"},
+	{ERR_PACK(0,SYS_F_CONNECT,0),		"connect"},
+	{ERR_PACK(0,SYS_F_GETSERVBYNAME,0),	"getservbyname"},
+	{ERR_PACK(0,SYS_F_SOCKET,0),		"socket"}, 
+	{ERR_PACK(0,SYS_F_IOCTLSOCKET,0),	"ioctlsocket"},
+	{ERR_PACK(0,SYS_F_BIND,0),		"bind"},
+	{ERR_PACK(0,SYS_F_LISTEN,0),		"listen"},
+	{ERR_PACK(0,SYS_F_ACCEPT,0),		"accept"},
+#ifdef OPENSSL_SYS_WINDOWS
+	{ERR_PACK(0,SYS_F_WSASTARTUP,0),	"WSAstartup"},
+#endif
+	{ERR_PACK(0,SYS_F_OPENDIR,0),		"opendir"},
+	{ERR_PACK(0,SYS_F_FREAD,0),		"fread"},
+	{ERR_PACK(0,SYS_F_GETADDRINFO,0),	"getaddrinfo"},
+	{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_reasons[]=
+	{
+{ERR_R_SYS_LIB				,"system lib"},
+{ERR_R_BN_LIB				,"BN lib"},
+{ERR_R_RSA_LIB				,"RSA lib"},
+{ERR_R_DH_LIB				,"DH lib"},
+{ERR_R_EVP_LIB				,"EVP lib"},
+{ERR_R_BUF_LIB				,"BUF lib"},
+{ERR_R_OBJ_LIB				,"OBJ lib"},
+{ERR_R_PEM_LIB				,"PEM lib"},
+{ERR_R_DSA_LIB				,"DSA lib"},
+{ERR_R_X509_LIB				,"X509 lib"},
+{ERR_R_ASN1_LIB				,"ASN1 lib"},
+{ERR_R_CONF_LIB				,"CONF lib"},
+{ERR_R_CRYPTO_LIB			,"CRYPTO lib"},
+{ERR_R_EC_LIB				,"EC lib"},
+{ERR_R_SSL_LIB				,"SSL lib"},
+{ERR_R_BIO_LIB				,"BIO lib"},
+{ERR_R_PKCS7_LIB			,"PKCS7 lib"},
+{ERR_R_X509V3_LIB			,"X509V3 lib"},
+{ERR_R_PKCS12_LIB			,"PKCS12 lib"},
+{ERR_R_RAND_LIB				,"RAND lib"},
+{ERR_R_DSO_LIB				,"DSO lib"},
+{ERR_R_ENGINE_LIB			,"ENGINE lib"},
+{ERR_R_OCSP_LIB				,"OCSP lib"},
+
+{ERR_R_NESTED_ASN1_ERROR		,"nested asn1 error"},
+{ERR_R_BAD_ASN1_OBJECT_HEADER		,"bad asn1 object header"},
+{ERR_R_BAD_GET_ASN1_OBJECT_CALL		,"bad get asn1 object call"},
+{ERR_R_EXPECTING_AN_ASN1_SEQUENCE	,"expecting an asn1 sequence"},
+{ERR_R_ASN1_LENGTH_MISMATCH		,"asn1 length mismatch"},
+{ERR_R_MISSING_ASN1_EOS			,"missing asn1 eos"},
+
+{ERR_R_FATAL                            ,"fatal"},
+{ERR_R_MALLOC_FAILURE			,"malloc failure"},
+{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
+{ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
+{ERR_R_INTERNAL_ERROR			,"internal error"},
+
+{0,NULL},
+	};
+#endif
+

 /* Define the predeclared (but externally opaque) "ERR_FNS" type */
 struct st_ERR_FNS
@@ -435,6 +528,71 @@ static int int_err_get_next_lib(void)
 	}


+#ifndef OPENSSL_NO_ERR
+#define NUM_SYS_STR_REASONS 127
+#define LEN_SYS_STR_REASON 32
+
+static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
+/* SYS_str_reasons is filled with copies of strerror() results at
+ * initialization.
+ * 'errno' values up to 127 should cover all usual errors,
+ * others will be displayed numerically by ERR_error_string.
+ * It is crucial that we have something for each reason code
+ * that occurs in ERR_str_reasons, or bogus reason strings
+ * will be returned for SYSerr(), which always gets an errno
+ * value and never one of those 'standard' reason codes. */
+
+static void build_SYS_str_reasons()
+	{
+	/* OPENSSL_malloc cannot be used here, use static storage instead */
+	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+	int i;
+	static int init = 1;
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+	if (!init)
+		{
+		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+		return;
+		}
+	
+	CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+	if (!init)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+		return;
+		}
+
+	for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
+		{
+		ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
+
+		str->error = (unsigned long)i;
+		if (str->string == NULL)
+			{
+			char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
+			char *src = strerror(i);
+			if (src != NULL)
+				{
+				strncpy(*dest, src, sizeof *dest);
+				(*dest)[sizeof *dest - 1] = '\0';
+				str->string = *dest;
+				}
+			}
+		if (str->string == NULL)
+			str->string = "unknown";
+		}
+
+	/* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
+	 * as required by ERR_load_strings. */
+
+	init = 0;
+	
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+	}
+#endif
+
 #define err_clear_data(p,i) \
 	if (((p)->err_data[i] != NULL) && \
 		(p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
@@ -458,6 +616,18 @@ static void ERR_STATE_free(ERR_STATE *s)
 	OPENSSL_free(s);
 	}

+void ERR_load_ERR_strings(void)
+	{
+	err_fns_check();
+#ifndef OPENSSL_NO_ERR
+	err_load_strings(0,ERR_str_libraries);
+	err_load_strings(0,ERR_str_reasons);
+	err_load_strings(ERR_LIB_SYS,ERR_str_functs);
+	build_SYS_str_reasons();
+	err_load_strings(ERR_LIB_SYS,SYS_str_reasons);
+#endif
+	}
+
 static void err_load_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
@@ -471,7 +641,7 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str)

 void ERR_load_strings(int lib, ERR_STRING_DATA *str)
 	{
-	err_fns_check();
+	ERR_load_ERR_strings();
 	err_load_strings(lib, str);
 	}

--- a/crypto/err/err_str.c
+++ b/crypto/err/err_str.c
@@ -1,296 +0,0 @@
-/* crypto/err/err_str.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-#include <openssl/lhash.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/buffer.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-
-
-#ifndef OPENSSL_NO_ERR
-static ERR_STRING_DATA ERR_str_libraries[]=
-	{
-{ERR_PACK(ERR_LIB_NONE,0,0)		,"unknown library"},
-{ERR_PACK(ERR_LIB_SYS,0,0)		,"system library"},
-{ERR_PACK(ERR_LIB_BN,0,0)		,"bignum routines"},
-{ERR_PACK(ERR_LIB_RSA,0,0)		,"rsa routines"},
-{ERR_PACK(ERR_LIB_DH,0,0)		,"Diffie-Hellman routines"},
-{ERR_PACK(ERR_LIB_EVP,0,0)		,"digital envelope routines"},
-{ERR_PACK(ERR_LIB_BUF,0,0)		,"memory buffer routines"},
-{ERR_PACK(ERR_LIB_OBJ,0,0)		,"object identifier routines"},
-{ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
-{ERR_PACK(ERR_LIB_DSA,0,0)		,"dsa routines"},
-{ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
-{ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
-{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
-{ERR_PACK(ERR_LIB_CRYPTO,0,0)		,"common libcrypto routines"},
-{ERR_PACK(ERR_LIB_EC,0,0)		,"elliptic curve routines"},
-{ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
-{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
-{ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
-{ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
-{ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
-{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
-{ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
-{ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
-{ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
-{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
-{0,NULL},
-	};
-
-static ERR_STRING_DATA ERR_str_functs[]=
-	{
-	{ERR_PACK(0,SYS_F_FOPEN,0),     	"fopen"},
-	{ERR_PACK(0,SYS_F_CONNECT,0),		"connect"},
-	{ERR_PACK(0,SYS_F_GETSERVBYNAME,0),	"getservbyname"},
-	{ERR_PACK(0,SYS_F_SOCKET,0),		"socket"}, 
-	{ERR_PACK(0,SYS_F_IOCTLSOCKET,0),	"ioctlsocket"},
-	{ERR_PACK(0,SYS_F_BIND,0),		"bind"},
-	{ERR_PACK(0,SYS_F_LISTEN,0),		"listen"},
-	{ERR_PACK(0,SYS_F_ACCEPT,0),		"accept"},
-#ifdef OPENSSL_SYS_WINDOWS
-	{ERR_PACK(0,SYS_F_WSASTARTUP,0),	"WSAstartup"},
-#endif
-	{ERR_PACK(0,SYS_F_OPENDIR,0),		"opendir"},
-	{ERR_PACK(0,SYS_F_FREAD,0),		"fread"},
-	{ERR_PACK(0,SYS_F_GETADDRINFO,0),	"getaddrinfo"},
-	{0,NULL},
-	};
-
-static ERR_STRING_DATA ERR_str_reasons[]=
-	{
-{ERR_R_SYS_LIB				,"system lib"},
-{ERR_R_BN_LIB				,"BN lib"},
-{ERR_R_RSA_LIB				,"RSA lib"},
-{ERR_R_DH_LIB				,"DH lib"},
-{ERR_R_EVP_LIB				,"EVP lib"},
-{ERR_R_BUF_LIB				,"BUF lib"},
-{ERR_R_OBJ_LIB				,"OBJ lib"},
-{ERR_R_PEM_LIB				,"PEM lib"},
-{ERR_R_DSA_LIB				,"DSA lib"},
-{ERR_R_X509_LIB				,"X509 lib"},
-{ERR_R_ASN1_LIB				,"ASN1 lib"},
-{ERR_R_CONF_LIB				,"CONF lib"},
-{ERR_R_CRYPTO_LIB			,"CRYPTO lib"},
-{ERR_R_EC_LIB				,"EC lib"},
-{ERR_R_SSL_LIB				,"SSL lib"},
-{ERR_R_BIO_LIB				,"BIO lib"},
-{ERR_R_PKCS7_LIB			,"PKCS7 lib"},
-{ERR_R_X509V3_LIB			,"X509V3 lib"},
-{ERR_R_PKCS12_LIB			,"PKCS12 lib"},
-{ERR_R_RAND_LIB				,"RAND lib"},
-{ERR_R_DSO_LIB				,"DSO lib"},
-{ERR_R_ENGINE_LIB			,"ENGINE lib"},
-{ERR_R_OCSP_LIB				,"OCSP lib"},
-
-{ERR_R_NESTED_ASN1_ERROR		,"nested asn1 error"},
-{ERR_R_BAD_ASN1_OBJECT_HEADER		,"bad asn1 object header"},
-{ERR_R_BAD_GET_ASN1_OBJECT_CALL		,"bad get asn1 object call"},
-{ERR_R_EXPECTING_AN_ASN1_SEQUENCE	,"expecting an asn1 sequence"},
-{ERR_R_ASN1_LENGTH_MISMATCH		,"asn1 length mismatch"},
-{ERR_R_MISSING_ASN1_EOS			,"missing asn1 eos"},
-
-{ERR_R_FATAL                            ,"fatal"},
-{ERR_R_MALLOC_FAILURE			,"malloc failure"},
-{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
-{ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
-{ERR_R_INTERNAL_ERROR			,"internal error"},
-
-{0,NULL},
-	};
-#endif
-
-
-#ifndef OPENSSL_NO_ERR
-#define NUM_SYS_STR_REASONS 127
-#define LEN_SYS_STR_REASON 32
-
-static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
-/* SYS_str_reasons is filled with copies of strerror() results at
- * initialization.
- * 'errno' values up to 127 should cover all usual errors,
- * others will be displayed numerically by ERR_error_string.
- * It is crucial that we have something for each reason code
- * that occurs in ERR_str_reasons, or bogus reason strings
- * will be returned for SYSerr(), which always gets an errno
- * value and never one of those 'standard' reason codes. */
-
-static void build_SYS_str_reasons()
-	{
-	/* OPENSSL_malloc cannot be used here, use static storage instead */
-	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-	int i;
-	static int init = 1;
-
-	CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-	if (!init)
-		{
-		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-		return;
-		}
-	
-	CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-	if (!init)
-		{
-		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-		return;
-		}
-
-	for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
-		{
-		ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
-
-		str->error = (unsigned long)i;
-		if (str->string == NULL)
-			{
-			char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
-			char *src = strerror(i);
-			if (src != NULL)
-				{
-				strncpy(*dest, src, sizeof *dest);
-				(*dest)[sizeof *dest - 1] = '\0';
-				str->string = *dest;
-				}
-			}
-		if (str->string == NULL)
-			str->string = "unknown";
-		}
-
-	/* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
-	 * as required by ERR_load_strings. */
-
-	init = 0;
-	
-	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-	}
-
-#endif
-
-void ERR_load_ERR_strings(void)
-	{
-#ifndef OPENSSL_NO_ERR
-	if (ERR_func_error_string(ERR_str_functs[0].error) == NULL)
-		{
-		ERR_load_strings(0,ERR_str_libraries);
-		ERR_load_strings(0,ERR_str_reasons);
-		ERR_load_strings(ERR_LIB_SYS,ERR_str_functs);
-		build_SYS_str_reasons();
-		ERR_load_strings(ERR_LIB_SYS,SYS_str_reasons);
-		}
-#endif
-	}
-
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -27,7 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE	crypto/engine/engine.h		crypto/engine/eng_err.c
 L OCSP		crypto/ocsp/ocsp.h		crypto/ocsp/ocsp_err.c
 L UI		crypto/ui/ui.h			crypto/ui/ui_err.c
-L FIPS		fips-1.0/fips.h			crypto/fips_err.h
+L FIPS		fips-1.0/fips.h			fips-1.0/fips_err.h

 # additional header files to be scanned for function names
 L NONE		crypto/x509/x509_vfy.h		NONE
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -63,9 +63,6 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>

-#define EVP_PKEY_RSA_fips_method	FIPS_rsa_sign,FIPS_rsa_verify, \
-				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
-
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }

@@ -93,11 +90,7 @@ static const EVP_MD sha1_md=
 	final,
 	NULL,
 	NULL,
-#ifdef OPENSSL_FIPS
-	EVP_PKEY_RSA_fips_method,
-#else
 	EVP_PKEY_RSA_method,
-#endif
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
 	};
@@ -138,7 +131,7 @@ static const EVP_MD sha224_md=
 	final256,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_fips_method,
+	EVP_PKEY_RSA_method,
 	SHA256_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 	};
@@ -157,7 +150,7 @@ static const EVP_MD sha256_md=
 	final256,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_fips_method,
+	EVP_PKEY_RSA_method,
 	SHA256_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 	};
@@ -191,7 +184,7 @@ static const EVP_MD sha384_md=
 	final512,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_fips_method,
+	EVP_PKEY_RSA_method,
 	SHA512_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 	};
@@ -210,7 +203,7 @@ static const EVP_MD sha512_md=
 	final512,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_fips_method,
+	EVP_PKEY_RSA_method,
 	SHA512_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 	};
--- a/crypto/evp/names.c
+++ b/crypto/evp/names.c
@@ -61,6 +61,9 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif

 int EVP_add_cipher(const EVP_CIPHER *c)
 	{
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x009070d0L
+#define OPENSSL_VERSION_NUMBER	0x009070dfL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m-fips2-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m-fips 23 Feb 2007"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m 23 Feb 2007"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT

--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -125,20 +125,13 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */

 /* Function codes. */
-#define RAND_F_FIPS_RAND				 103
 #define RAND_F_FIPS_RAND_BYTES				 102
-#define RAND_F_FIPS_SET_DT				 104
-#define RAND_F_FIPS_SET_TEST_MODE			 105
 #define RAND_F_RAND_GET_RAND_METHOD			 101
 #define RAND_F_SSLEAY_RAND_BYTES			 100

 /* Reason codes. */
 #define RAND_R_NON_FIPS_METHOD				 101
-#define RAND_R_NOT_IN_TEST_MODE				 106
-#define RAND_R_NO_KEY_SET				 107
 #define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 105
-#define RAND_R_PRNG_ERROR				 108
-#define RAND_R_PRNG_KEYED				 109
 #define RAND_R_PRNG_NOT_REKEYED				 103
 #define RAND_R_PRNG_NOT_RESEEDED			 104
 #define RAND_R_PRNG_NOT_SEEDED				 100
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -70,10 +70,7 @@

 static ERR_STRING_DATA RAND_str_functs[]=
 	{
-{ERR_FUNC(RAND_F_FIPS_RAND),	"FIPS_RAND"},
 {ERR_FUNC(RAND_F_FIPS_RAND_BYTES),	"FIPS_RAND_BYTES"},
-{ERR_FUNC(RAND_F_FIPS_SET_DT),	"FIPS_SET_DT"},
-{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE),	"FIPS_SET_TEST_MODE"},
 {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
 {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
 {0,NULL}
@@ -82,11 +79,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
 {ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
-{ERR_REASON(RAND_R_NOT_IN_TEST_MODE)     ,"not in test mode"},
-{ERR_REASON(RAND_R_NO_KEY_SET)           ,"no key set"},
 {ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
-{ERR_REASON(RAND_R_PRNG_ERROR)           ,"prng error"},
-{ERR_REASON(RAND_R_PRNG_KEYED)           ,"prng keyed"},
 {ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
 {ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
 {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -276,13 +276,6 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
 int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
 	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);

-#ifdef OPENSSL_FIPS
-int FIPS_rsa_sign(int type, const unsigned char *m, unsigned int m_length,
-	unsigned char *sigret, unsigned int *siglen, RSA *rsa);
-int FIPS_rsa_verify(int type, const unsigned char *m, unsigned int m_length,
-	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
-#endif
-
 /* The following 2 function sign and verify a ASN1_OCTET_STRING
 * object inside PKCS#1 padded RSA encryption */
 int RSA_sign_ASN1_OCTET_STRING(int type,
--- a/fips-1.0/Makefile
+++ b/fips-1.0/Makefile
@@ -34,16 +34,16 @@ FDIRS=sha rand des aes dsa rsa dh hmac
 GENERAL=Makefile README fips-lib.com install.com

 LIB= $(TOP)/libcrypto.a
-SHARED_LIB= $(FIPSCANLIB)$(SHLIB_EXT)
-LIBSRC=fips.c 
-LIBOBJ=fips.o
+SHARED_LIB= libcrypto$(SHLIB_EXT)
+LIBSRC=fips.c fips_err_wrapper.c
+LIBOBJ=fips.o fips_err_wrapper.o

 FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib

 SRC= $(LIBSRC)

 EXHEADER=fips.h
-HEADER=$(EXHEADER)
+HEADER=$(EXHEADER) fips_err.h
 EXE=fipsld
 TEST=fips_test_suite.c

@@ -73,7 +73,7 @@ all:
 # vendor compiler drivers...

 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
-	@FIPS_BN_ASM=""; for i in $(BN_ASM) ; do FIPS_BN_ASM="$$FIPS_BN_ASM ../crypto/bn/$$i" ; done; \
+	@FIPS_BN_ASM=`for i in $(BN_ASM) ; do echo -n "../crypto/bn/$$i " ; done`; \
 	objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$FIPS_BN_ASM"; \
 	for i in $(FIPS_OBJ_LISTS); do \
 		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
@@ -132,12 +132,8 @@ links:
 	done;

 lib:	$(FIPSCANLOC) delexobj
-	$(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC)
-	if [ "$(FIPSCANLIB)" == "libfips" ]; then \
-		$(AR) $(LIB) $(FIPSCANLOC) ; \
-		$(RANLIB) $(LIB) || echo Never Mind. ; \
-	fi
-	$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
+	$(AR) $(LIB) $(FIPSCANLOC)
+	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib

 shared:	fips_premain_dso$(EXE_EXT)
@@ -230,6 +226,27 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
+	../crypto/asn1/a_bitstr.o \
+	../crypto/asn1/a_bytes.o \
+	../crypto/asn1/a_dup.o \
+	../crypto/asn1/a_int.o \
+	../crypto/asn1/a_object.o \
+	../crypto/asn1/asn1_err.o \
+	../crypto/asn1/asn1_lib.o \
+	../crypto/asn1/a_type.o \
+	../crypto/asn1/evp_asn1.o \
+	../crypto/asn1/tasn_dec.o \
+	../crypto/asn1/tasn_enc.o \
+	../crypto/asn1/tasn_fre.o \
+	../crypto/asn1/tasn_new.o \
+	../crypto/asn1/tasn_typ.o \
+	../crypto/asn1/tasn_utl.o \
+	../crypto/asn1/t_pkey.o \
+	../crypto/asn1/x_algor.o \
+	../crypto/asn1/x_bignum.o \
+	../crypto/asn1/x_long.o \
+	../crypto/asn1/x_sig.o \
+	../crypto/bio/bio_err.o \
 	../crypto/bio/bio_lib.o \
 	../crypto/bio/b_print.o \
 	../crypto/bio/bss_file.o \
@@ -237,6 +254,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
+	../crypto/bn/bn_err.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
@@ -252,7 +270,10 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
+	../crypto/buffer/buf_err.o \
 	../crypto/buffer/buffer.o \
+	../crypto/conf/conf_err.o \
+	../crypto/cpt_err.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
@@ -262,25 +283,38 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/des/ecb_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/ofb64enc.o \
-	../crypto/des/fcrypt_b.o \
-	../crypto/des/fcrypt.o \
+	../crypto/dh/dh_err.o \
 	../crypto/dh/dh_lib.o \
+	../crypto/dsa/dsa_asn1.o \
+	../crypto/dsa/dsa_err.o \
 	../crypto/dsa/dsa_lib.o \
 	../crypto/dsa/dsa_sign.o \
 	../crypto/dsa/dsa_vrf.o \
+	../crypto/dso/dso_err.o \
+	../crypto/ec/ec_err.o \
+	../crypto/engine/eng_err.o \
 	../crypto/engine/eng_init.o \
 	../crypto/engine/eng_lib.o \
 	../crypto/engine/eng_list.o \
 	../crypto/engine/eng_table.o \
+	../crypto/engine/tb_cipher.o \
 	../crypto/engine/tb_dh.o \
 	../crypto/engine/tb_digest.o \
 	../crypto/engine/tb_dsa.o \
 	../crypto/engine/tb_rand.o \
 	../crypto/engine/tb_rsa.o \
+	../crypto/err/err_all.o \
 	../crypto/err/err.o \
 	../crypto/err/err_prn.o \
 	../crypto/evp/digest.o \
+	../crypto/evp/e_aes.o \
+	../crypto/evp/e_des3.o \
+	../crypto/evp/e_des.o \
+	../crypto/evp/evp_enc.o \
+	../crypto/evp/evp_err.o \
+	../crypto/evp/evp_lib.o \
 	../crypto/evp/m_sha1.o \
+	../crypto/evp/p_lib.o \
 	../crypto/evp/p_sign.o \
 	../crypto/evp/p_verify.o \
 	../crypto/ex_data.o \
@@ -288,23 +322,36 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/mem_clr.o \
 	../crypto/mem_dbg.o \
 	../crypto/mem.o \
+	../crypto/objects/obj_dat.o \
+	../crypto/objects/obj_err.o \
+	../crypto/objects/obj_lib.o \
+	../crypto/ocsp/ocsp_err.o \
+	../crypto/pem/pem_err.o \
+	../crypto/pkcs12/pk12err.o \
+	../crypto/pkcs7/pkcs7err.o \
 	../crypto/rand/md_rand.o \
 	../crypto/rand/rand_egd.o \
+	../crypto/rand/rand_err.o \
 	../crypto/rand/randfile.o \
 	../crypto/rand/rand_lib.o \
 	../crypto/rand/rand_os2.o \
 	../crypto/rand/rand_unix.o \
 	../crypto/rand/rand_win.o \
+	../crypto/rsa/rsa_err.o \
 	../crypto/rsa/rsa_lib.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
+	../crypto/rsa/rsa_sign.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/stack/stack.o \
 	../crypto/uid.o \
-	../crypto/x509v3/v3_hex.o
+	../crypto/ui/ui_err.o \
+	../crypto/x509v3/v3err.o \
+	../crypto/x509v3/v3_hex.o \
+	../crypto/x509/x509_err.o 

 # DO NOT DELETE THIS LINE -- make depend depends on it.

@@ -329,3 +376,4 @@ fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
 fips.o: fips_locl.h
+fips_err_wrapper.o: ../include/openssl/opensslconf.h fips_err_wrapper.c
--- a/fips-1.0/aes/fips_aesavs.c
+++ b/fips-1.0/aes/fips_aesavs.c
@@ -82,7 +82,7 @@ int main(int argc, char *argv[])

 #define AES_BLOCK_SIZE 16

-#define VERBOSE 0
+#define VERBOSE 1

 /*-----------------------------------------------*/

@@ -727,10 +727,6 @@ int proc_file(char *rqfile)
 	}
    strcpy(rfn,afn);
    rp=strstr(rfn,"req/");
-#ifdef OPENSSL_SYS_WIN32
-    if (!rp)
-	rp=strstr(rfn,"req\\");
-#endif
    assert(rp);
    memcpy(rp,"rsp",3);
    rp = strstr(rfn, ".req");
--- a/fips-1.0/des/fips_desmovs.c
+++ b/fips-1.0/des/fips_desmovs.c
@@ -590,10 +590,6 @@ int proc_file(char *rqfile)
 	}
    strcpy(rfn,afn);
    rp=strstr(rfn,"req/");
-#ifdef OPENSSL_SYS_WIN32
-    if (!rp)
-	rp=strstr(rfn,"req\\");
-#endif
    assert(rp);
    memcpy(rp,"rsp",3);
    rp = strstr(rfn, ".req");
--- a/fips-1.0/dh/.cvsignore
+++ b/fips-1.0/dh/.cvsignore
@@ -1,4 +1,3 @@
 lib
 *.flc
 semantic.cache
-Makefile.save
--- a/fips-1.0/dsa/fips_dsatest.c
+++ b/fips-1.0/dsa/fips_dsatest.c
@@ -129,7 +129,8 @@ static unsigned char out_g[]={
 static const unsigned char str1[]="12345678901234567890";

 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
-static const unsigned char rnd_key[]="ABCDEFGHIJKLMNOPQRSTUVWXYZ123456";
+static const unsigned char rnd_key1[]="12345678";
+static const unsigned char rnd_key2[]="abcdefgh";

 static BIO *bio_err=NULL;

@@ -155,7 +156,7 @@ int main(int argc, char **argv)
 	CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

-	FIPS_rand_set_key(rnd_key, 32);
+	FIPS_set_prng_key(rnd_key1,rnd_key2);
 	RAND_seed(rnd_seed, sizeof rnd_seed);

 	BIO_printf(bio_err,"test generation of DSA parameters\n");
--- a/fips-1.0/fips.c
+++ b/fips-1.0/fips.c
@@ -265,7 +265,7 @@ int FIPS_mode_set(int onoff)
 	    }

 	/* automagically seed PRNG if not already seeded */
-	if(!FIPS_rand_status())
+	if(!FIPS_rand_seeded())
 	    {
 	    if(RAND_bytes(buf,sizeof buf) <= 0)
 		{
@@ -273,8 +273,8 @@ int FIPS_mode_set(int onoff)
 		ret = 0;
 		goto end;
 		}
-	    FIPS_rand_set_key(buf,32);
-	    FIPS_rand_seed(buf+32,16);
+	    FIPS_set_prng_key(buf,buf+8);
+	    FIPS_rand_seed(buf+16,8);
 	    }

 	/* now switch into FIPS mode */
--- a/fips-1.0/fips.h
+++ b/fips-1.0/fips.h
@@ -92,7 +92,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_FIPS_CHECK_DSA				 116
 #define FIPS_F_FIPS_CHECK_DSO				 120
 #define FIPS_F_FIPS_CHECK_EXE				 106
-#define FIPS_F_FIPS_CHECK_FINGERPRINT			 121
+#define FIPS_F_FIPS_CHECK_FINGERPRINT			 120
 #define FIPS_F_FIPS_CHECK_RSA				 115
 #define FIPS_F_FIPS_DSA_CHECK				 102
 #define FIPS_F_FIPS_MODE_SET				 105
--- a/fips-1.0/fips_canister.c
+++ b/fips-1.0/fips_canister.c
@@ -77,19 +77,13 @@ static void *instruction_pointer(void)
 # elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
 	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
 	defined(__PPC64__) || defined(__powerpc64__)
-/* GCC on AIX cannot use inline ASM since the assembler used is the
- * native assembler, not GNU as. Prevent INSTRUCTION_POINTER_IMPLEMENTED
- * from being defined. It will use the fallback method which is the
- * same as xlC uses for AIX in FIPS_ref_point() */
-#   ifndef (_AIX)
-#     define INSTRUCTION_POINTER_IMPLEMENTED
+#   define INSTRUCTION_POINTER_IMPLEMENTED
    void *scratch;
    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
 			"bl	.+4\n\t"
 			"mfspr	%0,8\n\t"	/* mflr ret */
 			"mtspr	8,%1"		/* restore lr */
 			: "=r"(ret),"=r"(scratch) );
-#   endif /* !_AIX */
 # elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
 #   define INSTRUCTION_POINTER_IMPLEMENTED
    void *scratch;
--- a/fips-1.0/fips_err.h
+++ b/fips-1.0/fips_err.h
@@ -1,4 +1,4 @@
-/* crypto/fips_err.h */
+/* fips-1.0/fips_err.h */
 /* ====================================================================
 * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -97,13 +97,13 @@ static ERR_STRING_DATA FIPS_str_functs[]=

 static ERR_STRING_DATA FIPS_str_reasons[]=
 	{
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE)      ,"cannot read exe"},
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
-{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
-{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"},
+{ERR_REASON(FIPS_R_CANNOT_READ_EXE)      ,"cannot access executable object"},
+{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot access detached digest"},
+{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"duplicate code detected, check your linking procedure"},
+{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"detached digest verification failed"},
 {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"},
-{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"},
-{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match, possibly because non-PIC was relocated"},
+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match, invalid segment aliasing"},
 {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"},
 {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
 {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
--- a/fips-1.0/fips_err_wrapper.c
+++ b/fips-1.0/fips_err_wrapper.c
--- a/fips-1.0/fipsld
+++ b/fips-1.0/fipsld
@@ -22,25 +22,6 @@ CC=${FIPSLD_CC:-${CC}}
    [ $# -ge 1 ]
 ) && exec ${CC} "$@"

-# If using an auto-tooled (autoconf/automake/libtool) project,
-# configure will fail when testing the compiler or even performing
-# simple checks.  Pass-thru to compiler directly if not linking
-# to libcrypto, allowing auto-tooled applications to utilize fipsld
-# (e.g.  CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc ./configure && make )
-# If FIPSLD_NPT is set never call the pass-thru: the standalone fips commands
-# need this because they don't link to libcrypto
-[ "x$FIPSLD_NPT" != "x" ] || {
-case "$*" in
-	*libcrypto.a*)
-	;;
-	*-lcrypto*)
-	;;
-	*)
-		exec ${CC} $*
-	;;
-esac
-}
-
 # Turn on debugging output?
 (   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
    [ $# -ge 1 ]
@@ -51,11 +32,6 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

-# FIPSCANLIB is the library containing fipscanister.o by default it is
-# libcrypto.a
-
-FIPSCANLIB=${FIPSCANLIB:-libcrypto}
-
 # FIPSLIBDIR is location of installed validated FIPS module
 # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
 if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
@@ -83,7 +59,7 @@ case "${TARGET}" in
 esac

 case "${TARGET}" in
-*${FIPSCANLIB}*|*.dll)	# must be linking a shared lib...
+*libcrypto*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only!!!
 	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
@@ -102,15 +78,15 @@ echo Canister: $CANISTER_O
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

-	# Temporarily remove fipscanister.o from library!
+	# Temporarily remove fipscanister.o from libcrypto.a!
 	# We are required to use the standalone copy...
-	trap	'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
-		 (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
+	trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
+		 (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
 		 sleep 1;
 		 touch -c "${TARGET}"' 0

-	ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
-	(ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :
+	ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
+	(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :

 	${CC}	"${CANISTER_O}" \
 		"${PREMAIN_C}" \
--- a/fips-1.0/mkfipsscr.pl
+++ b/fips-1.0/mkfipsscr.pl
@@ -60,12 +60,8 @@ my @fips_tests = (

 my $lnum = 0;
 my $win32 = 0;
-my $onedir = 0;
+my $tvdir = "testvectors";
 my $ltdir = "";
-my $tvdir;
-my $tvprefix;
-my $tprefix;
-my $shwrap_prefix;

 foreach (@ARGV)
 	{
@@ -73,47 +69,15 @@ foreach (@ARGV)
 		{
 		$win32 = 1;
 		}
-	elsif ($_ eq "--onedir")
-		{
-		$onedir = 1;
-		}
 	elsif (/--dir=(.*)$/)
 		{
 		$tvdir = $1;
 		}
-	elsif (/--tprefix=(.*)$/)
-		{
-		$tprefix = $1;
-		}
-	elsif (/--tvprefix=(.*)$/)
-		{
-		$tvprefix = $1;
-		}
-	elsif (/--shwrap_prefix=(.*)$/)
-		{
-		$shwrap_prefix = $1;
-		}
-	elsif (/--outfile=(.*)$/)
-		{
-		$outfile = $1;
-		}
 	}

-$tvdir = "testvectors" unless defined $tvdir;
-
 if ($win32)
 	{
-	if ($onedir)
-		{
-		$tvprefix = "" unless defined $tvprefix;
-		}
-	else
-		{
-		$tvprefix = "..\\fips-1.0\\" unless defined $tvprefix;
-		}
-	$tprefix = ".\\" unless defined $tprefix;
-	$outfile = "fipstests.bat" unless defined $outfile;
-	open(OUT, ">$outfile");
+	open(OUT, ">fipstests.bat");

 	print OUT <<END;
 \@echo off
@@ -126,21 +90,9 @@ END
 	}
 else
 	{
-	$tvprefix = "" unless defined $tvprefix;
-	if ($onedir)
-		{
-		$tprefix = "./" unless defined $tprefix;
-		$shwrap_prefix = "./" unless defined $shwrap_prefix;
-		}
-	else
-		{
-		$tprefix = "../test/" unless defined $tprefix;
-		$shwrap_prefix = "../util/" unless defined $shwrap_prefix;
-		}
-	$outfile = "fipstests.sh" unless defined $outfile;
-	open(OUT, ">$outfile");
+open(OUT, ">fipstests.sh");

-	print OUT <<END;
+print OUT <<END;
 #!/bin/sh

 # Test vector run script
@@ -168,11 +120,11 @@ sub test_dir
 	my ($win32, $tdir) = @_;
 	if ($win32)
 		{
-		my $rsp = "$tvprefix$tvdir\\$tdir\\rsp";
+		my $rsp = "..\\fips-1.0\\$tvdir\\$tdir\\rsp";
 		print OUT <<END;

 echo $tdir tests
-if exist $rsp rd /s /q $rsp
+rd /s /q $rsp
 md $rsp
 END
 		}
@@ -194,17 +146,16 @@ sub test_line
 	my ($win32, $tdir, $fprefix, $tcmd) = @_;
 	if ($fprefix =~ /\@/)
 		{
-		foreach(<$tvprefix$tvdir/$tdir/req/*.req>)
+		foreach(<$tvdir/$tdir/req/*.req>)
 			{
 			if ($win32)
 				{
-				$_ =~ tr|/|\\|;
-				print OUT "$tprefix$tcmd $_\n";
+				print OUT ".\\$tcmd ../fips-1.0/${_}\n";
 				}
 			else
 				{
 				print OUT <<END;
-${shwrap_prefix}shlib_wrap.sh $tprefix$tcmd $_
+../util/shlib_wrap.sh ../test/$tcmd $_
 END
 				}
 			}
@@ -212,9 +163,9 @@ END
 		}
 	if ($win32)
 		{
-		my $req = "$tvprefix$tvdir\\$tdir\\req\\$fprefix.req";
-		my $rsp = "$tvprefix$tvdir\\$tdir\\rsp\\$fprefix.rsp";
-	print OUT "$tprefix$tcmd < $req > $rsp\n";
+		my $req = "..\\fips-1.0\\$tvdir\\$tdir\\req\\$fprefix.req";
+		my $rsp = "..\\fips-1.0\\$tvdir\\$tdir\\rsp\\$fprefix.rsp";
+	print OUT ".\\$tcmd < $req > $rsp\n";
 END
 		}
 	else
@@ -222,7 +173,7 @@ END
 		my $req = "$tvdir/$tdir/req/$fprefix.req";
 		my $rsp = "$tvdir/$tdir/rsp/$fprefix.rsp";
 		print OUT <<END;
-if [ -f $req ] ; then ${shwrap_prefix}shlib_wrap.sh $tprefix$tcmd < $req > $rsp; fi
+if [ -f $req ] ; then ../util/shlib_wrap.sh ../test/$tcmd < $req > $rsp; fi
 END
 		}
 	}
--- a/fips-1.0/rand/fips_rand.c
+++ b/fips-1.0/rand/fips_rand.c
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -48,7 +48,7 @@
 */

 /*
- * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
+ * This is a FIPS approved PRNG, ANSI X9.31 A.2.4.
 */

 #include "e_os.h"
@@ -60,8 +60,8 @@
 #define _XOPEN_SOURCE_EXTENDED 1
 #endif

+#include <openssl/des.h>
 #include <openssl/rand.h>
-#include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/fips_rand.h>
 #ifndef OPENSSL_SYS_WIN32
@@ -79,288 +79,281 @@

 void *OPENSSL_stderr(void);

-#define AES_BLOCK_LENGTH	16
+#ifdef OPENSSL_FIPS

+#define SEED_SIZE	8

-/* AES FIPS PRNG implementation */
-
-typedef struct 
-	{
-	int seeded;
-	int keyed;
-	int test_mode;
-	int second;
-	int error;
-	unsigned long counter;
-	AES_KEY ks;
-	int vpos;
-	unsigned char V[AES_BLOCK_LENGTH];
-	unsigned char DT[AES_BLOCK_LENGTH];
-	unsigned char last[AES_BLOCK_LENGTH];
-	} FIPS_PRNG_CTX;
-
-static FIPS_PRNG_CTX sctx;
-
-void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
-	{
-	ctx->seeded = 0;
-	ctx->keyed = 0;
-	ctx->test_mode = 0;
-	ctx->counter = 0;
-	ctx->second = 0;
-	ctx->error = 0;
-	ctx->vpos = 0;
-	OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
-	OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
-	}
-	
-
-static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
-			const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-	{
-	if (keylen != 16 && keylen != 24 && keylen != 32)
-		{
-		/* error: invalid key size */
-		return 0;
-		}
-	AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
-	ctx->keyed = 1;
-	ctx->seeded = 0;
-	ctx->second = 0;
-	return 1;
-	}
-
-static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
-			const unsigned char *seed, FIPS_RAND_SIZE_T seedlen)
-	{
-	int i;
-	if (!ctx->keyed)
-		return 0;
-	/* In test mode seed is just supplied data */
-	if (ctx->test_mode)
-		{
-		if (seedlen != AES_BLOCK_LENGTH)
-			return 0;
-		memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
-		ctx->seeded = 1;
-		return 1;
-		}
-	/* Outside test mode XOR supplied data with existing seed */
-	for (i = 0; i < seedlen; i++)
-		{
-		ctx->V[ctx->vpos++] ^= seed[i];
-		if (ctx->vpos == AES_BLOCK_LENGTH)
-			{
-			ctx->vpos = 0;
-			ctx->seeded = 1;
-			}
-		}
-	return 1;
-	}
-
-int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
-	{
-	if (ctx->keyed)
-		{
-		RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
-		return 0;
-		}
-	ctx->test_mode = 1;
-	return 1;
-	}
-
-int FIPS_rand_test_mode(void)
-	{
-	return fips_set_test_mode(&sctx);
-	}
-
-int FIPS_rand_set_dt(unsigned char *dt)
-	{
-	if (!sctx.test_mode)
-		{
-		RANDerr(RAND_F_FIPS_SET_DT,RAND_R_NOT_IN_TEST_MODE);
-		return 0;
-		}
-	memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
-	return 1;
-	}
-
-static void fips_get_dt(FIPS_PRNG_CTX *ctx)
-    {
-#ifdef OPENSSL_SYS_WIN32
-	FILETIME ft;
-#else
-	struct timeval tv;
-#endif
-	unsigned char *buf = ctx->DT;
-
-	unsigned long pid;
-
-#ifdef OPENSSL_SYS_WIN32
-	GetSystemTimeAsFileTime(&ft);
-	buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
-	buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
-	buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
-	buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
-	buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
-	buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
-	buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
-	buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
-#else
-	gettimeofday(&tv,NULL);
-	buf[0] = (unsigned char) (tv.tv_sec & 0xff);
-	buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
-	buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
-	buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
-	buf[4] = (unsigned char) (tv.tv_usec & 0xff);
-	buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
-	buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
-	buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
-#endif
-	buf[8] = (unsigned char) (ctx->counter & 0xff);
-	buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff);
-	buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff);
-	buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff);
-
-	pid=(unsigned long)getpid();
+static unsigned char seed[SEED_SIZE];
+static FIPS_RAND_SIZE_T n_seed;
+static FIPS_RAND_SIZE_T o_seed;
+static DES_cblock key1;
+static DES_cblock key2;
+static DES_key_schedule ks1,ks2;
+static int key_set;
+static int key_init;
+static int test_mode;
+static unsigned char test_faketime[8];

 #ifndef GETPID_IS_MEANINGLESS
-	buf[12] = (unsigned char) (pid & 0xff);
-	buf[13] = (unsigned char) ((pid >> 8) & 0xff);
-	buf[14] = (unsigned char) ((pid >> 16) & 0xff);
-	buf[15] = (unsigned char) ((pid >> 24) & 0xff);
+static int seed_pid;
+static int key_pid;
 #endif
-    }

-static int fips_rand(FIPS_PRNG_CTX *ctx,
-			unsigned char *out, FIPS_RAND_SIZE_T outlen)
-	{
-	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
-	unsigned char tmp[AES_BLOCK_LENGTH];
-	int i;
-	if (ctx->error)
-		{
-		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
-		return 0;
-		}
-	if (!ctx->keyed)
-		{
-		RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
-		return 0;
-		}
-	if (!ctx->seeded)
-		{
-		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
-		return 0;
-		}
-	for (;;)
-		{
-		if (!ctx->test_mode)
-			fips_get_dt(ctx);
-		AES_encrypt(ctx->DT, I, &ctx->ks);
-		for (i = 0; i < AES_BLOCK_LENGTH; i++)
-			tmp[i] = I[i] ^ ctx->V[i];
-		AES_encrypt(tmp, R, &ctx->ks);
-		for (i = 0; i < AES_BLOCK_LENGTH; i++)
-			tmp[i] = R[i] ^ I[i];
-		AES_encrypt(tmp, ctx->V, &ctx->ks);
-		if (ctx->second)
-			{
-			if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
-				{
-	    			RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
-				ctx->error = 1;
-				return 0;
-				}
-			}
-		memcpy(ctx->last, R, AES_BLOCK_LENGTH);
-		if (!ctx->second)
-			{
-			ctx->second = 1;
-			if (!ctx->test_mode)
-				continue;
-			}
-
-		if (outlen <= AES_BLOCK_LENGTH)
-			{
-			memcpy(out, R, outlen);
-			break;
-			}
-
-		memcpy(out, R, AES_BLOCK_LENGTH);
-		out += AES_BLOCK_LENGTH;
-		outlen -= AES_BLOCK_LENGTH;
-		}
-	return 1;
-	}
-
-
-int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
-	{
-	int ret;
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	ret = fips_set_prng_key(&sctx, key, keylen);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-	return ret;
-	}
-
-int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
-	{
-	int ret;
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	ret = fips_set_prng_seed(&sctx, seed, seedlen);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-	return ret;
-	}
-
-
-int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count)
-	{
-	int ret;
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	ret = fips_rand(&sctx, out, count);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-	return ret;
-	}
-
-int FIPS_rand_status(void)
-	{
-	int ret;
-	CRYPTO_r_lock(CRYPTO_LOCK_RAND);
-	ret = sctx.seeded;
-	CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
-	return ret;
-	}
-
-void FIPS_rand_reset(void)
-	{
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-	fips_rand_prng_reset(&sctx);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-	}
-
-static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
-	{
-	FIPS_rand_seed(seed, seedlen);
-	}
-
-static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen,
-					double add_entropy)
-	{
-	FIPS_rand_seed(seed, seedlen);
-	}
+static void fips_rand_cleanup(void);
+static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy);
+static int fips_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num);
+static int fips_rand_status(void);

 static const RAND_METHOD rand_fips_meth=
    {
-    fips_do_rand_seed,
-    FIPS_rand_bytes,
-    FIPS_rand_reset,
-    fips_do_rand_add,
-    FIPS_rand_bytes,
-    FIPS_rand_status
+    FIPS_rand_seed,
+    fips_rand_bytes,
+    fips_rand_cleanup,
+    fips_rand_add,
+    fips_rand_bytes,
+    fips_rand_status
    };

+static int second;
+
 const RAND_METHOD *FIPS_rand_method(void)
 {
  return &rand_fips_meth;
 }
+
+void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8])
+    {
+    memcpy(&key1,k1,sizeof key1);
+    memcpy(&key2,k2,sizeof key2);
+    key_set=1;
+#ifndef GETPID_IS_MEANINGLESS
+    key_pid=getpid();
+#endif
+    second=0;
+    }
+
+void FIPS_test_mode(int test,const unsigned char faketime[8])
+    {
+    test_mode=test;
+    if(!test_mode)
+	return;
+    memcpy(test_faketime,faketime,sizeof test_faketime);
+    }
+
+/* NB: this returns true if _partially_ seeded */
+int FIPS_rand_seeded()
+    { return key_set || n_seed; }
+
+static void fips_gettime(unsigned char buf[8])
+    {
+#ifdef OPENSSL_SYS_WIN32
+    FILETIME ft;
+#else
+    struct timeval tv;
+#endif
+
+    if(test_mode)
+	{
+	/* fprintf(OPENSSL_stderr(),"WARNING!!! PRNG IN TEST MODE!!!\n"); */
+	memcpy(buf,test_faketime,sizeof test_faketime);
+	return;
+	}
+#ifdef OPENSSL_SYS_WIN32
+    GetSystemTimeAsFileTime(&ft);
+    buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
+    buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
+    buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
+    buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
+    buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
+    buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
+    buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
+    buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
+#else
+    gettimeofday(&tv,NULL);
+    buf[0] = (unsigned char) (tv.tv_sec & 0xff);
+    buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
+    buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
+    buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
+    buf[4] = (unsigned char) (tv.tv_usec & 0xff);
+    buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
+    buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
+    buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
+#endif
+
+#if 0  /* This eminently sensible strategy is not acceptable to NIST. Sigh. */
+#ifndef GETPID_IS_MEANINGLESS
+    /* we mix in the PID to ensure that after a fork the children don't give
+     * the same results as each other
+     */
+    pid=getpid();
+    /* make sure we shift the pid to the MSB */
+    if((pid&0xffff0000) == 0)
+	pid<<=16;
+    *(long *)&buf[0]^=pid;
+#endif
+#endif
+    }
+
+static void fips_rand_encrypt(unsigned char *out,const unsigned char *in)
+    {
+    DES_ecb2_encrypt(in,out,&ks1,&ks2,1);
+    }
+
+static void fips_rand_cleanup(void)
+    {
+    OPENSSL_cleanse(seed,sizeof seed);
+    n_seed=0;
+    o_seed=0;
+    key_init=0;
+    }
+
+void FIPS_rand_seed(const void *buf_, FIPS_RAND_SIZE_T num)
+    {
+    const char *buf=buf_;
+    FIPS_RAND_SIZE_T n;
+
+    /* If the key hasn't been set, we can't seed! */
+    if(!key_set)
+	return;
+
+    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+    if(!key_init)
+	{
+	key_init=1;
+	DES_set_key(&key1,&ks1);
+	DES_set_key(&key2,&ks2);
+	}
+
+    /*
+     * This algorithm only uses 64 bits of seed, so ensure that we use
+     * the most recent 64 bits.
+     */
+    for(n=0 ; n < num ; )
+	{
+	FIPS_RAND_SIZE_T t=num-n;
+
+	if(o_seed+t > sizeof seed)
+	    t=sizeof seed-o_seed;
+	memcpy(seed+o_seed,buf+n,t);
+	n+=t;
+	o_seed+=t;
+	if(o_seed == sizeof seed)
+	    o_seed=0;
+	if(n_seed < sizeof seed)
+	    n_seed+=t;
+	}
+
+#ifndef GETPID_IS_MEANINGLESS
+    seed_pid=getpid();
+#endif
+
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+    }
+
+static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy)
+    {
+    FIPS_rand_seed(buf,num);
+    }
+
+static int fips_rand_bytes(unsigned char *buf,FIPS_RAND_SIZE_T num)
+    {
+    FIPS_RAND_SIZE_T n;
+    unsigned char timeseed[8];
+    unsigned char intermediate[SEED_SIZE];
+    unsigned char output[SEED_SIZE];
+    static unsigned char previous[SEED_SIZE];
+#ifndef GETPID_IS_MEANINGLESS
+    int pid;
+#endif
+
+    if(n_seed < sizeof seed)
+	{
+	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
+	return 0;
+	}
+
+#ifdef FIPS_RAND_MAX_SIZE_T
+    if (num > FIPS_RAND_MAX_SIZE_T)
+	{
+#ifdef RAND_R_PRNG_ASKING_FOR_TOO_MUCH
+	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_ASKING_FOR_TOO_MUCH);
+	return 0;
+#else
+	return -1; /* signal "not supported" condition */
+#endif
+	}
+#endif
+
+#ifndef GETPID_IS_MEANINGLESS
+    pid=getpid();
+    if(pid != seed_pid)
+	{
+	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED);
+	return 0;
+	}
+    if(pid != key_pid)
+	{
+	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED);
+	return 0;
+	}
+#endif
+
+    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+
+    for(n=0 ; n < num ; )
+	{
+	unsigned char t[SEED_SIZE];
+	FIPS_RAND_SIZE_T l;
+	
+	/* ANS X9.31 A.2.4:	I = ede*K(DT)
+	       timeseed == DT
+	       intermediate == I
+	*/
+	fips_gettime(timeseed);
+	fips_rand_encrypt(intermediate,timeseed);
+
+	/* ANS X9.31 A.2.4:     R = ede*K(I^V)
+	       intermediate == I
+	       seed == V
+	       output == R
+	*/
+	for(l=0 ; l < sizeof t ; ++l)
+	    t[l]=intermediate[l]^seed[l];
+	fips_rand_encrypt(output,t);
+
+	/* ANS X9.31 A.2.4:     V = ede*K(R^I)
+	       output == R
+	       intermediate == I
+	       seed == V
+	*/
+	for(l=0 ; l < sizeof t ; ++l)
+	    t[l]=output[l]^intermediate[l];
+	fips_rand_encrypt(seed,t);
+
+	if(second && !memcmp(output,previous,sizeof previous))
+	    {
+	    RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_STUCK);
+	    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	    return 0;
+	    }
+	memcpy(previous,output,sizeof previous);
+	second=1;
+
+	/* Successive values of R may be concatenated to produce a
+	   pseudo random number of the desired length */ 
+	l=SEED_SIZE < num-n ? SEED_SIZE : num-n;
+	memcpy(buf+n,output,l);
+	n+=l;
+	}
+
+    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+
+    return 1;
+    }
+
+static int fips_rand_status(void)
+    {
+    return n_seed == sizeof seed;
+    }
+
+#endif /* OPENSSL_FIPS */
--- a/fips-1.0/rand/fips_rand.h
+++ b/fips-1.0/rand/fips_rand.h
@@ -58,15 +58,11 @@
 extern "C" {
 #endif

-int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
-int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
-
-int FIPS_rand_test_mode(void);
-void FIPS_rand_reset(void);
-int FIPS_rand_set_dt(unsigned char *dt);
-
-int FIPS_rand_status(void);
+void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8]);
+void FIPS_test_mode(int test,const unsigned char faketime[8]);
+void FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
+/* NB: this returns true if _partially_ seeded */
+int FIPS_rand_seeded(void);

 const RAND_METHOD *FIPS_rand_method(void);

--- a/fips-1.0/rand/fips_rand_selftest.c
+++ b/fips-1.0/rand/fips_rand_selftest.c
@@ -54,318 +54,67 @@
 #include <openssl/fips_rand.h>

 #ifdef OPENSSL_FIPS
+static struct
+    {
+    unsigned char key1[8];
+    unsigned char key2[8];
+    unsigned char seed[8];
+    unsigned char dt[8];
+    } init_iv[] =
+    {
+    { 
+    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
+    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
+    { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x3c },
+    },
+    {
+    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
+    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
+    { 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x40 },
+    },
+    {
+    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
+    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
+    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
+    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x7b },
+    },
+    };

-
-
-typedef struct
-	{
-	unsigned char DT[16];
-	unsigned char V[16];
-	unsigned char R[16];
-	} AES_PRNG_TV;
-
-/* The following test vectors are taken directly from the RGNVS spec */
-
-static unsigned char aes_128_key[16] =
-		{0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
-		 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
-
-static AES_PRNG_TV aes_128_tv[] = {
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
-				/* V */
-		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
-		 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa},
-				/* V */
-		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c,
-		 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb},
-				/* V */
-		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5,
-		 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc},
-				/* V */
-		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5,
-		 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd},
-				/* V */
-		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb,
-		 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-				/* R */
-		{0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc,
-		 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea}
-	},
-	{
-				/* DT */
-		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
-		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-				/* R */
-		{0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5,
-		 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33}
-	},
-};
-
-static unsigned char aes_192_key[24] =
-		{0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
-		 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
-		 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
-
-static AES_PRNG_TV aes_192_tv[] = {
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
-				/* V */
-		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
-		 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c},
-				/* V */
-		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0,
-		 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d},
-				/* V */
-		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e,
-		 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e},
-				/* V */
-		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7,
-		 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f},
-				/* V */
-		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf,
-		 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-				/* R */
-		{0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43,
-		 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d}
-	},
-	{
-				/* DT */
-		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
-		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-				/* R */
-		{0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50,
-		 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea}
-	},
-};
-
-static unsigned char aes_256_key[32] =
-		{0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
-		 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
-		 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
-		 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
-
-static AES_PRNG_TV aes_256_tv[] = {
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
-				/* V */
-		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
-		 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89},
-				/* V */
-		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41,
-		 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a},
-				/* V */
-		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30,
-		 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b},
-				/* V */
-		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30,
-		 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c},
-				/* V */
-		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
-		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
-				/* R */
-		{0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4,
-		 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
-				/* R */
-		{0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28,
-		 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec}
-	},
-	{
-				/* DT */
-		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
-		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07},
-				/* V */
-		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
-		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
-				/* R */
-		{0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3,
-		 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84}
-	},
-};
-
+static const unsigned char expected_ret[][8]=
+    {
+    { 0x94, 0x4d, 0xc7, 0x21, 0x0d, 0x6d, 0x7f, 0xd7 },
+    { 0x02, 0x43, 0x3c, 0x94, 0x17, 0xa3, 0x32, 0x6f },
+    { 0xe7, 0xe2, 0xb2, 0x96, 0x4f, 0x36, 0xed, 0x41 },
+    };

 void FIPS_corrupt_rng()
    {
-    aes_192_tv[0].V[0]++;
+    init_iv[0].dt[0]++;
    }

-#define fips_rand_test(key, tv) \
-	do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
-
-static int do_rand_test(unsigned char *key, int keylen,
-			AES_PRNG_TV *tv, int ntv)
-	{
-	unsigned char R[16];
-	int i;
-	if (!FIPS_rand_set_key(key, keylen))
-		return 0;
-	for (i = 0; i < ntv; i++)
-		{
-		FIPS_rand_seed(tv[i].V, 16);
-		FIPS_rand_set_dt(tv[i].DT);
-		FIPS_rand_bytes(R, 16);
-		if (memcmp(R, tv[i].R, 16))
-			return 0;
-		}
-	return 1;
-	}
-	
-
 int FIPS_selftest_rng()
+    {
+    int n;
+
+    for(n=0 ; n < 3 ; ++n)
 	{
-	FIPS_rand_reset();
-	if (!FIPS_rand_test_mode())
-		{
-		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
-		return 0;
-		}
-	if (!fips_rand_test(aes_128_key,aes_128_tv)
-		|| !fips_rand_test(aes_192_key, aes_192_tv)
-		|| !fips_rand_test(aes_256_key, aes_256_tv))
-		{
-		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
-		return 0;
-		}
-	FIPS_rand_reset();
-	return 1;
+	unsigned char actual_ret[8];
+
+	FIPS_rand_method()->cleanup();
+	FIPS_set_prng_key(init_iv[n].key1,init_iv[n].key2); 
+	FIPS_rand_seed(init_iv[n].seed,8);
+	FIPS_test_mode(1,init_iv[n].dt);
+	if ((FIPS_rand_method()->bytes(actual_ret, 8) <=0) || (memcmp(actual_ret,expected_ret[n],sizeof actual_ret)))
+	    {
+    	    FIPS_test_mode(0,NULL);
+	    FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
+	    return 0;
+	    }
 	}
+    FIPS_test_mode(0,NULL);
+    return 1;
+    }

 #endif
--- a/fips-1.0/rand/fips_randtest.c
+++ b/fips-1.0/rand/fips_randtest.c
@@ -105,7 +105,6 @@

 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
 #include <openssl/err.h>
@@ -121,63 +120,42 @@ int main(int argc, char *argv[])

 #else

+/* some FIPS 140-1 random number test */
+/* some simple tests */
+
+static DES_cblock prng_key1={0x21,0x58,0x47,0xb7,0xc2,0x97,0x5a,0x8e};
+static DES_cblock prng_key2={0x61,0x23,0x05,0x96,0x18,0x91,0x86,0xac};
+static unsigned char prng_seed[8]={0x6b,0xa3,0x4f,0x07,0xe4,0x2a,0xb0,0xc};
+
 typedef struct
-	{
-	unsigned char DT[16];
-	unsigned char V[16];
-	unsigned char R[16];
-	} AES_PRNG_MCT;
+    {
+    DES_cblock keys[2];
+    const unsigned char time[8];
+    const unsigned char seed[8];
+    const unsigned char block1[8];
+    const unsigned char block100[8];
+    } PRNGtest;

-static unsigned char aes_128_mct_key[16] =
-	{0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
-	 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
-
-static AES_PRNG_MCT aes_128_mct_tv = {
-			/* DT */
-	{0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
-	 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
-			/* V */
-	{0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
-	 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
-			/* R */
-	{0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
-	 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
-};
-
-static unsigned char aes_192_mct_key[24] =
-	{0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
-	 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
-	 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
-
-static AES_PRNG_MCT aes_192_mct_tv = {
-			/* DT */
-	{0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
-	 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
-			/* V */
-	{0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
-	 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
-			/* R */
-	{0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
-	 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
-};
-
-static unsigned char aes_256_mct_key[32] =
-	{0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
-	 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
-	 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
-	 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
-
-static AES_PRNG_MCT aes_256_mct_tv = {
-			/* DT */
-	{0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
-	 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
-			/* V */
-	{0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
-	 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
-			/* R */
-	{0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
-	 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
-};
+/* FIXME: these test vectors are made up! */
+static PRNGtest t1=
+    {
+    { { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 },
+      { 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f },
+    },
+    { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+    { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+    { 0x33,0xc3,0xdf,0xfe,0x60,0x60,0x49,0x9e },
+    { 0xcd,0x2b,0x41,0xaf,0x80,0x51,0x37,0xd8 }
+    };
+static PRNGtest t2=
+    {
+    { { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
+      { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff } },
+    { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
+    { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
+    { 0x65,0xf1,0xa4,0x07,0x42,0x38,0xd5,0x25 },
+    { 0xbb,0x75,0x84,0x20,0x7a,0x44,0xf0,0xa0 }
+    };

 static void dump(const unsigned char *b,int n)
    {
@@ -196,49 +174,195 @@ static void compare(const unsigned char *result,const unsigned char *expected,
 	if(result[i] != expected[i])
 	    {
 	    puts("Random test failed, got:");
-	    dump(result,n);
+	    dump(result,8);
 	    puts("\n               expected:");
-	    dump(expected,n);
+	    dump(expected,8);
 	    putchar('\n');
 	    EXIT(1);
 	    }
    }

-
-static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv)
+static void run_test(const PRNGtest *t)
    {
-    unsigned char buf[16], dt[16];
-    int i, j;
-    FIPS_rand_reset();
-    FIPS_rand_test_mode();
-    FIPS_rand_set_key(key, keylen);
-    FIPS_rand_seed(tv->V, 16);
-    memcpy(dt, tv->DT, 16);
-    for (i = 0; i < 10000; i++)
-	{
-    	FIPS_rand_set_dt(dt);
-	FIPS_rand_bytes(buf, 16);
-	/* Increment DT */
-	for (j = 15; j >= 0; j--)
-		{
-		dt[j]++;
-		if (dt[j])
-			break;
-		}
-	}
+    unsigned char buf[8];
+    int n;

-    compare(buf,tv->R, 16);
+    FIPS_set_prng_key(t->keys[0],t->keys[1]);
+    FIPS_test_mode(1,t->time);
+    RAND_seed(t->seed,sizeof t->seed);
+
+    if(RAND_bytes(buf,8) <= 0)
+	{
+	ERR_print_errors_fp(stderr);
+	EXIT(2);
+	}
+    compare(buf,t->block1,8);
+    for(n=0 ; n < 99 ; ++n)
+	if(RAND_bytes(buf,8) <= 0)
+	    {
+	    ERR_print_errors_fp(stderr);
+	    EXIT(2);
+	    }
+    compare(buf,t->block100,8);
+    FIPS_test_mode(0,NULL);
    }

 int main()
 	{
-	run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
-	printf("FIPS PRNG test 1 done\n");
-	run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
-	printf("FIPS PRNG test 2 done\n");
-	run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
-	printf("FIPS PRNG test 3 done\n");
-	return 0;
+	unsigned char buf[2500];
+	int i,j,k,s,sign,nsign,err=0;
+	unsigned long n1;
+	unsigned long n2[16];
+	unsigned long runs[2][34];
+	/*double d; */
+	long d;
+
+	RAND_set_rand_method(FIPS_rand_method());
+
+	run_test(&t1);
+	run_test(&t2);
+
+	FIPS_set_prng_key(prng_key1,prng_key2);
+	RAND_seed(prng_seed,sizeof prng_seed);
+
+	i = RAND_pseudo_bytes(buf,2500);
+	if (i <= 0)
+		{
+		printf ("init failed, the rand method is not properly installed\n");
+		err++;
+		goto err;
+		}
+
+	n1=0;
+	for (i=0; i<16; i++) n2[i]=0;
+	for (i=0; i<34; i++) runs[0][i]=runs[1][i]=0;
+
+	/* test 1 and 2 */
+	sign=0;
+	nsign=0;
+	for (i=0; i<2500; i++)
+		{
+		j=buf[i];
+
+		n2[j&0x0f]++;
+		n2[(j>>4)&0x0f]++;
+
+		for (k=0; k<8; k++)
+			{
+			s=(j&0x01);
+			if (s == sign)
+				nsign++;
+			else
+				{
+				if (nsign > 34) nsign=34;
+				if (nsign != 0)
+					{
+					runs[sign][nsign-1]++;
+					if (nsign > 6)
+						runs[sign][5]++;
+					}
+				sign=s;
+				nsign=1;
+				}
+
+			if (s) n1++;
+			j>>=1;
+			}
+		}
+		if (nsign > 34) nsign=34;
+		if (nsign != 0) runs[sign][nsign-1]++;
+
+	/* test 1 */
+	if (!((9654 < n1) && (n1 < 10346)))
+		{
+		printf("test 1 failed, X=%lu\n",n1);
+		err++;
+		}
+	printf("test 1 done\n");
+
+	/* test 2 */
+#ifdef undef
+	d=0;
+	for (i=0; i<16; i++)
+		d+=n2[i]*n2[i];
+	d=d*16.0/5000.0-5000.0;
+	if (!((1.03 < d) && (d < 57.4)))
+		{
+		printf("test 2 failed, X=%.2f\n",d);
+		err++;
+		}
+#endif
+	d=0;
+	for (i=0; i<16; i++)
+		d+=n2[i]*n2[i];
+	d=(d*8)/25-500000;
+	if (!((103 < d) && (d < 5740)))
+		{
+		printf("test 2 failed, X=%ld.%02ld\n",d/100L,d%100L);
+		err++;
+		}
+	printf("test 2 done\n");
+
+	/* test 3 */
+	for (i=0; i<2; i++)
+		{
+		if (!((2267 < runs[i][0]) && (runs[i][0] < 2733)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,1,runs[i][0]);
+			err++;
+			}
+		if (!((1079 < runs[i][1]) && (runs[i][1] < 1421)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,2,runs[i][1]);
+			err++;
+			}
+		if (!(( 502 < runs[i][2]) && (runs[i][2] <  748)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,3,runs[i][2]);
+			err++;
+			}
+		if (!(( 223 < runs[i][3]) && (runs[i][3] <  402)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,4,runs[i][3]);
+			err++;
+			}
+		if (!((  90 < runs[i][4]) && (runs[i][4] <  223)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,5,runs[i][4]);
+			err++;
+			}
+		if (!((  90 < runs[i][5]) && (runs[i][5] <  223)))
+			{
+			printf("test 3 failed, bit=%d run=%d num=%lu\n",
+				i,6,runs[i][5]);
+			err++;
+			}
+		}
+	printf("test 3 done\n");
+	
+	/* test 4 */
+	if (runs[0][33] != 0)
+		{
+		printf("test 4 failed, bit=%d run=%d num=%lu\n",
+			0,34,runs[0][33]);
+		err++;
+		}
+	if (runs[1][33] != 0)
+		{
+		printf("test 4 failed, bit=%d run=%d num=%lu\n",
+			1,34,runs[1][33]);
+		err++;
+		}
+	printf("test 4 done\n");
+ err:
+	err=((err)?1:0);
+	EXIT(err);
+	return(err);
 	}

 #endif
--- a/fips-1.0/rand/fips_rngvs.c
+++ b/fips-1.0/rand/fips_rngvs.c
@@ -24,7 +24,6 @@ int main()
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
-#include <openssl/x509v3.h>
 #include <string.h>
 #include <ctype.h>

@@ -135,161 +134,55 @@ void pv(const char *tag,const unsigned char *val,int len)

 void vst()
    {
-    unsigned char *key;
-    unsigned char *v;
-    unsigned char *dt;
-    unsigned char ret[16];
+    unsigned char key1[8];
+    unsigned char key2[8];
+    unsigned char v[8];
+    unsigned char dt[8];
+    unsigned char ret[8];
    char buf[1024];
    char lbuf[1024];
    char *keyword, *value;
-    long i, keylen;
-
-    keylen = 0;
+    int n;

    while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	fputs(buf,stdout);
-	if(!strncmp(buf,"[AES 128-Key]", 13))
-		keylen = 16;
-	else if(!strncmp(buf,"[AES 192-Key]", 13))
-		keylen = 24;
-	else if(!strncmp(buf,"[AES 256-Key]", 13))
-		keylen = 32;
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		continue;
-	if(!strcmp(keyword,"Key"))
+	if(!strcmp(keyword,"Key1"))
 	    {
-	    key=string_to_hex(value,&i);
-	    if (i != keylen)
-		{
-		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-		return;
-		}
+	    n=hex2bin(value,key1);
+	    }
+	else if(!strcmp(keyword,"Key2"))
+	    {
+	    n=hex2bin(value,key2);
 	    }
 	else if(!strcmp(keyword,"DT"))
 	    {
-	    dt=string_to_hex(value,&i);
-	    if (i != 16)
-		{
-		fprintf(stderr, "Invalid DT length\n");
-		return;
-		}
+	    n=hex2bin(value,dt);
 	    }
 	else if(!strcmp(keyword,"V"))
 	    {
-	    v=string_to_hex(value,&i);
-	    if (i != 16)
-		{
-		fprintf(stderr, "Invalid V length\n");
-		return;
-		}
+	    n=hex2bin(value,v);

-	    if (!key || !dt)
-		{
-		fprintf(stderr, "Missing key or DT\n");
-		return;
-		}
-
-	    FIPS_rand_set_key(key, keylen);
-	    FIPS_rand_seed(v,16);
-	    FIPS_rand_set_dt(dt);
-	    if (FIPS_rand_bytes(ret,16) <= 0)
-		{
-		fprintf(stderr, "Error getting PRNG value\n");
+	    FIPS_rand_method()->cleanup();
+	    FIPS_set_prng_key(key1,key2);
+	    FIPS_rand_seed(v,8);
+	    FIPS_test_mode(1,dt);
+	    if (FIPS_rand_method()->bytes(ret,8) <= 0)
+	        {
+	        FIPS_test_mode(0,NULL);
+	        FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
 	        return;
 	        }

-	    pv("R",ret,16);
-	    putc('\n',stdout);
-	    }
-	}
-    }
-
-void mct()
-    {
-    unsigned char *key;
-    unsigned char *v;
-    unsigned char *dt;
-    unsigned char ret[16];
-    char buf[1024];
-    char lbuf[1024];
-    char *keyword, *value;
-    long i, keylen;
-    int j;
-
-    keylen = 0;
-
-    while(fgets(buf,sizeof buf,stdin) != NULL)
-	{
-	fputs(buf,stdout);
-	if(!strncmp(buf,"[AES 128-Key]", 13))
-		keylen = 16;
-	else if(!strncmp(buf,"[AES 192-Key]", 13))
-		keylen = 24;
-	else if(!strncmp(buf,"[AES 256-Key]", 13))
-		keylen = 32;
-	if (!parse_line(&keyword, &value, lbuf, buf))
-		continue;
-	if(!strcmp(keyword,"Key"))
-	    {
-	    key=string_to_hex(value,&i);
-	    if (i != keylen)
-		{
-		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
-		return;
-		}
-	    }
-	else if(!strcmp(keyword,"DT"))
-	    {
-	    dt=string_to_hex(value,&i);
-	    if (i != 16)
-		{
-		fprintf(stderr, "Invalid DT length\n");
-		return;
-		}
-	    }
-	else if(!strcmp(keyword,"V"))
-	    {
-	    v=string_to_hex(value,&i);
-	    if (i != 16)
-		{
-		fprintf(stderr, "Invalid V length\n");
-		return;
-		}
-
-	    if (!key || !dt)
-		{
-		fprintf(stderr, "Missing key or DT\n");
-		return;
-		}
-
-	    FIPS_rand_set_key(key, keylen);
-	    FIPS_rand_seed(v,16);
-	    for (i = 0; i < 10000; i++)
-		{
-		    FIPS_rand_set_dt(dt);
-		    if (FIPS_rand_bytes(ret,16) <= 0)
-			{
-			fprintf(stderr, "Error getting PRNG value\n");
-		        return;
-		        }
-		    /* Increment DT */
-		    for (j = 15; j >= 0; j--)
-			{
-			dt[j]++;
-			if (dt[j])
-				break;
-			}
-		}
-
-	    pv("R",ret,16);
+	    pv("R",ret,8);
 	    putc('\n',stdout);
 	    }
 	}
    }


-#if 0
 void mct()
    {
    unsigned char key1[8];
@@ -306,12 +199,6 @@ void mct()
    BIGNUM *pbn;
    bn = BN_new();

-    if (FIPS_rand_reset() && !FIPS_rand_test_mode())
-	{
-	fprintf(stderr, Error setting PRNG test mode\n");
-	return;
-	}
-
    while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	fputs(buf,stdout);
@@ -357,7 +244,6 @@ void mct()
 	}
    BN_free(bn);
    }
-#endif

 int main(int argc,char **argv)
    {
@@ -371,13 +257,6 @@ int main(int argc,char **argv)
 	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 	exit(1);
 	}
-    FIPS_rand_reset();
-    if (!FIPS_rand_test_mode())
-	{
-	fprintf(stderr, "Error setting PRNG test mode\n");
-	ERR_print_errors_fp(stderr);
-	exit(1);
-	}
    if(!strcmp(argv[1],"mct"))
 	mct();
    else if(!strcmp(argv[1],"vst"))
--- a/fips-1.0/rsa/Makefile
+++ b/fips-1.0/rsa/Makefile
@@ -22,10 +22,8 @@ TEST= fips_rsavtest.c fips_rsastest.c fips_rsagtest.c
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c \
-	fips_rsa_sign.c
-LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o \
-	fips_rsa_sign.o
+LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c
+LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o

 SRC= $(LIBSRC)

@@ -126,27 +124,6 @@ fips_rsa_selftest.o: ../../include/openssl/rsa.h
 fips_rsa_selftest.o: ../../include/openssl/safestack.h
 fips_rsa_selftest.o: ../../include/openssl/stack.h
 fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
-fips_rsa_sign.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-fips_rsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-fips_rsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-fips_rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-fips_rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-fips_rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-fips_rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-fips_rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
-fips_rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
-fips_rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
-fips_rsa_sign.o: ../../include/openssl/obj_mac.h
-fips_rsa_sign.o: ../../include/openssl/objects.h
-fips_rsa_sign.o: ../../include/openssl/opensslconf.h
-fips_rsa_sign.o: ../../include/openssl/opensslv.h
-fips_rsa_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-fips_rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-fips_rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-fips_rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-fips_rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-fips_rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-fips_rsa_sign.o: fips_rsa_sign.c
 fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
--- a/fips-1.0/rsa/fips_rsa_sign.c
+++ b/fips-1.0/rsa/fips_rsa_sign.c
@@ -1,231 +0,0 @@
-/* fips_rsa_sign.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 2007.
- */
-/* ====================================================================
- * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <string.h>
-#include <openssl/evp.h>
-#include <openssl/rsa.h>
-#include <openssl/err.h>
-
-/* FIPS versions of RSA_sign() and RSA_verify().
- * These will only have to deal with SHA* signatures and by including
- * pregenerated encodings all ASN1 dependencies can be avoided
- */
-
-static const unsigned char sha1_bin[] = {
-  0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
-  0x00, 0x04, 0x14
-};
-
-static const unsigned char sha224_bin[] = {
-  0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-  0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
-};
-
-static const unsigned char sha256_bin[] = {
-  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-  0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
-};
-
-static const unsigned char sha384_bin[] = {
-  0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-  0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
-};
-
-static const unsigned char sha512_bin[] = {
-  0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
-  0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
-};
-
-
-static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
-	{
-	switch (nid)
-		{
-
-		case NID_sha1:
-		*len = sizeof(sha1_bin);
-		return sha1_bin;
-
-		case NID_sha224:
-		*len = sizeof(sha224_bin);
-		return sha224_bin;
-
-		case NID_sha256:
-		*len = sizeof(sha256_bin);
-		return sha256_bin;
-
-		case NID_sha384:
-		*len = sizeof(sha384_bin);
-		return sha384_bin;
-
-		case NID_sha512:
-		*len = sizeof(sha512_bin);
-		return sha512_bin;
-
-		default:
-		return NULL;
-
-		}
-	}
-
-int FIPS_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
-	     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
-	{
-	int i,j,ret=1;
-	unsigned int dlen;
-	const unsigned char *der;
-	/* Largest DigestInfo: 19 (max encoding) + max MD */
-	unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
-	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
-		{
-		return rsa->meth->rsa_sign(type, m, m_len,
-			sigret, siglen, rsa);
-		}
-
-	if(m_len > EVP_MAX_MD_SIZE)
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
-		return 0;
-		}
-
-	der = fips_digestinfo_encoding(type, &dlen);
-	
-	if (!der)
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
-		return(0);
-		}
-	memcpy(tmpdinfo, der, dlen);
-	memcpy(tmpdinfo + dlen, m, m_len);
-
-	i = dlen + m_len;
-
-	j=RSA_size(rsa);
-	if (i > (j-RSA_PKCS1_PADDING_SIZE))
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
-		return(0);
-		}
-	j=RSA_private_encrypt(i,tmpdinfo,sigret,rsa,RSA_PKCS1_PADDING);
-	if (j <= 0)
-		ret=0;
-	else
-		*siglen=j;
-
-	OPENSSL_cleanse(tmpdinfo,i);
-	return(ret);
-	}
-
-int FIPS_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
-	     unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
-	{
-	int i,ret=0;
-	unsigned int dlen;
-	unsigned char *s;
-	const unsigned char *der;
-
-	if (siglen != (unsigned int)RSA_size(rsa))
-		{
-		RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
-		return(0);
-		}
-
-	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
-		{
-		return rsa->meth->rsa_verify(dtype, m, m_len,
-			sigbuf, siglen, rsa);
-		}
-
-	s= OPENSSL_malloc((unsigned int)siglen);
-	if (s == NULL)
-		{
-		RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
-		goto err;
-		}
-
-	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
-
-	if (i <= 0) goto err;
-
-	der = fips_digestinfo_encoding(dtype, &dlen);
-	
-	if (!der)
-		{
-		RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
-		return(0);
-		}
-
-	/* Compare, DigestInfo length, DigestInfo header and finally
-	 * digest value itself
-	 */
-	if ((i != (int)(dlen + m_len)) || memcmp(der, s, dlen)
-		|| memcmp(s + dlen, m, m_len))
-		{
-		RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
-		goto err;
-		}
-	else
-		ret = 1;
-err:
-	if (s != NULL)
-		{
-		OPENSSL_cleanse(s, siglen);
-		OPENSSL_free(s);
-		}
-	return(ret);
-	}
--- a/fips-1.0/sha/Makefile
+++ b/fips-1.0/sha/Makefile
@@ -38,7 +38,7 @@ HEADER=	$(EXHEADER) fips_sha_locl.h fips_md32_common.h
 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
-	(cd $(TOP); $(MAKE) DIRS=fips-1.0 SDIRS=$(DIR) sub_all)
+	(cd $(TOP); $(MAKE) DIRS=fips SDIRS=$(DIR) sub_all)

 all:	fips_standalone_sha1$(EXE_EXT) lib

--- a/openssl.spec
+++ b/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-%define librev l
+%define librev m
 Release: 1

 %define openssldir /var/ssl
--- a/test/Makefile
+++ b/test/Makefile
@@ -342,18 +342,12 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \
 	fi; \
 	if [ -z "$$SHARED_LIBS" ]; then \
 		set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
-	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \
-		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
-			fipsexlib="-lfips" ; \
-		else \
-			fipsexlib="-lcrypto" ; \
-		fi ; \
-		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \
+	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
 	fi

 FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \
-	  export CC FIPSLD_CC FIPSLD_NPT ; \
+	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
 	fi; $(STANDALONE_BUILD_CMD)

 FIPS_CRYPTO_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -2905,5 +2905,3 @@ SHA384_Init                             3737	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA
 SHA384_Final                            3740	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
 SHA384                                  3745	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
 SHA256_Update                           3765	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
-FIPS_rsa_sign                           3766	EXIST:OPENSSL_FIPS:FUNCTION:RSA
-FIPS_rsa_verify                         3767	EXIST:OPENSSL_FIPS:FUNCTION:RSA
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -19,7 +19,6 @@ my $fips_premain_c_path = "";
 my $fips_sha1_exe_path = "";

 local $fipscanisterbuild = 0;
-local $fipsdso = 0;

 my $fipslibdir = "";
 my $baseaddr = "";
@@ -451,8 +450,6 @@ if ($fips_premain_dso_exe_path eq "")

 #	$ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);

-$ex_l_libs .= " \$(L_FIPS)" if $fipsdso;
-
 if ($fips)
 	{
 	if (!$shlib)
@@ -590,7 +587,6 @@ PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
 E_EXE=openssl
 SSL=$ssl
 CRYPTO=$crypto
-LIBFIPS=libfips

 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
@@ -609,12 +605,10 @@ INCL_D=\$(TMP_D)

 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
-O_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$shlibp
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
-L_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$libp

 L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs

@@ -847,24 +841,10 @@ if ($fips)
 	{
 	if ($shlib)
 		{
-		if ($fipsdso)
-			{
-			$rules.= &do_lib_rule("\$(CRYPTOOBJ)",
-					"\$(O_CRYPTO)", "$crypto",
-					$shlib, "", "");
-			$rules.= &do_lib_rule(
-				"\$(O_FIPSCANISTER)",
-				"\$(O_FIPS)", "libfips",
-				$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
-			$rules.= &do_sdef_rule();
-			}
-		else
-			{
-			$rules.= &do_lib_rule(
-				"\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
-				"\$(O_CRYPTO)", "$crypto",
-				$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
-			}
+		$rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+			"\$(O_CRYPTO)",
+			"$crypto",
+			$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
 		}
 	else
 		{
@@ -1204,17 +1184,10 @@ sub read_options
 				}
 			}
 		}
-	elsif (/^fipscanisterbuild$/)
+	elsif (/^--fipscanisterbuild$/)
 		{
-		$fips=1;
 		$fipscanisterbuild=1;
 		}
-	elsif (/^fipsdso$/)
-		{
-		$fips=1;
-		$fipscanisterbuild=1;
-		$fipsdso=1;
-		}
 	elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
 	elsif (/^-[lL].*$/)	{ $l_flags.="$_ "; }
 	elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
@@ -1250,4 +1223,3 @@ sub fips_check_files
 		}
 	fipslib_error() if ($ret == 0);
 	}
-
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -130,7 +130,7 @@ foreach (@ARGV, split(/ /, $options))
 	}
 	$VMS=1 if $_ eq "VMS";
 	$OS2=1 if $_ eq "OS2";
-	$fips=1 if /^fips/;
+	$fips=1 if $_ eq "fips";

 	$do_ssl=1 if $_ eq "ssleay";
 	if ($_ eq "ssl") {
--- a/util/mksdef.pl
+++ b/util/mksdef.pl
@@ -1,85 +0,0 @@
-
-# Perl script to split libeay32.def into two distinct DEF files for use in
-# fipdso mode. It works out symbols in each case by running "link" command and
-# parsing the output to find the list of missing symbols then splitting
-# libeay32.def based on the result.
-
-
-# Get list of unknown symbols
-
-my @deferr = `link @ARGV`;
-
-my $preamble = "";
-my @fipsdll;
-my @fipsrest;
-my %nosym;
-
-# Add symbols to a hash for easy lookup
-
-foreach (@deferr)
-	{
-	if (/^.*symbol (\S+)$/)
-		{
-		$nosym{$1} = 1;
-		}
-	}
-
-open (IN, "ms/libeay32.def") || die "Can't Open DEF file for splittling";
-
-my $started = 0;
-
-# Parse libeay32.def into two arrays depending on whether the symbol matches
-# the missing list.
-
-
-foreach (<IN>)
-	{
-	if (/^\s*(\S+)\s*\@/)
-		{
-		$started = 1;
-		if (exists $nosym{$1})
-			{
-			push @fipsrest, $_;
-			}
-		else
-			{
-			push @fipsdll, "\t$1\n";
-			}
-		}
-	$preamble .= $_ unless $started;
-	}
-
-close IN;
-
-# Hack! Add some additional exports needed to libcryptofips.dll
-#
-
-push @fipsdll, "\tengine_table_unregister\n";
-push @fipsdll, "\tengine_table_register\n";
-push @fipsdll, "\tengine_table_cleanup\n";
-push @fipsdll, "\tengine_table_select\n";
-push @fipsdll, "\tengine_set_all_null\n";
-
-# Write out DEF files for each array
-
-write_def("ms/libfips.def", "LIBFIPS", $preamble, \@fipsdll);
-write_def("ms/libcryptofips.def", "LIBCRYPTOFIPS", $preamble, \@fipsrest);
-
-
-sub write_def
-	{
-	my ($fnam, $defname, $preamble, $rdefs) = @_;
-	open (OUT, ">$fnam") || die "Can't Open DEF file $fnam for Writing\n";
-
-	$preamble =~ s/LIBEAY32/$defname/g;
-	$preamble =~ s/LIBEAY/$defname/g;
-
-	print OUT $preamble;
-	foreach (@$rdefs)
-		{
-		print OUT $_;
-		}
-	close OUT;
-	}
-
-
--- a/util/pl/VC-32.pl
+++ b/util/pl/VC-32.pl
@@ -13,14 +13,7 @@ if ($fips && !$shlib)
 	}
 else
 	{
-	if ($fipsdso) 
-		{
-		$crypto="libcryptofips";
-		}
-	else
-		{
-		$crypto="libeay32";
-		}
+	$crypto="libeay32";
 	}

 $o='\\';
@@ -126,7 +119,6 @@ sub do_lib_rule
 	local($objs,$target,$name,$shlib,$ign,$base_addr) = @_;
 	local($ret,$Name);

-
 	$taget =~ s/\//$o/g if $o ne '/';
 	($Name=$name) =~ tr/a-z/A-Z/;
 	my $base_arg;
@@ -151,29 +143,14 @@ sub do_lib_rule
 		}
 	else
 		{
-		my $ex = "";		
-		if ($target =~ /O_SSL/)
-			{
-			$ex .= " \$(L_CRYPTO)";
-			$ex .= " \$(L_FIPS)" if $fipsdso;
-			}
-		my $fipstarget;
-		if ($fipsdso)
-			{
-			$fipstarget = "O_FIPS";
-			}
-		else
-			{
-			$fipstarget = "O_CRYPTO";
-			}
+		local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
 		$ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
 		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
- 		if ($fips && $target =~ /$fipstarget/)
+ 		if ($fips && $target =~ /O_CRYPTO/)
 			{
 			$ex.= $mwex unless $fipscanisterbuild;
-			$ret.="$target: $objs \$(PREMAIN_DSO_EXE)";
-			$ret.=" ms/libfips.def" if $fipsdso;
-			$ret.="\n\tSET FIPS_LINK=\$(LINK)\n";
+			$ret.="$target: $objs \$(PREMAIN_DSO_EXE)\n";
+			$ret.="\tSET FIPS_LINK=\$(LINK)\n";
 			$ret.="\tSET FIPS_CC=\$(CC)\n";
 			$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
 			$ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
@@ -186,13 +163,8 @@ sub do_lib_rule
 			}
 		else
 			{
-			$ret.="$target: $objs";
-			if ($target =~ /O_CRYPTO/ && $fipsdso)
-				{
-				$ret .= " \$(O_FIPS)";
-				$ex .= " \$(L_FIPS)";
-				}
-			$ret.="\n\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+			$ret.="$target: $objs\n";
+			$ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
 			}
 		}
 	$ret.="\n";
@@ -201,7 +173,7 @@ sub do_lib_rule

 sub do_link_rule
 	{
-	my($target,$files,$dep_libs,$libs,$standalone)=@_;
+	local($target,$files,$dep_libs,$libs,$standalone)=@_;
 	local($ret,$_);
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
@@ -244,19 +216,11 @@ sub do_rlink_rule
 	$ret.="\t\$(MKCANISTER) $target <<\n";
 	$ret.="INPUT($files)\n<<\n";
 	$ret.="\t\$(FIPS_SHA1_EXE) $target > ${target}.sha1\n";
-	$ret.="\t\$(PERL) util${o}copy.pl -stripcr fips-1.0${o}fips_premain.c \$(LIB_D)${o}fips_premain.c\n";
+	$ret.="\tperl util${o}copy.pl -stripcr fips-1.0${o}fips_premain.c \$(LIB_D)${o}fips_premain.c\n";
 	$ret.="\t\$(CP) fips-1.0${o}fips_premain.c.sha1 \$(LIB_D)${o}fips_premain.c.sha1\n";
 	$ret.="\n";
 	return($ret);
 	}

-sub do_sdef_rule
-	{
-	my $ret = "ms/libfips.def: \$(O_FIPSCANISTER)\n";
-	$ret.="\t\$(PERL) util/mksdef.pl \$(MLFLAGS) /out:dummy.dll /def:ms/libeay32.def @<<\n  \$(O_FIPSCANISTER)\n<<\n";
-	$ret.="\n";
-	return $ret;
-	}
-

 1;
Author	SHA1	Message	Date
cvs2svn	10626fac15	This commit was manufactured by cvs2svn to create tag 'OpenSSL_0_9_7m'.	2007-02-23 12:49:10 +00:00
Dr. Stephen Henson	0be4302f64	Use date in README.	2007-02-23 12:49:09 +00:00
Dr. Stephen Henson	f4819d8ab2	Update to next dev version.	2007-02-23 12:35:48 +00:00
Dr. Stephen Henson	44f69e6f26	Oops! Correct version file.	2007-02-23 12:17:03 +00:00
Dr. Stephen Henson	d08d0c124a	Prepare for release.	2007-02-23 12:07:21 +00:00
Dr. Stephen Henson	f7bd41b449	Make update.	2007-02-23 00:59:28 +00:00
Dr. Stephen Henson	63486f8477	Fix syntax error in asm file.	2007-02-23 00:36:03 +00:00
Dr. Stephen Henson	2cbd4a1f19	Set $fips when fipscanistebuild is used.	2007-02-22 22:30:49 +00:00
Dr. Stephen Henson	dde967a580	Typo.	2007-02-22 22:30:00 +00:00
Dr. Stephen Henson	0d64ce0dfb	Only give warning if relevant options are given.	2007-02-22 01:51:34 +00:00
Dr. Stephen Henson	d0db21641b	Update NEWS file.	2007-02-22 01:36:15 +00:00
Dr. Stephen Henson	15fca1a6e3	Include big warning message if test fipscanister.o compilation option used.	2007-02-21 18:16:25 +00:00
Lutz Jänicke	4804720353	Fix incorrect handling of special characters. PR: 1459 Submitted by: tnitschke@innominate.com Reviewed by: steve@openssl.org	2007-02-21 17:44:08 +00:00
Dr. Stephen Henson	9a3a58e13b	Cleanse PEM buffers before freeing them. Submitted by: Benjamin Bennett <ben@psc.edu>	2007-02-21 13:48:09 +00:00
Bodo Möller	3bd95a14ca	Include "!eNULL" in SSL_DEFAULT_CIPHER_LIST to make sure that a ciphersuite string such as "DEFAULT:RSA" cannot enable authentication-only ciphersuites.	2007-02-19 18:35:45 +00:00
Bodo Möller	fd31dfae39	fix incorrect strength bit values for certain Kerberos ciphersuites Submitted by: Victor Duchovni	2007-02-19 14:45:57 +00:00
Bodo Möller	d875a212c3	Some fixes for ciphersuite string processing: - add a workaround provided by Victor Duchovni so that 128- and 256-bit variants of otherwise identical ciphersuites are treated correctly; - also, correctly skip invalid parts of ciphersuite description strings. Submitted by: Victor Duchovni, Bodo Moeller	2007-02-17 06:53:10 +00:00
Dr. Stephen Henson	f35dd4c360	Update from fips2 branch.	2007-02-03 17:33:30 +00:00
Nils Larsch	3f9b157fcf	fix documentation PR: 1466	2007-02-03 10:27:06 +00:00