Avoid use of "echo -n" some platforms don't support it.

Update from 0.9.7-stable
Fix from 0.9.7-stable
2007-02-23 20:14:21 +00:00 · 2007-02-23 20:13:40 +00:00 · 2007-02-23 00:37:25 +00:00 · 2007-02-22 13:26:44 +00:00 · 2007-02-21 18:17:19 +00:00 · 2007-02-21 16:57:35 +00:00
80 changed files with 1989 additions and 2359 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -13,6 +13,7 @@ cctest
 cctest.c
 cctest.a
 libcrypto.so.*
+libfips.so.*
 libssl.so.*
 libcrypto.sha1
 libcrypto.a.sha1
--- a/39
+++ b/39
@@ -2,24 +2,33 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7m and 0.9.7n  [xx XXX xxxx]
+ Changes between 0.9.7l and 0.9.7m-fips2 [xx XXX xxxx]

-  *) In the SSL/TLS server implementation, be strict about session ID
-     context matching (which matters if an application uses a single
-     external cache for different purposes).  Previously,
-     out-of-context reuse was forbidden only if SSL_VERIFY_PEER was
-     set.  This did ensure strict client verification, but meant that,
-     with applications using a single external cache for quite
-     different requirements, clients could circumvent ciphersuite
-     restrictions for a given session ID context by starting a session
-     in a different context.
-     [Bodo Moeller]
+  *) Replace FIPS PRNG with AES based version based on ANSI X9.31 A.2.4 .
+     This supports larger keys (up to 256 bits) and large seeding and DT
+     vectors (128 bits each). Update tests for modified PRNG.
+     [Steve Henson]

-  *) Update the SSL_get_shared_ciphers() fix CVE-2006-3738 which was
-     not complete and could lead to a possible single byte overflow
-     (CVE-2007-5135) [Ben Laurie]
+  *) FIPS portability patches.
+     [Brad House <brad@mainstreetsoftworks.com>]

- Changes between 0.9.7l and 0.9.7m  [23 Feb 2007]
+  *) Move error strings for remaing libraries into separate files to avoid 
+     unnecessary dependencies for fipscanister.o which doesn't require the
+     loading of error strings.
+     [Steve Henson]
+
+  *) New build option fipsdso to link fipscanister.o into a DSO called 
+     libfips.so and modify build system to link against it. Preliminary changes
+     to VC++ build system to accomodate fipsdso.
+     [Steve Henson]
+
+  *) New version of RSA_{sign,verify} for FIPS code. This uses pregenerated
+     DigestInfo encodings and thus avoids all ASN1 library dependencies. Update
+     FIPS digests to use new functions. Remove large numbers of obsolete 
+     dependencies from fipscanister.o
+     [Steve Henson]
+
+ Changes between 0.9.7l and 0.9.7m  [xx XXX xxxx]

  *) Cleanse PEM buffers before freeing them since they may contain 
     sensitive data.
--- a/57
+++ b/57
@@ -186,17 +186,17 @@ my %table=(
 #### SPARC Solaris with GNU C setups
 "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
-"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
+# -m32 should be safe to add as long as driver recognizes -march=ultrasparc
+"solaris-sparcv9-gcc","gcc:-m32 -march=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-march=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# gcc pre-2.8 doesn't understand -march=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
 "solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -march=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 ####
 "debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -march=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
@@ -217,11 +217,11 @@ my %table=(
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
 "linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# it's a real mess with -mcpu=ultrasparc option under Linux, but
+# it's a real mess with -march=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv9","gcc:-march=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # GCC 3.1 is a requirement
-"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux64-sparcv9","gcc:-m64 -march=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # Sunos configs, assuming sparc for the gcc one.
 ##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
@@ -373,7 +373,7 @@ my %table=(
 # Special notes:
 # - linux-alpha+bwx-gcc is ment to be used from ./config only. If you
 #   ought to run './Configure linux-alpha+bwx-gcc' manually, do
-#   complement the command line with -mcpu=ev56, -mcpu=ev6 or whatever
+#   complement the command line with -march=ev56, -march=ev6 or whatever
 #   which is appropriate.
 # - If you use ccc keep in mind that -fast implies -arch host and the
 #   compiler is free to issue instructions which gonna make elder CPU
@@ -404,7 +404,8 @@ my %table=(
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc32.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ppc64",  "gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc64.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -bpowerpc64-linux is transient option, -m64 should be the one to use...
+"linux-ppc64",  "gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/linux_ppc64.o:::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
 "linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -414,7 +415,7 @@ my %table=(
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-sparc64","gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD-ia64","gcc:-DL_ENDIAN -DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64-cpp.o:::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
@@ -459,13 +460,14 @@ my %table=(
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-
+"sco6-cc",  "cc:-O::-Kpthread::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # IBM's AIX.
 "aix3-cc",    "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
 "aix-gcc",    "gcc:-O3 -DB_ENDIAN::-D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:",
 "aix-cc",     "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::BN_LLONG RC4_CHAR:asm/aix_ppc32.o:::::::::dlfcn:aix-shared::-q32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
 "aix64-cc",   "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-q64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
+"aix64-gcc",   "gcc:-maix64 -O -DB_ENDIAN::-D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:asm/aix_ppc64.o:::::::::dlfcn:aix-shared::-maix64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",

 #
 # Cray T90 and similar (SDSC)
@@ -622,6 +624,7 @@ my $exe_ext="";
 my $install_prefix="";
 my $fipslibdir="/usr/local/ssl/lib/";
 my $nofipscanistercheck=0;
+my $fipsdso=0;
 my $fipscanisterinternal="n";
 my $baseaddr="0xFB00000";
 my $no_threads=0;
@@ -844,15 +847,25 @@ PROCESS_ARGS:
 			}
 		elsif (/^nofipscanistercheck$/)
 			{
+			$fips = 1;
 			$nofipscanistercheck = 1;
 			}
 		elsif (/^fipscanisterbuild$/)
 			{
-			$fips=1;
+			$fips = 1;
 			$nofipscanistercheck = 1;
 			$fipslibdir="";
 			$fipscanisterinternal="y";
 			}
+		elsif (/^fipsdso$/)
+			{
+			$fips = 1;
+			$nofipscanistercheck = 1;
+			$fipslibdir="";
+			$fipscanisterinternal="y";
+			$fipsdso = 1;
+			$no_shared = 0;
+			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/)
@@ -979,6 +992,8 @@ print "Configuring for $target\n";

 my $IsWindows=scalar grep /^$target$/,@WinTargets;

+$no_shared = 1 if ($IsWindows && $fipsdso);
+
 $exe_ext=".exe" if ($target eq "Cygwin" || $target eq "DJGPP" || $target eq "mingw");
 $exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
@@ -1356,12 +1371,24 @@ while (<IN>)
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
 	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
 	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+	if ($fipsdso)
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=libfips/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=libfips\$(SHLIB_EXT)/;
+		s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl fips/;
+		}
+	else
+		{
+		s/^FIPSCANLIB=.*/FIPSCANLIB=libcrypto/;
+		s/^SHARED_FIPS=.*/SHARED_FIPS=/;
+		s/^SHLIBDIRS=.*/SHLIBDIRS= crypto ssl/;
+		}
 	s/^FIPSCANISTERINTERNAL=.*/FIPSCANISTERINTERNAL=$fipscanisterinternal/;
 	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
 	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
-	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
+	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL) \$(SHARED_FIPS)/ if (!$no_shared);
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
--- a/2
+++ b/2
@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7m was released on Feb 23rd, 2007.
+OpenSSL 0.9.7l was released on September 28, 2006.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
--- a/4
+++ b/4
@@ -140,7 +140,7 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/support/rt.html and will be forwarded to a
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
     public mailing list). Include the output of "make report" in your message.
     Please check out the request tracker. Maybe the bug was already
     reported or has already been fixed.
@@ -162,7 +162,7 @@
     in Makefile and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report" in order to be added to the request tracker at
-     http://www.openssl.org/support/rt.html.
+     http://www.openssl.org/support/rt2.html.

  4. If everything tests ok, install OpenSSL with

--- a/Makefile.org
+++ b/Makefile.org
@@ -66,6 +66,7 @@ EX_LIBS=
 EXE_EXT= 
 ARFLAGS=
 AR=ar $(ARFLAGS) r
+ARD=ar $(ARFLAGS) d
 RANLIB= ranlib
 PERL= perl
 TAR= tar
@@ -185,6 +186,7 @@ LIBZLIB=

 FIPSLIBDIR=/usr/local/ssl/lib/
 FIPSCANISTERINTERNAL=n
+FIPSCANLIB=

 # Shared library base address. Currently only used on Windows.
 #
@@ -196,7 +198,7 @@ BASEADDR=
 SHLIB_MARK=

 DIRS=   crypto fips-1.0 ssl $(SHLIB_MARK) apps test tools
-SHLIBDIRS= crypto ssl
+SHLIBDIRS= crypto ssl fips

 # dirs in crypto to build
 SDIRS=  objects \
@@ -227,6 +229,7 @@ WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
+SHARED_FIPS=
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
@@ -249,7 +252,7 @@ sub_all:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}' FIPSLIBDIR='${FIPSLIBDIR}' FIPSCANLIB='${FIPSCANLIB}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -266,9 +269,15 @@ sub_target:
 	fi; \
 	done;

-libcrypto$(SHLIB_EXT): libcrypto.a
+libcrypto$(SHLIB_EXT): libcrypto.a $(SHARED_FIPS)
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-		$(MAKE) SHLIBDIRS=crypto build-shared; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			$(ARD) libcrypto.a fipscanister.o ; \
+			$(MAKE) SHLIBDIRS='crypto' SHLIBDEPS='-lfips' build-shared; \
+			$(AR) libcrypto.a fips-1.0/fipscanister.o ; \
+		else \
+			$(MAKE) SHLIBDIRS='crypto' build-shared; \
+		fi \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
@@ -280,6 +289,13 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi

+libfips$(SHLIB_EXT):
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
+		$(MAKE) SHLIBDIRS=fips build-shared; \
+	else \
+		echo "There's no support for shared libraries on this platform" >&2; \
+	fi
+
 clean-shared:
 	@for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
--- a/5
+++ b/5
@@ -5,11 +5,6 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
-
-      o FIPS 1.1.1 module linking.
-      o Various ciphersuite selection fixes.
-
  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:

      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
--- a/17
+++ b/17
@@ -1,5 +1,5 @@

- OpenSSL 0.9.7n-dev xx XXX xxxx
+ OpenSSL 0.9.7m-dev xx XXX xxxx

 Copyright (c) 1998-2007 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -36,13 +36,12 @@
     actually logically part of it. It includes routines for the following:

     Ciphers
-        libdes - EAY's libdes DES encryption package which was floating
-                 around the net for a few years, and was then relicensed by
-                 him as part of SSLeay.  It includes 15 'modes/variations'
-                 of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
-                 pcbc and a more general form of cfb and ofb) including desx
-                 in cbc mode, a fast crypt(3), and routines to read
-                 passwords from the keyboard.
+        libdes - EAY's libdes DES encryption package which has been floating
+                 around the net for a few years.  It includes 15
+                 'modes/variations' of DES (1, 2 and 3 key versions of ecb,
+                 cbc, cfb and ofb; pcbc and a more general form of cfb and
+                 ofb) including desx in cbc mode, a fast crypt(3), and
+                 routines to read passwords from the keyboard.
        RC4 encryption,
        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
@@ -157,7 +156,7 @@
    - Stack Traceback (if the application dumps core)

 Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/support/rt.html) by mail to:
+ (http://www.openssl.org/support/rt2.html) by mail to:

    openssl-bugs@openssl.org

--- a/6
+++ b/6
@@ -1,17 +1,15 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2008/04/07 06:34:10 $
+  ______________                           $Date: 2006/09/28 11:56:56 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.9:  Under development...
-    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
    o  OpenSSL 0.9.8d: Released on September 28th, 2006
    o  OpenSSL 0.9.8c: Released on September  5th, 2006
    o  OpenSSL 0.9.8b: Released on May        4th, 2006
    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
-    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
    o  OpenSSL 0.9.7l: Released on September 28th, 2006
    o  OpenSSL 0.9.7k: Released on September  5th, 2006
    o  OpenSSL 0.9.7j: Released on May        4th, 2006
@@ -47,7 +45,7 @@
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998

-  [See also http://www.openssl.org/support/rt.html]
+  [See also http://www.openssl.org/support/rt2.html]

  RELEASE SHOWSTOPPERS

--- a/26
+++ b/26
@@ -1652,7 +1652,7 @@ $arflags      =

 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1677,7 +1677,7 @@ $arflags      =

 *** debug-levitte-linux-elf-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1702,7 +1702,7 @@ $arflags      =

 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1727,7 +1727,7 @@ $arflags      =

 *** debug-levitte-linux-noasm-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -march=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1802,7 +1802,7 @@ $arflags      =

 *** debug-linux-pentium
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=pentium -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1827,7 +1827,7 @@ $arflags      =

 *** debug-linux-ppro
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=pentiumpro -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1977,7 +1977,7 @@ $arflags      =

 *** debug-steve
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -march=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2002,7 +2002,7 @@ $arflags      =

 *** debug-steve-linux-pseudo64
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -march=i486 -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3127,7 +3127,7 @@ $arflags      =

 *** linux-k6
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=k6 -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3252,7 +3252,7 @@ $arflags      =

 *** linux-pentium
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=pentium -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3302,7 +3302,7 @@ $arflags      =

 *** linux-ppc64
 $cc           = gcc
-$cflags       = -m64 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
+$cflags       = -bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3320,14 +3320,14 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
-$shared_ldflag = -m64
+$shared_ldflag = -bpowerpc64-linux
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

 *** linux-ppro
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=pentiumpro -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -103,7 +103,7 @@ install:
 	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 mv -f  $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new \
 	 	$(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-	); done
+	) done;
 	@for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -8,9 +8,6 @@
 HOME			= .
 RANDFILE		= $ENV::HOME/.rnd

-# Uncomment out to enable OpenSSL configuration see config(3)
-# openssl_conf = openssl_init
-
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
@@ -22,11 +19,6 @@ oid_section		= new_oids
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)

-[openssl_init]
-# Extra OBJECT IDENTIFIER info:
-oid_section = new_oids
-alg_section = algs
-
 [ new_oids ]

 # We can add new OIDs in here for use by 'ca' and 'req'.
@@ -34,9 +26,6 @@ alg_section = algs
 # testoid1=1.2.3.4
 # Or use config file substitution like this:
 # testoid2=${testoid1}.5.6
-[ algs ]
-# Algorithm configuration options. Currently just fips_mode
-fips_mode = no

 ####################################################################
 [ ca ]
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -187,7 +187,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -port port     - use -connect instead\n");
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);

-	BIO_printf(bio_err," -verify depth - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
 	BIO_printf(bio_err," -key arg      - Private key file to use, PEM format assumed, in cert file if\n");
 	BIO_printf(bio_err,"                 not specified but cert file is.\n");
--- a/6
+++ b/6
@@ -547,9 +547,9 @@ case "$GUESSOS" in
 	esac
 	if [ "$CC" = "gcc" ]; then
 	    case ${ISA:-generic} in
-	    EV5|EV45)		options="$options -mcpu=ev5";;
-	    EV56|PCA56)		options="$options -mcpu=ev56";;
-	    EV6|EV67|PCA57)	options="$options -mcpu=ev6";;
+	    EV5|EV45)		options="$options -march=ev5";;
+	    EV56|PCA56)		options="$options -march=ev56";;
+	    EV6|EV67|PCA57)	options="$options -march=ev6";;
 	    esac
 	fi
 	;;
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -35,8 +35,8 @@ GENERAL=Makefile README crypto-lib.com install.com

 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c
-LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c fips_err.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o fips_err.o

 SRC= $(LIBSRC)

@@ -185,6 +185,7 @@ ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
 ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 ex_data.o: ../include/openssl/symhacks.h cryptlib.h ex_data.c
+fips_err.o: ../include/openssl/opensslconf.h fips_err.c
 mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
 mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -170,7 +170,7 @@ static int do_buf(unsigned char *buf, int buflen,
 	q = buf + buflen;
 	outlen = 0;
 	while(p != q) {
-		if(p == buf && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_FIRST_ESC_2253;
+		if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
 		else orflags = 0;
 		switch(type & BUF_TYPE_WIDTH_MASK) {
 			case 4:
@@ -195,7 +195,7 @@ static int do_buf(unsigned char *buf, int buflen,
 			p += i;
 			break;
 		}
-		if (p == q && flags & ASN1_STRFLGS_ESC_2253) orflags = CHARTYPE_LAST_ESC_2253;
+		if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
 		if(type & BUF_TYPE_CONVUTF8) {
 			unsigned char utfbuf[6];
 			int utflen;
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -230,7 +230,7 @@ get_next:
 				}
 			}
 		}
-	if(!(cflag & X509_FLAG_NO_EXTENSIONS))
+	if(!(cflag & X509_FLAG_NO_ATTRIBUTES))
 		{
 		exts = X509_REQ_get_extensions(x);
 		if(exts)
@@ -248,7 +248,7 @@ get_next:
 				j=X509_EXTENSION_get_critical(ex);
 				if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
 					goto err;
-				if(!X509V3_EXT_print(bp, ex, cflag, 16))
+				if(!X509V3_EXT_print(bp, ex, 0, 16))
 					{
 					BIO_printf(bp, "%16s", "");
 					M_ASN1_OCTET_STRING_print(bp,ex->value);
--- a/crypto/asn1/tasn_fre.c
+++ b/crypto/asn1/tasn_fre.c
@@ -106,6 +106,7 @@ static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int c
 			if(i == 2) return;
 		}
 		i = asn1_get_choice_selector(pval, it);
+		if(asn1_cb) asn1_cb(ASN1_OP_FREE_PRE, pval, it);
 		if((i >= 0) && (i < it->tcount)) {
 			ASN1_VALUE **pchval;
 			tt = it->templates + i;
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -160,40 +160,40 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, unsigned char **in, long len, cons
 					int tag, int aclass, char opt, ASN1_TLC *ctx)
 {
 	unsigned char *p = *in, *q;
-	union { STACK *s; ASN1_VALUE *a; } intname = {NULL};
-	union { X509_NAME *x; ASN1_VALUE *a; } nm = {NULL};
+	STACK *intname = NULL, **intname_pp = &intname;
 	int i, j, ret;
+	X509_NAME *nm = NULL, **nm_pp = &nm;
 	STACK_OF(X509_NAME_ENTRY) *entries;
 	X509_NAME_ENTRY *entry;
 	q = p;

 	/* Get internal representation of Name */
-	ret = ASN1_item_ex_d2i(&intname.a,
+	ret = ASN1_item_ex_d2i((ASN1_VALUE **)intname_pp,
 			       &p, len, ASN1_ITEM_rptr(X509_NAME_INTERNAL),
 			       tag, aclass, opt, ctx);
 	
 	if(ret <= 0) return ret;

 	if(*val) x509_name_ex_free(val, NULL);
-	if(!x509_name_ex_new(&nm.a, NULL)) goto err;
+	if(!x509_name_ex_new((ASN1_VALUE **)nm_pp, NULL)) goto err;
 	/* We've decoded it: now cache encoding */
-	if(!BUF_MEM_grow(nm.x->bytes, p - q)) goto err;
-	memcpy(nm.x->bytes->data, q, p - q);
+	if(!BUF_MEM_grow(nm->bytes, p - q)) goto err;
+	memcpy(nm->bytes->data, q, p - q);

 	/* Convert internal representation to X509_NAME structure */
-	for(i = 0; i < sk_num(intname.s); i++) {
-		entries = (STACK_OF(X509_NAME_ENTRY) *)sk_value(intname.s, i);
+	for(i = 0; i < sk_num(intname); i++) {
+		entries = (STACK_OF(X509_NAME_ENTRY) *)sk_value(intname, i);
 		for(j = 0; j < sk_X509_NAME_ENTRY_num(entries); j++) {
 			entry = sk_X509_NAME_ENTRY_value(entries, j);
 			entry->set = i;
-			if(!sk_X509_NAME_ENTRY_push(nm.x->entries, entry))
+			if(!sk_X509_NAME_ENTRY_push(nm->entries, entry))
 				goto err;
 		}
 		sk_X509_NAME_ENTRY_free(entries);
 	}
-	sk_free(intname.s);
-	nm.x->modified = 0;
-	*val = nm.a;
+	sk_free(intname);
+	nm->modified = 0;
+	*val = (ASN1_VALUE *)nm;
 	*in = p;
 	return ret;
 	err:
@@ -219,35 +219,35 @@ static int x509_name_ex_i2d(ASN1_VALUE **val, unsigned char **out, const ASN1_IT

 static int x509_name_encode(X509_NAME *a)
 {
-	union { STACK *s; ASN1_VALUE *a; } intname = {NULL};
+	STACK *intname = NULL, **intname_pp = &intname;
 	int len;
 	unsigned char *p;
 	STACK_OF(X509_NAME_ENTRY) *entries = NULL;
 	X509_NAME_ENTRY *entry;
 	int i, set = -1;
-	intname.s = sk_new_null();
-	if(!intname.s) goto memerr;
+	intname = sk_new_null();
+	if(!intname) goto memerr;
 	for(i = 0; i < sk_X509_NAME_ENTRY_num(a->entries); i++) {
 		entry = sk_X509_NAME_ENTRY_value(a->entries, i);
 		if(entry->set != set) {
 			entries = sk_X509_NAME_ENTRY_new_null();
 			if(!entries) goto memerr;
-			if(!sk_push(intname.s, (char *)entries)) goto memerr;
+			if(!sk_push(intname, (char *)entries)) goto memerr;
 			set = entry->set;
 		}
 		if(!sk_X509_NAME_ENTRY_push(entries, entry)) goto memerr;
 	}
-	len = ASN1_item_ex_i2d(&intname.a, NULL,
+	len = ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp, NULL,
 			       ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
 	if (!BUF_MEM_grow(a->bytes,len)) goto memerr;
 	p=(unsigned char *)a->bytes->data;
-	ASN1_item_ex_i2d(&intname.a,
+	ASN1_item_ex_i2d((ASN1_VALUE **)intname_pp,
 			 &p, ASN1_ITEM_rptr(X509_NAME_INTERNAL), -1, -1);
-	sk_pop_free(intname.s, sk_internal_free);
+	sk_pop_free(intname, sk_internal_free);
 	a->modified = 0;
 	return len;
 	memerr:
-	sk_pop_free(intname.s, sk_internal_free);
+	sk_pop_free(intname, sk_internal_free);
 	ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_MALLOC_FAILURE);
 	return -1;
 }
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -79,7 +79,7 @@
 #include <openssl/bn.h>         /* To get BN_LLONG properly defined */
 #include <openssl/bio.h>

-#if defined(BN_LLONG) || defined(SIXTY_FOUR_BIT)
+#ifdef BN_LLONG
 # ifndef HAVE_LONG_LONG
 #  define HAVE_LONG_LONG 1
 # endif
@@ -117,7 +117,7 @@

 #if HAVE_LONG_LONG
 # if defined(OPENSSL_SYS_WIN32) && !defined(__GNUC__)
-# define LLONG __int64
+# define LLONG _int64
 # else
 # define LLONG long long
 # endif
--- a/crypto/bn/bn_mont.c
+++ b/crypto/bn/bn_mont.c
@@ -175,6 +175,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,

 	max=(nl+al+1); /* allow for overflow (no?) XXX */
 	if (bn_wexpand(r,max) == NULL) goto err;
+	if (bn_wexpand(ret,max) == NULL) goto err;

 	r->neg=a->neg^n->neg;
 	np=n->d;
@@ -226,70 +227,19 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 		}
 	bn_fix_top(r);
 	
-	/* mont->ri will be a multiple of the word size and below code
-	 * is kind of BN_rshift(ret,r,mont->ri) equivalent */
-	if (r->top <= ri)
-		{
-		ret->top=0;
-		retn=1;
-		goto err;
-		}
-	al=r->top-ri;
-
-# define BRANCH_FREE 1
-# if BRANCH_FREE
-	if (bn_wexpand(ret,ri) == NULL) goto err;
-	x=0-(((al-ri)>>(sizeof(al)*8-1))&1);
-	ret->top=x=(ri&~x)|(al&x);	/* min(ri,al) */
-	ret->neg=r->neg;
-
+	/* mont->ri will be a multiple of the word size */
+#if 0
+	BN_rshift(ret,r,mont->ri);
+#else
+	ret->neg = r->neg;
+	x=ri;
 	rp=ret->d;
-	ap=&(r->d[ri]);
-
-	{
-	size_t m1,m2;
-
-	v=bn_sub_words(rp,ap,np,ri);
-	/* this ----------------^^ works even in al<ri case
-	 * thanks to zealous zeroing of top of the vector in the
-	 * beginning. */
-
-	/* if (al==ri && !v) || al>ri) nrp=rp; else nrp=ap; */
-	/* in other words if subtraction result is real, then
-	 * trick unconditional memcpy below to perform in-place
-	 * "refresh" instead of actual copy. */
-	m1=0-(size_t)(((al-ri)>>(sizeof(al)*8-1))&1);	/* al<ri */
-	m2=0-(size_t)(((ri-al)>>(sizeof(al)*8-1))&1);	/* al>ri */
-	m1|=m2;			/* (al!=ri) */
-	m1|=(0-(size_t)v);	/* (al!=ri || v) */
-	m1&=~m2;		/* (al!=ri || v) && !al>ri */
-	nrp=(BN_ULONG *)(((size_t)rp&~m1)|((size_t)ap&m1));
-	}
-
-	/* 'i<ri' is chosen to eliminate dependency on input data, even
-	 * though it results in redundant copy in al<ri case. */
-	for (i=0,ri-=4; i<ri; i+=4)
-		{
-		BN_ULONG t1,t2,t3,t4;
-		
-		t1=nrp[i+0];
-		t2=nrp[i+1];
-		t3=nrp[i+2];	ap[i+0]=0;
-		t4=nrp[i+3];	ap[i+1]=0;
-		rp[i+0]=t1;	ap[i+2]=0;
-		rp[i+1]=t2;	ap[i+3]=0;
-		rp[i+2]=t3;
-		rp[i+3]=t4;
-		}
-	for (ri+=4; i<ri; i++)
-		rp[i]=nrp[i], ap[i]=0;
-# else
-	if (bn_wexpand(ret,al) == NULL) goto err;
+	ap= &(r->d[x]);
+	if (r->top < x)
+		al=0;
+	else
+		al=r->top-x;
 	ret->top=al;
-	ret->neg=r->neg;
-
-	rp=ret->d;
-	ap=&(r->d[ri]);
 	al-=4;
 	for (i=0; i<al; i+=4)
 		{
@@ -307,7 +257,7 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 	al+=4;
 	for (; i<al; i++)
 		rp[i]=ap[i];
-# endif
+#endif
 #else /* !MONT_WORD */ 
 	BIGNUM *t1,*t2;

@@ -327,14 +277,11 @@ int BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont,
 	if (!BN_rshift(ret,t2,mont->ri)) goto err;
 #endif /* MONT_WORD */

-#if !defined(BRANCH_FREE) || BRANCH_FREE==0
 	if (BN_ucmp(ret, &(mont->N)) >= 0)
 		{
 		if (!BN_usub(ret,ret,&(mont->N))) goto err;
 		}
-#endif
 	retn=1;
-	bn_check_top(ret);
 err:
 	BN_CTX_end(ctx);
 	return(retn);
--- a/crypto/conf/conf.h
+++ b/crypto/conf/conf.h
@@ -113,7 +113,6 @@ typedef void conf_finish_func(CONF_IMODULE *md);
 #define CONF_MFLAGS_SILENT		0x4
 #define CONF_MFLAGS_NO_DSO		0x8
 #define CONF_MFLAGS_IGNORE_MISSING_FILE	0x10
-#define CONF_MFLAGS_DEFAULT_SECTION	0x20

 int CONF_set_default_method(CONF_METHOD *meth);
 void CONF_set_nconf(CONF *conf,LHASH *hash);
--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -76,6 +76,5 @@ void OPENSSL_load_builtin_modules(void)
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_add_conf_module();
 #endif
-	EVP_add_alg_module();
 	}

--- a/crypto/conf/conf_mod.c
+++ b/crypto/conf/conf_mod.c
@@ -126,18 +126,17 @@ int CONF_modules_load(const CONF *cnf, const char *appname,
 	{
 	STACK_OF(CONF_VALUE) *values;
 	CONF_VALUE *vl;
-	char *vsection = NULL;
+	char *vsection;

 	int ret, i;

 	if (!cnf)
 		return 1;

-	if (appname)
-		vsection = NCONF_get_string(cnf, NULL, appname);
+	if (appname == NULL)
+		appname = "openssl_conf";

-	if (!appname || (!vsection && (flags & CONF_MFLAGS_DEFAULT_SECTION)))
-		vsection = NCONF_get_string(cnf, NULL, "openssl_conf");
+	vsection = NCONF_get_string(cnf, NULL, appname); 

 	if (!vsection)
 		{
--- a/crypto/conf/conf_sap.c
+++ b/crypto/conf/conf_sap.c
@@ -88,8 +88,8 @@ void OPENSSL_config(const char *config_name)


 	ERR_clear_error();
-	if (CONF_modules_load_file(NULL, config_name,
-	CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
+	if (CONF_modules_load_file(NULL, NULL,
+					CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0)
 		{
 		BIO *bio_err;
 		ERR_load_crypto_strings();
--- a/crypto/dh/dh.h
+++ b/crypto/dh/dh.h
@@ -210,8 +210,8 @@ void ERR_load_DH_strings(void);

 /* Reason codes. */
 #define DH_R_BAD_GENERATOR				 101
+#define DH_R_MODULUS_TOO_LARGE				 103
 #define DH_R_NO_PRIVATE_VALUE				 100
-#define DH_R_MODULUS_TOO_LARGE                           103

 #ifdef  __cplusplus
 }
--- a/crypto/dh/dh_err.c
+++ b/crypto/dh/dh_err.c
@@ -82,7 +82,7 @@ static ERR_STRING_DATA DH_str_functs[]=
 static ERR_STRING_DATA DH_str_reasons[]=
 	{
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
-{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},               
+{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
 	};
--- a/crypto/dso/dso_dlfcn.c
+++ b/crypto/dso/dso_dlfcn.c
@@ -294,6 +294,15 @@ static char *dlfcn_name_converter(DSO *dso, const char *filename)
 	return(translated);
 	}

+/* This section uses dladdr() which appears to be a GNU extension, though
+ * some other OS's have adopted it.  Specifically, AIX4, AIX5, and SCO5
+ * do not support dladdr().
+ * No reference to DSO_pathbyaddr() is made, and appears to be a function
+ * which was added during construction of FIPS support in OpenSSL.  It appears
+ * that it has been replaced by FIPS_ref_point() in fipscanister.c
+ * Removing the below code fixes compile-time issues on the afore-mentioned
+ * OS's */
+#ifdef DEADBEEF_0
 #ifdef OPENSSL_FIPS
 static void dlfcn_ref_point(){}

@@ -322,4 +331,6 @@ int DSO_pathbyaddr(void *addr,char *path,int sz)
 	return -1;
 	}
 #endif
+#endif /* DEADBEEF_0 */
+
 #endif /* DSO_DLFCN */
--- a/crypto/err/Makefile
+++ b/crypto/err/Makefile
@@ -22,8 +22,8 @@ TEST=
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=err.c err_all.c err_prn.c
-LIBOBJ=err.o err_all.o err_prn.o
+LIBSRC=err.c err_all.c err_prn.c err_str.c
+LIBOBJ=err.o err_all.o err_prn.o err_str.o

 SRC= $(LIBSRC)

@@ -116,3 +116,10 @@ err_prn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 err_prn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 err_prn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 err_prn.o: ../cryptlib.h err_prn.c
+err_str.o: ../../e_os.h ../../include/openssl/bio.h
+err_str.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+err_str.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+err_str.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+err_str.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
+err_str.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+err_str.o: ../cryptlib.h err_str.c
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -122,99 +122,6 @@
 static void err_load_strings(int lib, ERR_STRING_DATA *str);

 static void ERR_STATE_free(ERR_STATE *s);
-#ifndef OPENSSL_NO_ERR
-static ERR_STRING_DATA ERR_str_libraries[]=
-	{
-{ERR_PACK(ERR_LIB_NONE,0,0)		,"unknown library"},
-{ERR_PACK(ERR_LIB_SYS,0,0)		,"system library"},
-{ERR_PACK(ERR_LIB_BN,0,0)		,"bignum routines"},
-{ERR_PACK(ERR_LIB_RSA,0,0)		,"rsa routines"},
-{ERR_PACK(ERR_LIB_DH,0,0)		,"Diffie-Hellman routines"},
-{ERR_PACK(ERR_LIB_EVP,0,0)		,"digital envelope routines"},
-{ERR_PACK(ERR_LIB_BUF,0,0)		,"memory buffer routines"},
-{ERR_PACK(ERR_LIB_OBJ,0,0)		,"object identifier routines"},
-{ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
-{ERR_PACK(ERR_LIB_DSA,0,0)		,"dsa routines"},
-{ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
-{ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
-{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
-{ERR_PACK(ERR_LIB_CRYPTO,0,0)		,"common libcrypto routines"},
-{ERR_PACK(ERR_LIB_EC,0,0)		,"elliptic curve routines"},
-{ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
-{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
-{ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
-{ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
-{ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
-{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
-{ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
-{ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
-{ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
-{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
-{0,NULL},
-	};
-
-static ERR_STRING_DATA ERR_str_functs[]=
-	{
-	{ERR_PACK(0,SYS_F_FOPEN,0),     	"fopen"},
-	{ERR_PACK(0,SYS_F_CONNECT,0),		"connect"},
-	{ERR_PACK(0,SYS_F_GETSERVBYNAME,0),	"getservbyname"},
-	{ERR_PACK(0,SYS_F_SOCKET,0),		"socket"}, 
-	{ERR_PACK(0,SYS_F_IOCTLSOCKET,0),	"ioctlsocket"},
-	{ERR_PACK(0,SYS_F_BIND,0),		"bind"},
-	{ERR_PACK(0,SYS_F_LISTEN,0),		"listen"},
-	{ERR_PACK(0,SYS_F_ACCEPT,0),		"accept"},
-#ifdef OPENSSL_SYS_WINDOWS
-	{ERR_PACK(0,SYS_F_WSASTARTUP,0),	"WSAstartup"},
-#endif
-	{ERR_PACK(0,SYS_F_OPENDIR,0),		"opendir"},
-	{ERR_PACK(0,SYS_F_FREAD,0),		"fread"},
-	{ERR_PACK(0,SYS_F_GETADDRINFO,0),	"getaddrinfo"},
-	{0,NULL},
-	};
-
-static ERR_STRING_DATA ERR_str_reasons[]=
-	{
-{ERR_R_SYS_LIB				,"system lib"},
-{ERR_R_BN_LIB				,"BN lib"},
-{ERR_R_RSA_LIB				,"RSA lib"},
-{ERR_R_DH_LIB				,"DH lib"},
-{ERR_R_EVP_LIB				,"EVP lib"},
-{ERR_R_BUF_LIB				,"BUF lib"},
-{ERR_R_OBJ_LIB				,"OBJ lib"},
-{ERR_R_PEM_LIB				,"PEM lib"},
-{ERR_R_DSA_LIB				,"DSA lib"},
-{ERR_R_X509_LIB				,"X509 lib"},
-{ERR_R_ASN1_LIB				,"ASN1 lib"},
-{ERR_R_CONF_LIB				,"CONF lib"},
-{ERR_R_CRYPTO_LIB			,"CRYPTO lib"},
-{ERR_R_EC_LIB				,"EC lib"},
-{ERR_R_SSL_LIB				,"SSL lib"},
-{ERR_R_BIO_LIB				,"BIO lib"},
-{ERR_R_PKCS7_LIB			,"PKCS7 lib"},
-{ERR_R_X509V3_LIB			,"X509V3 lib"},
-{ERR_R_PKCS12_LIB			,"PKCS12 lib"},
-{ERR_R_RAND_LIB				,"RAND lib"},
-{ERR_R_DSO_LIB				,"DSO lib"},
-{ERR_R_ENGINE_LIB			,"ENGINE lib"},
-{ERR_R_OCSP_LIB				,"OCSP lib"},
-
-{ERR_R_NESTED_ASN1_ERROR		,"nested asn1 error"},
-{ERR_R_BAD_ASN1_OBJECT_HEADER		,"bad asn1 object header"},
-{ERR_R_BAD_GET_ASN1_OBJECT_CALL		,"bad get asn1 object call"},
-{ERR_R_EXPECTING_AN_ASN1_SEQUENCE	,"expecting an asn1 sequence"},
-{ERR_R_ASN1_LENGTH_MISMATCH		,"asn1 length mismatch"},
-{ERR_R_MISSING_ASN1_EOS			,"missing asn1 eos"},
-
-{ERR_R_FATAL                            ,"fatal"},
-{ERR_R_MALLOC_FAILURE			,"malloc failure"},
-{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
-{ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
-{ERR_R_INTERNAL_ERROR			,"internal error"},
-
-{0,NULL},
-	};
-#endif
-

 /* Define the predeclared (but externally opaque) "ERR_FNS" type */
 struct st_ERR_FNS
@@ -528,71 +435,6 @@ static int int_err_get_next_lib(void)
 	}


-#ifndef OPENSSL_NO_ERR
-#define NUM_SYS_STR_REASONS 127
-#define LEN_SYS_STR_REASON 32
-
-static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
-/* SYS_str_reasons is filled with copies of strerror() results at
- * initialization.
- * 'errno' values up to 127 should cover all usual errors,
- * others will be displayed numerically by ERR_error_string.
- * It is crucial that we have something for each reason code
- * that occurs in ERR_str_reasons, or bogus reason strings
- * will be returned for SYSerr(), which always gets an errno
- * value and never one of those 'standard' reason codes. */
-
-static void build_SYS_str_reasons()
-	{
-	/* OPENSSL_malloc cannot be used here, use static storage instead */
-	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-	int i;
-	static int init = 1;
-
-	CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-	if (!init)
-		{
-		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-		return;
-		}
-	
-	CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-	if (!init)
-		{
-		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-		return;
-		}
-
-	for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
-		{
-		ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
-
-		str->error = (unsigned long)i;
-		if (str->string == NULL)
-			{
-			char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
-			char *src = strerror(i);
-			if (src != NULL)
-				{
-				strncpy(*dest, src, sizeof *dest);
-				(*dest)[sizeof *dest - 1] = '\0';
-				str->string = *dest;
-				}
-			}
-		if (str->string == NULL)
-			str->string = "unknown";
-		}
-
-	/* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
-	 * as required by ERR_load_strings. */
-
-	init = 0;
-	
-	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-	}
-#endif
-
 #define err_clear_data(p,i) \
 	if (((p)->err_data[i] != NULL) && \
 		(p)->err_data_flags[i] & ERR_TXT_MALLOCED) \
@@ -616,18 +458,6 @@ static void ERR_STATE_free(ERR_STATE *s)
 	OPENSSL_free(s);
 	}

-void ERR_load_ERR_strings(void)
-	{
-	err_fns_check();
-#ifndef OPENSSL_NO_ERR
-	err_load_strings(0,ERR_str_libraries);
-	err_load_strings(0,ERR_str_reasons);
-	err_load_strings(ERR_LIB_SYS,ERR_str_functs);
-	build_SYS_str_reasons();
-	err_load_strings(ERR_LIB_SYS,SYS_str_reasons);
-#endif
-	}
-
 static void err_load_strings(int lib, ERR_STRING_DATA *str)
 	{
 	while (str->error)
@@ -641,7 +471,7 @@ static void err_load_strings(int lib, ERR_STRING_DATA *str)

 void ERR_load_strings(int lib, ERR_STRING_DATA *str)
 	{
-	ERR_load_ERR_strings();
+	err_fns_check();
 	err_load_strings(lib, str);
 	}

--- a/crypto/err/err_str.c
+++ b/crypto/err/err_str.c
@@ -0,0 +1,296 @@
+/* crypto/err/err_str.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <openssl/lhash.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/buffer.h>
+#include <openssl/bio.h>
+#include <openssl/err.h>
+
+
+#ifndef OPENSSL_NO_ERR
+static ERR_STRING_DATA ERR_str_libraries[]=
+	{
+{ERR_PACK(ERR_LIB_NONE,0,0)		,"unknown library"},
+{ERR_PACK(ERR_LIB_SYS,0,0)		,"system library"},
+{ERR_PACK(ERR_LIB_BN,0,0)		,"bignum routines"},
+{ERR_PACK(ERR_LIB_RSA,0,0)		,"rsa routines"},
+{ERR_PACK(ERR_LIB_DH,0,0)		,"Diffie-Hellman routines"},
+{ERR_PACK(ERR_LIB_EVP,0,0)		,"digital envelope routines"},
+{ERR_PACK(ERR_LIB_BUF,0,0)		,"memory buffer routines"},
+{ERR_PACK(ERR_LIB_OBJ,0,0)		,"object identifier routines"},
+{ERR_PACK(ERR_LIB_PEM,0,0)		,"PEM routines"},
+{ERR_PACK(ERR_LIB_DSA,0,0)		,"dsa routines"},
+{ERR_PACK(ERR_LIB_X509,0,0)		,"x509 certificate routines"},
+{ERR_PACK(ERR_LIB_ASN1,0,0)		,"asn1 encoding routines"},
+{ERR_PACK(ERR_LIB_CONF,0,0)		,"configuration file routines"},
+{ERR_PACK(ERR_LIB_CRYPTO,0,0)		,"common libcrypto routines"},
+{ERR_PACK(ERR_LIB_EC,0,0)		,"elliptic curve routines"},
+{ERR_PACK(ERR_LIB_SSL,0,0)		,"SSL routines"},
+{ERR_PACK(ERR_LIB_BIO,0,0)		,"BIO routines"},
+{ERR_PACK(ERR_LIB_PKCS7,0,0)		,"PKCS7 routines"},
+{ERR_PACK(ERR_LIB_X509V3,0,0)		,"X509 V3 routines"},
+{ERR_PACK(ERR_LIB_PKCS12,0,0)		,"PKCS12 routines"},
+{ERR_PACK(ERR_LIB_RAND,0,0)		,"random number generator"},
+{ERR_PACK(ERR_LIB_DSO,0,0)		,"DSO support routines"},
+{ERR_PACK(ERR_LIB_ENGINE,0,0)		,"engine routines"},
+{ERR_PACK(ERR_LIB_OCSP,0,0)		,"OCSP routines"},
+{ERR_PACK(ERR_LIB_FIPS,0,0)		,"FIPS routines"},
+{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_functs[]=
+	{
+	{ERR_PACK(0,SYS_F_FOPEN,0),     	"fopen"},
+	{ERR_PACK(0,SYS_F_CONNECT,0),		"connect"},
+	{ERR_PACK(0,SYS_F_GETSERVBYNAME,0),	"getservbyname"},
+	{ERR_PACK(0,SYS_F_SOCKET,0),		"socket"}, 
+	{ERR_PACK(0,SYS_F_IOCTLSOCKET,0),	"ioctlsocket"},
+	{ERR_PACK(0,SYS_F_BIND,0),		"bind"},
+	{ERR_PACK(0,SYS_F_LISTEN,0),		"listen"},
+	{ERR_PACK(0,SYS_F_ACCEPT,0),		"accept"},
+#ifdef OPENSSL_SYS_WINDOWS
+	{ERR_PACK(0,SYS_F_WSASTARTUP,0),	"WSAstartup"},
+#endif
+	{ERR_PACK(0,SYS_F_OPENDIR,0),		"opendir"},
+	{ERR_PACK(0,SYS_F_FREAD,0),		"fread"},
+	{ERR_PACK(0,SYS_F_GETADDRINFO,0),	"getaddrinfo"},
+	{0,NULL},
+	};
+
+static ERR_STRING_DATA ERR_str_reasons[]=
+	{
+{ERR_R_SYS_LIB				,"system lib"},
+{ERR_R_BN_LIB				,"BN lib"},
+{ERR_R_RSA_LIB				,"RSA lib"},
+{ERR_R_DH_LIB				,"DH lib"},
+{ERR_R_EVP_LIB				,"EVP lib"},
+{ERR_R_BUF_LIB				,"BUF lib"},
+{ERR_R_OBJ_LIB				,"OBJ lib"},
+{ERR_R_PEM_LIB				,"PEM lib"},
+{ERR_R_DSA_LIB				,"DSA lib"},
+{ERR_R_X509_LIB				,"X509 lib"},
+{ERR_R_ASN1_LIB				,"ASN1 lib"},
+{ERR_R_CONF_LIB				,"CONF lib"},
+{ERR_R_CRYPTO_LIB			,"CRYPTO lib"},
+{ERR_R_EC_LIB				,"EC lib"},
+{ERR_R_SSL_LIB				,"SSL lib"},
+{ERR_R_BIO_LIB				,"BIO lib"},
+{ERR_R_PKCS7_LIB			,"PKCS7 lib"},
+{ERR_R_X509V3_LIB			,"X509V3 lib"},
+{ERR_R_PKCS12_LIB			,"PKCS12 lib"},
+{ERR_R_RAND_LIB				,"RAND lib"},
+{ERR_R_DSO_LIB				,"DSO lib"},
+{ERR_R_ENGINE_LIB			,"ENGINE lib"},
+{ERR_R_OCSP_LIB				,"OCSP lib"},
+
+{ERR_R_NESTED_ASN1_ERROR		,"nested asn1 error"},
+{ERR_R_BAD_ASN1_OBJECT_HEADER		,"bad asn1 object header"},
+{ERR_R_BAD_GET_ASN1_OBJECT_CALL		,"bad get asn1 object call"},
+{ERR_R_EXPECTING_AN_ASN1_SEQUENCE	,"expecting an asn1 sequence"},
+{ERR_R_ASN1_LENGTH_MISMATCH		,"asn1 length mismatch"},
+{ERR_R_MISSING_ASN1_EOS			,"missing asn1 eos"},
+
+{ERR_R_FATAL                            ,"fatal"},
+{ERR_R_MALLOC_FAILURE			,"malloc failure"},
+{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED	,"called a function you should not call"},
+{ERR_R_PASSED_NULL_PARAMETER		,"passed a null parameter"},
+{ERR_R_INTERNAL_ERROR			,"internal error"},
+
+{0,NULL},
+	};
+#endif
+
+
+#ifndef OPENSSL_NO_ERR
+#define NUM_SYS_STR_REASONS 127
+#define LEN_SYS_STR_REASON 32
+
+static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
+/* SYS_str_reasons is filled with copies of strerror() results at
+ * initialization.
+ * 'errno' values up to 127 should cover all usual errors,
+ * others will be displayed numerically by ERR_error_string.
+ * It is crucial that we have something for each reason code
+ * that occurs in ERR_str_reasons, or bogus reason strings
+ * will be returned for SYSerr(), which always gets an errno
+ * value and never one of those 'standard' reason codes. */
+
+static void build_SYS_str_reasons()
+	{
+	/* OPENSSL_malloc cannot be used here, use static storage instead */
+	static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+	int i;
+	static int init = 1;
+
+	CRYPTO_r_lock(CRYPTO_LOCK_ERR);
+	if (!init)
+		{
+		CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+		return;
+		}
+	
+	CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
+	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
+	if (!init)
+		{
+		CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+		return;
+		}
+
+	for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
+		{
+		ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
+
+		str->error = (unsigned long)i;
+		if (str->string == NULL)
+			{
+			char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
+			char *src = strerror(i);
+			if (src != NULL)
+				{
+				strncpy(*dest, src, sizeof *dest);
+				(*dest)[sizeof *dest - 1] = '\0';
+				str->string = *dest;
+				}
+			}
+		if (str->string == NULL)
+			str->string = "unknown";
+		}
+
+	/* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
+	 * as required by ERR_load_strings. */
+
+	init = 0;
+	
+	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
+	}
+
+#endif
+
+void ERR_load_ERR_strings(void)
+	{
+#ifndef OPENSSL_NO_ERR
+	if (ERR_func_error_string(ERR_str_functs[0].error) == NULL)
+		{
+		ERR_load_strings(0,ERR_str_libraries);
+		ERR_load_strings(0,ERR_str_reasons);
+		ERR_load_strings(ERR_LIB_SYS,ERR_str_functs);
+		build_SYS_str_reasons();
+		ERR_load_strings(ERR_LIB_SYS,SYS_str_reasons);
+		}
+#endif
+	}
+
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -27,7 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE	crypto/engine/engine.h		crypto/engine/eng_err.c
 L OCSP		crypto/ocsp/ocsp.h		crypto/ocsp/ocsp_err.c
 L UI		crypto/ui/ui.h			crypto/ui/ui_err.c
-L FIPS		fips-1.0/fips.h			fips-1.0/fips_err.h
+L FIPS		fips-1.0/fips.h			crypto/fips_err.h

 # additional header files to be scanned for function names
 L NONE		crypto/x509/x509_vfy.h		NONE
--- a/crypto/evp/Makefile
+++ b/crypto/evp/Makefile
@@ -23,7 +23,7 @@ TESTDATA=evptests.txt
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
+LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
 	e_des.c e_bf.c e_idea.c e_des3.c \
 	e_rc4.c e_aes.c names.c \
 	e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
@@ -35,7 +35,7 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
 	evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
 	e_old.c

-LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
+LIBOBJ=	encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
 	e_des.o e_bf.o e_idea.o e_des3.o \
 	e_rc4.o e_aes.o names.o \
 	e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
@@ -527,29 +527,6 @@ evp_acnf.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 evp_acnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 evp_acnf.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 evp_acnf.o: ../../include/openssl/ui_compat.h ../cryptlib.h evp_acnf.c
-evp_cnf.o: ../../e_os.h ../../include/openssl/aes.h
-evp_cnf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
-evp_cnf.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
-evp_cnf.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
-evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
-evp_cnf.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
-evp_cnf.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
-evp_cnf.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
-evp_cnf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_cnf.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
-evp_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-evp_cnf.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-evp_cnf.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-evp_cnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-evp_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_cnf.o: ../../include/openssl/pkcs7.h ../../include/openssl/rc2.h
-evp_cnf.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
-evp_cnf.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
-evp_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_cnf.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
-evp_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_cnf.o: ../../include/openssl/x509v3.h ../cryptlib.h evp_cnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/aes.h
 evp_enc.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_enc.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -875,8 +875,6 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
 		    EVP_PBE_KEYGEN *keygen);
 void EVP_PBE_cleanup(void);

-void EVP_add_alg_module(void);
-
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
@@ -887,7 +885,6 @@ void ERR_load_EVP_strings(void);

 /* Function codes. */
 #define EVP_F_AES_INIT_KEY				 129
-#define EVP_F_ALG_MODULE_INIT				 134
 #define EVP_F_D2I_PKEY					 100
 #define EVP_F_EVP_ADD_CIPHER				 130
 #define EVP_F_EVP_ADD_DIGEST				 131
@@ -936,16 +933,12 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DIFFERENT_KEY_TYPES			 101
 #define EVP_R_DISABLED_FOR_FIPS				 141
 #define EVP_R_ENCODE_ERROR				 115
-#define EVP_R_ERROR_LOADING_SECTION			 142
-#define EVP_R_ERROR_SETTING_FIPS_MODE			 143
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR			 119
 #define EVP_R_EXPECTING_AN_RSA_KEY			 127
 #define EVP_R_EXPECTING_A_DH_KEY			 128
 #define EVP_R_EXPECTING_A_DSA_KEY			 129
-#define EVP_R_FIPS_MODE_NOT_SUPPORTED			 144
 #define EVP_R_INITIALIZATION_ERROR			 134
 #define EVP_R_INPUT_NOT_INITIALIZED			 111
-#define EVP_R_INVALID_FIPS_MODE				 145
 #define EVP_R_INVALID_KEY_LENGTH			 130
 #define EVP_R_IV_TOO_LARGE				 102
 #define EVP_R_KEYGEN_FAILURE				 120
@@ -957,7 +950,6 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED		 105
 #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE			 117
 #define EVP_R_PUBLIC_KEY_NOT_RSA			 106
-#define EVP_R_UNKNOWN_OPTION				 146
 #define EVP_R_UNKNOWN_PBE_ALGORITHM			 121
 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS		 135
 #define EVP_R_UNSUPPORTED_CIPHER			 107
--- a/crypto/evp/evp_cnf.c
+++ b/crypto/evp/evp_cnf.c
@@ -1,122 +0,0 @@
-/* evp_cnf.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
- * project 2007.
- */
-/* ====================================================================
- * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <ctype.h>
-#include <openssl/crypto.h>
-#include "cryptlib.h"
-#include <openssl/conf.h>
-#include <openssl/dso.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/fips.h>
-
-/* Algorithm configuration module. */
-
-static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
-	{
-	int i;
-	const char *oid_section;
-	STACK_OF(CONF_VALUE) *sktmp;
-	CONF_VALUE *oval;
-	oid_section = CONF_imodule_get_value(md);
-	if(!(sktmp = NCONF_get_section(cnf, oid_section)))
-		{
-		EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION);
-		return 0;
-		}
-	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
-		{
-		oval = sk_CONF_VALUE_value(sktmp, i);
-		if (!strcmp(oval->name, "fips_mode"))
-			{
-			int m;
-			if (!X509V3_get_value_bool(oval, &m))
-				{
-				EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE);
-				return 0;
-				}
-			if (m > 0)
-				{
-#ifdef OPENSSL_FIPS
-				if (!FIPS_mode_set(1))
-					{
-					EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE);
-					return 0;
-					}
-#else
-				EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
-				return 0;
-#endif
-				}
-			}
-		else
-			{
-			EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
-			ERR_add_error_data(4, "name=", oval->name,
-						", value=", oval->value);
-			}
-				
-		}
-	return 1;
-	}
-
-void EVP_add_alg_module(void)
-	{
-	CONF_module_add("alg_section", alg_module_init, 0);
-	}
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -71,7 +71,6 @@
 static ERR_STRING_DATA EVP_str_functs[]=
 	{
 {ERR_FUNC(EVP_F_AES_INIT_KEY),	"AES_INIT_KEY"},
-{ERR_FUNC(EVP_F_ALG_MODULE_INIT),	"ALG_MODULE_INIT"},
 {ERR_FUNC(EVP_F_D2I_PKEY),	"D2I_PKEY"},
 {ERR_FUNC(EVP_F_EVP_ADD_CIPHER),	"EVP_add_cipher"},
 {ERR_FUNC(EVP_F_EVP_ADD_DIGEST),	"EVP_add_digest"},
@@ -123,16 +122,12 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
 {ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
 {ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
-{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"},
-{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"},
 {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
 {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
-{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
 {ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
 {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
-{ERR_REASON(EVP_R_INVALID_FIPS_MODE)     ,"invalid fips mode"},
 {ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
 {ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
 {ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen failure"},
@@ -144,7 +139,6 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
 {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
 {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
-{ERR_REASON(EVP_R_UNKNOWN_OPTION)        ,"unknown option"},
 {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
 {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
 {ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -63,6 +63,9 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>

+#define EVP_PKEY_RSA_fips_method	FIPS_rsa_sign,FIPS_rsa_verify, \
+				{EVP_PKEY_RSA,EVP_PKEY_RSA2,0,0}
+
 static int init(EVP_MD_CTX *ctx)
 	{ return SHA1_Init(ctx->md_data); }

@@ -90,7 +93,11 @@ static const EVP_MD sha1_md=
 	final,
 	NULL,
 	NULL,
+#ifdef OPENSSL_FIPS
+	EVP_PKEY_RSA_fips_method,
+#else
 	EVP_PKEY_RSA_method,
+#endif
 	SHA_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA_CTX),
 	};
@@ -131,7 +138,7 @@ static const EVP_MD sha224_md=
 	final256,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_method,
+	EVP_PKEY_RSA_fips_method,
 	SHA256_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 	};
@@ -150,7 +157,7 @@ static const EVP_MD sha256_md=
 	final256,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_method,
+	EVP_PKEY_RSA_fips_method,
 	SHA256_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA256_CTX),
 	};
@@ -184,7 +191,7 @@ static const EVP_MD sha384_md=
 	final512,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_method,
+	EVP_PKEY_RSA_fips_method,
 	SHA512_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 	};
@@ -203,7 +210,7 @@ static const EVP_MD sha512_md=
 	final512,
 	NULL,
 	NULL,
-	EVP_PKEY_RSA_method,
+	EVP_PKEY_RSA_fips_method,
 	SHA512_CBLOCK,
 	sizeof(EVP_MD *)+sizeof(SHA512_CTX),
 	};
--- a/crypto/evp/names.c
+++ b/crypto/evp/names.c
@@ -61,9 +61,6 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif

 int EVP_add_cipher(const EVP_CIPHER *c)
 	{
--- a/fips-1.0/fips_err_wrapper.c
+++ b/fips-1.0/fips_err_wrapper.c
--- a/fips-1.0/fips_err.h
+++ b/fips-1.0/fips_err.h
@@ -1,4 +1,4 @@
-/* fips-1.0/fips_err.h */
+/* crypto/fips_err.h */
 /* ====================================================================
 * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -97,13 +97,13 @@ static ERR_STRING_DATA FIPS_str_functs[]=

 static ERR_STRING_DATA FIPS_str_reasons[]=
 	{
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE)      ,"cannot access executable object"},
-{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot access detached digest"},
-{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"duplicate code detected, check your linking procedure"},
-{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"detached digest verification failed"},
+{ERR_REASON(FIPS_R_CANNOT_READ_EXE)      ,"cannot read exe"},
+{ERR_REASON(FIPS_R_CANNOT_READ_EXE_DIGEST),"cannot read exe digest"},
+{ERR_REASON(FIPS_R_CONTRADICTING_EVIDENCE),"contradicting evidence"},
+{ERR_REASON(FIPS_R_EXE_DIGEST_DOES_NOT_MATCH),"exe digest does not match"},
 {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH),"fingerprint does not match"},
-{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match, possibly because non-PIC was relocated"},
-{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match, invalid segment aliasing"},
+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED),"fingerprint does not match nonpic relocated"},
+{ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH_SEGMENT_ALIASING),"fingerprint does not match segment aliasing"},
 {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET),"fips mode already set"},
 {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED) ,"fips selftest failed"},
 {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH)   ,"invalid key length"},
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x009070e0L
+#define OPENSSL_VERSION_NUMBER	0x009070d0L
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7n-fips-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m-fips2-dev xx XXX xxxx"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7n-dev xx XXX xxxx"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7m-dev xx XXX xxxx"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT

--- a/crypto/rand/rand.h
+++ b/crypto/rand/rand.h
@@ -125,13 +125,20 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */

 /* Function codes. */
+#define RAND_F_FIPS_RAND				 103
 #define RAND_F_FIPS_RAND_BYTES				 102
+#define RAND_F_FIPS_SET_DT				 104
+#define RAND_F_FIPS_SET_TEST_MODE			 105
 #define RAND_F_RAND_GET_RAND_METHOD			 101
 #define RAND_F_SSLEAY_RAND_BYTES			 100

 /* Reason codes. */
 #define RAND_R_NON_FIPS_METHOD				 101
+#define RAND_R_NOT_IN_TEST_MODE				 106
+#define RAND_R_NO_KEY_SET				 107
 #define RAND_R_PRNG_ASKING_FOR_TOO_MUCH			 105
+#define RAND_R_PRNG_ERROR				 108
+#define RAND_R_PRNG_KEYED				 109
 #define RAND_R_PRNG_NOT_REKEYED				 103
 #define RAND_R_PRNG_NOT_RESEEDED			 104
 #define RAND_R_PRNG_NOT_SEEDED				 100
--- a/crypto/rand/rand_err.c
+++ b/crypto/rand/rand_err.c
@@ -70,7 +70,10 @@

 static ERR_STRING_DATA RAND_str_functs[]=
 	{
+{ERR_FUNC(RAND_F_FIPS_RAND),	"FIPS_RAND"},
 {ERR_FUNC(RAND_F_FIPS_RAND_BYTES),	"FIPS_RAND_BYTES"},
+{ERR_FUNC(RAND_F_FIPS_SET_DT),	"FIPS_SET_DT"},
+{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE),	"FIPS_SET_TEST_MODE"},
 {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD),	"RAND_get_rand_method"},
 {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),	"SSLEAY_RAND_BYTES"},
 {0,NULL}
@@ -79,7 +82,11 @@ static ERR_STRING_DATA RAND_str_functs[]=
 static ERR_STRING_DATA RAND_str_reasons[]=
 	{
 {ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(RAND_R_NOT_IN_TEST_MODE)     ,"not in test mode"},
+{ERR_REASON(RAND_R_NO_KEY_SET)           ,"no key set"},
 {ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
+{ERR_REASON(RAND_R_PRNG_ERROR)           ,"prng error"},
+{ERR_REASON(RAND_R_PRNG_KEYED)           ,"prng keyed"},
 {ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
 {ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
 {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -276,6 +276,13 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
 int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
 	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);

+#ifdef OPENSSL_FIPS
+int FIPS_rsa_sign(int type, const unsigned char *m, unsigned int m_length,
+	unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int FIPS_rsa_verify(int type, const unsigned char *m, unsigned int m_length,
+	unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
+#endif
+
 /* The following 2 function sign and verify a ASN1_OCTET_STRING
 * object inside PKCS#1 padded RSA encryption */
 int RSA_sign_ASN1_OCTET_STRING(int type,
--- a/crypto/sha/Makefile
+++ b/crypto/sha/Makefile
@@ -62,7 +62,7 @@ asm/sx86unix.cpp: asm/sha1-586.pl ../perlasm/x86asm.pl
 	(cd asm; $(PERL) sha1-586.pl cpp $(PROCESSOR) >sx86unix.cpp)

 asm/sha1-ia64.s:  asm/sha1-ia64.pl
-	(cd asm; $(PERL) sha1-ia64.pl ../$@ $(CFLAGS))
+	(cd asm; $(PERL) sha1-ia64.pl $(CFLAGS) ) > $@

 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -170,7 +170,7 @@ STACK_OF(type) \
 #define SKM_sk_push(type, st,val) \
 	sk_push(st, (char *)val)
 #define SKM_sk_unshift(type, st,val) \
-	sk_unshift(st, (char *)val)
+	sk_unshift(st, val)
 #define SKM_sk_find(type, st,val) \
 	sk_find(st, (char *)val)
 #define SKM_sk_delete(type, st,i) \
--- a/crypto/x509v3/v3_pci.c
+++ b/crypto/x509v3/v3_pci.c
@@ -286,6 +286,12 @@ static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
 		X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
+	pci->proxyPolicy = PROXY_POLICY_new();
+	if (!pci->proxyPolicy)
+		{
+		X509V3err(X509V3_F_R2I_PCI,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}

 	pci->proxyPolicy->policyLanguage = language; language = NULL;
 	pci->proxyPolicy->policy = policy; policy = NULL;
@@ -295,6 +301,11 @@ err:
 	if (language) { ASN1_OBJECT_free(language); language = NULL; }
 	if (pathlen) { ASN1_INTEGER_free(pathlen); pathlen = NULL; }
 	if (policy) { ASN1_OCTET_STRING_free(policy); policy = NULL; }
+	if (pci && pci->proxyPolicy)
+		{
+		PROXY_POLICY_free(pci->proxyPolicy);
+		pci->proxyPolicy = NULL;
+		}
 	if (pci) { PROXY_CERT_INFO_EXTENSION_free(pci); pci = NULL; }
 end:
 	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
--- a/doc/crypto/des_modes.pod
+++ b/doc/crypto/des_modes.pod
@@ -2,7 +2,7 @@

 =head1 NAME

-des_modes - the variants of DES and other crypto algorithms of OpenSSL
+Modes of DES - the variants of DES and other crypto algorithms of OpenSSL

 =head1 DESCRIPTION

--- a/fips-1.0/Makefile
+++ b/fips-1.0/Makefile
@@ -34,16 +34,16 @@ FDIRS=sha rand des aes dsa rsa dh hmac
 GENERAL=Makefile README fips-lib.com install.com

 LIB= $(TOP)/libcrypto.a
-SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=fips.c fips_err_wrapper.c
-LIBOBJ=fips.o fips_err_wrapper.o
+SHARED_LIB= $(FIPSCANLIB)$(SHLIB_EXT)
+LIBSRC=fips.c 
+LIBOBJ=fips.o

 FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib

 SRC= $(LIBSRC)

 EXHEADER=fips.h
-HEADER=$(EXHEADER) fips_err.h
+HEADER=$(EXHEADER)
 EXE=fipsld
 TEST=fips_test_suite.c

@@ -73,7 +73,7 @@ all:
 # vendor compiler drivers...

 fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
-	@FIPS_BN_ASM=`for i in $(BN_ASM) ; do echo -n "../crypto/bn/$$i " ; done`; \
+	@FIPS_BN_ASM=""; for i in $(BN_ASM) ; do FIPS_BN_ASM="$$FIPS_BN_ASM ../crypto/bn/$$i" ; done; \
 	objs="fips_start.o $(LIBOBJ) $(FIPS_EX_OBJ) $$FIPS_BN_ASM"; \
 	for i in $(FIPS_OBJ_LISTS); do \
 		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
@@ -132,8 +132,12 @@ links:
 	done;

 lib:	$(FIPSCANLOC) delexobj
-	$(AR) $(LIB) $(FIPSCANLOC)
-	$(RANLIB) $(LIB) || echo Never mind.
+	$(AR) ../$(FIPSCANLIB).a $(FIPSCANLOC)
+	if [ "$(FIPSCANLIB)" == "libfips" ]; then \
+		$(AR) $(LIB) $(FIPSCANLOC) ; \
+		$(RANLIB) $(LIB) || echo Never Mind. ; \
+	fi
+	$(RANLIB) ../$(FIPSCANLIB).a || echo Never mind.
 	@touch lib

 shared:	fips_premain_dso$(EXE_EXT)
@@ -226,27 +230,6 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
-	../crypto/asn1/a_bitstr.o \
-	../crypto/asn1/a_bytes.o \
-	../crypto/asn1/a_dup.o \
-	../crypto/asn1/a_int.o \
-	../crypto/asn1/a_object.o \
-	../crypto/asn1/asn1_err.o \
-	../crypto/asn1/asn1_lib.o \
-	../crypto/asn1/a_type.o \
-	../crypto/asn1/evp_asn1.o \
-	../crypto/asn1/tasn_dec.o \
-	../crypto/asn1/tasn_enc.o \
-	../crypto/asn1/tasn_fre.o \
-	../crypto/asn1/tasn_new.o \
-	../crypto/asn1/tasn_typ.o \
-	../crypto/asn1/tasn_utl.o \
-	../crypto/asn1/t_pkey.o \
-	../crypto/asn1/x_algor.o \
-	../crypto/asn1/x_bignum.o \
-	../crypto/asn1/x_long.o \
-	../crypto/asn1/x_sig.o \
-	../crypto/bio/bio_err.o \
 	../crypto/bio/bio_lib.o \
 	../crypto/bio/b_print.o \
 	../crypto/bio/bss_file.o \
@@ -254,7 +237,6 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
-	../crypto/bn/bn_err.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
@@ -270,10 +252,7 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
-	../crypto/buffer/buf_err.o \
 	../crypto/buffer/buffer.o \
-	../crypto/conf/conf_err.o \
-	../crypto/cpt_err.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
@@ -283,38 +262,25 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/des/ecb_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/ofb64enc.o \
-	../crypto/dh/dh_err.o \
+	../crypto/des/fcrypt_b.o \
+	../crypto/des/fcrypt.o \
 	../crypto/dh/dh_lib.o \
-	../crypto/dsa/dsa_asn1.o \
-	../crypto/dsa/dsa_err.o \
 	../crypto/dsa/dsa_lib.o \
 	../crypto/dsa/dsa_sign.o \
 	../crypto/dsa/dsa_vrf.o \
-	../crypto/dso/dso_err.o \
-	../crypto/ec/ec_err.o \
-	../crypto/engine/eng_err.o \
 	../crypto/engine/eng_init.o \
 	../crypto/engine/eng_lib.o \
 	../crypto/engine/eng_list.o \
 	../crypto/engine/eng_table.o \
-	../crypto/engine/tb_cipher.o \
 	../crypto/engine/tb_dh.o \
 	../crypto/engine/tb_digest.o \
 	../crypto/engine/tb_dsa.o \
 	../crypto/engine/tb_rand.o \
 	../crypto/engine/tb_rsa.o \
-	../crypto/err/err_all.o \
 	../crypto/err/err.o \
 	../crypto/err/err_prn.o \
 	../crypto/evp/digest.o \
-	../crypto/evp/e_aes.o \
-	../crypto/evp/e_des3.o \
-	../crypto/evp/e_des.o \
-	../crypto/evp/evp_enc.o \
-	../crypto/evp/evp_err.o \
-	../crypto/evp/evp_lib.o \
 	../crypto/evp/m_sha1.o \
-	../crypto/evp/p_lib.o \
 	../crypto/evp/p_sign.o \
 	../crypto/evp/p_verify.o \
 	../crypto/ex_data.o \
@@ -322,36 +288,23 @@ FIPS_EX_OBJ= ../crypto/aes/aes_cbc.o \
 	../crypto/mem_clr.o \
 	../crypto/mem_dbg.o \
 	../crypto/mem.o \
-	../crypto/objects/obj_dat.o \
-	../crypto/objects/obj_err.o \
-	../crypto/objects/obj_lib.o \
-	../crypto/ocsp/ocsp_err.o \
-	../crypto/pem/pem_err.o \
-	../crypto/pkcs12/pk12err.o \
-	../crypto/pkcs7/pkcs7err.o \
 	../crypto/rand/md_rand.o \
 	../crypto/rand/rand_egd.o \
-	../crypto/rand/rand_err.o \
 	../crypto/rand/randfile.o \
 	../crypto/rand/rand_lib.o \
 	../crypto/rand/rand_os2.o \
 	../crypto/rand/rand_unix.o \
 	../crypto/rand/rand_win.o \
-	../crypto/rsa/rsa_err.o \
 	../crypto/rsa/rsa_lib.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
-	../crypto/rsa/rsa_sign.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/stack/stack.o \
 	../crypto/uid.o \
-	../crypto/ui/ui_err.o \
-	../crypto/x509v3/v3err.o \
-	../crypto/x509v3/v3_hex.o \
-	../crypto/x509/x509_err.o 
+	../crypto/x509v3/v3_hex.o

 # DO NOT DELETE THIS LINE -- make depend depends on it.

@@ -376,4 +329,3 @@ fips.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 fips.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 fips.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h fips.c
 fips.o: fips_locl.h
-fips_err_wrapper.o: ../include/openssl/opensslconf.h fips_err_wrapper.c
--- a/fips-1.0/aes/fips_aesavs.c
+++ b/fips-1.0/aes/fips_aesavs.c
@@ -476,10 +476,8 @@ int do_mct(char *amode,
 		if(j == 0)
 		    {
 		    /* compensate for wrong endianness of input file */
-#if 0
 		    if(i == 0)
 			ptext[0][0]<<=7;
-#endif
 		    ret=AESTest(&ctx,amode,akeysz,key[i],iv[i],dir,
 				ptext[j], ctext[j], len);
 		    }
@@ -696,7 +694,7 @@ static int tidy_line(char *linebuf, char *olinebuf)
  # Fri Aug 30 04:07:22 PM
  ----------------------------*/

-int proc_file(char *rqfile, char *rspfile)
+int proc_file(char *rqfile)
    {
    char afn[256], rfn[256];
    FILE *afp = NULL, *rfp = NULL;
@@ -727,21 +725,17 @@ int proc_file(char *rqfile, char *rspfile)
 	       afn, strerror(errno));
 	return -1;
 	}
-    if (!rspfile)
-	{
-	strcpy(rfn,afn);
-	rp=strstr(rfn,"req/");
+    strcpy(rfn,afn);
+    rp=strstr(rfn,"req/");
 #ifdef OPENSSL_SYS_WIN32
-	if (!rp)
-	    rp=strstr(rfn,"req\\");
+    if (!rp)
+	rp=strstr(rfn,"req\\");
 #endif
-	assert(rp);
-	memcpy(rp,"rsp",3);
-	rp = strstr(rfn, ".req");
-	memcpy(rp, ".rsp", 4);
-	rspfile = rfn;
-	}
-    if ((rfp = fopen(rspfile, "w")) == NULL)
+    assert(rp);
+    memcpy(rp,"rsp",3);
+    rp = strstr(rfn, ".req");
+    memcpy(rp, ".rsp", 4);
+    if ((rfp = fopen(rfn, "w")) == NULL)
 	{
 	printf("Cannot open file: %s, %s\n", 
 	       rfn, strerror(errno));
@@ -805,14 +799,12 @@ int proc_file(char *rqfile, char *rspfile)
 			strncpy(amode, xp+1, n);
 			amode[n] = '\0';
 			/* amode[3] = '\0'; */
-			if (VERBOSE)
-			    printf("Test = %s, Mode = %s\n", atest, amode);
+			printf("Test = %s, Mode = %s\n", atest, amode);
 			}
 		    else if (strncasecmp(pp, "Key Length : ", 13) == 0)
 			{
 			akeysz = atoi(pp+13);
-			if (VERBOSE)
-			    printf("Key size = %d\n", akeysz);
+			printf("Key size = %d\n", akeysz);
 			}
 		    }
 		}
@@ -959,6 +951,7 @@ int proc_file(char *rqfile, char *rspfile)
 		    err =1;
 		    break;
 		    }
+
 		PrintValue("CIPHERTEXT", ciphertext, len);
 		if (strcmp(atest, "MCT") == 0)  /* Monte Carlo Test */
 		    {
@@ -1009,7 +1002,7 @@ int proc_file(char *rqfile, char *rspfile)
 --------------------------------------------------*/
 int main(int argc, char **argv)
    {
-    char *rqlist = "req.txt", *rspfile = NULL;
+    char *rqlist = "req.txt";
    FILE *fp = NULL;
    char fn[250] = "", rfn[256] = "";
    int f_opt = 0, d_opt = 1;
@@ -1045,10 +1038,7 @@ int main(int argc, char **argv)
 	if (d_opt)
 	    rqlist = argv[2];
 	else
-	    {
 	    strcpy(fn, argv[2]);
-	    rspfile = argv[3];
-	    }
 	}
    if (d_opt)
 	{ /* list of files (directory) */
@@ -1061,9 +1051,8 @@ int main(int argc, char **argv)
 	    {
 	    strtok(fn, "\r\n");
 	    strcpy(rfn, fn);
-	    if (VERBOSE)
-	    	printf("Processing: %s\n", rfn);
-	    if (proc_file(rfn, rspfile))
+	    printf("Processing: %s\n", rfn);
+	    if (proc_file(rfn))
 		{
 		printf(">>> Processing failed for: %s <<<\n", rfn);
 		EXIT(1);
@@ -1073,9 +1062,8 @@ int main(int argc, char **argv)
 	}
    else /* single file */
 	{
-	if (VERBOSE)
-	    printf("Processing: %s\n", fn);
-	if (proc_file(fn, rspfile))
+	printf("Processing: %s\n", fn);
+	if (proc_file(fn))
 	    {
 	    printf(">>> Processing failed for: %s <<<\n", fn);
 	    }
--- a/fips-1.0/des/fips_desmovs.c
+++ b/fips-1.0/des/fips_desmovs.c
@@ -558,7 +558,7 @@ void do_mct(char *amode,
 	}
    }
    
-int proc_file(char *rqfile, char *rspfile)
+int proc_file(char *rqfile)
    {
    char afn[256], rfn[256];
    FILE *afp = NULL, *rfp = NULL;
@@ -588,21 +588,17 @@ int proc_file(char *rqfile, char *rspfile)
 	       afn, strerror(errno));
 	return -1;
 	}
-    if (!rspfile)
-	{
-	strcpy(rfn,afn);
-	rp=strstr(rfn,"req/");
+    strcpy(rfn,afn);
+    rp=strstr(rfn,"req/");
 #ifdef OPENSSL_SYS_WIN32
-	if (!rp)
-	    rp=strstr(rfn,"req\\");
+    if (!rp)
+	rp=strstr(rfn,"req\\");
 #endif
-	assert(rp);
-	memcpy(rp,"rsp",3);
-	rp = strstr(rfn, ".req");
-	memcpy(rp, ".rsp", 4);
-	rspfile = rfn;
-	}
-    if ((rfp = fopen(rspfile, "w")) == NULL)
+    assert(rp);
+    memcpy(rp,"rsp",3);
+    rp = strstr(rfn, ".req");
+    memcpy(rp, ".rsp", 4);
+    if ((rfp = fopen(rfn, "w")) == NULL)
 	{
 	printf("Cannot open file: %s, %s\n", 
 	       rfn, strerror(errno));
@@ -674,8 +670,7 @@ int proc_file(char *rqfile, char *rspfile)
 			strncpy(amode, xp+1, n);
 			amode[n] = '\0';
 			/* amode[3] = '\0'; */
-			if (VERBOSE)
-				printf("Test=%s, Mode=%s\n",atest,amode);
+			printf("Test=%s, Mode=%s\n",atest,amode);
 			}
 		    }
 		}
@@ -918,7 +913,7 @@ int proc_file(char *rqfile, char *rspfile)
 --------------------------------------------------*/
 int main(int argc, char **argv)
    {
-    char *rqlist = "req.txt", *rspfile = NULL;
+    char *rqlist = "req.txt";
    FILE *fp = NULL;
    char fn[250] = "", rfn[256] = "";
    int f_opt = 0, d_opt = 1;
@@ -954,10 +949,7 @@ int main(int argc, char **argv)
 	if (d_opt)
 	    rqlist = argv[2];
 	else
-	    {
 	    strcpy(fn, argv[2]);
-	    rspfile = argv[3];
-	    }
 	}
    if (d_opt)
 	{ /* list of files (directory) */
@@ -970,9 +962,8 @@ int main(int argc, char **argv)
 	    {
 	    strtok(fn, "\r\n");
 	    strcpy(rfn, fn);
-	    if (VERBOSE)
-	    	printf("Processing: %s\n", rfn);
-	    if (proc_file(rfn, rspfile))
+	    printf("Processing: %s\n", rfn);
+	    if (proc_file(rfn))
 		{
 		printf(">>> Processing failed for: %s <<<\n", rfn);
 		EXIT(1);
@@ -982,9 +973,8 @@ int main(int argc, char **argv)
 	}
    else /* single file */
 	{
-	if (VERBOSE)
-	    printf("Processing: %s\n", fn);
-	if (proc_file(fn, rspfile))
+	printf("Processing: %s\n", fn);
+	if (proc_file(fn))
 	    {
 	    printf(">>> Processing failed for: %s <<<\n", fn);
 	    }
--- a/fips-1.0/dh/.cvsignore
+++ b/fips-1.0/dh/.cvsignore
@@ -1,3 +1,4 @@
 lib
 *.flc
 semantic.cache
+Makefile.save
--- a/fips-1.0/dsa/fips_dsatest.c
+++ b/fips-1.0/dsa/fips_dsatest.c
@@ -129,8 +129,7 @@ static unsigned char out_g[]={
 static const unsigned char str1[]="12345678901234567890";

 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
-static const unsigned char rnd_key1[]="12345678";
-static const unsigned char rnd_key2[]="abcdefgh";
+static const unsigned char rnd_key[]="ABCDEFGHIJKLMNOPQRSTUVWXYZ123456";

 static BIO *bio_err=NULL;

@@ -156,7 +155,7 @@ int main(int argc, char **argv)
 	CRYPTO_dbg_set_options(V_CRYPTO_MDEBUG_ALL);
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);

-	FIPS_set_prng_key(rnd_key1,rnd_key2);
+	FIPS_rand_set_key(rnd_key, 32);
 	RAND_seed(rnd_seed, sizeof rnd_seed);

 	BIO_printf(bio_err,"test generation of DSA parameters\n");
--- a/fips-1.0/dsa/fips_dssvs.c
+++ b/fips-1.0/dsa/fips_dssvs.c
@@ -204,192 +204,6 @@ void pqg()
 	}
    }

-void pqgver()
-    {
-    char buf[1024];
-    char lbuf[1024];
-    char *keyword, *value;
-    BIGNUM *p = NULL, *q = NULL, *g = NULL;
-    int counter, counter2;
-    unsigned long h, h2;
-    DSA *dsa=NULL;
-    int nmod=0;
-    unsigned char seed[1024];
-
-    while(fgets(buf,sizeof buf,stdin) != NULL)
-	{
-	if (!parse_line(&keyword, &value, lbuf, buf))
-		{
-		fputs(buf,stdout);
-		continue;
-		}
-	if(!strcmp(keyword,"[mod"))
-	    nmod=atoi(value);
-	else if(!strcmp(keyword,"P"))
-	    p=hex2bn(value);
-	else if(!strcmp(keyword,"Q"))
-	    q=hex2bn(value);
-	else if(!strcmp(keyword,"G"))
-	    g=hex2bn(value);
-	else if(!strcmp(keyword,"Seed"))
-	    {
-	    int slen = hex2bin(value, seed);
-	    if (slen != 20)
-		{
-		fprintf(stderr, "Seed parse length error\n");
-		exit (1);
-		}
-	    }
-	else if(!strcmp(keyword,"c"))
-	    counter =atoi(buf+4);
-	else if(!strcmp(keyword,"H"))
-	    {
-	    h = atoi(value);
-	    if (!p || !q || !g)
-		{
-		fprintf(stderr, "Parse Error\n");
-		exit (1);
-		}
-	    pbn("P",p);
-	    pbn("Q",q);
-	    pbn("G",g);
-	    pv("Seed",seed,20);
-	    printf("c = %d\n",counter);
-	    printf("H = %lx\n",h);
-	    dsa=DSA_generate_parameters(nmod,seed,20,&counter2,&h2,NULL,NULL);
-            if (BN_cmp(dsa->p, p) || BN_cmp(dsa->q, q) || BN_cmp(dsa->g, g)
-		|| (counter != counter2) || (h != h2))
-	    	printf("Result = F\n");
-	    else
-	    	printf("Result = T\n");
-	    BN_free(p);
-	    BN_free(q);
-	    BN_free(g);
-	    p = NULL;
-	    q = NULL;
-	    g = NULL;
-	    DSA_free(dsa);
-	    dsa = NULL;
-	    }
-	}
-    }
-
-/* Keypair verification routine. NB: this isn't part of the standard FIPS140-2
- * algorithm tests. It is an additional test to perform sanity checks on the
- * output of the KeyPair test.
- */
-
-static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
-							BN_CTX *ctx)
-    {
-    BIGNUM *rem = NULL;
-    if (BN_num_bits(p) != nmod)
-	return 0;
-    if (BN_num_bits(q) != 160)
-	return 0;
-    if (BN_is_prime(p, BN_prime_checks, NULL, NULL, NULL) != 1)
-	return 0;
-    if (BN_is_prime(q, BN_prime_checks, NULL, NULL, NULL) != 1)
-	return 0;
-    rem = BN_new();
-    if (!BN_mod(rem, p, q, ctx) || !BN_is_one(rem)
-    	|| (BN_cmp(g, BN_value_one()) <= 0)
-	|| !BN_mod_exp(rem, g, q, p, ctx) || !BN_is_one(rem))
-	{
-	BN_free(rem);
-	return 0;
-	}
-    BN_free(rem);
-    return 1;
-    }
-
-void keyver()
-    {
-    char buf[1024];
-    char lbuf[1024];
-    char *keyword, *value;
-    BIGNUM *p = NULL, *q = NULL, *g = NULL, *X = NULL, *Y = NULL;
-    BIGNUM *Y2;
-    BN_CTX *ctx = NULL;
-    int nmod=0, paramcheck = 0;
-
-    ctx = BN_CTX_new();
-    Y2 = BN_new();
-
-    while(fgets(buf,sizeof buf,stdin) != NULL)
-	{
-	if (!parse_line(&keyword, &value, lbuf, buf))
-		{
-		fputs(buf,stdout);
-		continue;
-		}
-	if(!strcmp(keyword,"[mod"))
-	    {
-	    if (p)
-		BN_free(p);
-	    p = NULL;
-	    if (q)
-		BN_free(q);
-	    q = NULL;
-	    if (g)
-		BN_free(g);
-	    g = NULL;
-	    paramcheck = 0;
-	    nmod=atoi(value);
-	    }
-	else if(!strcmp(keyword,"P"))
-	    p=hex2bn(value);
-	else if(!strcmp(keyword,"Q"))
-	    q=hex2bn(value);
-	else if(!strcmp(keyword,"G"))
-	    g=hex2bn(value);
-	else if(!strcmp(keyword,"X"))
-	    X=hex2bn(value);
-	else if(!strcmp(keyword,"Y"))
-	    {
-	    Y=hex2bn(value);
-	    if (!p || !q || !g || !X || !Y)
-		{
-		fprintf(stderr, "Parse Error\n");
-		exit (1);
-		}
-	    pbn("P",p);
-	    pbn("Q",q);
-	    pbn("G",g);
-	    pbn("X",X);
-	    pbn("Y",Y);
-	    if (!paramcheck)
-		{
-		if (dss_paramcheck(nmod, p, q, g, ctx))
-			paramcheck = 1;
-		else
-			paramcheck = -1;
-		}
-	    if (paramcheck != 1)
-	   	printf("Result = F\n");
-	    else
-		{
-		if (!BN_mod_exp(Y2, g, X, p, ctx) || BN_cmp(Y2, Y))
-	    		printf("Result = F\n");
-	        else
-	    		printf("Result = T\n");
-		}
-	    BN_free(X);
-	    BN_free(Y);
-	    X = NULL;
-	    Y = NULL;
-	    }
-	}
-	if (p)
-	    BN_free(p);
-	if (q)
-	    BN_free(q);
-	if (g)
-	    BN_free(g);
-	if (Y2)
-	    BN_free(Y2);
-    }
-
 void keypair()
    {
    char buf[1024];
@@ -563,12 +377,8 @@ int main(int argc,char **argv)
 	primes();
    else if(!strcmp(argv[1],"pqg"))
 	pqg();
-    else if(!strcmp(argv[1],"pqgver"))
-	pqgver();
    else if(!strcmp(argv[1],"keypair"))
 	keypair();
-    else if(!strcmp(argv[1],"keyver"))
-	keyver();
    else if(!strcmp(argv[1],"siggen"))
 	siggen();
    else if(!strcmp(argv[1],"sigver"))
--- a/fips-1.0/fips.c
+++ b/fips-1.0/fips.c
@@ -265,7 +265,7 @@ int FIPS_mode_set(int onoff)
 	    }

 	/* automagically seed PRNG if not already seeded */
-	if(!FIPS_rand_seeded())
+	if(!FIPS_rand_status())
 	    {
 	    if(RAND_bytes(buf,sizeof buf) <= 0)
 		{
@@ -273,8 +273,8 @@ int FIPS_mode_set(int onoff)
 		ret = 0;
 		goto end;
 		}
-	    FIPS_set_prng_key(buf,buf+8);
-	    FIPS_rand_seed(buf+16,8);
+	    FIPS_rand_set_key(buf,32);
+	    FIPS_rand_seed(buf+32,16);
 	    }

 	/* now switch into FIPS mode */
--- a/fips-1.0/fips.h
+++ b/fips-1.0/fips.h
@@ -92,7 +92,7 @@ void ERR_load_FIPS_strings(void);
 #define FIPS_F_FIPS_CHECK_DSA				 116
 #define FIPS_F_FIPS_CHECK_DSO				 120
 #define FIPS_F_FIPS_CHECK_EXE				 106
-#define FIPS_F_FIPS_CHECK_FINGERPRINT			 120
+#define FIPS_F_FIPS_CHECK_FINGERPRINT			 121
 #define FIPS_F_FIPS_CHECK_RSA				 115
 #define FIPS_F_FIPS_DSA_CHECK				 102
 #define FIPS_F_FIPS_MODE_SET				 105
--- a/fips-1.0/fips_canister.c
+++ b/fips-1.0/fips_canister.c
@@ -77,13 +77,19 @@ static void *instruction_pointer(void)
 # elif	defined(__ppc__) || defined(__powerpc) || defined(__powerpc__) || \
 	defined(__POWERPC__) || defined(_POWER) || defined(__PPC__) || \
 	defined(__PPC64__) || defined(__powerpc64__)
-#   define INSTRUCTION_POINTER_IMPLEMENTED
+/* GCC on AIX cannot use inline ASM since the assembler used is the
+ * native assembler, not GNU as. Prevent INSTRUCTION_POINTER_IMPLEMENTED
+ * from being defined. It will use the fallback method which is the
+ * same as xlC uses for AIX in FIPS_ref_point() */
+#   ifndef (_AIX)
+#     define INSTRUCTION_POINTER_IMPLEMENTED
    void *scratch;
    __asm __volatile (	"mfspr	%1,8\n\t"	/* save lr */
 			"bl	.+4\n\t"
 			"mfspr	%0,8\n\t"	/* mflr ret */
 			"mtspr	8,%1"		/* restore lr */
 			: "=r"(ret),"=r"(scratch) );
+#   endif /* !_AIX */
 # elif	defined(__sparc) || defined(__sparc__) || defined(__sparcv9)
 #   define INSTRUCTION_POINTER_IMPLEMENTED
    void *scratch;
--- a/fips-1.0/fipsalgtest.pl
+++ b/fips-1.0/fipsalgtest.pl
@@ -1,848 +0,0 @@
-#!/usr/bin/perl -w
-# Perl utility to run or verify FIPS 140-2 CMVP algorithm tests based on the
-# pathnames of input algorithm test files actually present (the unqualified
-# file names are consistent but the pathnames are not).
-#
-
-# FIPS test definitions
-# List of all the unqualified file names we expect and command lines to run
-
-# DSA tests
-my @fips_dsa_test_list = (
-
-    "DSA",
-
-    [ "PQGGen",  "fips_dssvs pqg" ],
-    [ "KeyPair", "fips_dssvs keypair" ],
-    [ "SigGen",  "fips_dssvs siggen" ],
-    [ "SigVer",  "fips_dssvs sigver" ]
-
-);
-
-# RSA tests
-
-my @fips_rsa_test_list = (
-
-    "RSA",
-
-    [ "SigGen15",  "fips_rsastest" ],
-    [ "SigVer15",  "fips_rsavtest" ],
-    [ "SigVerRSA", "fips_rsavtest -x931" ],
-    [ "KeyGenRSA", "fips_rsagtest" ],
-    [ "SigGenRSA", "fips_rsastest -x931" ]
-
-);
-
-# Special cases for PSS. The filename itself is
-# not sufficient to determine the test. Addditionally we
-# need to examine the file contents to determine the salt length
-# In these cases the test filename has (saltlen) appended.
-
-# RSA PSS salt length 0 tests
-
-my @fips_rsa_pss0_test_list = (
-
-    [ "SigGenPSS(0)", "fips_rsastest -saltlen 0" ],
-    [ "SigVerPSS(0)", "fips_rsavtest -saltlen 0" ]
-
-);
-
-# RSA PSS salt length 62 tests
-
-my @fips_rsa_pss62_test_list = (
-    [ "SigGenPSS(62)", "fips_rsastest -saltlen 62" ],
-    [ "SigVerPSS(62)", "fips_rsavtest -saltlen 62" ]
-
-);
-
-# SHA tests
-
-my @fips_sha_test_list = (
-
-    "SHA",
-
-    [ "SHA1LongMsg",    "fips_shatest" ],
-    [ "SHA1Monte",      "fips_shatest" ],
-    [ "SHA1ShortMsg",   "fips_shatest" ],
-    [ "SHA224LongMsg",  "fips_shatest" ],
-    [ "SHA224Monte",    "fips_shatest" ],
-    [ "SHA224ShortMsg", "fips_shatest" ],
-    [ "SHA256LongMsg",  "fips_shatest" ],
-    [ "SHA256Monte",    "fips_shatest" ],
-    [ "SHA256ShortMsg", "fips_shatest" ],
-    [ "SHA384LongMsg",  "fips_shatest" ],
-    [ "SHA384Monte",    "fips_shatest" ],
-    [ "SHA384ShortMsg", "fips_shatest" ],
-    [ "SHA512LongMsg",  "fips_shatest" ],
-    [ "SHA512Monte",    "fips_shatest" ],
-    [ "SHA512ShortMsg", "fips_shatest" ]
-
-);
-
-# HMAC
-
-my @fips_hmac_test_list = (
-
-    "HMAC",
-
-    [ "HMAC", "fips_hmactest" ]
-
-);
-
-# RAND tests, AES version
-
-my @fips_rand_aes_test_list = (
-
-    "RAND (AES)",
-
-    [ "ANSI931_AES128MCT", "fips_rngvs mct" ],
-    [ "ANSI931_AES192MCT", "fips_rngvs mct" ],
-    [ "ANSI931_AES256MCT", "fips_rngvs mct" ],
-    [ "ANSI931_AES128VST", "fips_rngvs vst" ],
-    [ "ANSI931_AES192VST", "fips_rngvs vst" ],
-    [ "ANSI931_AES256VST", "fips_rngvs vst" ]
-
-);
-
-# RAND tests, DES2 version
-
-my @fips_rand_des2_test_list = (
-
-    "RAND (DES2)",
-
-    [ "ANSI931_TDES2MCT", "fips_rngvs mct" ],
-    [ "ANSI931_TDES2VST", "fips_rngvs vst" ]
-
-);
-
-# AES tests
-
-my @fips_aes_test_list = (
-
-    "AES",
-
-    [ "CBCGFSbox128",     "fips_aesavs -f" ],
-    [ "CBCGFSbox192",     "fips_aesavs -f" ],
-    [ "CBCGFSbox256",     "fips_aesavs -f" ],
-    [ "CBCKeySbox128",    "fips_aesavs -f" ],
-    [ "CBCKeySbox192",    "fips_aesavs -f" ],
-    [ "CBCKeySbox256",    "fips_aesavs -f" ],
-    [ "CBCMCT128",        "fips_aesavs -f" ],
-    [ "CBCMCT192",        "fips_aesavs -f" ],
-    [ "CBCMCT256",        "fips_aesavs -f" ],
-    [ "CBCMMT128",        "fips_aesavs -f" ],
-    [ "CBCMMT192",        "fips_aesavs -f" ],
-    [ "CBCMMT256",        "fips_aesavs -f" ],
-    [ "CBCVarKey128",     "fips_aesavs -f" ],
-    [ "CBCVarKey192",     "fips_aesavs -f" ],
-    [ "CBCVarKey256",     "fips_aesavs -f" ],
-    [ "CBCVarTxt128",     "fips_aesavs -f" ],
-    [ "CBCVarTxt192",     "fips_aesavs -f" ],
-    [ "CBCVarTxt256",     "fips_aesavs -f" ],
-    [ "CFB128GFSbox128",  "fips_aesavs -f" ],
-    [ "CFB128GFSbox192",  "fips_aesavs -f" ],
-    [ "CFB128GFSbox256",  "fips_aesavs -f" ],
-    [ "CFB128KeySbox128", "fips_aesavs -f" ],
-    [ "CFB128KeySbox192", "fips_aesavs -f" ],
-    [ "CFB128KeySbox256", "fips_aesavs -f" ],
-    [ "CFB128MCT128",     "fips_aesavs -f" ],
-    [ "CFB128MCT192",     "fips_aesavs -f" ],
-    [ "CFB128MCT256",     "fips_aesavs -f" ],
-    [ "CFB128MMT128",     "fips_aesavs -f" ],
-    [ "CFB128MMT192",     "fips_aesavs -f" ],
-    [ "CFB128MMT256",     "fips_aesavs -f" ],
-    [ "CFB128VarKey128",  "fips_aesavs -f" ],
-    [ "CFB128VarKey192",  "fips_aesavs -f" ],
-    [ "CFB128VarKey256",  "fips_aesavs -f" ],
-    [ "CFB128VarTxt128",  "fips_aesavs -f" ],
-    [ "CFB128VarTxt192",  "fips_aesavs -f" ],
-    [ "CFB128VarTxt256",  "fips_aesavs -f" ],
-    [ "CFB8GFSbox128",    "fips_aesavs -f" ],
-    [ "CFB8GFSbox192",    "fips_aesavs -f" ],
-    [ "CFB8GFSbox256",    "fips_aesavs -f" ],
-    [ "CFB8KeySbox128",   "fips_aesavs -f" ],
-    [ "CFB8KeySbox192",   "fips_aesavs -f" ],
-    [ "CFB8KeySbox256",   "fips_aesavs -f" ],
-    [ "CFB8MCT128",       "fips_aesavs -f" ],
-    [ "CFB8MCT192",       "fips_aesavs -f" ],
-    [ "CFB8MCT256",       "fips_aesavs -f" ],
-    [ "CFB8MMT128",       "fips_aesavs -f" ],
-    [ "CFB8MMT192",       "fips_aesavs -f" ],
-    [ "CFB8MMT256",       "fips_aesavs -f" ],
-    [ "CFB8VarKey128",    "fips_aesavs -f" ],
-    [ "CFB8VarKey192",    "fips_aesavs -f" ],
-    [ "CFB8VarKey256",    "fips_aesavs -f" ],
-    [ "CFB8VarTxt128",    "fips_aesavs -f" ],
-    [ "CFB8VarTxt192",    "fips_aesavs -f" ],
-    [ "CFB8VarTxt256",    "fips_aesavs -f" ],
-
-    [ "ECBGFSbox128",  "fips_aesavs -f" ],
-    [ "ECBGFSbox192",  "fips_aesavs -f" ],
-    [ "ECBGFSbox256",  "fips_aesavs -f" ],
-    [ "ECBKeySbox128", "fips_aesavs -f" ],
-    [ "ECBKeySbox192", "fips_aesavs -f" ],
-    [ "ECBKeySbox256", "fips_aesavs -f" ],
-    [ "ECBMCT128",     "fips_aesavs -f" ],
-    [ "ECBMCT192",     "fips_aesavs -f" ],
-    [ "ECBMCT256",     "fips_aesavs -f" ],
-    [ "ECBMMT128",     "fips_aesavs -f" ],
-    [ "ECBMMT192",     "fips_aesavs -f" ],
-    [ "ECBMMT256",     "fips_aesavs -f" ],
-    [ "ECBVarKey128",  "fips_aesavs -f" ],
-    [ "ECBVarKey192",  "fips_aesavs -f" ],
-    [ "ECBVarKey256",  "fips_aesavs -f" ],
-    [ "ECBVarTxt128",  "fips_aesavs -f" ],
-    [ "ECBVarTxt192",  "fips_aesavs -f" ],
-    [ "ECBVarTxt256",  "fips_aesavs -f" ],
-    [ "OFBGFSbox128",  "fips_aesavs -f" ],
-    [ "OFBGFSbox192",  "fips_aesavs -f" ],
-    [ "OFBGFSbox256",  "fips_aesavs -f" ],
-    [ "OFBKeySbox128", "fips_aesavs -f" ],
-    [ "OFBKeySbox192", "fips_aesavs -f" ],
-    [ "OFBKeySbox256", "fips_aesavs -f" ],
-    [ "OFBMCT128",     "fips_aesavs -f" ],
-    [ "OFBMCT192",     "fips_aesavs -f" ],
-    [ "OFBMCT256",     "fips_aesavs -f" ],
-    [ "OFBMMT128",     "fips_aesavs -f" ],
-    [ "OFBMMT192",     "fips_aesavs -f" ],
-    [ "OFBMMT256",     "fips_aesavs -f" ],
-    [ "OFBVarKey128",  "fips_aesavs -f" ],
-    [ "OFBVarKey192",  "fips_aesavs -f" ],
-    [ "OFBVarKey256",  "fips_aesavs -f" ],
-    [ "OFBVarTxt128",  "fips_aesavs -f" ],
-    [ "OFBVarTxt192",  "fips_aesavs -f" ],
-    [ "OFBVarTxt256",  "fips_aesavs -f" ]
-
-);
-
-my @fips_aes_cfb1_test_list = (
-
-    # AES CFB1 tests
-
-    [ "CFB1GFSbox128",  "fips_aesavs -f" ],
-    [ "CFB1GFSbox192",  "fips_aesavs -f" ],
-    [ "CFB1GFSbox256",  "fips_aesavs -f" ],
-    [ "CFB1KeySbox128", "fips_aesavs -f" ],
-    [ "CFB1KeySbox192", "fips_aesavs -f" ],
-    [ "CFB1KeySbox256", "fips_aesavs -f" ],
-    [ "CFB1MCT128",     "fips_aesavs -f" ],
-    [ "CFB1MCT192",     "fips_aesavs -f" ],
-    [ "CFB1MCT256",     "fips_aesavs -f" ],
-    [ "CFB1MMT128",     "fips_aesavs -f" ],
-    [ "CFB1MMT192",     "fips_aesavs -f" ],
-    [ "CFB1MMT256",     "fips_aesavs -f" ],
-    [ "CFB1VarKey128",  "fips_aesavs -f" ],
-    [ "CFB1VarKey192",  "fips_aesavs -f" ],
-    [ "CFB1VarKey256",  "fips_aesavs -f" ],
-    [ "CFB1VarTxt128",  "fips_aesavs -f" ],
-    [ "CFB1VarTxt192",  "fips_aesavs -f" ],
-    [ "CFB1VarTxt256",  "fips_aesavs -f" ]
-
-);
-
-# Triple DES tests
-
-my @fips_des3_test_list = (
-
-    "Triple DES",
-
-    [ "TCBCinvperm",   "fips_desmovs -f" ],
-    [ "TCBCMMT1",      "fips_desmovs -f" ],
-    [ "TCBCMMT2",      "fips_desmovs -f" ],
-    [ "TCBCMMT3",      "fips_desmovs -f" ],
-    [ "TCBCMonte1",    "fips_desmovs -f" ],
-    [ "TCBCMonte2",    "fips_desmovs -f" ],
-    [ "TCBCMonte3",    "fips_desmovs -f" ],
-    [ "TCBCpermop",    "fips_desmovs -f" ],
-    [ "TCBCsubtab",    "fips_desmovs -f" ],
-    [ "TCBCvarkey",    "fips_desmovs -f" ],
-    [ "TCBCvartext",   "fips_desmovs -f" ],
-    [ "TCFB64invperm", "fips_desmovs -f" ],
-    [ "TCFB64MMT1",    "fips_desmovs -f" ],
-    [ "TCFB64MMT2",    "fips_desmovs -f" ],
-    [ "TCFB64MMT3",    "fips_desmovs -f" ],
-    [ "TCFB64Monte1",  "fips_desmovs -f" ],
-    [ "TCFB64Monte2",  "fips_desmovs -f" ],
-    [ "TCFB64Monte3",  "fips_desmovs -f" ],
-    [ "TCFB64permop",  "fips_desmovs -f" ],
-    [ "TCFB64subtab",  "fips_desmovs -f" ],
-    [ "TCFB64varkey",  "fips_desmovs -f" ],
-    [ "TCFB64vartext", "fips_desmovs -f" ],
-    [ "TCFB8invperm",  "fips_desmovs -f" ],
-    [ "TCFB8MMT1",     "fips_desmovs -f" ],
-    [ "TCFB8MMT2",     "fips_desmovs -f" ],
-    [ "TCFB8MMT3",     "fips_desmovs -f" ],
-    [ "TCFB8Monte1",   "fips_desmovs -f" ],
-    [ "TCFB8Monte2",   "fips_desmovs -f" ],
-    [ "TCFB8Monte3",   "fips_desmovs -f" ],
-    [ "TCFB8permop",   "fips_desmovs -f" ],
-    [ "TCFB8subtab",   "fips_desmovs -f" ],
-    [ "TCFB8varkey",   "fips_desmovs -f" ],
-    [ "TCFB8vartext",  "fips_desmovs -f" ],
-    [ "TECBinvperm",   "fips_desmovs -f" ],
-    [ "TECBMMT1",      "fips_desmovs -f" ],
-    [ "TECBMMT2",      "fips_desmovs -f" ],
-    [ "TECBMMT3",      "fips_desmovs -f" ],
-    [ "TECBMonte1",    "fips_desmovs -f" ],
-    [ "TECBMonte2",    "fips_desmovs -f" ],
-    [ "TECBMonte3",    "fips_desmovs -f" ],
-    [ "TECBpermop",    "fips_desmovs -f" ],
-    [ "TECBsubtab",    "fips_desmovs -f" ],
-    [ "TECBvarkey",    "fips_desmovs -f" ],
-    [ "TECBvartext",   "fips_desmovs -f" ],
-    [ "TOFBinvperm",   "fips_desmovs -f" ],
-    [ "TOFBMMT1",      "fips_desmovs -f" ],
-    [ "TOFBMMT2",      "fips_desmovs -f" ],
-    [ "TOFBMMT3",      "fips_desmovs -f" ],
-    [ "TOFBMonte1",    "fips_desmovs -f" ],
-    [ "TOFBMonte2",    "fips_desmovs -f" ],
-    [ "TOFBMonte3",    "fips_desmovs -f" ],
-    [ "TOFBpermop",    "fips_desmovs -f" ],
-    [ "TOFBsubtab",    "fips_desmovs -f" ],
-    [ "TOFBvarkey",    "fips_desmovs -f" ],
-    [ "TOFBvartext",   "fips_desmovs -f" ]
-
-);
-
-# Verification special cases.
-# In most cases the output of a test is deterministic and
-# it can be compared to a known good result. A few involve
-# the genration and use of random keys and the output will
-# be different each time. In thoses cases we perform special tests
-# to simply check their consistency. For example signature generation
-# output will be run through signature verification to see if all outputs
-# show as valid.
-#
-
-my %verify_special = (
-    "PQGGen"        => "fips_dssvs pqgver",
-    "KeyPair"       => "fips_dssvs keyver",
-    "SigGen"        => "fips_dssvs sigver",
-    "SigGen15"      => "fips_rsavtest",
-    "SigGenRSA"     => "fips_rsavtest -x931",
-    "SigGenPSS(0)"  => "fips_rsavtest -saltlen 0",
-    "SigGenPSS(62)" => "fips_rsavtest -saltlen 62",
-);
-
-my $win32  = $^O =~ m/mswin/i;
-my $onedir = 0;
-my $filter = "";
-my $tvdir;
-my $tprefix;
-my $shwrap_prefix;
-my $debug          = 0;
-my $quiet          = 0;
-my $notest         = 0;
-my $verify         = 1;
-my $rspdir         = "rsp";
-my $ignore_missing = 0;
-my $ignore_bogus   = 0;
-my $bufout         = '';
-my $list_tests     = 0;
-
-my %fips_enabled = (
-    dsa         => 1,
-    rsa         => 1,
-    "rsa-pss0"  => 1,
-    "rsa-pss62" => 1,
-    sha         => 1,
-    hmac        => 1,
-    "rand-aes"  => 0,
-    "rand-des2" => 1,
-    aes         => 1,
-    "aes-cfb1"  => 0,
-    des3        => 1
-);
-
-foreach (@ARGV) {
-    if ( $_ eq "--win32" ) {
-        $win32 = 1;
-    }
-    elsif ( $_ eq "--onedir" ) {
-        $onedir = 1;
-    }
-    elsif ( $_ eq "--debug" ) {
-        $debug = 1;
-    }
-    elsif ( $_ eq "--ignore-missing" ) {
-        $ignore_missing = 1;
-    }
-    elsif ( $_ eq "--ignore-bogus" ) {
-        $ignore_bogus = 1;
-    }
-    elsif ( $_ eq "--generate" ) {
-        $verify = 0;
-    }
-    elsif ( $_ eq "--notest" ) {
-        $notest = 1;
-    }
-    elsif ( $_ eq "--quiet" ) {
-        $quiet = 1;
-    }
-    elsif (/--dir=(.*)$/) {
-        $tvdir = $1;
-    }
-    elsif (/--rspdir=(.*)$/) {
-        $rspdir = $1;
-    }
-    elsif (/--tprefix=(.*)$/) {
-        $tprefix = $1;
-    }
-    elsif (/--shwrap_prefix=(.*)$/) {
-        $shwrap_prefix = $1;
-    }
-    elsif (/^--(enable|disable)-(.*)$/) {
-        if ( !exists $fips_enabled{$2} ) {
-            print STDERR "Unknown test $2\n";
-        }
-        if ( $1 eq "enable" ) {
-            $fips_enabled{$2} = 1;
-        }
-        else {
-            $fips_enabled{$2} = 0;
-        }
-    }
-    elsif (/--filter=(.*)$/) {
-        $filter = $1;
-    }
-    elsif (/^--list-tests$/) {
-        $list_tests = 1;
-    }
-    else {
-        Help();
-        exit(1);
-    }
-}
-
-my @fips_test_list;
-
-push @fips_test_list, @fips_dsa_test_list       if $fips_enabled{"dsa"};
-push @fips_test_list, @fips_rsa_test_list       if $fips_enabled{"rsa"};
-push @fips_test_list, @fips_rsa_pss0_test_list  if $fips_enabled{"rsa-pss0"};
-push @fips_test_list, @fips_rsa_pss62_test_list if $fips_enabled{"rsa-pss62"};
-push @fips_test_list, @fips_sha_test_list       if $fips_enabled{"sha"};
-push @fips_test_list, @fips_hmac_test_list      if $fips_enabled{"hmac"};
-push @fips_test_list, @fips_rand_aes_test_list  if $fips_enabled{"rand-aes"};
-push @fips_test_list, @fips_rand_des2_test_list if $fips_enabled{"rand-des2"};
-push @fips_test_list, @fips_aes_test_list       if $fips_enabled{"aes"};
-push @fips_test_list, @fips_aes_cfb1_test_list  if $fips_enabled{"aes-cfb1"};
-push @fips_test_list, @fips_des3_test_list      if $fips_enabled{"des3"};
-
-if ($list_tests) {
-    my ( $test, $en );
-    print "=====TEST LIST=====\n";
-    foreach $test ( sort keys %fips_enabled ) {
-        $en = $fips_enabled{$test};
-        $test =~ tr/[a-z]/[A-Z]/;
-        printf "%-10s %s\n", $test, $en ? "enabled" : "disabled";
-    }
-    exit(0);
-}
-
-foreach (@fips_test_list) {
-    next unless ref($_);
-    my $nm = $_->[0];
-    $_->[2] = "";
-    $_->[3] = "";
-    print STDERR "Duplicate test $nm\n" if exists $fips_tests{$nm};
-    $fips_tests{$nm} = $_;
-}
-
-$tvdir = "." unless defined $tvdir;
-
-if ($win32) {
-    if ( !defined $tprefix ) {
-        if ($onedir) {
-            $tprefix = ".\\";
-        }
-        else {
-            $tprefix = "..\\out32dll\\";
-        }
-    }
-}
-else {
-    if ($onedir) {
-        $tprefix       = "./" unless defined $tprefix;
-        $shwrap_prefix = "./" unless defined $shwrap_prefix;
-    }
-    else {
-        $tprefix       = "../test/" unless defined $tprefix;
-        $shwrap_prefix = "../util/" unless defined $shwrap_prefix;
-    }
-}
-
-sanity_check_exe( $win32, $tprefix, $shwrap_prefix );
-
-my $cmd_prefix = $win32 ? "" : "${shwrap_prefix}shlib_wrap.sh ";
-
-find_files( $filter, $tvdir );
-
-sanity_check_files();
-
-my ( $runerr, $cmperr, $cmpok, $scheckrunerr, $scheckerr, $scheckok, $skipcnt )
-  = ( 0, 0, 0, 0, 0, 0, 0 );
-
-exit(0) if $notest;
-
-run_tests( $verify, $win32, $tprefix, $filter, $tvdir );
-
-if ($verify) {
-    print "ALGORITHM TEST VERIFY SUMMARY REPORT:\n";
-    print "Tests skipped due to missing files:        $skipcnt\n";
-    print "Algorithm test program execution failures: $runerr\n";
-    print "Test comparisons successful:               $cmpok\n";
-    print "Test comparisons failed:                   $cmperr\n";
-    print "Test sanity checks successful:             $scheckok\n";
-    print "Test sanity checks failed:                 $scheckerr\n";
-    print "Sanity check program execution failures:   $scheckrunerr\n";
-
-    if ( $runerr || $cmperr || $scheckrunerr || $scheckerr ) {
-        print "***TEST FAILURE***\n";
-    }
-    else {
-        print "***ALL TESTS SUCCESSFUL***\n";
-    }
-}
-else {
-    print "ALGORITHM TEST SUMMARY REPORT:\n";
-    print "Tests skipped due to missing files:        $skipcnt\n";
-    print "Algorithm test program execution failures: $runerr\n";
-
-    if ($runerr) {
-        print "***TEST FAILURE***\n";
-    }
-    else {
-        print "***ALL TESTS SUCCESSFUL***\n";
-    }
-}
-
-#--------------------------------
-sub Help {
-    ( my $cmd ) = ( $0 =~ m#([^/]+)$# );
-    print <<EOF;
-$cmd: generate run CMVP algorithm tests
-	--debug                     Enable debug output
-	--dir=<dirname>             Optional root for *.req file search
-	--filter=<regexp>
-	--onedir <dirname>          Assume all components in current directory
-	--rspdir=<dirname>          Name of subdirectories containing *.rsp files, default "resp"
-	--shwrap_prefix=<prefix>
-	--tprefix=<prefix>
-	--ignore-bogus              Ignore duplicate or bogus files
-	--ignore-missing            Ignore missing test files
-	--quiet                     Shhh....
-	--generate                  Generate algorithm test output
-	--win32                     Win32 environment
-EOF
-}
-
-# Sanity check to see if all necessary executables exist
-
-sub sanity_check_exe {
-    my ( $win32, $tprefix, $shwrap_prefix ) = @_;
-    my %exe_list;
-    my $bad = 0;
-    $exe_list{ $shwrap_prefix . "shlib_wrap.sh" } = 1 unless $win32;
-    foreach (@fips_test_list) {
-        next unless ref($_);
-        my $cmd = $_->[1];
-        $cmd =~ s/ .*$//;
-        $cmd = $tprefix . $cmd;
-        $cmd .= ".exe" if $win32;
-        $exe_list{$cmd} = 1;
-    }
-
-    foreach ( sort keys %exe_list ) {
-        if ( !-f $_ ) {
-            print STDERR "ERROR: can't find executable $_\n";
-            $bad = 1;
-        }
-    }
-    if ($bad) {
-        print STDERR "FATAL ERROR: executables missing\n";
-        exit(1);
-    }
-    elsif ($debug) {
-        print STDERR "Executable sanity check passed OK\n";
-    }
-}
-
-# Search for all request and response files
-
-sub find_files {
-    my ( $filter, $dir ) = @_;
-    my ( $dirh, $testname );
-    opendir( $dirh, $dir );
-    while ( $_ = readdir($dirh) ) {
-        next if ( $_ eq "." || $_ eq ".." );
-        $_ = "$dir/$_";
-        if ( -f "$_" ) {
-            if (/\/([^\/]*)\.rsp$/) {
-                $testname = fix_pss( $1, $_ );
-                if ( exists $fips_tests{$testname} ) {
-                    if ( $fips_tests{$testname}->[3] eq "" ) {
-                        $fips_tests{$testname}->[3] = $_;
-                    }
-                    else {
-                        print STDERR
-"WARNING: duplicate response file $_ for test $testname\n";
-                        $nbogus++;
-                    }
-                }
-                else {
-                    print STDERR "WARNING: bogus file $_\n";
-                    $nbogus++;
-                }
-            }
-            next unless /$filter.*\.req$/i;
-            if (/\/([^\/]*)\.req$/) {
-                $testname = fix_pss( $1, $_ );
-                if ( exists $fips_tests{$testname} ) {
-                    if ( $fips_tests{$testname}->[2] eq "" ) {
-                        $fips_tests{$testname}->[2] = $_;
-                    }
-                    else {
-                        print STDERR
-"WARNING: duplicate request file $_ for test $testname\n";
-                        $nbogus++;
-                    }
-
-                }
-                elsif ( !/SHAmix\.req$/ ) {
-                    print STDERR "WARNING: unrecognized filename $_\n";
-                    $nbogus++;
-                }
-            }
-        }
-        elsif ( -d "$_" ) {
-            find_files( $filter, $_ );
-        }
-    }
-    closedir($dirh);
-}
-
-sub fix_pss {
-    my ( $test, $path ) = @_;
-    my $sl = "";
-    local $_;
-    if ( $test =~ /PSS/ ) {
-        open( IN, $path ) || die "Can't Open File $path";
-        while (<IN>) {
-            if (/^\s*#\s*salt\s+len:\s+(\d+)\s*$/i) {
-                $sl = $1;
-                last;
-            }
-        }
-        close IN;
-        if ( $sl eq "" ) {
-            print STDERR "WARNING: No Salt length detected for file $path\n";
-        }
-        else {
-            return $test . "($sl)";
-        }
-    }
-    return $test;
-}
-
-sub sanity_check_files {
-    my $bad = 0;
-    foreach (@fips_test_list) {
-        next unless ref($_);
-        my ( $tst, $cmd, $req, $resp ) = @$_;
-
-        #print STDERR "FILES $tst, $cmd, $req, $resp\n";
-        if ( $req eq "" ) {
-            print STDERR "WARNING: missing request file for $tst\n";
-            $bad = 1;
-            next;
-        }
-        if ( $verify && $resp eq "" ) {
-            print STDERR "WARNING: no response file for test $tst\n";
-            $bad = 1;
-        }
-        elsif ( !$verify && $resp ne "" ) {
-            print STDERR "WARNING: response file $resp will be overwritten\n";
-        }
-    }
-    if ($bad) {
-        print STDERR "ERROR: test vector file set not complete\n";
-        exit(1) unless $ignore_missing;
-    }
-    if ($nbogus) {
-        print STDERR
-          "ERROR: $nbogus bogus or duplicate request and response files\n";
-        exit(1) unless $ignore_bogus;
-    }
-    if ( $debug && !$nbogus && !$bad ) {
-        print STDERR "test vector file set complete\n";
-    }
-}
-
-sub run_tests {
-    my ( $verify, $win32, $tprefix, $filter, $tvdir ) = @_;
-    my ( $tname, $tref );
-    my $bad = 0;
-    foreach (@fips_test_list) {
-        if ( !ref($_) ) {
-            print "Running $_ tests\n" unless $quiet;
-            next;
-        }
-        my ( $tname, $tcmd, $req, $rsp ) = @$_;
-        my $out = $rsp;
-        if ($verify) {
-            $out =~ s/\.rsp$/.tst/;
-        }
-        if ( $req eq "" ) {
-            print STDERR
-              "WARNING: Request file for $tname missing: test skipped\n";
-            $skipcnt++;
-            next;
-        }
-        if ( $verify && $rsp eq "" ) {
-            print STDERR
-              "WARNING: Response file for $tname missing: test skipped\n";
-            $skipcnt++;
-            next;
-        }
-        elsif ( !$verify ) {
-            if ( $rsp ne "" ) {
-                print STDERR "WARNING: Response file for $tname deleted\n";
-                unlink $rsp;
-            }
-            $out = $req;
-            $out =~ s|/req/(\S+)\.req|/$rspdir/$1.rsp|;
-            my $outdir = $out;
-            $outdir =~ s|/[^/]*$||;
-            if ( !-d $outdir ) {
-                print STDERR "DEBUG: Creating directory $outdir\n" if $debug;
-                mkdir($outdir) || die "Can't create directory $outdir";
-            }
-        }
-        my $cmd = "$cmd_prefix$tprefix$tcmd ";
-        if ( $tcmd =~ /-f$/ ) {
-            $cmd .= "$req $out";
-        }
-        else {
-            $cmd .= "<$req >$out";
-        }
-        print STDERR "DEBUG: running test $tname\n" if ( $debug && !$verify );
-        system($cmd);
-        if ( $? != 0 ) {
-            print STDERR
-              "WARNING: error executing test $tname for command: $cmd\n";
-            $runerr++;
-            next;
-        }
-        if ($verify) {
-            if ( exists $verify_special{$tname} ) {
-                my $vout = $rsp;
-                $vout =~ s/\.rsp$/.ver/;
-                $tcmd = $verify_special{$tname};
-                $cmd  = "$cmd_prefix$tprefix$tcmd ";
-                $cmd .= "<$out >$vout";
-                system($cmd);
-                if ( $? != 0 ) {
-                    print STDERR
-                      "WARNING: error executing verify test $tname $cmd\n";
-                    $scheckrunerr++;
-                    next;
-                }
-                my ( $fcount, $pcount ) = ( 0, 0 );
-                open VER, "$vout";
-                while (<VER>) {
-                    if (/^Result\s*=\s*(\S*)\s*$/i)
-
-                    {
-                        if ( $1 eq "F" ) {
-                            $fcount++;
-                        }
-                        else {
-                            $pcount++;
-                        }
-                    }
-                }
-                close VER;
-
-                unlink $vout;
-                if ( $fcount || $debug ) {
-                    print STDERR "DEBUG: $tname, Pass=$pcount, Fail=$fcount\n";
-                }
-                if ( $fcount || !$pcount ) {
-                    $scheckerr++;
-                }
-                else {
-                    $scheckok++;
-                }
-
-            }
-            elsif ( !cmp_file( $tname, $rsp, $out ) ) {
-                $cmperr++;
-            }
-            else {
-                $cmpok++;
-            }
-            unlink $out;
-        }
-    }
-}
-
-sub cmp_file {
-    my ( $tname, $rsp, $tst ) = @_;
-    my ( $rspf,    $tstf );
-    my ( $rspline, $tstline );
-    if ( !open( $rspf, $rsp ) ) {
-        print STDERR "ERROR: can't open request file $rsp\n";
-        return 0;
-    }
-    if ( !open( $tstf, $tst ) ) {
-        print STDERR "ERROR: can't open output file $tst\n";
-        return 0;
-    }
-    for ( ; ; ) {
-        $rspline = next_line($rspf);
-        $tstline = next_line($tstf);
-        if ( !defined($rspline) && !defined($tstline) ) {
-            print STDERR "DEBUG: $tname file comparison OK\n" if $debug;
-            return 1;
-        }
-        if ( !defined($rspline) ) {
-            print STDERR "ERROR: $tname EOF on $rspf\n";
-            return 0;
-        }
-        if ( !defined($tstline) ) {
-            print STDERR "ERROR: $tname EOF on $tstf\n";
-            return 0;
-        }
-
-        # Workaround for bug in RAND des2 test output */
-        if ( $tstline =~ /^Key2 =/ && $rspline =~ /^Key1 =/ ) {
-            $rspline =~ s/^Key1/Key2/;
-        }
-
-        if ( $tstline ne $rspline ) {
-            print STDERR "ERROR: $tname mismatch:\n";
-            print STDERR "\t $tstline != $rspline\n";
-            return 0;
-        }
-    }
-    return 1;
-}
-
-sub next_line {
-    my ($in) = @_;
-
-    while (<$in>) {
-        chomp;
-
-        # Delete comments
-        s/#.*$//;
-
-        # Ignore blank lines
-        next if (/^\s*$/);
-
-        # Translate multiple space into one
-        s/\s+/ /g;
-        return $_;
-    }
-    return undef;
-}
--- a/fips-1.0/fipsld
+++ b/fips-1.0/fipsld
@@ -22,6 +22,25 @@ CC=${FIPSLD_CC:-${CC}}
    [ $# -ge 1 ]
 ) && exec ${CC} "$@"

+# If using an auto-tooled (autoconf/automake/libtool) project,
+# configure will fail when testing the compiler or even performing
+# simple checks.  Pass-thru to compiler directly if not linking
+# to libcrypto, allowing auto-tooled applications to utilize fipsld
+# (e.g.  CC=/usr/local/ssl/bin/fipsld FIPSLD_CC=gcc ./configure && make )
+# If FIPSLD_NPT is set never call the pass-thru: the standalone fips commands
+# need this because they don't link to libcrypto
+[ "x$FIPSLD_NPT" != "x" ] || {
+case "$*" in
+	*libcrypto.a*)
+	;;
+	*-lcrypto*)
+	;;
+	*)
+		exec ${CC} $*
+	;;
+esac
+}
+
 # Turn on debugging output?
 (   while [ "x$1" != "x" -a "x$1" != "x-DDEBUG_FINGERPRINT_PREMAIN" ]; do shift; done;
    [ $# -ge 1 ]
@@ -32,6 +51,11 @@ TARGET=`(while [ "x$1" != "x" -a "x$1" != "x-o" ]; do shift; done; echo $2)`

 THERE="`echo $0 | sed -e 's|[^/]*$||'`"..

+# FIPSCANLIB is the library containing fipscanister.o by default it is
+# libcrypto.a
+
+FIPSCANLIB=${FIPSCANLIB:-libcrypto}
+
 # FIPSLIBDIR is location of installed validated FIPS module
 # if FIPSCANISTERINTERNAL="y" link against internally generated fipscanister.o
 if [ "x$FIPSCANISTERINTERNAL" != "xy" ]; then
@@ -59,7 +83,7 @@ case "${TARGET}" in
 esac

 case "${TARGET}" in
-*libcrypto*|*.dll)	# must be linking a shared lib...
+*${FIPSCANLIB}*|*.dll)	# must be linking a shared lib...
 	# Shared lib creation can be taking place in the source
 	# directory only!!!
 	FINGERTYPE="${THERE}/fips-1.0/sha/fips_standalone_sha1"
@@ -78,15 +102,15 @@ echo Canister: $CANISTER_O
 		diff -w "${PREMAIN_C}.sha1" - || \
 	{ echo "${PREMAIN_C} fingerprint mismatch"; exit 1; }

-	# Temporarily remove fipscanister.o from libcrypto.a!
+	# Temporarily remove fipscanister.o from library!
 	# We are required to use the standalone copy...
-	trap	'ar r "${THERE}/libcrypto.a" "${CANISTER_O}";
-		 (ranlib "${THERE}/libcrypto.a") 2>/dev/null;
+	trap	'ar r "${THERE}/$FIPSCANLIB.a" "${CANISTER_O}";
+		 (ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null;
 		 sleep 1;
 		 touch -c "${TARGET}"' 0

-	ar d "${THERE}/libcrypto.a" fipscanister.o 2>&1 > /dev/null || :
-	(ranlib "${THERE}/libcrypto.a") 2>/dev/null || :
+	ar d "${THERE}/$FIPSCANLIB.a" fipscanister.o 2>&1 > /dev/null || :
+	(ranlib "${THERE}/$FIPSCANLIB.a") 2>/dev/null || :

 	${CC}	"${CANISTER_O}" \
 		"${PREMAIN_C}" \
--- a/fips-1.0/mkfipsscr.pl
+++ b/fips-1.0/mkfipsscr.pl
@@ -60,8 +60,12 @@ my @fips_tests = (

 my $lnum = 0;
 my $win32 = 0;
-my $tvdir = "testvectors";
+my $onedir = 0;
 my $ltdir = "";
+my $tvdir;
+my $tvprefix;
+my $tprefix;
+my $shwrap_prefix;

 foreach (@ARGV)
 	{
@@ -69,15 +73,47 @@ foreach (@ARGV)
 		{
 		$win32 = 1;
 		}
+	elsif ($_ eq "--onedir")
+		{
+		$onedir = 1;
+		}
 	elsif (/--dir=(.*)$/)
 		{
 		$tvdir = $1;
 		}
+	elsif (/--tprefix=(.*)$/)
+		{
+		$tprefix = $1;
+		}
+	elsif (/--tvprefix=(.*)$/)
+		{
+		$tvprefix = $1;
+		}
+	elsif (/--shwrap_prefix=(.*)$/)
+		{
+		$shwrap_prefix = $1;
+		}
+	elsif (/--outfile=(.*)$/)
+		{
+		$outfile = $1;
+		}
 	}

+$tvdir = "testvectors" unless defined $tvdir;
+
 if ($win32)
 	{
-	open(OUT, ">fipstests.bat");
+	if ($onedir)
+		{
+		$tvprefix = "" unless defined $tvprefix;
+		}
+	else
+		{
+		$tvprefix = "..\\fips-1.0\\" unless defined $tvprefix;
+		}
+	$tprefix = ".\\" unless defined $tprefix;
+	$outfile = "fipstests.bat" unless defined $outfile;
+	open(OUT, ">$outfile");

 	print OUT <<END;
 \@echo off
@@ -90,9 +126,21 @@ END
 	}
 else
 	{
-open(OUT, ">fipstests.sh");
+	$tvprefix = "" unless defined $tvprefix;
+	if ($onedir)
+		{
+		$tprefix = "./" unless defined $tprefix;
+		$shwrap_prefix = "./" unless defined $shwrap_prefix;
+		}
+	else
+		{
+		$tprefix = "../test/" unless defined $tprefix;
+		$shwrap_prefix = "../util/" unless defined $shwrap_prefix;
+		}
+	$outfile = "fipstests.sh" unless defined $outfile;
+	open(OUT, ">$outfile");

-print OUT <<END;
+	print OUT <<END;
 #!/bin/sh

 # Test vector run script
@@ -120,11 +168,11 @@ sub test_dir
 	my ($win32, $tdir) = @_;
 	if ($win32)
 		{
-		my $rsp = "..\\fips-1.0\\$tvdir\\$tdir\\rsp";
+		my $rsp = "$tvprefix$tvdir\\$tdir\\rsp";
 		print OUT <<END;

 echo $tdir tests
-rd /s /q $rsp
+if exist $rsp rd /s /q $rsp
 md $rsp
 END
 		}
@@ -146,16 +194,17 @@ sub test_line
 	my ($win32, $tdir, $fprefix, $tcmd) = @_;
 	if ($fprefix =~ /\@/)
 		{
-		foreach(<$tvdir/$tdir/req/*.req>)
+		foreach(<$tvprefix$tvdir/$tdir/req/*.req>)
 			{
 			if ($win32)
 				{
-				print OUT ".\\$tcmd ../fips-1.0/${_}\n";
+				$_ =~ tr|/|\\|;
+				print OUT "$tprefix$tcmd $_\n";
 				}
 			else
 				{
 				print OUT <<END;
-../util/shlib_wrap.sh ../test/$tcmd $_
+${shwrap_prefix}shlib_wrap.sh $tprefix$tcmd $_
 END
 				}
 			}
@@ -163,9 +212,9 @@ END
 		}
 	if ($win32)
 		{
-		my $req = "..\\fips-1.0\\$tvdir\\$tdir\\req\\$fprefix.req";
-		my $rsp = "..\\fips-1.0\\$tvdir\\$tdir\\rsp\\$fprefix.rsp";
-	print OUT ".\\$tcmd < $req > $rsp\n";
+		my $req = "$tvprefix$tvdir\\$tdir\\req\\$fprefix.req";
+		my $rsp = "$tvprefix$tvdir\\$tdir\\rsp\\$fprefix.rsp";
+	print OUT "$tprefix$tcmd < $req > $rsp\n";
 END
 		}
 	else
@@ -173,7 +222,7 @@ END
 		my $req = "$tvdir/$tdir/req/$fprefix.req";
 		my $rsp = "$tvdir/$tdir/rsp/$fprefix.rsp";
 		print OUT <<END;
-if [ -f $req ] ; then ../util/shlib_wrap.sh ../test/$tcmd < $req > $rsp; fi
+if [ -f $req ] ; then ${shwrap_prefix}shlib_wrap.sh $tprefix$tcmd < $req > $rsp; fi
 END
 		}
 	}
--- a/fips-1.0/rand/fips_rand.c
+++ b/fips-1.0/rand/fips_rand.c
@@ -1,5 +1,5 @@
 /* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -48,7 +48,7 @@
 */

 /*
- * This is a FIPS approved PRNG, ANSI X9.31 A.2.4.
+ * This is a FIPS approved AES PRNG based on ANSI X9.31 A.2.4.
 */

 #include "e_os.h"
@@ -60,8 +60,8 @@
 #define _XOPEN_SOURCE_EXTENDED 1
 #endif

-#include <openssl/des.h>
 #include <openssl/rand.h>
+#include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/fips_rand.h>
 #ifndef OPENSSL_SYS_WIN32
@@ -79,281 +79,288 @@

 void *OPENSSL_stderr(void);

-#ifdef OPENSSL_FIPS
+#define AES_BLOCK_LENGTH	16

-#define SEED_SIZE	8

-static unsigned char seed[SEED_SIZE];
-static FIPS_RAND_SIZE_T n_seed;
-static FIPS_RAND_SIZE_T o_seed;
-static DES_cblock key1;
-static DES_cblock key2;
-static DES_key_schedule ks1,ks2;
-static int key_set;
-static int key_init;
-static int test_mode;
-static unsigned char test_faketime[8];
+/* AES FIPS PRNG implementation */
+
+typedef struct 
+	{
+	int seeded;
+	int keyed;
+	int test_mode;
+	int second;
+	int error;
+	unsigned long counter;
+	AES_KEY ks;
+	int vpos;
+	unsigned char V[AES_BLOCK_LENGTH];
+	unsigned char DT[AES_BLOCK_LENGTH];
+	unsigned char last[AES_BLOCK_LENGTH];
+	} FIPS_PRNG_CTX;
+
+static FIPS_PRNG_CTX sctx;
+
+void fips_rand_prng_reset(FIPS_PRNG_CTX *ctx)
+	{
+	ctx->seeded = 0;
+	ctx->keyed = 0;
+	ctx->test_mode = 0;
+	ctx->counter = 0;
+	ctx->second = 0;
+	ctx->error = 0;
+	ctx->vpos = 0;
+	OPENSSL_cleanse(ctx->V, AES_BLOCK_LENGTH);
+	OPENSSL_cleanse(&ctx->ks, sizeof(AES_KEY));
+	}
+	
+
+static int fips_set_prng_key(FIPS_PRNG_CTX *ctx,
+			const unsigned char *key, FIPS_RAND_SIZE_T keylen)
+	{
+	if (keylen != 16 && keylen != 24 && keylen != 32)
+		{
+		/* error: invalid key size */
+		return 0;
+		}
+	AES_set_encrypt_key(key, keylen << 3, &ctx->ks);
+	ctx->keyed = 1;
+	ctx->seeded = 0;
+	ctx->second = 0;
+	return 1;
+	}
+
+static int fips_set_prng_seed(FIPS_PRNG_CTX *ctx,
+			const unsigned char *seed, FIPS_RAND_SIZE_T seedlen)
+	{
+	int i;
+	if (!ctx->keyed)
+		return 0;
+	/* In test mode seed is just supplied data */
+	if (ctx->test_mode)
+		{
+		if (seedlen != AES_BLOCK_LENGTH)
+			return 0;
+		memcpy(ctx->V, seed, AES_BLOCK_LENGTH);
+		ctx->seeded = 1;
+		return 1;
+		}
+	/* Outside test mode XOR supplied data with existing seed */
+	for (i = 0; i < seedlen; i++)
+		{
+		ctx->V[ctx->vpos++] ^= seed[i];
+		if (ctx->vpos == AES_BLOCK_LENGTH)
+			{
+			ctx->vpos = 0;
+			ctx->seeded = 1;
+			}
+		}
+	return 1;
+	}
+
+int fips_set_test_mode(FIPS_PRNG_CTX *ctx)
+	{
+	if (ctx->keyed)
+		{
+		RANDerr(RAND_F_FIPS_SET_TEST_MODE,RAND_R_PRNG_KEYED);
+		return 0;
+		}
+	ctx->test_mode = 1;
+	return 1;
+	}
+
+int FIPS_rand_test_mode(void)
+	{
+	return fips_set_test_mode(&sctx);
+	}
+
+int FIPS_rand_set_dt(unsigned char *dt)
+	{
+	if (!sctx.test_mode)
+		{
+		RANDerr(RAND_F_FIPS_SET_DT,RAND_R_NOT_IN_TEST_MODE);
+		return 0;
+		}
+	memcpy(sctx.DT, dt, AES_BLOCK_LENGTH);
+	return 1;
+	}
+
+static void fips_get_dt(FIPS_PRNG_CTX *ctx)
+    {
+#ifdef OPENSSL_SYS_WIN32
+	FILETIME ft;
+#else
+	struct timeval tv;
+#endif
+	unsigned char *buf = ctx->DT;
+
+	unsigned long pid;
+
+#ifdef OPENSSL_SYS_WIN32
+	GetSystemTimeAsFileTime(&ft);
+	buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
+	buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
+	buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
+	buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
+	buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
+	buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
+	buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
+	buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
+#else
+	gettimeofday(&tv,NULL);
+	buf[0] = (unsigned char) (tv.tv_sec & 0xff);
+	buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
+	buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
+	buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
+	buf[4] = (unsigned char) (tv.tv_usec & 0xff);
+	buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
+	buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
+	buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
+#endif
+	buf[8] = (unsigned char) (ctx->counter & 0xff);
+	buf[9] = (unsigned char) ((ctx->counter >> 8) & 0xff);
+	buf[10] = (unsigned char) ((ctx->counter >> 16) & 0xff);
+	buf[11] = (unsigned char) ((ctx->counter >> 24) & 0xff);
+
+	pid=(unsigned long)getpid();

 #ifndef GETPID_IS_MEANINGLESS
-static int seed_pid;
-static int key_pid;
+	buf[12] = (unsigned char) (pid & 0xff);
+	buf[13] = (unsigned char) ((pid >> 8) & 0xff);
+	buf[14] = (unsigned char) ((pid >> 16) & 0xff);
+	buf[15] = (unsigned char) ((pid >> 24) & 0xff);
 #endif
+    }

-static void fips_rand_cleanup(void);
-static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy);
-static int fips_rand_bytes(unsigned char *buf, FIPS_RAND_SIZE_T num);
-static int fips_rand_status(void);
+static int fips_rand(FIPS_PRNG_CTX *ctx,
+			unsigned char *out, FIPS_RAND_SIZE_T outlen)
+	{
+	unsigned char R[AES_BLOCK_LENGTH], I[AES_BLOCK_LENGTH];
+	unsigned char tmp[AES_BLOCK_LENGTH];
+	int i;
+	if (ctx->error)
+		{
+		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_ERROR);
+		return 0;
+		}
+	if (!ctx->keyed)
+		{
+		RANDerr(RAND_F_FIPS_RAND,RAND_R_NO_KEY_SET);
+		return 0;
+		}
+	if (!ctx->seeded)
+		{
+		RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_NOT_SEEDED);
+		return 0;
+		}
+	for (;;)
+		{
+		if (!ctx->test_mode)
+			fips_get_dt(ctx);
+		AES_encrypt(ctx->DT, I, &ctx->ks);
+		for (i = 0; i < AES_BLOCK_LENGTH; i++)
+			tmp[i] = I[i] ^ ctx->V[i];
+		AES_encrypt(tmp, R, &ctx->ks);
+		for (i = 0; i < AES_BLOCK_LENGTH; i++)
+			tmp[i] = R[i] ^ I[i];
+		AES_encrypt(tmp, ctx->V, &ctx->ks);
+		if (ctx->second)
+			{
+			if (!memcmp(R, ctx->last, AES_BLOCK_LENGTH))
+				{
+	    			RANDerr(RAND_F_FIPS_RAND,RAND_R_PRNG_STUCK);
+				ctx->error = 1;
+				return 0;
+				}
+			}
+		memcpy(ctx->last, R, AES_BLOCK_LENGTH);
+		if (!ctx->second)
+			{
+			ctx->second = 1;
+			if (!ctx->test_mode)
+				continue;
+			}
+
+		if (outlen <= AES_BLOCK_LENGTH)
+			{
+			memcpy(out, R, outlen);
+			break;
+			}
+
+		memcpy(out, R, AES_BLOCK_LENGTH);
+		out += AES_BLOCK_LENGTH;
+		outlen -= AES_BLOCK_LENGTH;
+		}
+	return 1;
+	}
+
+
+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen)
+	{
+	int ret;
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	ret = fips_set_prng_key(&sctx, key, keylen);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	return ret;
+	}
+
+int FIPS_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
+	{
+	int ret;
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	ret = fips_set_prng_seed(&sctx, seed, seedlen);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	return ret;
+	}
+
+
+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T count)
+	{
+	int ret;
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	ret = fips_rand(&sctx, out, count);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	return ret;
+	}
+
+int FIPS_rand_status(void)
+	{
+	int ret;
+	CRYPTO_r_lock(CRYPTO_LOCK_RAND);
+	ret = sctx.seeded;
+	CRYPTO_r_unlock(CRYPTO_LOCK_RAND);
+	return ret;
+	}
+
+void FIPS_rand_reset(void)
+	{
+	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+	fips_rand_prng_reset(&sctx);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+	}
+
+static void fips_do_rand_seed(const void *seed, FIPS_RAND_SIZE_T seedlen)
+	{
+	FIPS_rand_seed(seed, seedlen);
+	}
+
+static void fips_do_rand_add(const void *seed, FIPS_RAND_SIZE_T seedlen,
+					double add_entropy)
+	{
+	FIPS_rand_seed(seed, seedlen);
+	}

 static const RAND_METHOD rand_fips_meth=
    {
-    FIPS_rand_seed,
-    fips_rand_bytes,
-    fips_rand_cleanup,
-    fips_rand_add,
-    fips_rand_bytes,
-    fips_rand_status
+    fips_do_rand_seed,
+    FIPS_rand_bytes,
+    FIPS_rand_reset,
+    fips_do_rand_add,
+    FIPS_rand_bytes,
+    FIPS_rand_status
    };

-static int second;
-
 const RAND_METHOD *FIPS_rand_method(void)
 {
  return &rand_fips_meth;
 }
-
-void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8])
-    {
-    memcpy(&key1,k1,sizeof key1);
-    memcpy(&key2,k2,sizeof key2);
-    key_set=1;
-#ifndef GETPID_IS_MEANINGLESS
-    key_pid=getpid();
-#endif
-    second=0;
-    }
-
-void FIPS_test_mode(int test,const unsigned char faketime[8])
-    {
-    test_mode=test;
-    if(!test_mode)
-	return;
-    memcpy(test_faketime,faketime,sizeof test_faketime);
-    }
-
-/* NB: this returns true if _partially_ seeded */
-int FIPS_rand_seeded()
-    { return key_set || n_seed; }
-
-static void fips_gettime(unsigned char buf[8])
-    {
-#ifdef OPENSSL_SYS_WIN32
-    FILETIME ft;
-#else
-    struct timeval tv;
-#endif
-
-    if(test_mode)
-	{
-	/* fprintf(OPENSSL_stderr(),"WARNING!!! PRNG IN TEST MODE!!!\n"); */
-	memcpy(buf,test_faketime,sizeof test_faketime);
-	return;
-	}
-#ifdef OPENSSL_SYS_WIN32
-    GetSystemTimeAsFileTime(&ft);
-    buf[0] = (unsigned char) (ft.dwHighDateTime & 0xff);
-    buf[1] = (unsigned char) ((ft.dwHighDateTime >> 8) & 0xff);
-    buf[2] = (unsigned char) ((ft.dwHighDateTime >> 16) & 0xff);
-    buf[3] = (unsigned char) ((ft.dwHighDateTime >> 24) & 0xff);
-    buf[4] = (unsigned char) (ft.dwLowDateTime & 0xff);
-    buf[5] = (unsigned char) ((ft.dwLowDateTime >> 8) & 0xff);
-    buf[6] = (unsigned char) ((ft.dwLowDateTime >> 16) & 0xff);
-    buf[7] = (unsigned char) ((ft.dwLowDateTime >> 24) & 0xff);
-#else
-    gettimeofday(&tv,NULL);
-    buf[0] = (unsigned char) (tv.tv_sec & 0xff);
-    buf[1] = (unsigned char) ((tv.tv_sec >> 8) & 0xff);
-    buf[2] = (unsigned char) ((tv.tv_sec >> 16) & 0xff);
-    buf[3] = (unsigned char) ((tv.tv_sec >> 24) & 0xff);
-    buf[4] = (unsigned char) (tv.tv_usec & 0xff);
-    buf[5] = (unsigned char) ((tv.tv_usec >> 8) & 0xff);
-    buf[6] = (unsigned char) ((tv.tv_usec >> 16) & 0xff);
-    buf[7] = (unsigned char) ((tv.tv_usec >> 24) & 0xff);
-#endif
-
-#if 0  /* This eminently sensible strategy is not acceptable to NIST. Sigh. */
-#ifndef GETPID_IS_MEANINGLESS
-    /* we mix in the PID to ensure that after a fork the children don't give
-     * the same results as each other
-     */
-    pid=getpid();
-    /* make sure we shift the pid to the MSB */
-    if((pid&0xffff0000) == 0)
-	pid<<=16;
-    *(long *)&buf[0]^=pid;
-#endif
-#endif
-    }
-
-static void fips_rand_encrypt(unsigned char *out,const unsigned char *in)
-    {
-    DES_ecb2_encrypt(in,out,&ks1,&ks2,1);
-    }
-
-static void fips_rand_cleanup(void)
-    {
-    OPENSSL_cleanse(seed,sizeof seed);
-    n_seed=0;
-    o_seed=0;
-    key_init=0;
-    }
-
-void FIPS_rand_seed(const void *buf_, FIPS_RAND_SIZE_T num)
-    {
-    const char *buf=buf_;
-    FIPS_RAND_SIZE_T n;
-
-    /* If the key hasn't been set, we can't seed! */
-    if(!key_set)
-	return;
-
-    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-    if(!key_init)
-	{
-	key_init=1;
-	DES_set_key(&key1,&ks1);
-	DES_set_key(&key2,&ks2);
-	}
-
-    /*
-     * This algorithm only uses 64 bits of seed, so ensure that we use
-     * the most recent 64 bits.
-     */
-    for(n=0 ; n < num ; )
-	{
-	FIPS_RAND_SIZE_T t=num-n;
-
-	if(o_seed+t > sizeof seed)
-	    t=sizeof seed-o_seed;
-	memcpy(seed+o_seed,buf+n,t);
-	n+=t;
-	o_seed+=t;
-	if(o_seed == sizeof seed)
-	    o_seed=0;
-	if(n_seed < sizeof seed)
-	    n_seed+=t;
-	}
-
-#ifndef GETPID_IS_MEANINGLESS
-    seed_pid=getpid();
-#endif
-
-    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-    }
-
-static void fips_rand_add(const void *buf, FIPS_RAND_SIZE_T num, double add_entropy)
-    {
-    FIPS_rand_seed(buf,num);
-    }
-
-static int fips_rand_bytes(unsigned char *buf,FIPS_RAND_SIZE_T num)
-    {
-    FIPS_RAND_SIZE_T n;
-    unsigned char timeseed[8];
-    unsigned char intermediate[SEED_SIZE];
-    unsigned char output[SEED_SIZE];
-    static unsigned char previous[SEED_SIZE];
-#ifndef GETPID_IS_MEANINGLESS
-    int pid;
-#endif
-
-    if(n_seed < sizeof seed)
-	{
-	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_SEEDED);
-	return 0;
-	}
-
-#ifdef FIPS_RAND_MAX_SIZE_T
-    if (num > FIPS_RAND_MAX_SIZE_T)
-	{
-#ifdef RAND_R_PRNG_ASKING_FOR_TOO_MUCH
-	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_ASKING_FOR_TOO_MUCH);
-	return 0;
-#else
-	return -1; /* signal "not supported" condition */
-#endif
-	}
-#endif
-
-#ifndef GETPID_IS_MEANINGLESS
-    pid=getpid();
-    if(pid != seed_pid)
-	{
-	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_RESEEDED);
-	return 0;
-	}
-    if(pid != key_pid)
-	{
-	RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_NOT_REKEYED);
-	return 0;
-	}
-#endif
-
-    CRYPTO_w_lock(CRYPTO_LOCK_RAND);
-
-    for(n=0 ; n < num ; )
-	{
-	unsigned char t[SEED_SIZE];
-	FIPS_RAND_SIZE_T l;
-	
-	/* ANS X9.31 A.2.4:	I = ede*K(DT)
-	       timeseed == DT
-	       intermediate == I
-	*/
-	fips_gettime(timeseed);
-	fips_rand_encrypt(intermediate,timeseed);
-
-	/* ANS X9.31 A.2.4:     R = ede*K(I^V)
-	       intermediate == I
-	       seed == V
-	       output == R
-	*/
-	for(l=0 ; l < sizeof t ; ++l)
-	    t[l]=intermediate[l]^seed[l];
-	fips_rand_encrypt(output,t);
-
-	/* ANS X9.31 A.2.4:     V = ede*K(R^I)
-	       output == R
-	       intermediate == I
-	       seed == V
-	*/
-	for(l=0 ; l < sizeof t ; ++l)
-	    t[l]=output[l]^intermediate[l];
-	fips_rand_encrypt(seed,t);
-
-	if(second && !memcmp(output,previous,sizeof previous))
-	    {
-	    RANDerr(RAND_F_FIPS_RAND_BYTES,RAND_R_PRNG_STUCK);
-	    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-	    return 0;
-	    }
-	memcpy(previous,output,sizeof previous);
-	second=1;
-
-	/* Successive values of R may be concatenated to produce a
-	   pseudo random number of the desired length */ 
-	l=SEED_SIZE < num-n ? SEED_SIZE : num-n;
-	memcpy(buf+n,output,l);
-	n+=l;
-	}
-
-    CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
-
-    return 1;
-    }
-
-static int fips_rand_status(void)
-    {
-    return n_seed == sizeof seed;
-    }
-
-#endif /* OPENSSL_FIPS */
--- a/fips-1.0/rand/fips_rand.h
+++ b/fips-1.0/rand/fips_rand.h
@@ -58,11 +58,15 @@
 extern "C" {
 #endif

-void FIPS_set_prng_key(const unsigned char k1[8],const unsigned char k2[8]);
-void FIPS_test_mode(int test,const unsigned char faketime[8]);
-void FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
-/* NB: this returns true if _partially_ seeded */
-int FIPS_rand_seeded(void);
+int FIPS_rand_set_key(const unsigned char *key, FIPS_RAND_SIZE_T keylen);
+int FIPS_rand_seed(const void *buf, FIPS_RAND_SIZE_T num);
+int FIPS_rand_bytes(unsigned char *out, FIPS_RAND_SIZE_T outlen);
+
+int FIPS_rand_test_mode(void);
+void FIPS_rand_reset(void);
+int FIPS_rand_set_dt(unsigned char *dt);
+
+int FIPS_rand_status(void);

 const RAND_METHOD *FIPS_rand_method(void);

--- a/fips-1.0/rand/fips_rand_selftest.c
+++ b/fips-1.0/rand/fips_rand_selftest.c
@@ -54,67 +54,318 @@
 #include <openssl/fips_rand.h>

 #ifdef OPENSSL_FIPS
-static struct
-    {
-    unsigned char key1[8];
-    unsigned char key2[8];
-    unsigned char seed[8];
-    unsigned char dt[8];
-    } init_iv[] =
-    {
-    { 
-    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
-    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
-    { 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x3c },
-    },
-    {
-    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
-    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
-    { 0xf8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
-    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x40 },
-    },
-    {
-    { 0x75, 0xc7, 0x1a, 0xe5, 0xa1, 0x1a, 0x23, 0x2c },
-    { 0x40, 0x25, 0x6d, 0xcd, 0x94, 0xf7, 0x67, 0xb0 },
-    { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
-    { 0xc8, 0x9a, 0x1d, 0x88, 0x8e, 0xd1, 0x2f, 0x7b },
-    },
-    };

-static const unsigned char expected_ret[][8]=
-    {
-    { 0x94, 0x4d, 0xc7, 0x21, 0x0d, 0x6d, 0x7f, 0xd7 },
-    { 0x02, 0x43, 0x3c, 0x94, 0x17, 0xa3, 0x32, 0x6f },
-    { 0xe7, 0xe2, 0xb2, 0x96, 0x4f, 0x36, 0xed, 0x41 },
-    };
+
+
+typedef struct
+	{
+	unsigned char DT[16];
+	unsigned char V[16];
+	unsigned char R[16];
+	} AES_PRNG_TV;
+
+/* The following test vectors are taken directly from the RGNVS spec */
+
+static unsigned char aes_128_key[16] =
+		{0xf3,0xb1,0x66,0x6d,0x13,0x60,0x72,0x42,
+		 0xed,0x06,0x1c,0xab,0xb8,0xd4,0x62,0x02};
+
+static AES_PRNG_TV aes_128_tv[] = {
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xf9},
+				/* V */
+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x59,0x53,0x1e,0xd1,0x3b,0xb0,0xc0,0x55,
+		 0x84,0x79,0x66,0x85,0xc1,0x2f,0x76,0x41}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfa},
+				/* V */
+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x7c,0x22,0x2c,0xf4,0xca,0x8f,0xa2,0x4c,
+		 0x1c,0x9c,0xb6,0x41,0xa9,0xf3,0x22,0x0d}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfb},
+				/* V */
+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x8a,0xaa,0x00,0x39,0x66,0x67,0x5b,0xe5,
+		 0x29,0x14,0x28,0x81,0xa9,0x4d,0x4e,0xc7}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfc},
+				/* V */
+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x88,0xdd,0xa4,0x56,0x30,0x24,0x23,0xe5,
+		 0xf6,0x9d,0xa5,0x7e,0x7b,0x95,0xc7,0x3a}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x22,0xfd},
+				/* V */
+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x05,0x25,0x92,0x46,0x61,0x79,0xd2,0xcb,
+		 0x78,0xc4,0x0b,0x14,0x0a,0x5a,0x9a,0xc8}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x77},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
+				/* R */
+		{0x0d,0xd5,0xa0,0x36,0x7a,0x59,0x26,0xbc,
+		 0x48,0xd9,0x38,0xbf,0xf0,0x85,0x8f,0xea}
+	},
+	{
+				/* DT */
+		{0xe6,0xb3,0xbe,0x78,0x2a,0x23,0xfa,0x62,
+		 0xd7,0x1d,0x4a,0xfb,0xb0,0xe9,0x23,0x78},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+				/* R */
+		{0xae,0x53,0x87,0xee,0x8c,0xd9,0x12,0xf5,
+		 0x73,0x53,0xae,0x03,0xf9,0xd5,0x13,0x33}
+	},
+};
+
+static unsigned char aes_192_key[24] =
+		{0x15,0xd8,0x78,0x0d,0x62,0xd3,0x25,0x6e,
+		 0x44,0x64,0x10,0x13,0x60,0x2b,0xa9,0xbc,
+		 0x4a,0xfb,0xca,0xeb,0x4c,0x8b,0x99,0x3b};
+
+static AES_PRNG_TV aes_192_tv[] = {
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4b},
+				/* V */
+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x17,0x07,0xd5,0x28,0x19,0x79,0x1e,0xef,
+		 0xa5,0x0c,0xbf,0x25,0xe5,0x56,0xb4,0x93}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4c},
+				/* V */
+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x92,0x8d,0xbe,0x07,0xdd,0xc7,0x58,0xc0,
+		 0x6f,0x35,0x41,0x9b,0x17,0xc9,0xbd,0x9b}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4d},
+				/* V */
+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0xd5,0xde,0xf4,0x50,0xf3,0xb7,0x10,0x4e,
+		 0xb8,0xc6,0xf8,0xcf,0xe2,0xb1,0xca,0xa2}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4e},
+				/* V */
+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0xce,0x29,0x08,0x43,0xfc,0x34,0x41,0xe7,
+		 0x47,0x8f,0xb3,0x66,0x2b,0x46,0xb1,0xbb}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0x4f},
+				/* V */
+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0xb3,0x26,0x0f,0xf5,0xd6,0xca,0xa8,0xbf,
+		 0x89,0xb8,0x5e,0x2f,0x22,0x56,0x92,0x2f}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xc9},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
+				/* R */
+		{0x05,0xeb,0x18,0x52,0x34,0x43,0x00,0x43,
+		 0x6e,0x5a,0xa5,0xfe,0x7b,0x32,0xc4,0x2d}
+	},
+	{
+				/* DT */
+		{0x3f,0xd8,0xff,0xe8,0x80,0x69,0x8b,0xc1,
+		 0xbf,0x99,0x7d,0xa4,0x24,0x78,0xf3,0xca},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+				/* R */
+		{0x15,0x3c,0xe8,0xd1,0x04,0xc7,0xad,0x50,
+		 0x0b,0xf0,0x07,0x16,0xe7,0x56,0x7a,0xea}
+	},
+};
+
+static unsigned char aes_256_key[32] =
+		{0x6d,0x14,0x06,0x6c,0xb6,0xd8,0x21,0x2d,
+		 0x82,0x8d,0xfa,0xf2,0x7a,0x03,0xb7,0x9f,
+		 0x0c,0xc7,0x3e,0xcd,0x76,0xeb,0xee,0xb5,
+		 0x21,0x05,0x8c,0x4f,0x31,0x7a,0x80,0xbb};
+
+static AES_PRNG_TV aes_256_tv[] = {
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x88},
+				/* V */
+		{0x80,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x35,0xc7,0xef,0xa7,0x78,0x4d,0x29,0xbc,
+		 0x82,0x79,0x99,0xfb,0xd0,0xb3,0x3b,0x72}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x89},
+				/* V */
+		{0xc0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x6c,0xf4,0x42,0x5d,0xc7,0x04,0x1a,0x41,
+		 0x28,0x2a,0x78,0xa9,0xb0,0x12,0xc4,0x95}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8a},
+				/* V */
+		{0xe0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x16,0x90,0xa4,0xff,0x7b,0x7e,0xb9,0x30,
+		 0xdb,0x67,0x4b,0xac,0x2d,0xe1,0xd1,0x75}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8b},
+				/* V */
+		{0xf0,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x14,0x6f,0xf5,0x95,0xa1,0x46,0x65,0x30,
+		 0xbc,0x57,0xe2,0x4a,0xf7,0x45,0x62,0x05}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9e,0x8c},
+				/* V */
+		{0xf8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+		 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
+				/* R */
+		{0x96,0xe2,0xb4,0x1e,0x66,0x5e,0x0f,0xa4,
+		 0xc5,0xcd,0xa2,0x07,0xcc,0xb7,0x94,0x40}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x06},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xfe},
+				/* R */
+		{0x61,0xce,0x1d,0x6a,0x48,0x75,0x97,0x28,
+		 0x4b,0x41,0xde,0x18,0x44,0x4f,0x56,0xec}
+	},
+	{
+				/* DT */
+		{0xda,0x3a,0x41,0xec,0x1d,0xa3,0xb0,0xd5,
+		 0xf2,0xa9,0x4e,0x34,0x74,0x8e,0x9f,0x07},
+				/* V */
+		{0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
+		 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
+				/* R */
+		{0x52,0x89,0x59,0x79,0x2d,0xaa,0x28,0xb3,
+		 0xb0,0x8a,0x3e,0x70,0xfa,0x71,0x59,0x84}
+	},
+};
+

 void FIPS_corrupt_rng()
    {
-    init_iv[0].dt[0]++;
+    aes_192_tv[0].V[0]++;
    }

+#define fips_rand_test(key, tv) \
+	do_rand_test(key, sizeof key, tv, sizeof(tv)/sizeof(AES_PRNG_TV))
+
+static int do_rand_test(unsigned char *key, int keylen,
+			AES_PRNG_TV *tv, int ntv)
+	{
+	unsigned char R[16];
+	int i;
+	if (!FIPS_rand_set_key(key, keylen))
+		return 0;
+	for (i = 0; i < ntv; i++)
+		{
+		FIPS_rand_seed(tv[i].V, 16);
+		FIPS_rand_set_dt(tv[i].DT);
+		FIPS_rand_bytes(R, 16);
+		if (memcmp(R, tv[i].R, 16))
+			return 0;
+		}
+	return 1;
+	}
+	
+
 int FIPS_selftest_rng()
-    {
-    int n;
-
-    for(n=0 ; n < 3 ; ++n)
 	{
-	unsigned char actual_ret[8];
-
-	FIPS_rand_method()->cleanup();
-	FIPS_set_prng_key(init_iv[n].key1,init_iv[n].key2); 
-	FIPS_rand_seed(init_iv[n].seed,8);
-	FIPS_test_mode(1,init_iv[n].dt);
-	if ((FIPS_rand_method()->bytes(actual_ret, 8) <=0) || (memcmp(actual_ret,expected_ret[n],sizeof actual_ret)))
-	    {
-    	    FIPS_test_mode(0,NULL);
-	    FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
-	    return 0;
-	    }
+	FIPS_rand_reset();
+	if (!FIPS_rand_test_mode())
+		{
+		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
+		return 0;
+		}
+	if (!fips_rand_test(aes_128_key,aes_128_tv)
+		|| !fips_rand_test(aes_192_key, aes_192_tv)
+		|| !fips_rand_test(aes_256_key, aes_256_tv))
+		{
+		FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
+		return 0;
+		}
+	FIPS_rand_reset();
+	return 1;
 	}
-    FIPS_test_mode(0,NULL);
-    return 1;
-    }

 #endif
--- a/fips-1.0/rand/fips_randtest.c
+++ b/fips-1.0/rand/fips_randtest.c
@@ -105,6 +105,7 @@

 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
 #include <openssl/err.h>
@@ -120,42 +121,63 @@ int main(int argc, char *argv[])

 #else

-/* some FIPS 140-1 random number test */
-/* some simple tests */
-
-static DES_cblock prng_key1={0x21,0x58,0x47,0xb7,0xc2,0x97,0x5a,0x8e};
-static DES_cblock prng_key2={0x61,0x23,0x05,0x96,0x18,0x91,0x86,0xac};
-static unsigned char prng_seed[8]={0x6b,0xa3,0x4f,0x07,0xe4,0x2a,0xb0,0xc};
-
 typedef struct
-    {
-    DES_cblock keys[2];
-    const unsigned char time[8];
-    const unsigned char seed[8];
-    const unsigned char block1[8];
-    const unsigned char block100[8];
-    } PRNGtest;
+	{
+	unsigned char DT[16];
+	unsigned char V[16];
+	unsigned char R[16];
+	} AES_PRNG_MCT;

-/* FIXME: these test vectors are made up! */
-static PRNGtest t1=
-    {
-    { { 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07 },
-      { 0x08,0x09,0x0a,0x0b,0x0c,0x0d,0x0e,0x0f },
-    },
-    { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
-    { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
-    { 0x33,0xc3,0xdf,0xfe,0x60,0x60,0x49,0x9e },
-    { 0xcd,0x2b,0x41,0xaf,0x80,0x51,0x37,0xd8 }
-    };
-static PRNGtest t2=
-    {
-    { { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
-      { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff } },
-    { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
-    { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff },
-    { 0x65,0xf1,0xa4,0x07,0x42,0x38,0xd5,0x25 },
-    { 0xbb,0x75,0x84,0x20,0x7a,0x44,0xf0,0xa0 }
-    };
+static unsigned char aes_128_mct_key[16] =
+	{0x9f,0x5b,0x51,0x20,0x0b,0xf3,0x34,0xb5,
+	 0xd8,0x2b,0xe8,0xc3,0x72,0x55,0xc8,0x48};
+
+static AES_PRNG_MCT aes_128_mct_tv = {
+			/* DT */
+	{0x63,0x76,0xbb,0xe5,0x29,0x02,0xba,0x3b,
+	 0x67,0xc9,0x25,0xfa,0x70,0x1f,0x11,0xac},
+			/* V */
+	{0x57,0x2c,0x8e,0x76,0x87,0x26,0x47,0x97,
+	 0x7e,0x74,0xfb,0xdd,0xc4,0x95,0x01,0xd1},
+			/* R */
+	{0x48,0xe9,0xbd,0x0d,0x06,0xee,0x18,0xfb,
+	 0xe4,0x57,0x90,0xd5,0xc3,0xfc,0x9b,0x73}
+};
+
+static unsigned char aes_192_mct_key[24] =
+	{0xb7,0x6c,0x34,0xd1,0x09,0x67,0xab,0x73,
+	 0x4d,0x5a,0xd5,0x34,0x98,0x16,0x0b,0x91,
+	 0xbc,0x35,0x51,0x16,0x6b,0xae,0x93,0x8a};
+
+static AES_PRNG_MCT aes_192_mct_tv = {
+			/* DT */
+	{0x84,0xce,0x22,0x7d,0x91,0x5a,0xa3,0xc9,
+	 0x84,0x3c,0x0a,0xb3,0xa9,0x63,0x15,0x52},
+			/* V */
+	{0xb6,0xaf,0xe6,0x8f,0x99,0x9e,0x90,0x64,
+	 0xdd,0xc7,0x7a,0xc1,0xbb,0x90,0x3a,0x6d},
+			/* R */
+	{0xfc,0x85,0x60,0x9a,0x29,0x6f,0xef,0x21,
+	 0xdd,0x86,0x20,0x32,0x8a,0x29,0x6f,0x47}
+};
+
+static unsigned char aes_256_mct_key[32] =
+	{0x9b,0x05,0xc8,0x68,0xff,0x47,0xf8,0x3a,
+	 0xa6,0x3a,0xa8,0xcb,0x4e,0x71,0xb2,0xe0,
+	 0xb8,0x7e,0xf1,0x37,0xb6,0xb4,0xf6,0x6d,
+	 0x86,0x32,0xfc,0x1f,0x5e,0x1d,0x1e,0x50};
+
+static AES_PRNG_MCT aes_256_mct_tv = {
+			/* DT */
+	{0x31,0x6e,0x35,0x9a,0xb1,0x44,0xf0,0xee,
+	 0x62,0x6d,0x04,0x46,0xe0,0xa3,0x92,0x4c},
+			/* V */
+	{0x4f,0xcd,0xc1,0x87,0x82,0x1f,0x4d,0xa1,
+	 0x3e,0x0e,0x56,0x44,0x59,0xe8,0x83,0xca},
+			/* R */
+	{0xc8,0x87,0xc2,0x61,0x5b,0xd0,0xb9,0xe1,
+	 0xe7,0xf3,0x8b,0xd7,0x5b,0xd5,0xf1,0x8d}
+};

 static void dump(const unsigned char *b,int n)
    {
@@ -174,195 +196,49 @@ static void compare(const unsigned char *result,const unsigned char *expected,
 	if(result[i] != expected[i])
 	    {
 	    puts("Random test failed, got:");
-	    dump(result,8);
+	    dump(result,n);
 	    puts("\n               expected:");
-	    dump(expected,8);
+	    dump(expected,n);
 	    putchar('\n');
 	    EXIT(1);
 	    }
    }

-static void run_test(const PRNGtest *t)
+
+static void run_test(unsigned char *key, int keylen, AES_PRNG_MCT *tv)
    {
-    unsigned char buf[8];
-    int n;
-
-    FIPS_set_prng_key(t->keys[0],t->keys[1]);
-    FIPS_test_mode(1,t->time);
-    RAND_seed(t->seed,sizeof t->seed);
-
-    if(RAND_bytes(buf,8) <= 0)
+    unsigned char buf[16], dt[16];
+    int i, j;
+    FIPS_rand_reset();
+    FIPS_rand_test_mode();
+    FIPS_rand_set_key(key, keylen);
+    FIPS_rand_seed(tv->V, 16);
+    memcpy(dt, tv->DT, 16);
+    for (i = 0; i < 10000; i++)
 	{
-	ERR_print_errors_fp(stderr);
-	EXIT(2);
+    	FIPS_rand_set_dt(dt);
+	FIPS_rand_bytes(buf, 16);
+	/* Increment DT */
+	for (j = 15; j >= 0; j--)
+		{
+		dt[j]++;
+		if (dt[j])
+			break;
+		}
 	}
-    compare(buf,t->block1,8);
-    for(n=0 ; n < 99 ; ++n)
-	if(RAND_bytes(buf,8) <= 0)
-	    {
-	    ERR_print_errors_fp(stderr);
-	    EXIT(2);
-	    }
-    compare(buf,t->block100,8);
-    FIPS_test_mode(0,NULL);
+
+    compare(buf,tv->R, 16);
    }

 int main()
 	{
-	unsigned char buf[2500];
-	int i,j,k,s,sign,nsign,err=0;
-	unsigned long n1;
-	unsigned long n2[16];
-	unsigned long runs[2][34];
-	/*double d; */
-	long d;
-
-	RAND_set_rand_method(FIPS_rand_method());
-
-	run_test(&t1);
-	run_test(&t2);
-
-	FIPS_set_prng_key(prng_key1,prng_key2);
-	RAND_seed(prng_seed,sizeof prng_seed);
-
-	i = RAND_pseudo_bytes(buf,2500);
-	if (i <= 0)
-		{
-		printf ("init failed, the rand method is not properly installed\n");
-		err++;
-		goto err;
-		}
-
-	n1=0;
-	for (i=0; i<16; i++) n2[i]=0;
-	for (i=0; i<34; i++) runs[0][i]=runs[1][i]=0;
-
-	/* test 1 and 2 */
-	sign=0;
-	nsign=0;
-	for (i=0; i<2500; i++)
-		{
-		j=buf[i];
-
-		n2[j&0x0f]++;
-		n2[(j>>4)&0x0f]++;
-
-		for (k=0; k<8; k++)
-			{
-			s=(j&0x01);
-			if (s == sign)
-				nsign++;
-			else
-				{
-				if (nsign > 34) nsign=34;
-				if (nsign != 0)
-					{
-					runs[sign][nsign-1]++;
-					if (nsign > 6)
-						runs[sign][5]++;
-					}
-				sign=s;
-				nsign=1;
-				}
-
-			if (s) n1++;
-			j>>=1;
-			}
-		}
-		if (nsign > 34) nsign=34;
-		if (nsign != 0) runs[sign][nsign-1]++;
-
-	/* test 1 */
-	if (!((9654 < n1) && (n1 < 10346)))
-		{
-		printf("test 1 failed, X=%lu\n",n1);
-		err++;
-		}
-	printf("test 1 done\n");
-
-	/* test 2 */
-#ifdef undef
-	d=0;
-	for (i=0; i<16; i++)
-		d+=n2[i]*n2[i];
-	d=d*16.0/5000.0-5000.0;
-	if (!((1.03 < d) && (d < 57.4)))
-		{
-		printf("test 2 failed, X=%.2f\n",d);
-		err++;
-		}
-#endif
-	d=0;
-	for (i=0; i<16; i++)
-		d+=n2[i]*n2[i];
-	d=(d*8)/25-500000;
-	if (!((103 < d) && (d < 5740)))
-		{
-		printf("test 2 failed, X=%ld.%02ld\n",d/100L,d%100L);
-		err++;
-		}
-	printf("test 2 done\n");
-
-	/* test 3 */
-	for (i=0; i<2; i++)
-		{
-		if (!((2267 < runs[i][0]) && (runs[i][0] < 2733)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,1,runs[i][0]);
-			err++;
-			}
-		if (!((1079 < runs[i][1]) && (runs[i][1] < 1421)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,2,runs[i][1]);
-			err++;
-			}
-		if (!(( 502 < runs[i][2]) && (runs[i][2] <  748)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,3,runs[i][2]);
-			err++;
-			}
-		if (!(( 223 < runs[i][3]) && (runs[i][3] <  402)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,4,runs[i][3]);
-			err++;
-			}
-		if (!((  90 < runs[i][4]) && (runs[i][4] <  223)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,5,runs[i][4]);
-			err++;
-			}
-		if (!((  90 < runs[i][5]) && (runs[i][5] <  223)))
-			{
-			printf("test 3 failed, bit=%d run=%d num=%lu\n",
-				i,6,runs[i][5]);
-			err++;
-			}
-		}
-	printf("test 3 done\n");
-	
-	/* test 4 */
-	if (runs[0][33] != 0)
-		{
-		printf("test 4 failed, bit=%d run=%d num=%lu\n",
-			0,34,runs[0][33]);
-		err++;
-		}
-	if (runs[1][33] != 0)
-		{
-		printf("test 4 failed, bit=%d run=%d num=%lu\n",
-			1,34,runs[1][33]);
-		err++;
-		}
-	printf("test 4 done\n");
- err:
-	err=((err)?1:0);
-	EXIT(err);
-	return(err);
+	run_test(aes_128_mct_key, 16, &aes_128_mct_tv);
+	printf("FIPS PRNG test 1 done\n");
+	run_test(aes_192_mct_key, 24, &aes_192_mct_tv);
+	printf("FIPS PRNG test 2 done\n");
+	run_test(aes_256_mct_key, 32, &aes_256_mct_tv);
+	printf("FIPS PRNG test 3 done\n");
+	return 0;
 	}

 #endif
--- a/fips-1.0/rand/fips_rngvs.c
+++ b/fips-1.0/rand/fips_rngvs.c
@@ -24,6 +24,7 @@ int main()
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/fips_rand.h>
+#include <openssl/x509v3.h>
 #include <string.h>
 #include <ctype.h>

@@ -134,55 +135,161 @@ void pv(const char *tag,const unsigned char *val,int len)

 void vst()
    {
-    unsigned char key1[8];
-    unsigned char key2[8];
-    unsigned char v[8];
-    unsigned char dt[8];
-    unsigned char ret[8];
+    unsigned char *key;
+    unsigned char *v;
+    unsigned char *dt;
+    unsigned char ret[16];
    char buf[1024];
    char lbuf[1024];
    char *keyword, *value;
-    int n;
+    long i, keylen;
+
+    keylen = 0;

    while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	fputs(buf,stdout);
+	if(!strncmp(buf,"[AES 128-Key]", 13))
+		keylen = 16;
+	else if(!strncmp(buf,"[AES 192-Key]", 13))
+		keylen = 24;
+	else if(!strncmp(buf,"[AES 256-Key]", 13))
+		keylen = 32;
 	if (!parse_line(&keyword, &value, lbuf, buf))
 		continue;
-	if(!strcmp(keyword,"Key1"))
+	if(!strcmp(keyword,"Key"))
 	    {
-	    n=hex2bin(value,key1);
-	    }
-	else if(!strcmp(keyword,"Key2"))
-	    {
-	    n=hex2bin(value,key2);
+	    key=string_to_hex(value,&i);
+	    if (i != keylen)
+		{
+		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
+		return;
+		}
 	    }
 	else if(!strcmp(keyword,"DT"))
 	    {
-	    n=hex2bin(value,dt);
+	    dt=string_to_hex(value,&i);
+	    if (i != 16)
+		{
+		fprintf(stderr, "Invalid DT length\n");
+		return;
+		}
 	    }
 	else if(!strcmp(keyword,"V"))
 	    {
-	    n=hex2bin(value,v);
+	    v=string_to_hex(value,&i);
+	    if (i != 16)
+		{
+		fprintf(stderr, "Invalid V length\n");
+		return;
+		}

-	    FIPS_rand_method()->cleanup();
-	    FIPS_set_prng_key(key1,key2);
-	    FIPS_rand_seed(v,8);
-	    FIPS_test_mode(1,dt);
-	    if (FIPS_rand_method()->bytes(ret,8) <= 0)
-	        {
-	        FIPS_test_mode(0,NULL);
-	        FIPSerr(FIPS_F_FIPS_SELFTEST_RNG,FIPS_R_SELFTEST_FAILED);
+	    if (!key || !dt)
+		{
+		fprintf(stderr, "Missing key or DT\n");
+		return;
+		}
+
+	    FIPS_rand_set_key(key, keylen);
+	    FIPS_rand_seed(v,16);
+	    FIPS_rand_set_dt(dt);
+	    if (FIPS_rand_bytes(ret,16) <= 0)
+		{
+		fprintf(stderr, "Error getting PRNG value\n");
 	        return;
 	        }

-	    pv("R",ret,8);
+	    pv("R",ret,16);
+	    putc('\n',stdout);
+	    }
+	}
+    }
+
+void mct()
+    {
+    unsigned char *key;
+    unsigned char *v;
+    unsigned char *dt;
+    unsigned char ret[16];
+    char buf[1024];
+    char lbuf[1024];
+    char *keyword, *value;
+    long i, keylen;
+    int j;
+
+    keylen = 0;
+
+    while(fgets(buf,sizeof buf,stdin) != NULL)
+	{
+	fputs(buf,stdout);
+	if(!strncmp(buf,"[AES 128-Key]", 13))
+		keylen = 16;
+	else if(!strncmp(buf,"[AES 192-Key]", 13))
+		keylen = 24;
+	else if(!strncmp(buf,"[AES 256-Key]", 13))
+		keylen = 32;
+	if (!parse_line(&keyword, &value, lbuf, buf))
+		continue;
+	if(!strcmp(keyword,"Key"))
+	    {
+	    key=string_to_hex(value,&i);
+	    if (i != keylen)
+		{
+		fprintf(stderr, "Invalid key length, expecting %ld\n", keylen);
+		return;
+		}
+	    }
+	else if(!strcmp(keyword,"DT"))
+	    {
+	    dt=string_to_hex(value,&i);
+	    if (i != 16)
+		{
+		fprintf(stderr, "Invalid DT length\n");
+		return;
+		}
+	    }
+	else if(!strcmp(keyword,"V"))
+	    {
+	    v=string_to_hex(value,&i);
+	    if (i != 16)
+		{
+		fprintf(stderr, "Invalid V length\n");
+		return;
+		}
+
+	    if (!key || !dt)
+		{
+		fprintf(stderr, "Missing key or DT\n");
+		return;
+		}
+
+	    FIPS_rand_set_key(key, keylen);
+	    FIPS_rand_seed(v,16);
+	    for (i = 0; i < 10000; i++)
+		{
+		    FIPS_rand_set_dt(dt);
+		    if (FIPS_rand_bytes(ret,16) <= 0)
+			{
+			fprintf(stderr, "Error getting PRNG value\n");
+		        return;
+		        }
+		    /* Increment DT */
+		    for (j = 15; j >= 0; j--)
+			{
+			dt[j]++;
+			if (dt[j])
+				break;
+			}
+		}
+
+	    pv("R",ret,16);
 	    putc('\n',stdout);
 	    }
 	}
    }


+#if 0
 void mct()
    {
    unsigned char key1[8];
@@ -199,6 +306,12 @@ void mct()
    BIGNUM *pbn;
    bn = BN_new();

+    if (FIPS_rand_reset() && !FIPS_rand_test_mode())
+	{
+	fprintf(stderr, Error setting PRNG test mode\n");
+	return;
+	}
+
    while(fgets(buf,sizeof buf,stdin) != NULL)
 	{
 	fputs(buf,stdout);
@@ -244,6 +357,7 @@ void mct()
 	}
    BN_free(bn);
    }
+#endif

 int main(int argc,char **argv)
    {
@@ -257,6 +371,13 @@ int main(int argc,char **argv)
 	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 	exit(1);
 	}
+    FIPS_rand_reset();
+    if (!FIPS_rand_test_mode())
+	{
+	fprintf(stderr, "Error setting PRNG test mode\n");
+	ERR_print_errors_fp(stderr);
+	exit(1);
+	}
    if(!strcmp(argv[1],"mct"))
 	mct();
    else if(!strcmp(argv[1],"vst"))
--- a/fips-1.0/rsa/Makefile
+++ b/fips-1.0/rsa/Makefile
@@ -22,8 +22,10 @@ TEST= fips_rsavtest.c fips_rsastest.c fips_rsagtest.c
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c
-LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o
+LIBSRC=fips_rsa_eay.c fips_rsa_gen.c fips_rsa_selftest.c fips_rsa_x931g.c \
+	fips_rsa_sign.c
+LIBOBJ=fips_rsa_eay.o fips_rsa_gen.o fips_rsa_selftest.o fips_rsa_x931g.o \
+	fips_rsa_sign.o

 SRC= $(LIBSRC)

@@ -124,6 +126,27 @@ fips_rsa_selftest.o: ../../include/openssl/rsa.h
 fips_rsa_selftest.o: ../../include/openssl/safestack.h
 fips_rsa_selftest.o: ../../include/openssl/stack.h
 fips_rsa_selftest.o: ../../include/openssl/symhacks.h fips_rsa_selftest.c
+fips_rsa_sign.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+fips_rsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+fips_rsa_sign.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+fips_rsa_sign.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fips_rsa_sign.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+fips_rsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+fips_rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+fips_rsa_sign.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+fips_rsa_sign.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+fips_rsa_sign.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+fips_rsa_sign.o: ../../include/openssl/obj_mac.h
+fips_rsa_sign.o: ../../include/openssl/objects.h
+fips_rsa_sign.o: ../../include/openssl/opensslconf.h
+fips_rsa_sign.o: ../../include/openssl/opensslv.h
+fips_rsa_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+fips_rsa_sign.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+fips_rsa_sign.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+fips_rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+fips_rsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+fips_rsa_sign.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+fips_rsa_sign.o: fips_rsa_sign.c
 fips_rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 fips_rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 fips_rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
--- a/fips-1.0/rsa/fips_rsa_sign.c
+++ b/fips-1.0/rsa/fips_rsa_sign.c
@@ -0,0 +1,231 @@
+/* fips_rsa_sign.c */
+/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+ * project 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/err.h>
+
+/* FIPS versions of RSA_sign() and RSA_verify().
+ * These will only have to deal with SHA* signatures and by including
+ * pregenerated encodings all ASN1 dependencies can be avoided
+ */
+
+static const unsigned char sha1_bin[] = {
+  0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05,
+  0x00, 0x04, 0x14
+};
+
+static const unsigned char sha224_bin[] = {
+  0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+  0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c
+};
+
+static const unsigned char sha256_bin[] = {
+  0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+  0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
+};
+
+static const unsigned char sha384_bin[] = {
+  0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+  0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30
+};
+
+static const unsigned char sha512_bin[] = {
+  0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+  0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40
+};
+
+
+static const unsigned char *fips_digestinfo_encoding(int nid, unsigned int *len)
+	{
+	switch (nid)
+		{
+
+		case NID_sha1:
+		*len = sizeof(sha1_bin);
+		return sha1_bin;
+
+		case NID_sha224:
+		*len = sizeof(sha224_bin);
+		return sha224_bin;
+
+		case NID_sha256:
+		*len = sizeof(sha256_bin);
+		return sha256_bin;
+
+		case NID_sha384:
+		*len = sizeof(sha384_bin);
+		return sha384_bin;
+
+		case NID_sha512:
+		*len = sizeof(sha512_bin);
+		return sha512_bin;
+
+		default:
+		return NULL;
+
+		}
+	}
+
+int FIPS_rsa_sign(int type, const unsigned char *m, unsigned int m_len,
+	     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
+	{
+	int i,j,ret=1;
+	unsigned int dlen;
+	const unsigned char *der;
+	/* Largest DigestInfo: 19 (max encoding) + max MD */
+	unsigned char tmpdinfo[19 + EVP_MAX_MD_SIZE];
+	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign)
+		{
+		return rsa->meth->rsa_sign(type, m, m_len,
+			sigret, siglen, rsa);
+		}
+
+	if(m_len > EVP_MAX_MD_SIZE)
+		{
+		RSAerr(RSA_F_RSA_SIGN,RSA_R_INVALID_MESSAGE_LENGTH);
+		return 0;
+		}
+
+	der = fips_digestinfo_encoding(type, &dlen);
+	
+	if (!der)
+		{
+		RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
+		return(0);
+		}
+	memcpy(tmpdinfo, der, dlen);
+	memcpy(tmpdinfo + dlen, m, m_len);
+
+	i = dlen + m_len;
+
+	j=RSA_size(rsa);
+	if (i > (j-RSA_PKCS1_PADDING_SIZE))
+		{
+		RSAerr(RSA_F_RSA_SIGN,RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY);
+		return(0);
+		}
+	j=RSA_private_encrypt(i,tmpdinfo,sigret,rsa,RSA_PKCS1_PADDING);
+	if (j <= 0)
+		ret=0;
+	else
+		*siglen=j;
+
+	OPENSSL_cleanse(tmpdinfo,i);
+	return(ret);
+	}
+
+int FIPS_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len,
+	     unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
+	{
+	int i,ret=0;
+	unsigned int dlen;
+	unsigned char *s;
+	const unsigned char *der;
+
+	if (siglen != (unsigned int)RSA_size(rsa))
+		{
+		RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
+		return(0);
+		}
+
+	if((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify)
+		{
+		return rsa->meth->rsa_verify(dtype, m, m_len,
+			sigbuf, siglen, rsa);
+		}
+
+	s= OPENSSL_malloc((unsigned int)siglen);
+	if (s == NULL)
+		{
+		RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
+		goto err;
+		}
+
+	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+
+	if (i <= 0) goto err;
+
+	der = fips_digestinfo_encoding(dtype, &dlen);
+	
+	if (!der)
+		{
+		RSAerr(RSA_F_RSA_SIGN,RSA_R_UNKNOWN_ALGORITHM_TYPE);
+		return(0);
+		}
+
+	/* Compare, DigestInfo length, DigestInfo header and finally
+	 * digest value itself
+	 */
+	if ((i != (int)(dlen + m_len)) || memcmp(der, s, dlen)
+		|| memcmp(s + dlen, m, m_len))
+		{
+		RSAerr(RSA_F_RSA_VERIFY,RSA_R_BAD_SIGNATURE);
+		goto err;
+		}
+	else
+		ret = 1;
+err:
+	if (s != NULL)
+		{
+		OPENSSL_cleanse(s, siglen);
+		OPENSSL_free(s);
+		}
+	return(ret);
+	}
--- a/fips-1.0/sha/Makefile
+++ b/fips-1.0/sha/Makefile
@@ -38,7 +38,7 @@ HEADER=	$(EXHEADER) fips_sha_locl.h fips_md32_common.h
 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
-	(cd $(TOP); $(MAKE) DIRS=fips SDIRS=$(DIR) sub_all)
+	(cd $(TOP); $(MAKE) DIRS=fips-1.0 SDIRS=$(DIR) sub_all)

 all:	fips_standalone_sha1$(EXE_EXT) lib

--- a/makevms.com
+++ b/makevms.com
@@ -307,12 +307,7 @@ $   WRITE H_FILE "#define THIRTY_TWO_BIT"
 $   WRITE H_FILE "#undef SIXTEEN_BIT"
 $   WRITE H_FILE "#undef EIGHT_BIT"
 $   WRITE H_FILE "#endif"
-$!
-$   WRITE H_FILE "#if defined(HEADER_SHA_H)"
-$   WRITE H_FILE "#undef OPENSSL_NO_SHA512"
-$   WRITE H_FILE "#define OPENSSL_NO_SHA512"
-$   WRITE H_FILE "#endif"
-$!
+$
 $   WRITE H_FILE "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION"
 $   WRITE H_FILE "#define OPENSSL_EXPORT_VAR_AS_FUNCTION"
 $!
--- a/openssl.spec
+++ b/openssl.spec
@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 7
-%define librev n
+%define librev l
 Release: 1

 %define openssldir /var/ssl
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1169,6 +1169,7 @@ int SSL_set_cipher_list(SSL *s,const char *str)
 char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 	{
 	char *p;
+	const char *cp;
 	STACK_OF(SSL_CIPHER) *sk;
 	SSL_CIPHER *c;
 	int i;
@@ -1181,21 +1182,20 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
 	sk=s->session->ciphers;
 	for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 		{
-		int n;
-
+		/* Decrement for either the ':' or a '\0' */
+		len--;
 		c=sk_SSL_CIPHER_value(sk,i);
-		n=strlen(c->name);
-		if (n+1 > len)
+		for (cp=c->name; *cp; )
 			{
-			if (p != buf)
-				--p;
-			*p='\0';
-			return buf;
+			if (len-- <= 0)
+				{
+				*p='\0';
+				return(buf);
+				}
+			else
+				*(p++)= *(cp++);
 			}
-		strcpy(p,c->name);
-		p+=n;
 		*(p++)=':';
-		len-=n+1;
 		}
 	p[-1]='\0';
 	return(buf);
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -322,35 +322,33 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len)

 	/* Now ret is non-NULL, and we own one of its reference counts. */

-	if (ret->sid_ctx_length != s->sid_ctx_length
-	    || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length))
-		{
+	if((s->verify_mode&SSL_VERIFY_PEER)
+	   && (!s->sid_ctx_length || ret->sid_ctx_length != s->sid_ctx_length
+	       || memcmp(ret->sid_ctx,s->sid_ctx,ret->sid_ctx_length)))
+	    {
 		/* We've found the session named by the client, but we don't
 		 * want to use it in this context. */
-
-#if 0 /* The client cannot always know when a session is not appropriate,
-       * so we shouldn't generate an error message. */
-
-		SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
-#endif
-		goto err; /* treat like cache miss */
-		}
-	
-	if((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0)
-		{
-		/* We can't be sure if this session is being used out of
-		 * context, which is especially important for SSL_VERIFY_PEER.
-		 * The application should have used SSL[_CTX]_set_session_id_context.
-		 *
-		 * For this error case, we generate an error instead of treating
-		 * the event like a cache miss (otherwise it would be easy for
-		 * applications to effectively disable the session cache by
-		 * accident without anyone noticing).
-		 */
 		
-		SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
-		fatal = 1;
-		goto err;
+		if (s->sid_ctx_length == 0)
+			{
+			/* application should have used SSL[_CTX]_set_session_id_context
+			 * -- we could tolerate this and just pretend we never heard
+			 * of this session, but then applications could effectively
+			 * disable the session cache by accident without anyone noticing */
+
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED);
+			fatal = 1;
+			goto err;
+			}
+		else
+			{
+#if 0 /* The client cannot always know when a session is not appropriate,
+	   * so we shouldn't generate an error message. */
+
+			SSLerr(SSL_F_SSL_GET_PREV_SESSION,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+#endif
+			goto err; /* treat like cache miss */
+			}
 		}

 	if (ret->cipher == NULL)
--- a/test/Makefile
+++ b/test/Makefile
@@ -342,12 +342,18 @@ STANDALONE_BUILD_CMD=SHARED_LIBS="$(SHARED_LIBS)"; \
 	fi; \
 	if [ -z "$$SHARED_LIBS" ]; then \
 		set -x; $${CC:-$(CC)} -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
-	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
-		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) ; \
+	else	set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH ; \
+		if [ "$(FIPSCANLIB)" = "libfips" ]; then \
+			fipsexlib="-lfips" ; \
+		else \
+			fipsexlib="-lcrypto" ; \
+		fi ; \
+		$(CC) -o $$target$(EXE_EXT) $(CFLAGS) $$target.o $(PEX_LIBS) $(LIBKRB5) $(EX_LIBS) -L.. $$fipsexlib ; \
 	fi

 FIPS_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
+	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; FIPSLD_NPT="y" \
+	  export CC FIPSLD_CC FIPSLD_NPT ; \
 	fi; $(STANDALONE_BUILD_CMD)

 FIPS_CRYPTO_BUILD_CMD=if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
--- a/util/clean-depend.pl
+++ b/util/clean-depend.pl
@@ -37,10 +37,6 @@ foreach $file (sort keys %files) {
    $file=~s/^\.\///;
    push @{$files{$file}},$origfile;
    my $prevdep="";
-
-    # Remove leading ./ before sorting
-    my @deps = map { $_ =~ s/^\.\///; $_ } @{$files{$file}};
-
    foreach $dep (sort @{$files{$file}}) {
 	$dep=~s/^\.\///;
 	next if $prevdep eq $dep; # to exterminate duplicates...
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -1330,7 +1330,6 @@ i2d_PBE2PARAM                           1401	EXIST::FUNCTION:
 PBE2PARAM_new                           1402	EXIST::FUNCTION:
 d2i_PBE2PARAM                           1403	EXIST::FUNCTION:
 PBE2PARAM_free                          1404	EXIST::FUNCTION:
-EVP_add_alg_module                      1405	EXIST::FUNCTION:
 d2i_ASN1_SET_OF_GENERAL_NAME            1421	NOEXIST::FUNCTION:
 i2d_ASN1_SET_OF_GENERAL_NAME            1422	NOEXIST::FUNCTION:
 d2i_ASN1_SET_OF_SXNETID                 1439	NOEXIST::FUNCTION:
@@ -2906,3 +2905,5 @@ SHA384_Init                             3737	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA
 SHA384_Final                            3740	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
 SHA384                                  3745	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA512
 SHA256_Update                           3765	EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA256
+FIPS_rsa_sign                           3766	EXIST:OPENSSL_FIPS:FUNCTION:RSA
+FIPS_rsa_verify                         3767	EXIST:OPENSSL_FIPS:FUNCTION:RSA
--- a/util/mk1mf.pl
+++ b/util/mk1mf.pl
@@ -19,6 +19,7 @@ my $fips_premain_c_path = "";
 my $fips_sha1_exe_path = "";

 local $fipscanisterbuild = 0;
+local $fipsdso = 0;

 my $fipslibdir = "";
 my $baseaddr = "";
@@ -450,6 +451,8 @@ if ($fips_premain_dso_exe_path eq "")

 #	$ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);

+$ex_l_libs .= " \$(L_FIPS)" if $fipsdso;
+
 if ($fips)
 	{
 	if (!$shlib)
@@ -587,6 +590,7 @@ PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
 E_EXE=openssl
 SSL=$ssl
 CRYPTO=$crypto
+LIBFIPS=libfips

 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
@@ -605,10 +609,12 @@ INCL_D=\$(TMP_D)

 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
+O_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$shlibp
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
+L_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$libp

 L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs

@@ -841,10 +847,24 @@ if ($fips)
 	{
 	if ($shlib)
 		{
-		$rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
-			"\$(O_CRYPTO)",
-			"$crypto",
-			$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+		if ($fipsdso)
+			{
+			$rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+					"\$(O_CRYPTO)", "$crypto",
+					$shlib, "", "");
+			$rules.= &do_lib_rule(
+				"\$(O_FIPSCANISTER)",
+				"\$(O_FIPS)", "libfips",
+				$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+			$rules.= &do_sdef_rule();
+			}
+		else
+			{
+			$rules.= &do_lib_rule(
+				"\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+				"\$(O_CRYPTO)", "$crypto",
+				$shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+			}
 		}
 	else
 		{
@@ -1184,10 +1204,17 @@ sub read_options
 				}
 			}
 		}
-	elsif (/^--fipscanisterbuild$/)
+	elsif (/^fipscanisterbuild$/)
 		{
+		$fips=1;
 		$fipscanisterbuild=1;
 		}
+	elsif (/^fipsdso$/)
+		{
+		$fips=1;
+		$fipscanisterbuild=1;
+		$fipsdso=1;
+		}
 	elsif (/^([^=]*)=(.*)$/){ $VARS{$1}=$2; }
 	elsif (/^-[lL].*$/)	{ $l_flags.="$_ "; }
 	elsif ((!/^-help/) && (!/^-h/) && (!/^-\?/) && /^-.*$/)
@@ -1223,3 +1250,4 @@ sub fips_check_files
 		}
 	fipslib_error() if ($ret == 0);
 	}
+
--- a/util/mkdef.pl
+++ b/util/mkdef.pl
@@ -130,7 +130,7 @@ foreach (@ARGV, split(/ /, $options))
 	}
 	$VMS=1 if $_ eq "VMS";
 	$OS2=1 if $_ eq "OS2";
-	$fips=1 if $_ eq "fips";
+	$fips=1 if /^fips/;

 	$do_ssl=1 if $_ eq "ssleay";
 	if ($_ eq "ssl") {
--- a/util/mkerr.pl
+++ b/util/mkerr.pl
@@ -266,7 +266,7 @@ foreach $lib (keys %csrc)
 	} else {
 	    push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2007 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2005 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -422,7 +422,7 @@ EOF
 	print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/util/mksdef.pl
+++ b/util/mksdef.pl
@@ -0,0 +1,85 @@
+
+# Perl script to split libeay32.def into two distinct DEF files for use in
+# fipdso mode. It works out symbols in each case by running "link" command and
+# parsing the output to find the list of missing symbols then splitting
+# libeay32.def based on the result.
+
+
+# Get list of unknown symbols
+
+my @deferr = `link @ARGV`;
+
+my $preamble = "";
+my @fipsdll;
+my @fipsrest;
+my %nosym;
+
+# Add symbols to a hash for easy lookup
+
+foreach (@deferr)
+	{
+	if (/^.*symbol (\S+)$/)
+		{
+		$nosym{$1} = 1;
+		}
+	}
+
+open (IN, "ms/libeay32.def") || die "Can't Open DEF file for splittling";
+
+my $started = 0;
+
+# Parse libeay32.def into two arrays depending on whether the symbol matches
+# the missing list.
+
+
+foreach (<IN>)
+	{
+	if (/^\s*(\S+)\s*\@/)
+		{
+		$started = 1;
+		if (exists $nosym{$1})
+			{
+			push @fipsrest, $_;
+			}
+		else
+			{
+			push @fipsdll, "\t$1\n";
+			}
+		}
+	$preamble .= $_ unless $started;
+	}
+
+close IN;
+
+# Hack! Add some additional exports needed to libcryptofips.dll
+#
+
+push @fipsdll, "\tengine_table_unregister\n";
+push @fipsdll, "\tengine_table_register\n";
+push @fipsdll, "\tengine_table_cleanup\n";
+push @fipsdll, "\tengine_table_select\n";
+push @fipsdll, "\tengine_set_all_null\n";
+
+# Write out DEF files for each array
+
+write_def("ms/libfips.def", "LIBFIPS", $preamble, \@fipsdll);
+write_def("ms/libcryptofips.def", "LIBCRYPTOFIPS", $preamble, \@fipsrest);
+
+
+sub write_def
+	{
+	my ($fnam, $defname, $preamble, $rdefs) = @_;
+	open (OUT, ">$fnam") || die "Can't Open DEF file $fnam for Writing\n";
+
+	$preamble =~ s/LIBEAY32/$defname/g;
+	$preamble =~ s/LIBEAY/$defname/g;
+
+	print OUT $preamble;
+	foreach (@$rdefs)
+		{
+		print OUT $_;
+		}
+	close OUT;
+	}
+
+
--- a/util/pl/VC-32.pl
+++ b/util/pl/VC-32.pl
@@ -13,7 +13,14 @@ if ($fips && !$shlib)
 	}
 else
 	{
-	$crypto="libeay32";
+	if ($fipsdso) 
+		{
+		$crypto="libcryptofips";
+		}
+	else
+		{
+		$crypto="libeay32";
+		}
 	}

 $o='\\';
@@ -25,6 +32,8 @@ $zlib_lib="zlib1.lib";
 # C compiler stuff
 $cc='cl';
 $cflags=' /MD /W3 /WX /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
+$cflags.=' -D_CRT_SECURE_NO_DEPRECATE';		# shut up VC8
+$cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';	# shut up VC8
 $lflags="/nologo /subsystem:console /machine:I386 /opt:ref";
 $mlflags='';

@@ -38,8 +47,6 @@ if ($debug)
 	$lflags.=" /debug";
 	$mlflags.=' /debug';
 	}
-$cflags .= ' -D_CRT_SECURE_NO_DEPRECATE';	# shut up VC8
-$cflags .= ' -D_CRT_NONSTDC_NO_DEPRECATE';	# shut up VC8
 $cflags .= " -DOPENSSL_SYSNAME_WINNT" if $NT == 1;

 $obj='.obj';
@@ -119,6 +126,7 @@ sub do_lib_rule
 	local($objs,$target,$name,$shlib,$ign,$base_addr) = @_;
 	local($ret,$Name);

+
 	$taget =~ s/\//$o/g if $o ne '/';
 	($Name=$name) =~ tr/a-z/A-Z/;
 	my $base_arg;
@@ -143,14 +151,29 @@ sub do_lib_rule
 		}
 	else
 		{
-		local($ex)=($target =~ /O_SSL/)?' $(L_CRYPTO)':'';
+		my $ex = "";		
+		if ($target =~ /O_SSL/)
+			{
+			$ex .= " \$(L_CRYPTO)";
+			$ex .= " \$(L_FIPS)" if $fipsdso;
+			}
+		my $fipstarget;
+		if ($fipsdso)
+			{
+			$fipstarget = "O_FIPS";
+			}
+		else
+			{
+			$fipstarget = "O_CRYPTO";
+			}
 		$ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
 		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
- 		if ($fips && $target =~ /O_CRYPTO/)
+ 		if ($fips && $target =~ /$fipstarget/)
 			{
 			$ex.= $mwex unless $fipscanisterbuild;
-			$ret.="$target: $objs \$(PREMAIN_DSO_EXE)\n";
-			$ret.="\tSET FIPS_LINK=\$(LINK)\n";
+			$ret.="$target: $objs \$(PREMAIN_DSO_EXE)";
+			$ret.=" ms/libfips.def" if $fipsdso;
+			$ret.="\n\tSET FIPS_LINK=\$(LINK)\n";
 			$ret.="\tSET FIPS_CC=\$(CC)\n";
 			$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
 			$ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
@@ -163,8 +186,13 @@ sub do_lib_rule
 			}
 		else
 			{
-			$ret.="$target: $objs\n";
-			$ret.="\t\$(LINK) \$(MLFLAGS) $base_arg $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+			$ret.="$target: $objs";
+			if ($target =~ /O_CRYPTO/ && $fipsdso)
+				{
+				$ret .= " \$(O_FIPS)";
+				$ex .= " \$(L_FIPS)";
+				}
+			$ret.="\n\t\$(LINK) \$(MLFLAGS) $efile$target /def:ms/${Name}.def @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
 			}
 		}
 	$ret.="\n";
@@ -173,7 +201,7 @@ sub do_lib_rule

 sub do_link_rule
 	{
-	local($target,$files,$dep_libs,$libs,$standalone)=@_;
+	my($target,$files,$dep_libs,$libs,$standalone)=@_;
 	local($ret,$_);
 	$file =~ s/\//$o/g if $o ne '/';
 	$n=&bname($targer);
@@ -216,11 +244,19 @@ sub do_rlink_rule
 	$ret.="\t\$(MKCANISTER) $target <<\n";
 	$ret.="INPUT($files)\n<<\n";
 	$ret.="\t\$(FIPS_SHA1_EXE) $target > ${target}.sha1\n";
-	$ret.="\tperl util${o}copy.pl -stripcr fips-1.0${o}fips_premain.c \$(LIB_D)${o}fips_premain.c\n";
+	$ret.="\t\$(PERL) util${o}copy.pl -stripcr fips-1.0${o}fips_premain.c \$(LIB_D)${o}fips_premain.c\n";
 	$ret.="\t\$(CP) fips-1.0${o}fips_premain.c.sha1 \$(LIB_D)${o}fips_premain.c.sha1\n";
 	$ret.="\n";
 	return($ret);
 	}

+sub do_sdef_rule
+	{
+	my $ret = "ms/libfips.def: \$(O_FIPSCANISTER)\n";
+	$ret.="\t\$(PERL) util/mksdef.pl \$(MLFLAGS) /out:dummy.dll /def:ms/libeay32.def @<<\n  \$(O_FIPSCANISTER)\n<<\n";
+	$ret.="\n";
+	return $ret;
+	}
+

 1;
Author	SHA1	Message	Date
Dr. Stephen Henson	7e9826109c	Avoid use of "echo -n" some platforms don't support it.	2007-02-23 20:14:21 +00:00
Dr. Stephen Henson	79f67018b0	Update from 0.9.7-stable	2007-02-23 20:13:40 +00:00
Dr. Stephen Henson	090f0f3d0c	Fix from 0.9.7-stable	2007-02-23 00:37:25 +00:00
Dr. Stephen Henson	e29f1da219	Fix from stable branch.	2007-02-22 13:26:44 +00:00
Dr. Stephen Henson	89b439fbf4	Update from 0.9.7-stable.	2007-02-21 18:17:19 +00:00
Dr. Stephen Henson	7e92432b39	Replace FIPS PRNG with AES version.	2007-02-21 16:57:35 +00:00
Dr. Stephen Henson	28def5dc99	Fix to Win32 build system.	2007-02-21 16:53:55 +00:00
Dr. Stephen Henson	e3435a51f7	Include changes from 0.9.7-stable.	2007-02-21 13:50:22 +00:00
Dr. Stephen Henson	91588bbb6e	FIPS error codes are in fips_err.h not fips_err.c	2007-02-14 13:15:58 +00:00
Dr. Stephen Henson	a8a7887ee2	Typo.	2007-02-11 00:53:39 +00:00
Dr. Stephen Henson	c9e912599f	FIPSLD_NPT environment variable to disable pass-thru when building standalone utilities.	2007-02-11 00:51:58 +00:00
Dr. Stephen Henson	53ddf0cc10	FIPS portability patches. Submitted by: Brad House <brad@mainstreetsoftworks.com>	2007-02-05 18:42:12 +00:00
Dr. Stephen Henson	43df8ea9d8	Update .cvsignore	2007-02-03 17:39:14 +00:00
Dr. Stephen Henson	7fa5c5a9f6	Update dependencies.	2007-02-03 17:38:31 +00:00
Dr. Stephen Henson	16fc2d25d3	Constification.	2007-02-03 17:30:41 +00:00
Dr. Stephen Henson	ca36b0969a	Remove all error string tables out of fipscanister.o, reorganise ERR and SYS error code files to achieve this.	2007-02-03 17:19:43 +00:00
Dr. Stephen Henson	913236a4f8	Fix paths for --onedir and Unix.	2007-02-03 13:43:53 +00:00
Dr. Stephen Henson	c6292a2636	Stop missing directory error messages on Win32.	2007-01-29 00:31:22 +00:00
Dr. Stephen Henson	1d7cec1013	More options to allow directory locations to be specified in mkfipsscr.pl script. Make AES/DES algorithm test programs handle Win32 path separator. Switch off verbose mode in AES test program.	2007-01-29 00:21:08 +00:00
Dr. Stephen Henson	385075063e	Preliminary VC++ build changes to support fipsdso. New perl script nksdef.pl to work out how to split the DEF file between the two DLLs based on which symbols the linker complains about (!).	2007-01-27 13:19:42 +00:00
Dr. Stephen Henson	f47f786fe9	Use $(PERL) not perl in Win32 Makefile	2007-01-26 17:01:47 +00:00
Dr. Stephen Henson	fa57af81a1	Make WIN32 build work with fipscanisterbuild option. Update ordinals and fix warning.	2007-01-26 14:25:30 +00:00
Dr. Stephen Henson	5ae2774b89	Use correct shared lib name in fips-1.0	2007-01-26 00:39:55 +00:00
Dr. Stephen Henson	89d18a93bf	Typo.	2007-01-26 00:13:45 +00:00
Dr. Stephen Henson	f1c2ab35db	Fix to make install works in all configurations.	2007-01-25 22:39:08 +00:00
Dr. Stephen Henson	7506ac8d25	Make install option work in fipdso (maybe!).	2007-01-25 22:05:52 +00:00
Dr. Stephen Henson	a98be6cfc2	Create libfips.a if needed.	2007-01-25 21:38:04 +00:00
Dr. Stephen Henson	613f1c7e91	Fixes to build system to cleanly handle fipsdso	2007-01-25 21:29:07 +00:00
Dr. Stephen Henson	9c823a2ab4	Add missing definition for ARD	2007-01-25 18:56:19 +00:00
Dr. Stephen Henson	77116a52d9	Update .cvsignore	2007-01-25 18:49:54 +00:00
Dr. Stephen Henson	af10d72e10	New build option fipsdso	2007-01-25 18:47:19 +00:00
Dr. Stephen Henson	8e664b2055	Remove ASN1 library (and other) dependencies from fipscanister.o	2007-01-24 13:00:15 +00:00
Dr. Stephen Henson	d02dab1b32	Update version for FIPS2 branch.	2007-01-24 12:42:20 +00:00
cvs2svn	19b4199dd7	This commit was manufactured by cvs2svn to create branch 'OpenSSL- fips2-0_9_7-stable'.	2007-01-23 18:25:02 +00:00