Another stupid diff.

FIPS depends on object, so crypto must be built before fips.
Don't assume diff is any good.
2003-10-08 13:12:50 +00:00 · 2003-10-08 10:18:02 +00:00 · 2003-10-07 10:55:36 +00:00 · 2003-10-05 22:22:15 +00:00 · 2003-10-04 14:11:45 +00:00 · 2003-10-02 10:55:25 +00:00
541 changed files with 80327 additions and 2405 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -14,3 +14,4 @@ cctest.c
 cctest.a
 libcrypto.so.*
 libssl.so.*
+libcrypto.sha1
--- a/44
+++ b/44
@@ -2,7 +2,32 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7b and 0.9.7c  [xx XXX 2003]
+ Changes between 0.9.7c and 0.9.7d  [xx XXX XXXX]
+
+  *)
+
+ Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) New -ignore_err option in ocsp application to stop the server
+     exiting on the first error in a request.
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]

  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
@@ -1971,7 +1996,22 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

- Changes between 0.9.6j and 0.9.6k  [xx XXX 2003]
+ Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]

  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
--- a/32
+++ b/32
@@ -10,7 +10,7 @@ use strict;

 # see INSTALL for instructions.

-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [fips] [debug] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";

 # Options:
 #
@@ -135,12 +135,11 @@ my %table=(
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
 "debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
-"debug-ben-fips","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
@@ -562,6 +561,8 @@ my %table=(
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:",

 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
@@ -630,6 +631,8 @@ my $rmd160_obj="";
 my $processor="";
 my $default_ranlib;
 my $perl;
+my $fips=0;
+my $debug=0;

 my $no_ssl2=0;
 my $no_ssl3=0;
@@ -803,6 +806,15 @@ PROCESS_ARGS:
 			}
 		elsif (/^386$/)
 			{ $processor=386; }
+		elsif (/^fips$/)
+			{
+			$fips=1;
+			$openssl_other_defines.="#define OPENSSL_FIPS\n";
+		        }
+		elsif (/^debug$/)
+			{
+			$debug=1;
+			}
 		elsif (/^rsaref$/)
 			{
 			# No RSAref support any more since it's not needed.
@@ -1138,7 +1150,11 @@ if ($ranlib eq "")

 $bn_obj = $bn_asm unless $bn_obj ne "";

-$des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
+if ($fips)
+	{
+	$des_obj=$sha1_obj="";
+	}
+$des_obj=$des_enc	unless (!$fips && $des_obj =~ /\.o$/);
 $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
@@ -1159,6 +1175,12 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}

+if ($debug)
+	{
+	$cflags.=" -g";
+	$cflags=~s/-fomit-frame-pointer//;
+	}
+
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
 $cflags =~ s/([\\\"])/\\\1/g;
--- a/2
+++ b/2
@@ -68,7 +68,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7b was released on April 10, 2003.
+OpenSSL 0.9.7c was released on September 30, 2003.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -225,7 +225,7 @@
 	$ md c:\openssl\lib
 	$ md c:\openssl\include
 	$ md c:\openssl\include\openssl
-	$ copy /b inc32\*               c:\openssl\include\openssl
+	$ copy /b inc32\openssl\*       c:\openssl\include\openssl
 	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
 	$ copy /b out32dll\libeay32.lib c:\openssl\lib
 	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
--- a/Makefile.org
+++ b/Makefile.org
@@ -173,7 +173,7 @@ LIBKRB5=
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=

-DIRS=   crypto fips ssl $(SHLIB_MARK) apps test tools
+DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
 SHLIBDIRS= fips crypto ssl

 # dirs in crypto to build
@@ -184,7 +184,7 @@ SDIRS=  objects \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

-FDIRS=	rand sha1 des aes dsa
+FDIRS=	sha1 rand des aes dsa rsa

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -222,11 +222,13 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage

-all: Makefile.ssl sub_all openssl.pc sigs
+all: Makefile.ssl sub_all openssl.pc

-sigs:
-	fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1
-	if [ "$(SHLIBEXT)" != "" ]; then fips/sha1/fips_standalone_sha1 libcrypto$(SHLIBEXT) >> libcrypto.sha1; fi
+sigs:	$(SIGS)
+libcrypto.sha1: libcrypto.a
+	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.sha1; \
+	fi

 sub_all:
 	@for i in $(DIRS); \
@@ -858,7 +860,7 @@ install: all install_docs
 		fi; \
 	done;
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc

 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -883,6 +885,7 @@ install_docs:
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
+			grep -v "[	]" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
@@ -899,6 +902,7 @@ install_docs:
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
+			grep -v "[	]" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
--- a/12
+++ b/12
@@ -5,6 +5,13 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+
+      o Security: fix various ASN1 parsing bugs.
+      o New -ignore_err option to OCSP utility.
+      o Various interop and bug fixes in S/MIME code.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:

      o Security: counter the Klima-Pokorny-Rosa extension of
@@ -73,6 +80,11 @@
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).

+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+
+      o Security: fix various ASN1 parsing bugs.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:

      o Security: counter the Klima-Pokorny-Rosa extension of
--- a/2
+++ b/2
@@ -1,5 +1,5 @@

- OpenSSL 0.9.7c-dev xx XXX 2003
+ OpenSSL 0.9.7c 30 Sep 2003

 Copyright (c) 1998-2003 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/4
+++ b/4
@@ -1,13 +1,15 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2003/04/10 20:22:12 $
+  ______________                           $Date: 2003/10/02 10:55:20 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.7c: Released on September 30th, 2003
    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
+    o  OpenSSL 0.9.6k: Released on September 30th, 2003
    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
--- a/104
+++ b/104
@@ -1502,7 +1502,7 @@ $arflags      =

 *** debug-ben
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1527,7 +1527,7 @@ $arflags      =

 *** debug-ben-debug
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1550,31 +1550,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** debug-ben-fips
-$cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -O2 -pedantic -Wall -Wshadow -Werror -pipe
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = 
-$bn_ops       = 
-$bn_obj       = asm/bn86-elf.o asm/co86-elf.o
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** debug-ben-fips-debug
 $cc           = gcc
 $cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DFIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
@@ -4300,6 +4275,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** vxworks-mipsle
+$cc           = ccmips
+$cflags       = -B$(WIND_BASE)/host/$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = ranlibmips
+$arflags      = 
+
 *** vxworks-ppc405
 $cc           = ccppc
 $cflags       = -g -msoft-float -mlongcall -DCPU=PPC405 -I$(WIND_BASE)/target/h
@@ -4374,3 +4374,53 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 $arflags      = 
+
+*** vxworks-ppc860
+$cc           = ccppc
+$cflags       = -g -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** vxworks-ppc860
+$cc           = ccppc
+$cflags       = -nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -126,16 +126,6 @@
 #include <openssl/engine.h>
 #endif

-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int	strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
-
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
@@ -378,22 +368,6 @@ int WIN32_rename(char *from, char *to)
 	}
 #endif

-#ifdef OPENSSL_SYS_VMS
-int VMS_strcasecmp(const char *str1, const char *str2)
-	{
-	while (*str1 && *str2)
-		{
-		int res = toupper(*str1) - toupper(*str2);
-		if (res) return res < 0 ? -1 : 1;
-		}
-	if (*str1)
-		return 1;
-	if (*str2)
-		return -1;
-	return 0;
-	}
-#endif
-
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
 	int num,len,i;
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -141,12 +141,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 int WIN32_rename(char *oldname,char *newname);
 #endif

-/* VMS below version 7.0 doesn't have strcasecmp() */
-#ifdef OPENSSL_SYS_VMS
-#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
-int VMS_strcasecmp(const char *str1, const char *str2);
-#endif
-
 #ifndef MONOLITH

 #define MAIN(a,v)	main(a,v)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -76,16 +76,6 @@
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>

-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int	strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
-
 #ifndef W_OK
 #  ifdef OPENSSL_SYS_VMS
 #    if defined(__DECC)
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -136,6 +136,7 @@ int MAIN(int argc, char **argv)
 	int accept_count = -1;
 	int badarg = 0;
 	int i;
+	int ignore_err = 0;
 	STACK *reqnames = NULL;
 	STACK_OF(OCSP_CERTID) *ids = NULL;

@@ -195,6 +196,8 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp(*args, "-ignore_err"))
+			ignore_err = 1;
 		else if (!strcmp(*args, "-noverify"))
 			noverify = 1;
 		else if (!strcmp(*args, "-nonce"))
@@ -809,6 +812,8 @@ int MAIN(int argc, char **argv)
 		{
 		BIO_printf(out, "Responder Error: %s (%ld)\n",
 				OCSP_response_status_str(i), i);
+		if (ignore_err)
+			goto redo_accept;
 		ret = 0;
 		goto end;
 		}
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -163,7 +163,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 		goto err;
 		}

-	if (type < 0 || type > CRYPTO_NUM_LOCKS)
+	if (type < 0 || type >= CRYPTO_NUM_LOCKS)
 		{
 		errstr = "type out of bounds";
 		goto err;
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -235,7 +235,7 @@ int MAIN(int argc, char **argv)
 			return (1);
 		}
 		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
-			BIO_printf(bio_err, "Error converting key\n", outfile);
+			BIO_printf(bio_err, "Error converting key\n");
 			ERR_print_errors(bio_err);
 			return (1);
 		}
@@ -259,8 +259,7 @@ int MAIN(int argc, char **argv)
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
 					p8pass, strlen(p8pass),
 					NULL, 0, iter, p8inf))) {
-				BIO_printf(bio_err, "Error encrypting key\n",
-								 outfile);
+				BIO_printf(bio_err, "Error encrypting key\n");
 				ERR_print_errors(bio_err);
 				return (1);
 			}
@@ -303,7 +302,7 @@ int MAIN(int argc, char **argv)
 		}

 		if (!p8) {
-			BIO_printf (bio_err, "Error reading key\n", outfile);
+			BIO_printf (bio_err, "Error reading key\n");
 			ERR_print_errors(bio_err);
 			return (1);
 		}
@@ -317,13 +316,13 @@ int MAIN(int argc, char **argv)
 	}

 	if (!p8inf) {
-		BIO_printf(bio_err, "Error decrypting key\n", outfile);
+		BIO_printf(bio_err, "Error decrypting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
 	}

 	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
-		BIO_printf(bio_err, "Error converting key\n", outfile);
+		BIO_printf(bio_err, "Error converting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
 	}
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -112,6 +112,14 @@
 #include <sys/types.h>
 #include <openssl/opensslconf.h>

+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+#define _kbhit kbhit
+#endif
+
 #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
 /* VAX C does not defined fd_set and friends, but it's actually quite simple */
 /* These definitions are borrowed from SOCKETSHR.	/Richard Levitte */
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -136,10 +136,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"

-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -260,7 +256,7 @@ int MAIN(int argc, char **argv)
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #endif
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
 	struct timeval tv;
 #endif

@@ -644,7 +640,7 @@ re_start:

 		if (!ssl_pending)
 			{
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
 			if (tty_on)
 				{
 				if (read_tty)  FD_SET(fileno(stdin),&readfds);
@@ -671,8 +667,8 @@ re_start:
 			 * will choke the compiler: if you do have a cast then
 			 * you can either go for (int *) or (void *).
 			 */
-#ifdef OPENSSL_SYS_WINDOWS
-			/* Under Windows we make the assumption that we can
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under Windows/DOS we make the assumption that we can
 			 * always write to the tty: therefore if we need to
 			 * write to the tty we just fall through. Otherwise
 			 * we timeout the select every second and see if there
@@ -686,7 +682,7 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
 					if(!i && (!_kbhit() || !read_tty) ) continue;
 #else
 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
@@ -855,8 +851,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 				}
 			}

-#ifdef OPENSSL_SYS_WINDOWS
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
 		else if (_kbhit())
 #else
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -140,10 +140,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"

-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -917,7 +913,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	unsigned long l;
 	SSL *con=NULL;
 	BIO *sbio;
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
 	struct timeval tv;
 #endif

@@ -991,7 +987,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 		if (!read_from_sslcon)
 			{
 			FD_ZERO(&readfds);
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
 			FD_SET(fileno(stdin),&readfds);
 #endif
 			FD_SET(s,&readfds);
@@ -1001,8 +997,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 			 * the compiler: if you do have a cast then you can either
 			 * go for (int *) or (void *).
 			 */
-#ifdef OPENSSL_SYS_WINDOWS
-			/* Under Windows we can't select on stdin: only
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
 			 * on sockets. As a workaround we timeout the select every
 			 * second and check for any keypress. In a proper Windows
 			 * application we wouldn't do this because it is inefficient.
@@ -1263,7 +1259,13 @@ static int init_ssl_connection(SSL *con)
 	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
 		TLS1_FLAGS_TLS_PADDING_BUG)
 		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
-
+#ifndef OPENSSL_NO_KRB5
+	if (con->kssl_ctx->client_princ != NULL)
+		{
+		BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
+			con->kssl_ctx->client_princ);
+		}
+#endif /* OPENSSL_NO_KRB5 */
 	return(1);
 	}

--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1145,7 +1145,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	else if (!(bs = load_serial(CAfile, serialfile, create)))
 		goto end;

-	if (!X509_STORE_add_cert(ctx,x)) goto end;
+/*	if (!X509_STORE_add_cert(ctx,x)) goto end;*/

 	/* NOTE: this certificate can/should be self signed, unless it was
 	 * a certificate request in which case it is not. */
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -36,14 +36,14 @@ GENERAL=Makefile README crypto-lib.com install.com

 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o

 SRC= $(LIBSRC)

 EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h $(EXHEADER)

 ALL=    $(GENERAL) $(SRC) $(HEADER)

@@ -203,6 +203,8 @@ mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c
+o_str.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_str.c
+o_str.o: o_str.h
 o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
 o_time.o: o_time.h
 tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -162,7 +162,7 @@ void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
 			    const int nbits,const AES_KEY *key,
 			    unsigned char *ivec,const int enc)
    {
-    unsigned int n;
+    int n;
    unsigned char ovec[AES_BLOCK_SIZE*2];

    assert(in && out && key && ivec);
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -40,7 +40,7 @@
 #include <openssl/fips.h>
 #include "aes_locl.h"

-#ifndef FIPS
+#ifndef OPENSSL_FIPS

 /*
 Te0[x] = S [x].[02, 01, 01, 03];
@@ -1258,4 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
 	PUTU32(out + 12, s3);
 }

-#endif /* ndef FIPS */
+#endif /* ndef OPENSSL_FIPS */
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@@ -115,7 +115,7 @@ err:

 #endif

-int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
+int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d)
 	{
 	static int min[9]={ 0, 0, 1, 1, 0, 0, 0, 0, 0};
 	static int max[9]={99, 99,12,31,23,59,59,12,59};
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)

 static int out_utf8(unsigned long value, void *arg)
 {
-	long *outlen;
+	int *outlen;
 	outlen = arg;
 	*outlen += UTF8_putc(NULL, -1, value);
 	return 1;
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -114,7 +114,7 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t)
 	return ASN1_GENERALIZEDTIME_set(s,t);
 	}

-int ASN1_TIME_check(ASN1_TIME *t)
+int ASN1_TIME_check(const ASN1_TIME *t)
 	{
 	if (t->type == V_ASN1_GENERALIZEDTIME)
 		return ASN1_GENERALIZEDTIME_check(t);
@@ -124,7 +124,8 @@ int ASN1_TIME_check(ASN1_TIME *t)
 	}

 /* Convert an ASN1_TIME structure to GeneralizedTime */
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out)
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t,
+						   ASN1_GENERALIZEDTIME **out)
 	{
 	ASN1_GENERALIZEDTIME *ret;
 	char *str;
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -112,7 +112,7 @@ err:

 #endif

-int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
+int ASN1_UTCTIME_check(const ASN1_UTCTIME *d)
 	{
 	static int min[8]={ 0, 1, 1, 0, 0, 0, 0, 0};
 	static int max[8]={99,12,31,23,59,59,12,59};
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -754,7 +754,7 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y);

 DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)

-int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
+int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
 ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s,time_t t);
 int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, char *str); 
 int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
@@ -762,7 +762,7 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
 time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
 #endif

-int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
+int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
 ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,time_t t);
 int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, char *str); 

@@ -793,8 +793,8 @@ DECLARE_ASN1_FUNCTIONS(ASN1_GENERALIZEDTIME)
 DECLARE_ASN1_FUNCTIONS(ASN1_TIME)

 ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s,time_t t);
-int ASN1_TIME_check(ASN1_TIME *t);
-ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);
+int ASN1_TIME_check(const ASN1_TIME *t);
+ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out);

 int		i2d_ASN1_SET(STACK *a, unsigned char **pp,
 			int (*func)(), int ex_tag, int ex_class, int is_set);
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 			l<<=7L;
 			l|= *(p++)&0x7f;
 			if (--max == 0) goto err;
+			if (l > (INT_MAX >> 7L)) goto err;
 			}
 		l<<=7L;
 		l|= *(p++)&0x7f;
 		tag=(int)l;
+		if (--max == 0) goto err;
 		}
 	else
 		{ 
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl

 int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
 {
+	ASN1_VALUE **opval = NULL;
 	ASN1_STRING *stmp;
 	ASN1_TYPE *typ = NULL;
 	int ret = 0;
@@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 			*pval = (ASN1_VALUE *)typ;
 		} else typ = (ASN1_TYPE *)*pval;
 		if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+		opval = pval;
 		pval = (ASN1_VALUE **)&typ->value.ptr;
 	}
 	switch(utype) {
@@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char

 	ret = 1;
 	err:
-	if(!ret) ASN1_TYPE_free(typ);
+	if(!ret)
+		{
+		ASN1_TYPE_free(typ);
+		if (opval)
+			*opval = NULL;
+		}
 	return ret;
 }

--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -213,12 +213,29 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		b->shutdown=(int)num&BIO_CLOSE;
 		b->ptr=(char *)ptr;
 		b->init=1;
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
-		/* Set correct text/binary mode */
+#if defined(OPENSSL_SYS_WINDOWS)
 		if (num & BIO_FP_TEXT)
 			_setmode(fileno((FILE *)ptr),_O_TEXT);
 		else
 			_setmode(fileno((FILE *)ptr),_O_BINARY);
+#elif defined(OPENSSL_SYS_MSDOS)
+		{
+		int fd = fileno((FILE*)ptr);
+		/* Set correct text/binary mode */
+		if (num & BIO_FP_TEXT)
+			_setmode(fd,_O_TEXT);
+		/* Dangerous to set stdin/stdout to raw (unless redirected) */
+		else
+			{
+			if (fd == STDIN_FILENO || fd == STDOUT_FILENO)
+				{
+				if (isatty(fd) <= 0)
+					_setmode(fd,_O_BINARY);
+				}
+			else
+				_setmode(fd,_O_BINARY);
+			}
+		}
 #elif defined(OPENSSL_SYS_OS2)
 		if (num & BIO_FP_TEXT)
 			setmode(fileno((FILE *)ptr), O_TEXT);
--- a/crypto/cast/asm/.cvsignore
+++ b/crypto/cast/asm/.cvsignore
@@ -1 +1,2 @@
 cx86unix.cpp
+cx86-elf.s
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -66,10 +66,10 @@
 static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
 #endif

-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 int FIPS_mode;
 void *FIPS_rand_check;
-#endif /* def FIPS */
+#endif /* def OPENSSL_FIPS */

 DECLARE_STACK_OF(CRYPTO_dynlock)
 IMPLEMENT_STACK_OF(CRYPTO_dynlock)
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -158,7 +158,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
--- a/crypto/des/cfb64ede.c
+++ b/crypto/des/cfb64ede.c
@@ -140,3 +140,114 @@ void DES_ede2_cfb64_encrypt(unsigned char *in, unsigned char *out, long length,
 	DES_ede3_cfb64_encrypt(in,out,length,ks1,ks2,ks1,ivec,num,enc);
 	}
 #endif
+
+/* This is compatible with the single key CFB-r for DES, even thought that's
+ * not what EVP needs.
+ */
+
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+			  int numbits,long length,DES_key_schedule *ks1,
+			  DES_key_schedule *ks2,DES_key_schedule *ks3,
+			  DES_cblock *ivec,int enc)
+	{
+	register DES_LONG d0,d1,v0,v1,n=(numbits+7)/8;
+	register unsigned long l=length;
+	register int num=numbits;
+	DES_LONG ti[2];
+	unsigned char *iv;
+	unsigned char ovec[16];
+
+	if (num > 64) return;
+	iv = &(*ivec)[0];
+	c2l(iv,v0);
+	c2l(iv,v1);
+	if (enc)
+		{
+		while (l >= n)
+			{
+			l-=n;
+			ti[0]=v0;
+			ti[1]=v1;
+			DES_encrypt3(ti,ks1,ks2,ks3);
+			c2ln(in,d0,d1,n);
+			in+=n;
+			d0^=ti[0];
+			d1^=ti[1];
+			l2cn(d0,d1,out,n);
+			out+=n;
+			/* 30-08-94 - eay - changed because l>>32 and
+			 * l<<32 are bad under gcc :-( */
+			if (num == 32)
+				{ v0=v1; v1=d0; }
+			else if (num == 64)
+				{ v0=d0; v1=d1; }
+			else
+				{
+				iv=&ovec[0];
+				l2c(v0,iv);
+				l2c(v1,iv);
+				l2c(d0,iv);
+				l2c(d1,iv);
+				/* shift ovec left most of the bits... */
+				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+				/* now the remaining bits */
+				if(num%8 != 0)
+					for(n=0 ; n < 8 ; ++n)
+						{
+						ovec[n]<<=num%8;
+						ovec[n]|=ovec[n+1]>>(8-num%8);
+						}
+				iv=&ovec[0];
+				c2l(iv,v0);
+				c2l(iv,v1);
+				}
+			}
+		}
+	else
+		{
+		while (l >= n)
+			{
+			l-=n;
+			ti[0]=v0;
+			ti[1]=v1;
+			DES_encrypt3(ti,ks1,ks2,ks3);
+			c2ln(in,d0,d1,n);
+			in+=n;
+			/* 30-08-94 - eay - changed because l>>32 and
+			 * l<<32 are bad under gcc :-( */
+			if (num == 32)
+				{ v0=v1; v1=d0; }
+			else if (num == 64)
+				{ v0=d0; v1=d1; }
+			else
+				{
+				iv=&ovec[0];
+				l2c(v0,iv);
+				l2c(v1,iv);
+				l2c(d0,iv);
+				l2c(d1,iv);
+				/* shift ovec left most of the bits... */
+				memmove(ovec,ovec+num/8,8+(num%8 ? 1 : 0));
+				/* now the remaining bits */
+				if(num%8 != 0)
+					for(n=0 ; n < 8 ; ++n)
+						{
+						ovec[n]<<=num%8;
+						ovec[n]|=ovec[n+1]>>(8-num%8);
+						}
+				iv=&ovec[0];
+				c2l(iv,v0);
+				c2l(iv,v1);
+				}
+			d0^=ti[0];
+			d1^=ti[1];
+			l2cn(d0,d1,out,n);
+			out+=n;
+			}
+		}
+	iv = &(*ivec)[0];
+	l2c(v0,iv);
+	l2c(v1,iv);
+	v0=v1=d0=d1=ti[0]=ti[1]=0;
+	}
+
--- a/crypto/des/cfb_enc.c
+++ b/crypto/des/cfb_enc.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include "e_os.h"
 #include "des_locl.h"

 /* The input and output are loaded in multiples of 8 bits.
--- a/crypto/des/des.h
+++ b/crypto/des/des.h
@@ -187,6 +187,10 @@ void DES_ede3_cfb64_encrypt(const unsigned char *in,unsigned char *out,
 			    long length,DES_key_schedule *ks1,
 			    DES_key_schedule *ks2,DES_key_schedule *ks3,
 			    DES_cblock *ivec,int *num,int enc);
+void DES_ede3_cfb_encrypt(const unsigned char *in,unsigned char *out,
+			  int numbits,long length,DES_key_schedule *ks1,
+			  DES_key_schedule *ks2,DES_key_schedule *ks3,
+			  DES_cblock *ivec,int enc);
 void DES_ede3_ofb64_encrypt(const unsigned char *in,unsigned char *out,
 			    long length,DES_key_schedule *ks1,
 			    DES_key_schedule *ks2,DES_key_schedule *ks3,
--- a/crypto/des/des_enc.c
+++ b/crypto/des/des_enc.c
@@ -58,7 +58,7 @@

 #include "des_locl.h"

-#ifndef FIPS
+#ifndef OPENSSL_FIPS

 void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 	{
@@ -289,7 +289,7 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
 	data[1]=r;
 	}

-#endif /* ndef FIPS */
+#endif /* ndef OPENSSL_FIPS */

 #ifndef DES_DEFAULT_OPTIONS

--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -80,6 +80,7 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>

+#ifndef OPENSSL_FIPS
 DSA *DSA_generate_parameters(int bits,
 		unsigned char *seed_in, int seed_len,
 		int *counter_ret, unsigned long *h_ret,
@@ -293,4 +294,6 @@ err:
 	if (mont != NULL) BN_MONT_CTX_free(mont);
 	return(ok?ret:NULL);
 	}
-#endif
+#endif /* ndef OPENSSL_FIPS */
+#endif /* ndef OPENSSL_NO_SHA */
+
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -65,7 +65,7 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>

-#ifndef FIPS
+#ifndef OPENSSL_FIPS
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
--- a/crypto/dsa/dsa_sign.c
+++ b/crypto/dsa/dsa_sign.c
@@ -71,7 +71,7 @@

 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	if(FIPS_mode && !FIPS_dsa_check(dsa))
 		return NULL;
 #endif
@@ -95,7 +95,7 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,

 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	if(FIPS_mode && !FIPS_dsa_check(dsa))
 		return 0;
 #endif
--- a/crypto/dsa/dsa_vrf.c
+++ b/crypto/dsa/dsa_vrf.c
@@ -73,7 +73,7 @@
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	if(FIPS_mode && !FIPS_dsa_check(dsa))
 		return -1;
 #endif
--- a/crypto/engine/engine.h
+++ b/crypto/engine/engine.h
@@ -538,10 +538,10 @@ void ENGINE_add_conf_module(void);
 /**************************/

 /* Binary/behaviour compatibility levels */
-#define OSSL_DYNAMIC_VERSION		(unsigned long)0x00010100
+#define OSSL_DYNAMIC_VERSION		(unsigned long)0x00010200
 /* Binary versions older than this are too old for us (whether we're a loader or
 * a loadee) */
-#define OSSL_DYNAMIC_OLDEST		(unsigned long)0x00010100
+#define OSSL_DYNAMIC_OLDEST		(unsigned long)0x00010200

 /* When compiling an ENGINE entirely as an external shared library, loadable by
 * the "dynamic" ENGINE, these types are needed. The 'dynamic_fns' structure
--- a/crypto/engine/hw_cryptodev.c
+++ b/crypto/engine/hw_cryptodev.c
@@ -80,7 +80,7 @@ static int cryptodev_max_iv(int cipher);
 static int cryptodev_key_length_valid(int cipher, int len);
 static int cipher_nid_to_cryptodev(int nid);
 static int get_cryptodev_ciphers(const int **cnids);
-static int get_cryptodev_digests(const int **cnids);
+/*static int get_cryptodev_digests(const int **cnids);*/
 static int cryptodev_usable_ciphers(const int **nids);
 static int cryptodev_usable_digests(const int **nids);
 static int cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -140,6 +140,7 @@ static struct {
 	{ 0,				NID_undef,		0,	 0, },
 };

+#if 0 /* UNUSED */
 static struct {
 	int	id;
 	int	nid;
@@ -152,6 +153,7 @@ static struct {
 	{ CRYPTO_SHA1,			NID_undef,		},
 	{ 0,				NID_undef,		},
 };
+#endif

 /*
 * Return a fd if /dev/crypto seems usable, 0 otherwise.
@@ -292,6 +294,7 @@ get_cryptodev_ciphers(const int **cnids)
 * returning them here is harmless, as long as we return NULL
 * when asked for a handler in the cryptodev_engine_digests routine
 */
+#if 0 /* UNUSED */
 static int
 get_cryptodev_digests(const int **cnids)
 {
@@ -321,6 +324,7 @@ get_cryptodev_digests(const int **cnids)
 		*cnids = NULL;
 	return (count);
 }
+#endif

 /*
 * Find the useable ciphers|digests from dev/crypto - this is the first
@@ -626,7 +630,7 @@ static int
 bn2crparam(const BIGNUM *a, struct crparam *crp)
 {
 	int i, j, k;
-	ssize_t words, bytes, bits;
+	ssize_t bytes, bits;
 	u_char *b;

 	crp->crp_p = NULL;
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -225,6 +225,7 @@ struct st_ERR_FNS
 	ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
 	/* Works on the "thread_hash" error-state table */
 	LHASH *(*cb_thread_get)(int create);
+	void (*cb_thread_release)(LHASH **hash);
 	ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
 	ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
 	void (*cb_thread_del_item)(const ERR_STATE *);
@@ -239,6 +240,7 @@ static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
 static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
 static LHASH *int_thread_get(int create);
+static void int_thread_release(LHASH **hash);
 static ERR_STATE *int_thread_get_item(const ERR_STATE *);
 static ERR_STATE *int_thread_set_item(ERR_STATE *);
 static void int_thread_del_item(const ERR_STATE *);
@@ -252,6 +254,7 @@ static const ERR_FNS err_defaults =
 	int_err_set_item,
 	int_err_del_item,
 	int_thread_get,
+	int_thread_release,
 	int_thread_get_item,
 	int_thread_set_item,
 	int_thread_del_item,
@@ -271,6 +274,7 @@ static const ERR_FNS *err_fns = NULL;
 * and state in the loading application. */
 static LHASH *int_error_hash = NULL;
 static LHASH *int_thread_hash = NULL;
+static int int_thread_hash_references = 0;
 static int int_err_library_number= ERR_LIB_USER;

 /* Internal function that checks whether "err_fns" is set and if not, sets it to
@@ -417,11 +421,37 @@ static LHASH *int_thread_get(int create)
 		CRYPTO_pop_info();
 		}
 	if (int_thread_hash)
+		{
+		int_thread_hash_references++;
 		ret = int_thread_hash;
+		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 	return ret;
 	}

+static void int_thread_release(LHASH **hash)
+	{
+	int i;
+
+	if (hash == NULL || *hash == NULL)
+		return;
+
+	i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
+
+#ifdef REF_PRINT
+	fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR");
+#endif
+	if (i > 0) return;
+#ifdef REF_CHECK
+	if (i < 0)
+		{
+		fprintf(stderr,"int_thread_release, bad reference count\n");
+		abort(); /* ok */
+		}
+#endif
+	*hash = NULL;
+	}
+
 static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
 	{
 	ERR_STATE *p;
@@ -436,6 +466,7 @@ static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
 	p = (ERR_STATE *)lh_retrieve(hash, d);
 	CRYPTO_r_unlock(CRYPTO_LOCK_ERR);

+	ERRFN(thread_release)(&hash);
 	return p;
 	}

@@ -453,6 +484,7 @@ static ERR_STATE *int_thread_set_item(ERR_STATE *d)
 	p = (ERR_STATE *)lh_insert(hash, d);
 	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);

+	ERRFN(thread_release)(&hash);
 	return p;
 	}

@@ -469,13 +501,15 @@ static void int_thread_del_item(const ERR_STATE *d)
 	CRYPTO_w_lock(CRYPTO_LOCK_ERR);
 	p = (ERR_STATE *)lh_delete(hash, d);
 	/* make sure we don't leak memory */
-	if (int_thread_hash && (lh_num_items(int_thread_hash) == 0))
+	if (int_thread_hash_references == 1
+		&& int_thread_hash && (lh_num_items(int_thread_hash) == 0))
 		{
 		lh_free(int_thread_hash);
 		int_thread_hash = NULL;
 		}
 	CRYPTO_w_unlock(CRYPTO_LOCK_ERR);

+	ERRFN(thread_release)(&hash);
 	if (p)
 		ERR_STATE_free(p);
 	}
@@ -845,6 +879,12 @@ LHASH *ERR_get_err_state_table(void)
 	return ERRFN(thread_get)(0);
 	}

+void ERR_release_err_state_table(LHASH **hash)
+	{
+	err_fns_check();
+	ERRFN(thread_release)(hash);
+	}
+
 const char *ERR_lib_error_string(unsigned long e)
 	{
 	ERR_STRING_DATA d,*p;
--- a/crypto/err/err.h
+++ b/crypto/err/err.h
@@ -280,6 +280,7 @@ ERR_STATE *ERR_get_state(void);
 #ifndef OPENSSL_NO_LHASH
 LHASH *ERR_get_string_table(void);
 LHASH *ERR_get_err_state_table(void);
+void ERR_release_err_state_table(LHASH **hash);
 #endif

 int ERR_get_next_error_library(void);
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -131,7 +131,7 @@ void ERR_load_crypto_strings(void)
 	ERR_load_OCSP_strings();
 	ERR_load_UI_strings();
 #endif
-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	ERR_load_FIPS_strings();
 #endif
 	}
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -27,7 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE	crypto/engine/engine.h		crypto/engine/eng_err.c
 L OCSP		crypto/ocsp/ocsp.h		crypto/ocsp/ocsp_err.c
 L UI		crypto/ui/ui.h			crypto/ui/ui_err.c
-L FIPS		fips/fips.h			fips/fips_err.c
+L FIPS		fips/fips.h			fips/fips_err.h

 # additional header files to be scanned for function names
 L NONE		crypto/x509/x509_vfy.h		NONE
--- a/crypto/evp/e_des.c
+++ b/crypto/evp/e_des.c
@@ -125,7 +125,7 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    {
    unsigned char *tmp; /* DES_cfb_encrypt rudely overwrites the whole buffer*/

-    tmp=alloca(inl);
+    tmp=alloca(inl+7);
    memcpy(tmp,in,inl);
    DES_cfb_encrypt(tmp,tmp,8,inl,ctx->cipher_data,(DES_cblock *)ctx->iv,
 		    ctx->encrypt);
--- a/crypto/evp/e_des3.c
+++ b/crypto/evp/e_des3.c
@@ -130,6 +130,42 @@ static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 	return 1;
 }

+/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right
+   way, so wrap it here */
+static int des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+				const unsigned char *in, unsigned int inl)
+    {
+    unsigned int n;
+    unsigned char c[8],d[8]; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
+
+    memset(out,0,(inl+7)/8);
+    for(n=0 ; n < inl ; ++n)
+	{
+	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+	DES_ede3_cfb_encrypt(c,d,1,1,
+			     &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+			     (DES_cblock *)ctx->iv,ctx->encrypt);
+	out[n/8]=(out[n/8]&~(0x80 >> (n%8)))|((d[0]&0x80) >> (n%8));
+	}
+
+    return 1;
+    }
+
+static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+				const unsigned char *in, unsigned int inl)
+    {
+    unsigned char *tmp; /* DES_cfb_encrypt rudely overwrites the whole buffer*/
+
+    tmp=alloca(inl+7);
+    memcpy(tmp,in,inl);
+    DES_ede3_cfb_encrypt(tmp,tmp,8,inl,
+			 &data(ctx)->ks1,&data(ctx)->ks2,&data(ctx)->ks3,
+			 (DES_cblock *)ctx->iv,ctx->encrypt);
+    memcpy(out,tmp,inl);
+
+    return 1;
+    }
+
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
 			0, des_ede_init_key, NULL, 
 			EVP_CIPHER_set_asn1_iv,
@@ -147,6 +183,16 @@ BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
 			EVP_CIPHER_get_asn1_iv,
 			NULL)

+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,0,
+		     des_ede3_init_key,NULL,
+		     EVP_CIPHER_set_asn1_iv,
+		     EVP_CIPHER_get_asn1_iv,NULL)
+
+BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,0,
+		     des_ede3_init_key,NULL,
+		     EVP_CIPHER_set_asn1_iv,
+		     EVP_CIPHER_get_asn1_iv,NULL)
+
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 			    const unsigned char *iv, int enc)
 	{
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -644,8 +644,10 @@ const EVP_CIPHER *EVP_des_cfb1(void);
 const EVP_CIPHER *EVP_des_cfb8(void);
 const EVP_CIPHER *EVP_des_ede_cfb64(void);
 # define EVP_des_ede_cfb EVP_des_ede_cfb64
+#if 0
 const EVP_CIPHER *EVP_des_ede_cfb1(void);
 const EVP_CIPHER *EVP_des_ede_cfb8(void);
+#endif
 const EVP_CIPHER *EVP_des_ede3_cfb64(void);
 # define EVP_des_ede3_cfb EVP_des_ede3_cfb64
 const EVP_CIPHER *EVP_des_ede3_cfb1(void);
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -130,6 +130,7 @@

 #include <openssl/fips.h>
 #include <openssl/err.h>
+#include "../fips/fips_locl.h"

 #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN)
 #error "DATA_ORDER must be defined!"
@@ -558,8 +559,8 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
 	static const unsigned char end[4]={0x80,0x00,0x00,0x00};
 	const unsigned char *cp=end;

-#ifdef FIPS
-	if(FIPS_mode)
+#ifdef OPENSSL_FIPS
+	if(FIPS_mode && !FIPS_md5_allowed)
 	    {
 	    FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD);
 	    return 0;
--- a/crypto/md4/Makefile.ssl
+++ b/crypto/md4/Makefile.ssl
@@ -80,10 +80,11 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-md4_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-md4_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md4_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-md4_dgst.o: ../../include/openssl/md4.h ../../include/openssl/opensslconf.h
+md4_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
+md4_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md4_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+md4_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/md4.h
+md4_dgst.o: ../../include/openssl/opensslconf.h
 md4_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 md4_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 md4_dgst.o: ../md32_common.h md4_dgst.c md4_locl.h
--- a/crypto/md5/Makefile.ssl
+++ b/crypto/md5/Makefile.ssl
@@ -116,10 +116,11 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-md5_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-md5_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md5_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-md5_dgst.o: ../../include/openssl/md5.h ../../include/openssl/opensslconf.h
+md5_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
+md5_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+md5_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+md5_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
+md5_dgst.o: ../../include/openssl/opensslconf.h
 md5_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 md5_dgst.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 md5_dgst.o: ../md32_common.h md5_dgst.c md5_locl.h
--- a/crypto/md5/asm/md5-586.pl
+++ b/crypto/md5/asm/md5-586.pl
@@ -293,7 +293,7 @@ sub md5_block
 	 &mov(&DWP(12,$tmp2,"",0),$D);

 	&cmp($tmp1,$X) unless $normal;			# check count
-	 &jge(&label("start")) unless $normal;
+	 &jae(&label("start")) unless $normal;

 	&pop("eax"); # pop the temp variable off the stack
 	 &pop("ebx");
--- a/crypto/o_str.c
+++ b/crypto/o_str.c
@@ -0,0 +1,96 @@
+/* crypto/o_str.c -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <o_str.h>
+#include <openssl/e_os2.h>
+
+int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n)
+	{
+#if defined(OPENSSL_SYS_VMS)
+	while (*str1 && *str2 && n)
+		{
+		int res = toupper(*str1) - toupper(*str2);
+		if (res) return res < 0 ? -1 : 1;
+		str1++;
+		str2++;
+		n--;
+		}
+	if (n == 0)
+		return 0;
+	if (*str1)
+		return 1;
+	if (*str2)
+		return -1;
+	return 0;
+#elif defined(OPENSSL_SYS_WINDOWS)
+	return _strnicmp(str1, str2, n);
+#else
+	return strncasecmp(str1, str2, n);
+#endif
+	}
+int OPENSSL_strcasecmp(const char *str1, const char *str2)
+	{
+#if defined(OPENSSL_SYS_VMS)
+	return OSSL_strncasecmp(str1, str2, (size_t)-1);
+#elif defined(OPENSSL_SYS_WINDOWS)
+	return _stricmp(str1, str2);
+#else
+	return strcasecmp(str1, str2);
+#endif
+	}
+
--- a/crypto/o_str.h
+++ b/crypto/o_str.h
@@ -0,0 +1,67 @@
+/* crypto/o_str.h -*- mode:C; c-file-style: "eay" -*- */
+/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
+ * project 2003.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_O_STR_H
+#define HEADER_O_STR_H
+
+#include <string.h>
+
+int OPENSSL_strcasecmp(const char *str1, const char *str2);
+int OPENSSL_strncasecmp(const char *str1, const char *str2, size_t n);
+
+#endif
--- a/crypto/objects/obj_dat.h
+++ b/crypto/objects/obj_dat.h
@@ -62,9 +62,9 @@
 * [including the GNU Public Licence.]
 */

-#define NUM_NID 658
-#define NUM_SN 651
-#define NUM_LN 651
+#define NUM_NID 660
+#define NUM_SN 653
+#define NUM_LN 653
 #define NUM_OBJ 617

 static unsigned char lvalues[4455]={
@@ -1736,6 +1736,8 @@ static ASN1_OBJECT nid_objs[NUM_NID]={
 {"AES-256-CFB8","aes-256-cfb8",NID_aes_256_cfb8,0,NULL},
 {"DES-CFB1","des-cfb1",NID_des_cfb1,0,NULL},
 {"DES-CFB8","des-cfb8",NID_des_cfb8,0,NULL},
+{"DES-EDE3-CFB1","des-ede3-cfb1",NID_des_ede3_cfb1,0,NULL},
+{"DES-EDE3-CFB8","des-ede3-cfb8",NID_des_ede3_cfb8,0,NULL},
 };

 static ASN1_OBJECT *sn_objs[NUM_SN]={
@@ -1786,6 +1788,8 @@ static ASN1_OBJECT *sn_objs[NUM_SN]={
 &(nid_objs[33]),/* "DES-EDE3" */
 &(nid_objs[44]),/* "DES-EDE3-CBC" */
 &(nid_objs[61]),/* "DES-EDE3-CFB" */
+&(nid_objs[658]),/* "DES-EDE3-CFB1" */
+&(nid_objs[659]),/* "DES-EDE3-CFB8" */
 &(nid_objs[63]),/* "DES-EDE3-OFB" */
 &(nid_objs[45]),/* "DES-OFB" */
 &(nid_objs[80]),/* "DESX-CBC" */
@@ -2563,6 +2567,8 @@ static ASN1_OBJECT *ln_objs[NUM_LN]={
 &(nid_objs[33]),/* "des-ede3" */
 &(nid_objs[44]),/* "des-ede3-cbc" */
 &(nid_objs[61]),/* "des-ede3-cfb" */
+&(nid_objs[658]),/* "des-ede3-cfb1" */
+&(nid_objs[659]),/* "des-ede3-cfb8" */
 &(nid_objs[63]),/* "des-ede3-ofb" */
 &(nid_objs[45]),/* "des-ofb" */
 &(nid_objs[107]),/* "description" */
--- a/crypto/objects/obj_mac.h
+++ b/crypto/objects/obj_mac.h
@@ -2041,6 +2041,14 @@
 #define LN_des_cfb8		"des-cfb8"
 #define NID_des_cfb8		657

+#define SN_des_ede3_cfb1		"DES-EDE3-CFB1"
+#define LN_des_ede3_cfb1		"des-ede3-cfb1"
+#define NID_des_ede3_cfb1		658
+
+#define SN_des_ede3_cfb8		"DES-EDE3-CFB8"
+#define LN_des_ede3_cfb8		"des-ede3-cfb8"
+#define NID_des_ede3_cfb8		659
+
 #define SN_hold_instruction_code		"holdInstructionCode"
 #define LN_hold_instruction_code		"Hold Instruction Code"
 #define NID_hold_instruction_code		430
--- a/crypto/objects/obj_mac.num
+++ b/crypto/objects/obj_mac.num
@@ -655,3 +655,5 @@ aes_192_cfb8		654
 aes_256_cfb8		655
 des_cfb1		656
 des_cfb8		657
+des_ede3_cfb1		658
+des_ede3_cfb8		659
--- a/crypto/objects/objects.txt
+++ b/crypto/objects/objects.txt
@@ -691,6 +691,8 @@ aes 44			: AES-256-CFB		: aes-256-cfb
 			: AES-256-CFB8		: aes-256-cfb8
 			: DES-CFB1		: des-cfb1
 			: DES-CFB8		: des-cfb8
+			: DES-EDE3-CFB1		: des-ede3-cfb1
+			: DES-EDE3-CFB8		: des-ede3-cfb8

 # Hold instruction CRL entry extension
 !Cname hold-instruction-code
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,8 +25,8 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 *  major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER	0x00907030L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7c-dev xx XXX 2003"
+#define OPENSSL_VERSION_NUMBER	0x00907040L
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7d-dev [fips] xx XXX XXXX"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT


--- a/crypto/perlasm/x86ms.pl
+++ b/crypto/perlasm/x86ms.pl
@@ -144,7 +144,10 @@ sub main'jle	{ &out1("jle",@_); }
 sub main'jz	{ &out1("jz",@_); }
 sub main'jge	{ &out1("jge",@_); }
 sub main'jl	{ &out1("jl",@_); }
+sub main'ja	{ &out1("ja",@_); }
+sub main'jae	{ &out1("jae",@_); }
 sub main'jb	{ &out1("jb",@_); }
+sub main'jbe	{ &out1("jbe",@_); }
 sub main'jc	{ &out1("jc",@_); }
 sub main'jnc	{ &out1("jnc",@_); }
 sub main'jnz	{ &out1("jnz",@_); }
--- a/crypto/perlasm/x86nasm.pl
+++ b/crypto/perlasm/x86nasm.pl
@@ -152,7 +152,10 @@ sub main'jle	{ &out1("jle NEAR",@_); }
 sub main'jz	{ &out1("jz NEAR",@_); }
 sub main'jge	{ &out1("jge NEAR",@_); }
 sub main'jl	{ &out1("jl NEAR",@_); }
+sub main'ja	{ &out1("ja NEAR",@_); }
+sub main'jae	{ &out1("jae NEAR",@_); }
 sub main'jb	{ &out1("jb NEAR",@_); }
+sub main'jbe	{ &out1("jbe NEAR",@_); }
 sub main'jc	{ &out1("jc NEAR",@_); }
 sub main'jnc	{ &out1("jnc NEAR",@_); }
 sub main'jnz	{ &out1("jnz NEAR",@_); }
--- a/crypto/perlasm/x86unix.pl
+++ b/crypto/perlasm/x86unix.pl
@@ -156,7 +156,10 @@ sub main'jnz	{ &out1("jnz",@_); }
 sub main'jz	{ &out1("jz",@_); }
 sub main'jge	{ &out1("jge",@_); }
 sub main'jl	{ &out1("jl",@_); }
+sub main'ja	{ &out1("ja",@_); }
+sub main'jae	{ &out1("jae",@_); }
 sub main'jb	{ &out1("jb",@_); }
+sub main'jbe	{ &out1("jbe",@_); }
 sub main'jc	{ &out1("jc",@_); }
 sub main'jnc	{ &out1("jnc",@_); }
 sub main'jno	{ &out1("jno",@_); }
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -333,7 +333,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
 	int do_stir_pool = 0;

-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	if(FIPS_mode)
 	    {
 	    FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -87,7 +87,7 @@ int RAND_set_rand_method(const RAND_METHOD *meth)

 const RAND_METHOD *RAND_get_rand_method(void)
 	{
-#ifdef FIPS
+#ifdef OPENSSL_FIPS
 	if(FIPS_mode && default_RAND_meth != FIPS_rand_check)
 	    {
 	    RANDerr(RAND_F_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
--- a/crypto/ripemd/Makefile.ssl
+++ b/crypto/ripemd/Makefile.ssl
@@ -97,10 +97,10 @@ clean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

-rmd_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-rmd_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rmd_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-rmd_dgst.o: ../../include/openssl/opensslconf.h
+rmd_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
+rmd_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rmd_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+rmd_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 rmd_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/ripemd.h
 rmd_dgst.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rmd_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h rmd_dgst.c
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -62,7 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>

-#ifndef RSA_NULL
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)

 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
 		unsigned char *to, RSA *rsa,int padding);
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -62,6 +62,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>

+#ifndef OPENSSL_FIPS
+
 RSA *RSA_generate_key(int bits, unsigned long e_value,
 	     void (*callback)(int,int,void *), void *cb_arg)
 	{
@@ -195,3 +197,4 @@ err:
 		return(rsa);
 	}

+#endif
--- a/crypto/sha/Makefile.ssl
+++ b/crypto/sha/Makefile.ssl
@@ -102,18 +102,18 @@ sha1_one.o: ../../include/openssl/opensslconf.h
 sha1_one.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 sha1_one.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 sha1_one.o: ../../include/openssl/symhacks.h sha1_one.c
-sha1dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-sha1dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-sha1dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-sha1dgst.o: ../../include/openssl/opensslconf.h
+sha1dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
+sha1dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha1dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+sha1dgst.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 sha1dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 sha1dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 sha1dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha1dgst.c
 sha1dgst.o: sha_locl.h
-sha_dgst.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
-sha_dgst.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-sha_dgst.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
-sha_dgst.o: ../../include/openssl/opensslconf.h
+sha_dgst.o: ../../fips/fips_locl.h ../../include/openssl/bio.h
+sha_dgst.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+sha_dgst.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+sha_dgst.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 sha_dgst.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 sha_dgst.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 sha_dgst.o: ../../include/openssl/symhacks.h ../md32_common.h sha_dgst.c
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -62,12 +62,20 @@
 #define SHA_1

 #include <openssl/opensslv.h>
+#include <openssl/opensslconf.h>

+#ifndef OPENSSL_FIPS
 const char *SHA1_version="SHA1" OPENSSL_VERSION_PTEXT;

 /* The implementation is in ../md32_common.h */

 #include "sha_locl.h"

+#else /* ndef OPENSSL_FIPS */
+
+static void *dummy=&dummy;
+
+#endif /* ndef OPENSSL_FIPS */
+
 #endif

--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 				ok=(*cb)(0,ctx);
 				if (!ok) goto end;
 				}
-			if (X509_verify(xs,pkey) <= 0)
+			else if (X509_verify(xs,pkey) <= 0)
 				/* XXX  For the final trusted self-signed cert,
 				 * this is a waste of time.  That check should
 				 * optional so that e.g. 'openssl x509' can be
--- a/crypto/x509v3/v3_prn.c
+++ b/crypto/x509v3/v3_prn.c
@@ -184,7 +184,7 @@ int X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts
 		j=X509_EXTENSION_get_critical(ex);
 		if (BIO_printf(bp,": %s\n",j?"critical":"","") <= 0)
 			return 0;
-		if(!X509V3_EXT_print(bp, ex, flag, 12))
+		if(!X509V3_EXT_print(bp, ex, flag, indent + 4))
 			{
 			BIO_printf(bp, "%*s", indent + 4, "");
 			M_ASN1_OCTET_STRING_print(bp,ex->value);
--- a/doc/crypto/EVP_BytesToKey.pod
+++ b/doc/crypto/EVP_BytesToKey.pod
@@ -2,7 +2,7 @@

 =head1 NAME

- EVP_BytesToKey - password based encryption routine
+EVP_BytesToKey - password based encryption routine

 =head1 SYNOPSIS

--- a/doc/crypto/EVP_DigestInit.pod
+++ b/doc/crypto/EVP_DigestInit.pod
@@ -4,7 +4,7 @@

 EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
-EVP_MD_CTX_copy_ex EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
 EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
 EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
 EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
--- a/doc/crypto/des.pod
+++ b/doc/crypto/des.pod
@@ -283,7 +283,7 @@ DES_cbc_encrypt is used.
 =head1 NOTES

 Single-key DES is insecure due to its short key size.  ECB mode is
-not suitable for most applications; see L<DES_modes(7)|DES_modes(7)>.
+not suitable for most applications; see L<des_modes(7)|des_modes(7)>.

 The L<evp(3)|evp(3)> library provides higher-level encryption functions.

--- a/doc/crypto/ui.pod
+++ b/doc/crypto/ui.pod
@@ -5,7 +5,7 @@
 UI_new, UI_new_method, UI_free, UI_add_input_string, UI_dup_input_string,
 UI_add_verify_string, UI_dup_verify_string, UI_add_input_boolean,
 UI_dup_input_boolean, UI_add_info_string, UI_dup_info_string,
-UI_add_error_string, UI_dup_error_string, UI_construct_prompt
+UI_add_error_string, UI_dup_error_string, UI_construct_prompt,
 UI_add_user_data, UI_get0_user_data, UI_get0_result, UI_process,
 UI_ctrl, UI_set_default_method, UI_get_default_method, UI_get_method,
 UI_set_method, UI_OpenSSL, ERR_load_UI_strings - New User Interface
--- a/e_os.h
+++ b/e_os.h
@@ -174,6 +174,13 @@ extern "C" {
 #define closesocket(s)          close(s)
 #define readsocket(s,b,n)       recv((s),(b),(n),0)
 #define writesocket(s,b,n)      send((s),(b),(n),0)
+#elif defined(OPENSSL_SYS_VXWORKS)
+#define get_last_socket_error()	errno
+#define clear_socket_error()	errno=0
+#define ioctlsocket(a,b,c)	    ioctl((a),(b),(int)(c))
+#define closesocket(s)		    close(s)
+#define readsocket(s,b,n)	    read((s),(b),(n))
+#define writesocket(s,b,n)	    write((s),(char *)(b),(n))
 #else
 #define get_last_socket_error()	errno
 #define clear_socket_error()	errno=0
@@ -503,11 +510,30 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #define IRIX_CC_BUG	/* CDS++ up to V2.0Bsomething suffered from the same bug.*/
 #endif

+#if defined(OPENSSL_SYS_WINDOWS)
+#  define strcasecmp _stricmp
+#  define strncasecmp _strnicmp
+#elif defined(OPENSSL_SYS_VMS)
+/* VMS below version 7.0 doesn't have strcasecmp() */
+#  include <openssl/o_str.h>
+#  define strcasecmp OPENSSL_strcasecmp
+#  define strncasecmp OPENSSL_strncasecmp
+#elif defined(OPENSSL_SYS_OS2) && defined(__EMX__)
+#  define strcasecmp stricmp
+#  define strncasecmp strnicmp
+#else
+#  ifdef NO_STRINGS_H
+    int	strcasecmp();
+    int	strncasecmp();
+#  else
+#    include <strings.h>
+#  endif /* NO_STRINGS_H */
+#endif
+
 #if defined(OPENSSL_SYS_OS2) && defined(__EMX__)
 # include <io.h>
 # include <fcntl.h>
 # define NO_SYSLOG
-# define strcasecmp stricmp
 #endif

 /* vxworks */
@@ -519,10 +545,6 @@ extern char *sys_errlist[]; extern int sys_nerr;
 #define TTY_STRUCT int

 #define sleep(a) taskDelay((a) * sysClkRateGet())
-#if defined(ioctlsocket)
-#undef ioctlsocket
-#endif
-#define ioctlsocket(a,b,c) ioctl((a),(b),*(c))

 #include <vxWorks.h>
 #include <sockLib.h>
--- a/fips/Makefile.ssl
+++ b/fips/Makefile.ssl
@@ -26,7 +26,7 @@ CFLAGS= $(INCLUDE) $(CFLAG)

 LIBS=

-FDIRS=rand sha1 des aes dsa
+FDIRS=sha1 rand des aes dsa rsa

 GENERAL=Makefile README fips-lib.com install.com

@@ -38,14 +38,15 @@ LIBOBJ=fips.o fips_err_wrapper.o
 SRC= $(LIBSRC)

 EXHEADER=fips.h
-HEADER=$(EXHEADER) fips_err.c
+HEADER=$(EXHEADER) fips_err.h
+EXE=openssl_fips_fingerprint

 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
 	@(cd ..; $(MAKE) DIRS=$(DIR) all)

-all: check lib subdirs shared
+all: subdirs lib check shared

 check:
 	TOP=`pwd`/$(TOP) ./fips_check_sha1 fingerprint.sha1 $(SRC) $(HEADER)
@@ -104,17 +105,30 @@ tests:
 	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
 	done;

+fips_test:
+	@for i in dsa sha1 aes des ; \
+	do \
+		(cd $$i && echo "making fips_test in fips/$$i..." && make fips_test) \
+	done;
+
 install:
 	@for i in $(EXHEADER) ;\
 	do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
+		(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
+		chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 	@for i in $(FDIRS) ;\
 	do \
-	(cd $$i && echo "making install in fips/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
+		(cd $$i && echo "making install in fips/$$i..." && \
+		$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
 	done;
+	@for i in $(EXE) ; \
+	do \
+		echo "installing $$i"; \
+		cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+		chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	done

 lint:
 	@for i in $(FDIRS) ;\
@@ -125,7 +139,7 @@ lint:

 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(SRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(FDIRS) ;\
 	do \
@@ -152,12 +166,24 @@ dclean:

 # DO NOT DELETE THIS LINE -- make depend depends on it.

+fips.o: ../include/openssl/aes.h ../include/openssl/asn1.h
+fips.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+fips.o: ../include/openssl/bn.h ../include/openssl/cast.h
 fips.o: ../include/openssl/crypto.h ../include/openssl/des.h
-fips.o: ../include/openssl/des_old.h ../include/openssl/e_os2.h
+fips.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+fips.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+fips.o: ../include/openssl/err.h ../include/openssl/evp.h
 fips.o: ../include/openssl/fips.h ../include/openssl/fips_rand.h
+fips.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+fips.o: ../include/openssl/md2.h ../include/openssl/md4.h
+fips.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+fips.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 fips.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 fips.o: ../include/openssl/ossl_typ.h ../include/openssl/rand.h
-fips.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+fips.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+fips.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+fips.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+fips.o: ../include/openssl/sha.h ../include/openssl/stack.h
 fips.o: ../include/openssl/symhacks.h ../include/openssl/ui.h
-fips.o: ../include/openssl/ui_compat.h fips.c
-fips_err_wrapper.o: fips_err_wrapper.c
+fips.o: ../include/openssl/ui_compat.h fips.c fips_locl.h
+fips_err_wrapper.o: ../include/openssl/opensslconf.h fips_err_wrapper.c
--- a/fips/aes/.cvsignore
+++ b/fips/aes/.cvsignore
@@ -1,4 +1,5 @@
 lib
 fips_aesavs
+fips_aesavs.sha1
 testlist
 Makefile.save
--- a/fips/aes/Makefile.ssl
+++ b/fips/aes/Makefile.ssl
@@ -19,12 +19,13 @@ AR=		ar r
 CFLAGS= $(INCLUDES) $(CFLAG)

 GENERAL=Makefile
-TEST=fips_aesavs.c fips_aes_data
+TEST=fips_aesavs.c
+TESTDATA=fips_aes_data
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_aes_core.c
-LIBOBJ=fips_aes_core.o
+LIBSRC=fips_aes_core.c fips_aes_selftest.c
+LIBOBJ=fips_aes_core.o fips_aes_selftest.o

 SRC= $(LIBSRC)

@@ -34,9 +35,9 @@ HEADER=	$(EXHEADER) fips_aes_locl.h
 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
-	(cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)

-all:	check lib fips_aesavs
+all:	check lib

 check:
 	TOP=`pwd`/$(TOP) ../fips_check_sha1 fingerprint.sha1 $(SRC) $(HEADER)
@@ -51,9 +52,10 @@ files:

 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TESTDATA)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)

 install:
 	@for i in $(EXHEADER) ; \
@@ -67,10 +69,14 @@ tags:

 tests:

-fips_aesavs: fips_aesavs.o ../../libcrypto.a
-	$(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o ../../libcrypto.a
+top_fips_aesavs:
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_aesavs sub_target)

-fips_test: top
+fips_aesavs: fips_aesavs.o $(TOP)/libcrypto.a
+	$(CC) $(CFLAGS) -o fips_aesavs fips_aesavs.o $(TOP)/libcrypto.a
+	TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_aesavs
+
+fips_test: top top_fips_aesavs
 	find ../testvectors/aes/req -name '*.req' > testlist
 	-rm -rf ../testvectors/aes/rsp
 	mkdir ../testvectors/aes/rsp
@@ -81,7 +87,7 @@ lint:

 depend:
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \
-		$(LIBSRC) fips_aesavs.c
+		$(SRC) $(TEST)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -94,18 +100,27 @@ clean:
 fips_aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 fips_aes_core.o: ../../include/openssl/opensslconf.h fips_aes_core.c
 fips_aes_core.o: fips_aes_locl.h
-fips_aesavs.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-fips_aesavs.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-fips_aesavs.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
-fips_aesavs.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-fips_aesavs.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
-fips_aesavs.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-fips_aesavs.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-fips_aesavs.o: ../../include/openssl/fips.h ../../include/openssl/idea.h
-fips_aesavs.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-fips_aesavs.o: ../../include/openssl/md4.h ../../include/openssl/md5.h
-fips_aesavs.o: ../../include/openssl/mdc2.h ../../include/openssl/obj_mac.h
-fips_aesavs.o: ../../include/openssl/objects.h
+fips_aes_selftest.o: ../../include/openssl/aes.h ../../include/openssl/bio.h
+fips_aes_selftest.o: ../../include/openssl/crypto.h
+fips_aes_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_aes_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+fips_aes_selftest.o: ../../include/openssl/opensslconf.h
+fips_aes_selftest.o: ../../include/openssl/opensslv.h
+fips_aes_selftest.o: ../../include/openssl/safestack.h
+fips_aes_selftest.o: ../../include/openssl/stack.h
+fips_aes_selftest.o: ../../include/openssl/symhacks.h fips_aes_selftest.c
+fips_aesavs.o: ../../e_os.h ../../include/openssl/aes.h
+fips_aesavs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_aesavs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+fips_aesavs.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+fips_aesavs.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+fips_aesavs.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+fips_aesavs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_aesavs.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+fips_aesavs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+fips_aesavs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+fips_aesavs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+fips_aesavs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 fips_aesavs.o: ../../include/openssl/opensslconf.h
 fips_aesavs.o: ../../include/openssl/opensslv.h
 fips_aesavs.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
--- a/fips/aes/fingerprint.sha1
+++ b/fips/aes/fingerprint.sha1
@@ -1,2 +1,3 @@
-SHA1(fips_aes_core.c)= 5298df7807877eed470a1ee5f8331fc0876689da
+SHA1(fips_aes_core.c)= 638c2707398fea4181243b0d7a2d6acd33084659
+SHA1(fips_aes_selftest.c)= b41f520aa90f813de815ee77ade4e7c73ef147b0
 SHA1(fips_aes_locl.h)= a3c01d9a4f9d5211e9e785852f6f1a2febfd73b6
--- a/fips/aes/fips_aes_core.c
+++ b/fips/aes/fips_aes_core.c
@@ -39,7 +39,7 @@
 #include <openssl/aes.h>
 #include "fips_aes_locl.h"

-#ifdef FIPS
+#ifdef OPENSSL_FIPS

 /*
 Te0[x] = S [x].[02, 01, 01, 03];
@@ -1257,4 +1257,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
 	PUTU32(out + 12, s3);
 }

-#endif /* def FIPS */
+#endif /* def OPENSSL_FIPS */
--- a/fips/aes/fips_aes_data/.cvsignore
+++ b/fips/aes/fips_aes_data/.cvsignore
@@ -0,0 +1 @@
+rsp
--- a/fips/aes/fips_aes_data/list
+++ b/fips/aes/fips_aes_data/list
--- a/fips/aes/fips_aes_selftest.c
+++ b/fips/aes/fips_aes_selftest.c
@@ -0,0 +1,92 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <openssl/aes.h>
+
+#ifdef OPENSSL_FIPS
+static struct
+    {
+    unsigned char key[16];
+    unsigned char plaintext[16];
+    unsigned char ciphertext[16];
+    } tests[]=
+	{
+	{
+	{ 0x00,0x01,0x02,0x03,0x04,0x05,0x06,0x07,
+	  0x08,0x09,0x0A,0x0B,0x0C,0x0D,0x0E,0x0F },
+	{ 0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,
+	  0x88,0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF },
+	{ 0x69,0xC4,0xE0,0xD8,0x6A,0x7B,0x04,0x30,
+	  0xD8,0xCD,0xB7,0x80,0x70,0xB4,0xC5,0x5A },
+	},
+	};
+
+int FIPS_selftest_aes()
+    {
+    int n;
+
+    for(n=0 ; n < 1 ; ++n)
+	{
+	AES_KEY key;
+	unsigned char buf[16];
+
+	AES_set_encrypt_key(tests[n].key,128,&key);
+	AES_encrypt(tests[n].plaintext,buf,&key);
+	if(memcmp(buf,tests[n].ciphertext,sizeof buf))
+	    {
+	    FIPSerr(FIPS_F_FIPS_SELFTEST_AES,FIPS_R_SELFTEST_FAILED);
+	    return 0;
+	    }
+	}
+    return 1;
+    }
+#endif
--- a/fips/aes/fips_aesavs.c
+++ b/fips/aes/fips_aesavs.c
@@ -19,6 +19,7 @@
 #include <openssl/evp.h>
 #include <openssl/fips.h>
 #include <openssl/err.h>
+#include "e_os.h"

 #define AES_BLOCK_SIZE 16

@@ -722,7 +723,7 @@ int proc_file(char *rqfile)
 		break;
 	    if(!strncasecmp(ibuf,"COUNT = ",8))
 		break;
-	  
+
 	    if (strncasecmp(ibuf, "KEY = ", 6) != 0)
 		{
 		printf("Missing KEY\n");
@@ -832,7 +833,7 @@ int proc_file(char *rqfile)
 		    err =1;
 		    break;
 		    }
-		
+
 		PrintValue("CIPHERTEXT", ciphertext, len);
 		if (strcmp(atest, "MCT") == 0)  /* Monte Carlo Test */
 		    {
@@ -888,8 +889,12 @@ int main(int argc, char **argv)
    char fn[250] = "", rfn[256] = "";
    int f_opt = 0, d_opt = 1;

-#ifdef FIPS
-    FIPS_mode_set(1);
+#ifdef OPENSSL_FIPS
+    if(!FIPS_mode_set(1,argv[0]))
+	{
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	exit(1);
+	}
 #endif
    ERR_load_crypto_strings();
    if (argc > 1)
--- a/fips/des/.cvsignore
+++ b/fips/des/.cvsignore
@@ -1,3 +1,5 @@
 lib
 fips_desmovs
+fips_desmovs.sha1
 testlist
+Makefile.save
--- a/fips/des/Makefile.ssl
+++ b/fips/des/Makefile.ssl
@@ -19,12 +19,12 @@ AR=		ar r
 CFLAGS= $(INCLUDES) $(CFLAG) -g

 GENERAL=Makefile
-TEST=
+TEST= fips_desmovs.c
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_des_enc.c
-LIBOBJ=fips_des_enc.o
+LIBSRC=fips_des_enc.c fips_des_selftest.c
+LIBOBJ=fips_des_enc.o fips_des_selftest.o

 SRC= $(LIBSRC)

@@ -34,7 +34,7 @@ HEADER=	$(EXHEADER) fips_des_locl.h
 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
-	(cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)

 all:	check lib

@@ -51,9 +51,9 @@ files:

 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)

 install:
 	@for i in $(EXHEADER) ; \
@@ -68,25 +68,32 @@ tags:
 tests:

 top_fips_desmovs:
-	(cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_desmovs sub_target)
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_desmovs sub_target)

-
-fips_desmovs: fips_desmovs.o ../../libcrypto.a
-	$(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o ../../libcrypto.a
+fips_desmovs: fips_desmovs.o $(TOP)/libcrypto.a
+	$(CC) $(CFLAGS) -o fips_desmovs fips_desmovs.o $(TOP)/libcrypto.a
+	TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_desmovs

 fips_test: top_fips_desmovs
 	find ../testvectors/des/req -name '*.req' > testlist
 	-rm -rf ../testvectors/des/rsp
 	mkdir ../testvectors/des/rsp
 	./fips_desmovs -d testlist
+	find ../testvectors/des2/req -name '*.req' > testlist
+	-rm -rf ../testvectors/des2/rsp
+	mkdir ../testvectors/des2/rsp
+	./fips_desmovs -d testlist
+	find ../testvectors/des3/req -name '*.req' > testlist
+	-rm -rf ../testvectors/des3/rsp
+	mkdir ../testvectors/des3/rsp
+	./fips_desmovs -d testlist

 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) \
-		$(LIBSRC) fips_aesavs.c
-
+		$(SRC) $(TEST)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
@@ -95,11 +102,45 @@ clean:
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 # DO NOT DELETE THIS LINE -- make depend depends on it.

-fips_des_enc.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-fips_des_enc.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+fips_des_enc.o: ../../e_os.h ../../include/openssl/crypto.h
+fips_des_enc.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+fips_des_enc.o: ../../include/openssl/e_os2.h
 fips_des_enc.o: ../../include/openssl/opensslconf.h
 fips_des_enc.o: ../../include/openssl/opensslv.h
 fips_des_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 fips_des_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 fips_des_enc.o: ../../include/openssl/ui_compat.h fips_des_enc.c
 fips_des_enc.o: fips_des_locl.h
+fips_des_selftest.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
+fips_des_selftest.o: ../../include/openssl/des.h
+fips_des_selftest.o: ../../include/openssl/des_old.h
+fips_des_selftest.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_des_selftest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+fips_des_selftest.o: ../../include/openssl/opensslconf.h
+fips_des_selftest.o: ../../include/openssl/opensslv.h
+fips_des_selftest.o: ../../include/openssl/safestack.h
+fips_des_selftest.o: ../../include/openssl/stack.h
+fips_des_selftest.o: ../../include/openssl/symhacks.h
+fips_des_selftest.o: ../../include/openssl/ui.h
+fips_des_selftest.o: ../../include/openssl/ui_compat.h fips_des_selftest.c
+fips_desmovs.o: ../../e_os.h ../../include/openssl/aes.h
+fips_desmovs.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+fips_desmovs.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+fips_desmovs.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
+fips_desmovs.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
+fips_desmovs.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+fips_desmovs.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+fips_desmovs.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+fips_desmovs.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+fips_desmovs.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+fips_desmovs.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+fips_desmovs.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+fips_desmovs.o: ../../include/openssl/opensslconf.h
+fips_desmovs.o: ../../include/openssl/opensslv.h
+fips_desmovs.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
+fips_desmovs.o: ../../include/openssl/rc4.h ../../include/openssl/rc5.h
+fips_desmovs.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
+fips_desmovs.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+fips_desmovs.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+fips_desmovs.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+fips_desmovs.o: fips_desmovs.c
--- a/fips/des/fingerprint.sha1
+++ b/fips/des/fingerprint.sha1
@@ -1,2 +1,3 @@
-SHA1(fips_des_enc.c)= 1661dde9506404376f9565d8c6f49c205a468995
-SHA1(fips_des_locl.h)= 5e5128f074485e72d6fdee00d22d46a694bd5abe
+SHA1(fips_des_enc.c)= 75389f527cc456178e6a2e35f82bf49f98fe3e90
+SHA1(fips_des_selftest.c)= d81ee4db762d89cca749138a99100d342f195665
+SHA1(fips_des_locl.h)= a4cf60ca32476a2483b3e4460ec9a19c0444fd20
--- a/fips/des/fips_des_enc.c
+++ b/fips/des/fips_des_enc.c
@@ -58,7 +58,7 @@

 #include "fips_des_locl.h"

-#ifdef FIPS
+#ifdef OPENSSL_FIPS

 void DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 	{
@@ -289,9 +289,9 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
 	data[1]=r;
 	}

-#else /* ndef FIPS */
+#else /* ndef OPENSSL_FIPS */

 static void *dummy=&dummy;

-#endif /* ndef FIPS */
+#endif /* ndef OPENSSL_FIPS */

--- a/fips/des/fips_des_locl.h
+++ b/fips/des/fips_des_locl.h
@@ -59,7 +59,7 @@
 #ifndef HEADER_DES_LOCL_H
 #define HEADER_DES_LOCL_H

-#include <openssl/e_os2.h>
+#include "e_os.h"

 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
 #ifndef OPENSSL_SYS_MSDOS
--- a/fips/des/fips_des_selftest.c
+++ b/fips/des/fips_des_selftest.c
@@ -0,0 +1,95 @@
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+#include <openssl/err.h>
+#include <openssl/fips.h>
+#include <openssl/des.h>
+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_FIPS
+static struct
+    {
+    DES_cblock key;
+    DES_cblock plaintext;
+    unsigned char ciphertext[8];
+    } tests[]=
+	{
+	{
+	{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+	{ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 },
+	{ 0x8C,0xA6,0x4D,0xE9,0xC1,0xB1,0x23,0xA7 }
+	},
+	{
+	{ 0xFE,0xDC,0xBA,0x98,0x76,0x54,0x32,0x10 },
+	{ 0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF },
+	{ 0xED,0x39,0xD9,0x50,0xFA,0x74,0xBC,0xC4 },
+	},
+	};
+
+int FIPS_selftest_des()
+    {
+    int n;
+
+    for(n=0 ; n < 2 ; ++n)
+	{
+	DES_key_schedule key;
+	DES_cblock buf;
+
+	DES_set_key(&tests[n].key,&key);
+	DES_ecb_encrypt(&tests[n].plaintext,&buf,&key,1);
+	if(memcmp(buf,tests[n].ciphertext,sizeof buf))
+	    {
+	    FIPSerr(FIPS_F_FIPS_SELFTEST_DES,FIPS_R_SELFTEST_FAILED);
+	    return 0;
+	    }
+	}
+    return 1;
+    }
+#endif
--- a/fips/des/fips_desmovs.c
+++ b/fips/des/fips_desmovs.c
@@ -20,8 +20,9 @@
 #include <openssl/evp.h>
 #include <openssl/fips.h>
 #include <openssl/err.h>
+#include "e_os.h"

-//#define AES_BLOCK_SIZE 16
+/*#define AES_BLOCK_SIZE 16*/

 #define VERBOSE 0

@@ -59,10 +60,10 @@ int DESTest(EVP_CIPHER_CTX *ctx,
 	}
    if (ret)
 	{
-	if (akeysz != 64)
+	if (akeysz != 64 && akeysz != 192)
 	    {
 	    printf("Invalid key size: %d\n", akeysz);
-	    ret = 0;
+	    exit(1);
 	    }
 	else
 	    {
@@ -72,21 +73,39 @@ int DESTest(EVP_CIPHER_CTX *ctx,
 	    case 1064:
 		cipher=EVP_des_cbc();
 		break;
+	    case 1192:
+		cipher=EVP_des_ede3_cbc();
+		break;
 	    case 2064:
 		cipher=EVP_des_ecb();
 		break;
+	    case 2192:
+		cipher=EVP_des_ede3_ecb();
+		break;
 	    case 3064:
 		cipher=EVP_des_cfb64();
 		break;
+	    case 3192:
+		cipher=EVP_des_ede3_cfb64();
+		break;
 	    case 4064:
 		cipher=EVP_des_ofb();
 		break;
+	    case 4192:
+		cipher=EVP_des_ede3_ofb();
+		break;
 	    case 5064:
 		cipher=EVP_des_cfb1();
 		break;
+	    case 5192:
+		cipher=EVP_des_ede3_cfb1();
+		break;
 	    case 6064:
 		cipher=EVP_des_cfb8();
 		break;
+	    case 6192:
+		cipher=EVP_des_ede3_cfb8();
+		break;
 	    default:
 		printf("Didn't handle mode %d\n",kt);
 		exit(1);
@@ -248,7 +267,7 @@ void do_mct(char *amode,
 	    FILE *rfp)
    {
    int i,imode;
-    unsigned char nk[16]; // double size to make the bitshift easier
+    unsigned char nk[16]; /* double size to make the bitshift easier */

    for (imode=0 ; imode < 6 ; ++imode)
 	if(!strcmp(amode,t_mode[imode]))
@@ -291,12 +310,12 @@ void do_mct(char *amode,
 	    if(j == 9999)
 		{
 		OutputValue(t_tag[dir],text,len,rfp,imode == CFB1);
-		//		memcpy(ivec,text,8);
+		/*		memcpy(ivec,text,8); */
 		}
-	    //	    DebugValue("iv",ctx.iv,8);
+	    /*	    DebugValue("iv",ctx.iv,8); */
 	    /* accumulate material for the next key */
 	    shiftin(nk,text,Sizes[imode]);
-	    //	    DebugValue("nk",nk,8);
+	    /*	    DebugValue("nk",nk,8); */
 	    if(imode == CFB1 || imode == CFB8 || imode == CBC)
 		memcpy(text,old_iv,8);
 	    }
@@ -312,7 +331,6 @@ int proc_file(char *rqfile)
    FILE *afp = NULL, *rfp = NULL;
    char ibuf[2048];
    int ilen, len, ret = 0;
-    char algo[8] = "";
    char amode[8] = "";
    char atest[100] = "";
    int akeysz=0;
@@ -353,18 +371,20 @@ int proc_file(char *rqfile)
    while (!err && (fgets(ibuf, sizeof(ibuf), afp)) != NULL)
 	{
 	ilen = strlen(ibuf);
-	//	printf("step=%d ibuf=%s",step,ibuf);
+	/*	printf("step=%d ibuf=%s",step,ibuf);*/
+	if(step == 3 && !strcmp(amode,"ECB"))
+	    {
+	    memset(iVec, 0, sizeof(iVec));
+	    step = (dir)? 4: 5;  /* no ivec for ECB */
+	    }
 	switch (step)
 	    {
 	case 0:  /* read preamble */
 	    if (ibuf[0] == '\n')
 		{ /* end of preamble */
-		if ((*algo == '\0') ||
-		    (*amode == '\0') ||
-		    (akeysz == 0))
+		if (*amode == '\0')
 		    {
-		    printf("Missing Algorithm, Mode or KeySize (%s/%s/%d)\n",
-			   algo,amode,akeysz);
+		    printf("Missing Mode\n");
 		    err = 1;
 		    }
 		else
@@ -382,7 +402,7 @@ int proc_file(char *rqfile)
 		{ /* process preamble */
 		char *xp, *pp = ibuf+2;
 		int n;
-		if (akeysz)
+		if(*amode)
 		    { /* insert current time & date */
 		    time_t rtim = time(0);
 		    fprintf(rfp, "# %s", ctime(&rtim));
@@ -391,14 +411,16 @@ int proc_file(char *rqfile)
 		    {
 		    fputs(ibuf, rfp);
 		    if(!strncmp(pp,"INVERSE ",8) || !strncmp(pp,"DES ",4)
+		       || !strncmp(pp,"TDES ",5)
 		       || !strncmp(pp,"PERMUTATION ",12)
 		       || !strncmp(pp,"SUBSTITUTION ",13)
 		       || !strncmp(pp,"VARIABLE ",9))
 			{
-			strcpy(algo, "DES");
 			/* get test type */
 			if(!strncmp(pp,"DES ",4))
 			    pp+=4;
+			else if(!strncmp(pp,"TDES ",5))
+			    pp+=5;
 			xp = strchr(pp, ' ');
 			n = xp-pp;
 			strncpy(atest, pp, n);
@@ -409,10 +431,8 @@ int proc_file(char *rqfile)
 			strncpy(amode, xp+1, n);
 			amode[n] = '\0';
 			/* amode[3] = '\0'; */
-			printf("Test = %s, Mode = %s\n", atest, amode);
+			printf("Test=%s, Mode=%s\n",atest,amode);
 			}
-		    else if(!strncmp(pp,"State :",7))
-			akeysz=64;
 		    }
 		}
 	    break;
@@ -450,30 +470,62 @@ int proc_file(char *rqfile)
 		break;
 	    if(!strncasecmp(ibuf,"COUNT = ",8))
 		break;
+	    if(!strncasecmp(ibuf,"COUNT=",6))
+		break;
+	    if(!strncasecmp(ibuf,"NumKeys = ",10))
+		break;
 	  
-	    if (strncasecmp(ibuf, "KEY = ", 6) != 0)
-		{
-		printf("Missing KEY\n");
-		err = 1;
-		}
-	    else
+	    if(!strncasecmp(ibuf,"KEY = ",6))
 		{
+		akeysz=64;
 		len = hex2bin((char*)ibuf+6, strlen(ibuf+6)-1, aKey);
 		if (len < 0)
 		    {
 		    printf("Invalid KEY\n");
-		    err =1;
+		    err=1;
 		    break;
 		    }
 		PrintValue("KEY", aKey, len);
-		if (strcmp(amode, "ECB") == 0)
+		++step;
+		}
+	    else if(!strncasecmp(ibuf,"KEYs = ",7))
+		{
+		akeysz=64*3;
+		len=hex2bin(ibuf+7,strlen(ibuf+7)-1,aKey);
+		if(len != 8)
 		    {
-		    memset(iVec, 0, sizeof(iVec));
-		    step = (dir)? 4: 5;  /* no ivec for ECB */
+		    printf("Invalid KEY\n");
+		    err=1;
+		    break;
 		    }
-		else
+		memcpy(aKey+8,aKey,8);
+		memcpy(aKey+16,aKey,8);
+		ibuf[4]='\0';
+		PrintValue("KEYs",aKey,len);
+		++step;
+		}
+	    else if(!strncasecmp(ibuf,"KEY",3))
+		{
+		int n=ibuf[3]-'1';
+
+		akeysz=64*3;
+		len=hex2bin(ibuf+7,strlen(ibuf+7)-1,aKey+n*8);
+		if(len != 8)
+		    {
+		    printf("Invalid KEY\n");
+		    err=1;
+		    break;
+		    }
+		ibuf[4]='\0';
+		PrintValue(ibuf,aKey,len);
+		if(n == 2)
 		    ++step;
 		}
+	    else
+		{
+		printf("Missing KEY\n");
+		err = 1;
+		}
 	    break;

 	case 3: /* IV = xxxx */
@@ -615,8 +667,13 @@ int main(int argc, char **argv)
    char fn[250] = "", rfn[256] = "";
    int f_opt = 0, d_opt = 1;

-#ifdef FIPS
-    FIPS_mode_set(1);
+#ifdef OPENSSL_FIPS
+    if(!FIPS_mode_set(1,argv[0]))
+	{
+	ERR_load_crypto_strings();
+	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+	exit(1);
+	}
 #endif
    ERR_load_crypto_strings();
    if (argc > 1)
--- a/fips/dsa/.cvsignore
+++ b/fips/dsa/.cvsignore
@@ -1,2 +1,4 @@
 Makefile.save
 lib
+fips_dssvs
+fips_dssvs.sha1
--- a/fips/dsa/Makefile.ssl
+++ b/fips/dsa/Makefile.ssl
@@ -1,5 +1,5 @@
 #
-# SSLeay/fips/sha1/Makefile
+# SSLeay/fips/dsa/Makefile
 #

 DIR=	dsa
@@ -23,8 +23,8 @@ TEST=fips_dsatest.c
 APPS=

 LIB=$(TOP)/libcrypto.a
-LIBSRC=fips_dsa_ossl.c
-LIBOBJ=fips_dsa_ossl.o
+LIBSRC=fips_dsa_ossl.c fips_dsa_gen.c fips_dsa_selftest.c
+LIBOBJ=fips_dsa_ossl.o fips_dsa_gen.o fips_dsa_selftest.o

 SRC= $(LIBSRC)

@@ -34,7 +34,7 @@ HEADER=	$(EXHEADER)
 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
-	(cd ../..; $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) sub_all)

 all:	check lib

@@ -51,9 +51,9 @@ files:

 links:
 	@$(TOP)/util/point.sh Makefile.ssl Makefile
-	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
-	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/include/openssl $(EXHEADER)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/test $(TEST)
+	@$(PERL) $(TOP)/util/mklink.pl $(TOP)/apps $(APPS)

 install:
 	@for i in $(EXHEADER) ; \
@@ -67,11 +67,27 @@ tags:

 tests:

+top_fips_dssvs:
+	(cd $(TOP); $(MAKE) DIRS=fips FDIRS=$(DIR) TARGET=fips_dssvs sub_target)
+
+fips_dssvs: fips_dssvs.o $(TOP)/libcrypto.a
+	$(CC) $(CFLAGS) -o fips_dssvs fips_dssvs.o $(TOP)/libcrypto.a
+	TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a fips_dssvs
+
+Q=../testvectors/dsa/req
+A=../testvectors/dsa/rsp
+
+fips_test: top_fips_dssvs
+	-rm -rf $A
+	mkdir $A
+	./fips_dssvs prime < $Q/prime.req > $A/prime.rsp
+	./fips_dssvs pqg < $Q/pqg.req > $A/pqg.rsp
+
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(SRC) $(TEST)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -81,6 +97,25 @@ clean:
 	rm -f *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
 # DO NOT DELETE THIS LINE -- make depend depends on it.

+fips_dsa_gen.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
+fips_dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
+fips_dsa_gen.o: ../../include/openssl/bn.h ../../include/openssl/cast.h
+fips_dsa_gen.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fips_dsa_gen.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+fips_dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+fips_dsa_gen.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
+fips_dsa_gen.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
+fips_dsa_gen.o: ../../include/openssl/md5.h ../../include/openssl/mdc2.h
+fips_dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+fips_dsa_gen.o: ../../include/openssl/opensslconf.h
+fips_dsa_gen.o: ../../include/openssl/opensslv.h
+fips_dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+fips_dsa_gen.o: ../../include/openssl/rc2.h ../../include/openssl/rc4.h
+fips_dsa_gen.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
+fips_dsa_gen.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+fips_dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+fips_dsa_gen.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+fips_dsa_gen.o: ../../include/openssl/ui_compat.h fips_dsa_gen.c
 fips_dsa_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 fips_dsa_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 fips_dsa_ossl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
@@ -93,3 +128,29 @@ fips_dsa_ossl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 fips_dsa_ossl.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 fips_dsa_ossl.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 fips_dsa_ossl.o: ../../include/openssl/ui.h fips_dsa_ossl.c
+fips_dsa_selftest.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+fips_dsa_selftest.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
+fips_dsa_selftest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+fips_dsa_selftest.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+fips_dsa_selftest.o: ../../include/openssl/lhash.h
+fips_dsa_selftest.o: ../../include/openssl/opensslconf.h
+fips_dsa_selftest.o: ../../include/openssl/opensslv.h
+fips_dsa_selftest.o: ../../include/openssl/ossl_typ.h
+fips_dsa_selftest.o: ../../include/openssl/safestack.h
+fips_dsa_selftest.o: ../../include/openssl/stack.h
+fips_dsa_selftest.o: ../../include/openssl/symhacks.h fips_dsa_selftest.c
+fips_dsatest.o: ../../e_os.h ../../include/openssl/asn1.h
+fips_dsatest.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+fips_dsatest.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+fips_dsatest.o: ../../include/openssl/des_old.h ../../include/openssl/dh.h
+fips_dsatest.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
+fips_dsatest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+fips_dsatest.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
+fips_dsatest.o: ../../include/openssl/lhash.h
+fips_dsatest.o: ../../include/openssl/opensslconf.h
+fips_dsatest.o: ../../include/openssl/opensslv.h
+fips_dsatest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+fips_dsatest.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+fips_dsatest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+fips_dsatest.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+fips_dsatest.o: fips_dsatest.c
--- a/fips/dsa/fingerprint.sha1
+++ b/fips/dsa/fingerprint.sha1
@@ -1 +1,3 @@
-SHA1(fips_dsa_ossl.c)= eb769361b524507754bcbfbda92b973e37433478
+SHA1(fips_dsa_ossl.c)= 7902d159932771d749ecba2ebf78995240356990
+SHA1(fips_dsa_gen.c)= 37549c7769084e9989a3a26f7732557d3b691812
+SHA1(fips_dsa_selftest.c)= d638e2d13912befe42e0ed6efa8a27719b6689d5
--- a/fips/dsa/fips_dsa_gen.c
+++ b/fips/dsa/fips_dsa_gen.c
@@ -0,0 +1,306 @@
+/* crypto/dsa/dsa_gen.c */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#undef GENUINE_DSA
+
+#ifdef GENUINE_DSA
+/* Parameter generation follows the original release of FIPS PUB 186,
+ * Appendix 2.2 (i.e. use SHA as defined in FIPS PUB 180) */
+#define HASH    EVP_sha()
+#else
+/* Parameter generation follows the updated Appendix 2.2 for FIPS PUB 186,
+ * also Appendix 2.2 of FIPS PUB 186-1 (i.e. use SHA as defined in
+ * FIPS PUB 180-1) */
+#define HASH    EVP_sha1()
+#endif 
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+/*#include "cryptlib.h"*/
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_SHA
+#include <openssl/dsa.h>
+#endif
+#ifndef OPENSSL_NO_RAND
+#include <openssl/rand.h>
+#endif
+#ifndef OPENSSL_NO_SHA
+#include <openssl/sha.h>
+
+#ifdef OPENSSL_FIPS
+
+DSA *DSA_generate_parameters(int bits,
+		unsigned char *seed_in, int seed_len,
+		int *counter_ret, unsigned long *h_ret,
+		void (*callback)(int, int, void *),
+		void *cb_arg)
+	{
+	int ok=0;
+	unsigned char seed[SHA_DIGEST_LENGTH];
+	unsigned char md[SHA_DIGEST_LENGTH];
+	unsigned char buf[SHA_DIGEST_LENGTH],buf2[SHA_DIGEST_LENGTH];
+	BIGNUM *r0,*W,*X,*c,*test;
+	BIGNUM *g=NULL,*q=NULL,*p=NULL;
+	BN_MONT_CTX *mont=NULL;
+	int k,n=0,i,b,m=0;
+	int counter=0;
+	int r=0;
+	BN_CTX *ctx=NULL,*ctx2=NULL,*ctx3=NULL;
+	unsigned int h=2;
+	DSA *ret=NULL;
+	unsigned char *seed_out=seed_in;
+
+	if (bits < 512) bits=512;
+	bits=(bits+63)/64*64;
+
+	if (seed_len < 20)
+		seed_in = NULL; /* seed buffer too small -- ignore */
+	if (seed_len > 20) 
+		seed_len = 20; /* App. 2.2 of FIPS PUB 186 allows larger SEED,
+		                * but our internal buffers are restricted to 160 bits*/
+	if ((seed_in != NULL) && (seed_len == 20))
+		memcpy(seed,seed_in,seed_len);
+
+	if ((ctx=BN_CTX_new()) == NULL) goto err;
+	if ((ctx2=BN_CTX_new()) == NULL) goto err;
+	if ((ctx3=BN_CTX_new()) == NULL) goto err;
+	if ((ret=DSA_new()) == NULL) goto err;
+
+	if ((mont=BN_MONT_CTX_new()) == NULL) goto err;
+
+	BN_CTX_start(ctx2);
+	r0 = BN_CTX_get(ctx2);
+	g = BN_CTX_get(ctx2);
+	W = BN_CTX_get(ctx2);
+	q = BN_CTX_get(ctx2);
+	X = BN_CTX_get(ctx2);
+	c = BN_CTX_get(ctx2);
+	p = BN_CTX_get(ctx2);
+	test = BN_CTX_get(ctx2);
+
+	BN_lshift(test,BN_value_one(),bits-1);
+
+	for (;;)
+		{
+		for (;;) /* find q */
+			{
+			int seed_is_random;
+
+			/* step 1 */
+			if (callback != NULL) callback(0,m++,cb_arg);
+
+			if (!seed_len)
+				{
+				if(RAND_pseudo_bytes(seed,SHA_DIGEST_LENGTH) < 0)
+					goto err;
+				seed_is_random = 1;
+				}
+			else
+				{
+				seed_is_random = 0;
+				seed_len=0; /* use random seed if 'seed_in' turns out to be bad*/
+				}
+			memcpy(buf,seed,SHA_DIGEST_LENGTH);
+			memcpy(buf2,seed,SHA_DIGEST_LENGTH);
+			/* precompute "SEED + 1" for step 7: */
+			for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
+				{
+				buf[i]++;
+				if (buf[i] != 0) break;
+				}
+
+			/* step 2 */
+			EVP_Digest(seed,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
+			EVP_Digest(buf,SHA_DIGEST_LENGTH,buf2,NULL,HASH, NULL);
+			for (i=0; i<SHA_DIGEST_LENGTH; i++)
+				md[i]^=buf2[i];
+
+			/* step 3 */
+			md[0]|=0x80;
+			md[SHA_DIGEST_LENGTH-1]|=0x01;
+			if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,q)) goto err;
+
+			/* step 4 */
+			r = BN_is_prime_fasttest(q, DSS_prime_checks, callback, ctx3, cb_arg, seed_is_random);
+			if (r > 0)
+				break;
+			if (r != 0)
+				goto err;
+
+			/* do a callback call */
+			/* step 5 */
+			}
+
+		if (callback != NULL) callback(2,0,cb_arg);
+		if (callback != NULL) callback(3,0,cb_arg);
+
+		/* step 6 */
+		counter=0;
+		/* "offset = 2" */
+
+		n=(bits-1)/160;
+		b=(bits-1)-n*160;
+
+		for (;;)
+			{
+			if (callback != NULL && counter != 0)
+				callback(0,counter,cb_arg);
+
+			/* step 7 */
+			BN_zero(W);
+			/* now 'buf' contains "SEED + offset - 1" */
+			for (k=0; k<=n; k++)
+				{
+				/* obtain "SEED + offset + k" by incrementing: */
+				for (i=SHA_DIGEST_LENGTH-1; i >= 0; i--)
+					{
+					buf[i]++;
+					if (buf[i] != 0) break;
+					}
+
+				EVP_Digest(buf,SHA_DIGEST_LENGTH,md,NULL,HASH, NULL);
+
+				/* step 8 */
+				if (!BN_bin2bn(md,SHA_DIGEST_LENGTH,r0))
+					goto err;
+				BN_lshift(r0,r0,160*k);
+				BN_add(W,W,r0);
+				}
+
+			/* more of step 8 */
+			BN_mask_bits(W,bits-1);
+			BN_copy(X,W); /* this should be ok */
+			BN_add(X,X,test); /* this should be ok */
+
+			/* step 9 */
+			BN_lshift1(r0,q);
+			BN_mod(c,X,r0,ctx);
+			BN_sub(r0,c,BN_value_one());
+			BN_sub(p,X,r0);
+
+			/* step 10 */
+			if (BN_cmp(p,test) >= 0)
+				{
+				/* step 11 */
+				r = BN_is_prime_fasttest(p, DSS_prime_checks, callback, ctx3, cb_arg, 1);
+				if (r > 0)
+						goto end; /* found it */
+				if (r != 0)
+					goto err;
+				}
+
+			/* step 13 */
+			counter++;
+			/* "offset = offset + n + 1" */
+
+			/* step 14 */
+			if (counter >= 4096) break;
+			}
+		}
+end:
+	if (callback != NULL) callback(2,1,cb_arg);
+
+	/* We now need to generate g */
+	/* Set r0=(p-1)/q */
+	BN_sub(test,p,BN_value_one());
+	BN_div(r0,NULL,test,q,ctx);
+
+	BN_set_word(test,h);
+	BN_MONT_CTX_set(mont,p,ctx);
+
+	for (;;)
+		{
+		/* g=test^r0%p */
+		BN_mod_exp_mont(g,test,r0,p,ctx,mont);
+		if (!BN_is_one(g)) break;
+		BN_add(test,test,BN_value_one());
+		h++;
+		}
+
+	if (callback != NULL) callback(3,1,cb_arg);
+
+	ok=1;
+err:
+	if (!ok)
+		{
+		if (ret != NULL) DSA_free(ret);
+		}
+	else
+		{
+		ret->p=BN_dup(p);
+		ret->q=BN_dup(q);
+		ret->g=BN_dup(g);
+		if(seed_out != NULL) memcpy(seed_out,seed,20);
+		if (counter_ret != NULL) *counter_ret=counter;
+		if (h_ret != NULL) *h_ret=h;
+		}
+	if (ctx != NULL) BN_CTX_free(ctx);
+	if (ctx2 != NULL)
+		{
+		BN_CTX_end(ctx2);
+		BN_CTX_free(ctx2);
+		}
+	if (ctx3 != NULL) BN_CTX_free(ctx3);
+	if (mont != NULL) BN_MONT_CTX_free(mont);
+	return(ok?ret:NULL);
+	}
+#endif
+
+#endif
--- a/fips/dsa/fips_dsa_ossl.c
+++ b/fips/dsa/fips_dsa_ossl.c
@@ -68,7 +68,7 @@
 #endif
 #include <openssl/fips.h>

-#ifdef FIPS
+#ifdef OPENSSL_FIPS

 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
@@ -367,8 +367,8 @@ static int dsa_bn_mod_exp(DSA *dsa, BIGNUM *r, BIGNUM *a, const BIGNUM *p,
 	return BN_mod_exp_mont(r, a, p, m, ctx, m_ctx);
 }

-#else /* ndef FIPS */
+#else /* ndef OPENSSL_FIPS */

 static void *dummy=&dummy;

-#endif /* ndef FIPS */
+#endif /* ndef OPENSSL_FIPS */
--- a/Show More
+++ b/Show More