Prepare for release

libeay32.dll to be explicitly specified.

CHANGES

@@ -2,6 +2,21 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.7i and 0.9.7j  [04 May 2006]
+
+  *) Adapt fipsld and the build system to link against the validated FIPS
+     module in FIPS mode.
+     [Steve Henson]
+
+  *) Fixes for VC++ 2005 build under Windows.
+     [Steve Henson]
+
+  *) Add new Windows build target VC-32-GMAKE for VC++. This uses GNU make 
+     from a Windows bash shell such as MSYS. It is autodetected from the
+     "config" script when run from a VC++ environment. Modify standard VC++
+     build to use fipscanister.o from the GNU make build. 
+     [Steve Henson]
+
  Changes between 0.9.7h and 0.9.7i  [14 Oct 2005]
 
   *) Wrapped the definition of EVP_MAX_MD_SIZE in a #ifdef OPENSSL_FIPS.
@@ -17,7 +32,7 @@
      (part of SSL_OP_ALL).  This option used to disable the
      countermeasure against man-in-the-middle protocol-version
      rollback in the SSL 2.0 server implementation, which is a bad
-     idea.  (CAN-2005-2969)
+     idea.  (CVE-2005-2969)
 
      [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
      for Information Security, National Institute of Advanced Industrial
@@ -182,11 +197,11 @@
  Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)                    
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)                    
      [Joe Orton, Steve Henson]   
 
   *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
-     (CAN-2004-0112)
+     (CVE-2004-0112)
      [Joe Orton, Steve Henson]   
 
   *) Make it possible to have multiple active certificates with the same
@@ -229,9 +244,9 @@
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
-     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+     Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).
 
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -316,7 +331,7 @@
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -533,7 +548,7 @@
 
      Remote buffer overflow in SSL3 protocol - an attacker could
      supply an oversized master key in Kerberos-enabled versions.
-     (CAN-2002-0657)
+     (CVE-2002-0657)
      [Ben Laurie (CHATS)]
 
   *) Change the SSL kerb5 codes to match RFC 2712.
@@ -2217,7 +2232,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 
   *) Fix null-pointer assignment in do_change_cipher_spec() revealed
-     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     by using the Codenomicon TLS Test Tool (CVE-2004-0079)
      [Joe Orton, Steve Henson]
 
  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
@@ -2225,7 +2240,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix additional bug revealed by the NISCC test suite:
 
      Stop bug triggering large recursion when presented with
-     certain ASN.1 tags (CAN-2003-0851)
+     certain ASN.1 tags (CVE-2003-0851)
      [Steve Henson]
 
  Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
@@ -2233,7 +2248,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Fix various bugs revealed by running the NISCC test suite:
 
      Stop out of bounds reads in the ASN1 code when presented with
-     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     invalid tags (CVE-2003-0543 and CVE-2003-0544).
      
      If verify callback ignores invalid public key errors don't try to check
      certificate signature with the NULL public key.
@@ -2285,7 +2300,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      via timing by performing a MAC computation even if incorrrect
      block cipher padding has been found.  This is a countermeasure
      against active attacks where the attacker has to distinguish
-     between bad padding and a MAC verification error. (CAN-2003-0078)
+     between bad padding and a MAC verification error. (CVE-2003-0078)
 
      [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
      Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
@@ -2418,7 +2433,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
   *) Add various sanity checks to asn1_get_length() to reject
      the ASN1 length bytes if they exceed sizeof(long), will appear
      negative or the content length exceeds the length of the
-     supplied buffer. (CAN-2002-0659)
+     supplied buffer. (CVE-2002-0659)
      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 
   *) Assertions for various potential buffer overflows, not known to
@@ -2426,15 +2441,15 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
      [Ben Laurie (CHATS)]
 
   *) Various temporary buffers to hold ASCII versions of integers were
-     too small for 64 bit platforms. (CAN-2002-0655)
+     too small for 64 bit platforms. (CVE-2002-0655)
      [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
 
   *) Remote buffer overflow in SSL3 protocol - an attacker could
-     supply an oversized session ID to a client. (CAN-2002-0656)
+     supply an oversized session ID to a client. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
   *) Remote buffer overflow in SSL2 protocol - an attacker could
-     supply an oversized client master key. (CAN-2002-0656)
+     supply an oversized client master key. (CVE-2002-0656)
      [Ben Laurie (CHATS)]
 
  Changes between 0.9.6c and 0.9.6d  [9 May 2002]

Configure

@@ -205,7 +205,7 @@ my %table=(
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
 "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
@@ -563,7 +563,7 @@ my %table=(
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 "darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/osx_ppc32.o:::::::::dlfcn:darwin-shared:-fPIC -fno-common::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
@@ -621,6 +621,8 @@ my $prefix="";
 my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
+my $fipslibdir="/usr/local/ssl/lib";
+my $baseaddr="0xFB00000";
 my $no_threads=0;
 my $no_shared=1;
 my $zlib=0;
@@ -806,7 +808,7 @@ PROCESS_ARGS:
 				{
 				while (<IN>)
 					{
-					chop;
+					chomp;
 					if (/^CONFIGURE_ARGS=(.*)/)
 						{
 						$argvstring=$1;
@@ -865,6 +867,22 @@ PROCESS_ARGS:
 				{
 				$withargs{"krb5-".$1}=$2;
 				}
+			elsif (/^--with-zlib-lib=(.*)$/)
+				{
+				$withargs{"zlib-lib"}=$1;
+				}
+			elsif (/^--with-fipslibdir=(.*)$/)
+				{
+				$fipslibdir="$1";
+				}
+			elsif (/^--with-baseaddr=(.*)$/)
+				{
+				$baseaddr="$1";
+				}
+			elsif (/^--with-zlib-include=(.*)$/)
+				{
+				$withargs{"zlib-include"}="-I$1";
+				}
 			else
 				{
 				print STDERR $usage;
@@ -964,6 +982,21 @@ chop $prefix if $prefix =~ /\/$/;
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
 $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
+if ($fips && ! -f "$fipslibdir/fipscanister.o")
+	{
+	my $fipswinerr = "";
+	$fipswinerr = <<EOF if $IsWindows;
+ Ensure that the correct path to the FIPS module directory
+has been given to the --with-fipslibdir option.
+EOF
+	print STDERR <<EOF;
+The file fipscanister.o could not be located. Please build and install the
+FIPS module using the instructions in the user guide before compiling OpenSSL
+in FIPS mode.$fipswinerr
+EOF
+	exit 1;
+	}
+
 
 print "IsWindows=$IsWindows\n";
 
@@ -1152,6 +1185,7 @@ if (!$no_shared)
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag -DOPENSSL_PIC $cflags";
+		$shared_ldflag = "$shared_ldflag $shared_cflag" if($fips);
 		}
 	}
 
@@ -1261,7 +1295,7 @@ print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
 	{
-	chop;
+	chomp;
 	$sdirs = 1 if /^SDIRS=/;
 	if ($sdirs) {
 		my $dir;
@@ -1308,6 +1342,10 @@ while (<IN>)
 	s/^PERL=.*/PERL= $perl/;
 	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^LIBKRB5=.*/LIBKRB5=$withargs{"krb5-lib"}/;
+	s/^LIBZLIB=.*/LIBZLIB=$withargs{"zlib-lib"}/;
+	s/^FIPSLIBDIR=.*/FIPSLIBDIR=$fipslibdir/;
+	s/^BASEADDR=.*/BASEADDR=$baseaddr/;
+	s/^ZLIB_INCLUDE=.*/ZLIB_INCLUDE=$withargs{"zlib-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);

FAQ

@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7i was released on October 14, 2005.
+OpenSSL 0.9.7j was released on May 4, 2006.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Makefile.org

@@ -172,11 +172,29 @@ RMD160_ASM_OBJ= asm/rm86-out.o
 KRB5_INCLUDES=
 LIBKRB5=
 
+# Zlib stuff
+ZLIB_INCLUDE=
+LIBZLIB=
+
+# This is the location of fipscanister.o and friends.
+# The FIPS module build will place it $(INSTALLTOP)/lib
+# but since $(INSTALLTOP) can only take the default value
+# when the module is built it will be in /usr/local/ssl/lib
+# $(INSTALLTOP) for this build make be different so hard
+# code the path.
+
+FIPSLIBDIR=/usr/local/ssl/lib
+
+# Shared library base address. Currently only used on Windows.
+#
+
+BASEADDR=
+
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
 
-DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
+DIRS=   crypto fips-1.0 ssl $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
@@ -206,7 +224,6 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
-SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -226,19 +243,12 @@ HEADER=         e_os.h
 
 all: Makefile sub_all openssl.pc
 
-sigs:	$(SIGS)
-libcrypto.a.sha1: libcrypto.a
-	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-		$(RANLIB) libcrypto.a; \
-		fips/sha/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
-	fi
-
 sub_all:
 	@for i in $(DIRS); \
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' FIPS_AES_ENC='${FIPS_AES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' FIPSLIBDIR='${FIPSLIBDIR}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -258,9 +268,6 @@ sub_target:
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
-        	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-                    fips/sha/fips_standalone_sha1 -binary $@ > $@.$${HMAC_EXT:-sha1}; \
-		fi; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
@@ -308,7 +315,7 @@ do_gnu-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-Bsymbolic \
@@ -325,7 +332,7 @@ do_darwin-shared:
 	if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		--verbose -dynamiclib -o lib$$i${SHLIB_EXT} \
 		lib$$i.a $$libs -all_load -current_version ${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-compatibility_version ${SHLIB_MAJOR}.`echo ${SHLIB_MINOR} | cut -d. -f1` \
@@ -344,13 +351,14 @@ do_cygwin-shared:
 	[ -f apps/$$shlib ] && rm apps/$$shlib; \
 	[ -f test/$$shlib ] && rm test/$$shlib; \
 	base=;  [ $$i = "crypto" ] && base=-Wl,--image-base,0x63000000; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-shared $$base -o $$shlib \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
 		-Wl,--no-whole-archive $$libs ${EX_LIBS} ) || exit 1; \
 	cp -p $$shlib apps/; cp -p $$shlib test/; \
+	touch -c lib$$i.dll.a; \
 	libs="-l$$i $$libs"; \
 	done
 
@@ -363,7 +371,7 @@ do_alpha-osf1-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
@@ -382,7 +390,7 @@ do_tru64-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} ) || exit 1; \
@@ -401,7 +409,7 @@ do_tru64-shared-rpath:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -msym -o lib$$i.so \
 			-rpath  ${INSTALLTOP}/lib \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
@@ -423,7 +431,7 @@ do_solaris-shared:
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  MINUSZ='-z '; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-Bsymbolic \
@@ -448,7 +456,7 @@ do_svr3-shared:
 		  for obj in `ar t lib$$i.a` ; do \
 		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
@@ -474,7 +482,7 @@ do_svr5-shared:
 		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
 		  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
-			${CC} ${SHARED_LDFLAGS} \
+			$${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
@@ -493,7 +501,7 @@ do_irix-shared:
 		fi; \
 		( WHOLELIB="-all lib$$i.a -none"; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-none"; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
+		  set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${WHOLELIB} $$libs ${EX_LIBS}) || exit 1; \
@@ -516,7 +524,7 @@ do_hpux-shared:
 	[ -f $$shlib ] && rm -f $$shlib; \
 	ALLSYMSFLAGS='-Wl,-Fl'; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	( set -x; ${CC} ${SHARED_LDFLAGS} \
+	( set -x; $${FIPSLD:-${CC}} ${SHARED_LDFLAGS} \
 		-Wl,-B,symbolic,+vnocompatwarnings,-z,+h,$$shlib \
 		-o $$shlib $$ALLSYMSFLAGS,lib$$i.a -ldld ) || exit 1; \
 	chmod a=rx $$shlib; \
@@ -564,7 +572,7 @@ do_aix-shared:
 	  OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
 	  ld -r -o lib$$i.o $(ALLSYMSFLAG) lib$$i.a && \
 	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
-	    $(SHAREDCMD) $(SHAREDFLAGS) \
+	    $${FIPSLD:-${CC}} $(SHAREDFLAGS) \
 		-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} lib$$i.o \
 		$$libs ${EX_LIBS} ) ) \
 	|| exit 1; \
@@ -580,7 +588,7 @@ do_reliantunix-shared:
 	( set -x; \
 	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
 	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
-	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
+	    $${FIPSLD:-${CC}} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
 	  ) || exit 1; \
 	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
 	) || exit 1; \
@@ -816,16 +824,7 @@ install_sw:
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					mv -f	$(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new \
-						$(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
-					sig="$$i.$${HMAC_EXT:-sha1}"; \
-					if [ -f $$sig ]; then \
-						echo installing $$sig; \
-						cp $$sig $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$sig.new; \
-						chmod 444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$sig.new; \
-						mv -f	$(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$sig.new \
-							$(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$sig; \
-					fi; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@@ -848,15 +847,6 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
-	@for i in $(SIGS) ;\
-	do \
-		if [ -f "$$i" ]; then \
-		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
-		fi; \
-	done;
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc
 

NEWS

@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+
+      o Update Windows build system for FIPS.
+
   Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
 
       o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.7i 14 Och 2005
+ OpenSSL 0.9.7j 04 May 2006
 
  Copyright (c) 1998-2005 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,12 +1,14 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/10/14 22:15:44 $
+  ______________                           $Date: 2006/05/04 12:52:57 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8b: Released on May        4th, 2006
     o  OpenSSL 0.9.8a: Released on October   11th, 2005
     o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7j: Released on May        4th, 2006
     o  OpenSSL 0.9.7i: Released on October   14th, 2005
     o  OpenSSL 0.9.7h: Released on October   11th, 2005
     o  OpenSSL 0.9.7g: Released on April     11th, 2005

TABLE

@@ -1402,7 +1402,7 @@ $arflags      =
 
 *** darwin-i386-cc
 $cc           = cc
-$cflags       = -O3 -fomit-frame-pointer -fno-common -DB_ENDIAN
+$cflags       = -O3 -fomit-frame-pointer -fno-common
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
@@ -3920,7 +3920,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= solaris-shared
 $shared_cflag = -KPIC
-$shared_ldflag = 
+$shared_ldflag = -G -dy -z text
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

apps/Makefile

@@ -103,14 +103,6 @@ install:
 	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 mv -f  $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new \
 	 	$(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-	 sig="$$i.$${HMAC_EXT:-sha1}"; \
-	 if [ -f $$sig ]; then \
-	  echo installing $$sig; \
-	  cp $$sig $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$sig.new; \
-	  chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$sig.new; \
-	  mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$sig.new \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$sig; \
-	 fi; \
 	) done;
 	@for i in $(SCRIPTS); \
 	do  \
@@ -152,20 +144,18 @@ $(DLIBCRYPTO):
 
 $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
+	@if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+	  FIPSLD_CC=$(CC); CC=$(TOP)/fips-1.0/fipsld; export CC FIPSLD_CC; \
+	fi; \
 	SHARED_LIBS="$(SHARED_LIBS)"; \
 	if [ "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
 	  SHARED_LIBS=""; \
 	fi; \
-	if [ -z "$(SHARED_LIBS)" ]; then \
+	if [ -z "$$SHARED_LIBS" ]; then \
 	  set -x; $${CC:-$(CC)} -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
 	else \
 	  set -x; LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
 	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
-	fi; \
-	if [ -z "$$SHARED_LIBS" ]; then \
-	  if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
-	    TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
-	  fi; \
 	fi
 	-(cd ..; \
 	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \

apps/openssl.c

@@ -237,14 +237,7 @@ int main(int Argc, char *Argv[])
 
 #ifdef OPENSSL_FIPS
 	if(getenv("OPENSSL_FIPS")) {
-#if defined(_WIN32)
-		char filename[MAX_PATH] = "";
-		GetModuleFileNameA( NULL, filename, MAX_PATH) ;
-		p = filename;
-#else
-		p = Argv[0];
-#endif
-		if (!FIPS_mode_set(1,p)) {
+		if (!FIPS_mode_set(1)) {
 			ERR_load_crypto_strings();
 			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 			EXIT(1);

config

@@ -54,6 +54,22 @@ SYSTEM=`(uname -s) 2>/dev/null`  || SYSTEM="unknown"
 VERSION=`(uname -v) 2>/dev/null` || VERSION="unknown"
 
 
+
+ 
+
+# Check for VC++ presence first.
+#
+#if [ "x$MSVCDIR" != "x" -o "x$VCINSTALLDIR" != "x" ]; then
+#	perl Configure VC-WIN32 $*
+#	cmd /c ms\\do_masm.bat
+#	perl util/mk1mf.pl VC-WIN32-GMAKE >mak.tmp
+#	rm Makefile
+#	mv mak.tmp Makefile
+#	echo "Configured for VC++ using GNU make"
+#	exit 0
+#fi
+#
+
 # Now test for ISC and SCO, since it is has a braindamaged uname.
 #
 # We need to work around FreeBSD 1.1.5.1 
@@ -339,6 +355,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 
     MINGW*)
 	echo "${MACHINE}-whatever-mingw"; echo 0;
+	# Save fipslib path so VC++ build can find it
+	(cd /usr/local/ssl/lib ; pwd -W ) > util/fipslib_path.txt
+	# Extract _chkstk.o so VC++ can use it, to avoid __alloca link error
+	(cd ms ; ar x `gcc -print-libgcc-file-name` _chkstk.o)
 	;;
     CYGWIN*)
 	case "$RELEASE" in
@@ -407,7 +427,7 @@ if [ "$GCCVER" != "" ]; then
   CC=gcc
   # then strip off whatever prefix egcs prepends the number with...
   # Hopefully, this will work for any future prefixes as well.
-  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
+  GCCVER=`echo $GCCVER | LC_ALL=C sed 's/^[a-zA-Z]*\-//'`
   # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
   # does give us what we want though, so we use that.  We just just the
   # major and minor version numbers.

crypto/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/Makefile
+# OpenSSL/crypto/Makefile
 #
 
 DIR=		crypto

crypto/asn1/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/asn1/Makefile
+# OpenSSL/crypto/asn1/Makefile
 #
 
 DIR=	asn1

crypto/asn1/tasn_dec.c

@@ -903,7 +903,7 @@ static int asn1_collect(BUF_MEM *buf, unsigned char **in, long len, char inf, in
 			return 0;
 #endif
 		} else {
-			if(!collect_data(buf, &p, plen)) return 0;
+			if(plen && !collect_data(buf, &p, plen)) return 0;
 		}
 		len -= p - q;
 	}

crypto/asn1/tasn_enc.c

@@ -445,9 +445,12 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, const ASN1_
 		case V_ASN1_BOOLEAN:
 		tbool = (ASN1_BOOLEAN *)pval;
 		if(*tbool == -1) return -1;
-		/* Default handling if value == size field then omit */
-		if(*tbool && (it->size > 0)) return -1;
-		if(!*tbool && !it->size) return -1;
+		if (it->utype != V_ASN1_ANY)
+			{
+			/* Default handling if value == size field then omit */
+			if(*tbool && (it->size > 0)) return -1;
+			if(!*tbool && !it->size) return -1;
+			}
 		c = (unsigned char)*tbool;
 		cont = &c;
 		len = 1;

crypto/bf/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/blowfish/Makefile
+# OpenSSL/crypto/blowfish/Makefile
 #
 
 DIR=	bf

crypto/bio/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bio/Makefile
+# OpenSSL/crypto/bio/Makefile
 #
 
 DIR=	bio

crypto/bio/bss_conn.c

@@ -469,7 +469,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_DO_STATE_MACHINE:
 		/* use this one to start the connection */
-		if (!(data->state != BIO_CONN_S_OK))
+		if (data->state != BIO_CONN_S_OK)
 			ret=(long)conn_state(b,data);
 		else
 			ret=1;

crypto/bn/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/bn/Makefile
+# OpenSSL/crypto/bn/Makefile
 #
 
 DIR=	bn

crypto/bn/asm/sparcv8plus.S

@@ -162,10 +162,14 @@
  * BN_ULONG w;
  */
 bn_mul_add_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_add_words_proceed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_add_words_proceed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -260,10 +264,14 @@ bn_mul_add_words:
  * BN_ULONG w;
  */
 bn_mul_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_mul_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_mul_words_proceeed:
 	srl	%o3,%g0,%o3	! clruw	%o3
@@ -344,10 +352,14 @@ bn_mul_words:
  * int n;
  */
 bn_sqr_words:
+	sra	%o2,%g0,%o2	! signx %o2
 	brgz,a	%o2,.L_bn_sqr_words_proceeed
 	lduw	[%o1],%g2
 	retl
 	clr	%o0
+	nop
+	nop
+	nop
 
 .L_bn_sqr_words_proceeed:
 	andcc	%o2,-4,%g0
@@ -445,6 +457,7 @@ bn_div_words:
  * int n;
  */
 bn_add_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_add_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -454,7 +467,6 @@ bn_add_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_add_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_add_words_loop:		! wow! 32 aligned!
 	dec	4,%o3
@@ -523,6 +535,7 @@ bn_add_words:
  * int n;
  */
 bn_sub_words:
+	sra	%o3,%g0,%o3	! signx %o3
 	brgz,a	%o3,.L_bn_sub_words_proceed
 	lduw	[%o1],%o4
 	retl
@@ -532,7 +545,6 @@ bn_sub_words:
 	andcc	%o3,-4,%g0
 	bz,pn	%icc,.L_bn_sub_words_tail
 	addcc	%g0,0,%g0	! clear carry flag
-	nop
 
 .L_bn_sub_words_loop:		! wow! 32 aligned!
 	dec	4,%o3

crypto/buffer/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/buffer/Makefile
+# OpenSSL/crypto/buffer/Makefile
 #
 
 DIR=	buffer

crypto/cast/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/cast/Makefile
+# OpenSSL/crypto/cast/Makefile
 #
 
 DIR=	cast

crypto/comp/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/comp/Makefile
+# OpenSSL/crypto/comp/Makefile
 #
 
 DIR=	comp

crypto/comp/c_zlib.c

@@ -51,32 +51,17 @@ static COMP_METHOD zlib_method={
  */
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 # include <windows.h>
-
-# define Z_CALLCONV _stdcall
-# ifndef ZLIB_SHARED
-#  define ZLIB_SHARED
-# endif
-#else
-# define Z_CALLCONV
 #endif /* !(OPENSSL_SYS_WINDOWS || OPENSSL_SYS_WIN32) */
 
 #ifdef ZLIB_SHARED
 #include <openssl/dso.h>
 
-/* Prototypes for built in stubs */
-static int stub_compress(Bytef *dest,uLongf *destLen,
-	const Bytef *source, uLong sourceLen);
-static int stub_inflateEnd(z_streamp strm);
-static int stub_inflate(z_streamp strm, int flush);
-static int stub_inflateInit_(z_streamp strm, const char * version,
-	int stream_size);
-
 /* Function pointers */
-typedef int (Z_CALLCONV *compress_ft)(Bytef *dest,uLongf *destLen,
+typedef int (*compress_ft)(Bytef *dest,uLongf *destLen,
 	const Bytef *source, uLong sourceLen);
-typedef int (Z_CALLCONV *inflateEnd_ft)(z_streamp strm);
-typedef int (Z_CALLCONV *inflate_ft)(z_streamp strm, int flush);
-typedef int (Z_CALLCONV *inflateInit__ft)(z_streamp strm,
+typedef int (*inflateEnd_ft)(z_streamp strm);
+typedef int (*inflate_ft)(z_streamp strm, int flush);
+typedef int (*inflateInit__ft)(z_streamp strm,
 	const char * version, int stream_size);
 static compress_ft	p_compress=NULL;
 static inflateEnd_ft	p_inflateEnd=NULL;
@@ -86,10 +71,10 @@ static inflateInit__ft	p_inflateInit_=NULL;
 static int zlib_loaded = 0;     /* only attempt to init func pts once */
 static DSO *zlib_dso = NULL;
 
-#define compress                stub_compress
-#define inflateEnd              stub_inflateEnd
-#define inflate                 stub_inflate
-#define inflateInit_            stub_inflateInit_
+#define compress                p_compress
+#define inflateEnd              p_inflateEnd
+#define inflate                 p_inflate
+#define inflateInit_            p_inflateInit_
 #endif /* ZLIB_SHARED */
 
 static int zlib_compress_block(COMP_CTX *ctx, unsigned char *out,
@@ -193,16 +178,6 @@ COMP_METHOD *COMP_zlib(void)
 		{
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 		zlib_dso = DSO_load(NULL, "ZLIB1", NULL, 0);
-		if (!zlib_dso)
-			{
-			zlib_dso = DSO_load(NULL, "ZLIB", NULL, 0);
-			if (zlib_dso)
-				{
-				/* Clear the errors from the first failed
-				   DSO_load() */
-				ERR_clear_error();
-				}
-			}
 #else
 		zlib_dso = DSO_load(NULL, "z", NULL, 0);
 #endif
@@ -220,54 +195,21 @@ COMP_METHOD *COMP_zlib(void)
 			p_inflateInit_
 				= (inflateInit__ft) DSO_bind_func(zlib_dso,
 					"inflateInit_");
-			zlib_loaded++;
+
+			if (p_compress && p_inflateEnd && p_inflate
+				&& p_inflateInit_)
+				zlib_loaded++;
 			}
 		}
 
 #endif
+#ifdef ZLIB_SHARED
+	if (zlib_loaded)
+#endif
 #if defined(ZLIB) || defined(ZLIB_SHARED)
-	meth = &zlib_method;
+		meth = &zlib_method;
 #endif
 
 	return(meth);
 	}
 
-#ifdef ZLIB_SHARED
-/* Stubs for each function to be dynamicly loaded */
-static int 
-stub_compress(Bytef *dest,uLongf *destLen,const Bytef *source, uLong sourceLen)
-	{
-	if (p_compress)
-		return(p_compress(dest,destLen,source,sourceLen));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateEnd(z_streamp strm)
-	{
-	if ( p_inflateEnd )
-		return(p_inflateEnd(strm));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflate(z_streamp strm, int flush)
-	{
-	if ( p_inflate )
-		return(p_inflate(strm,flush));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-static int
-stub_inflateInit_(z_streamp strm, const char * version, int stream_size)
-	{
-	if ( p_inflateInit_ )
-		return(p_inflateInit_(strm,version,stream_size));
-	else
-		return(Z_MEM_ERROR);
-	}
-
-#endif /* ZLIB_SHARED */

crypto/conf/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/conf/Makefile
+# OpenSSL/crypto/conf/Makefile
 #
 
 DIR=	conf

crypto/cryptlib.c

@@ -734,5 +734,11 @@ int fips_clear_owning_thread(void)
 		}
 	return ret;
 	}
+
+unsigned char *fips_signature_witness(void)
+	{
+	extern unsigned char FIPS_signature[];
+	return FIPS_signature;
+	}
 #endif /* OPENSSL_FIPS */
 

crypto/crypto-lib.com

@@ -265,10 +265,15 @@ $ LIB_KRB5 = "krb5_asn"
 $!
 $! Setup exceptional compilations
 $!
+$ ! Add definitions for no threads on OpenVMS 7.1 and higher
 $ COMPILEWITH_CC3 = ",bss_rtcp,"
+$ ! Disable the DOLLARID warning
 $ COMPILEWITH_CC4 = ",a_utctm,bss_log,o_time,"
+$ ! Disable disjoint optimization
 $ COMPILEWITH_CC5 = ",md2_dgst,md4_dgst,md5_dgst,mdc2dgst," + -
                     "sha_dgst,sha1dgst,rmd_dgst,bf_enc,"
+$ ! Disable the MIXLINKAGE warning
+$ COMPILEWITH_CC6 = ",enc_read,set_key,"
 $!
 $! Figure Out What Other Modules We Are To Build.
 $!
@@ -497,7 +502,12 @@ $       IF COMPILEWITH_CC5 - FILE_NAME0 .NES. COMPILEWITH_CC5
 $       THEN
 $         CC5/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
 $       ELSE
-$         CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         IF COMPILEWITH_CC6 - FILE_NAME0 .NES. COMPILEWITH_CC6
+$         THEN
+$           CC6/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ELSE
+$           CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$         ENDIF
 $       ENDIF
 $     ENDIF
 $   ENDIF
@@ -1077,14 +1087,18 @@ $   THEN
 $     IF CCDISABLEWARNINGS .EQS. ""
 $     THEN
 $       CC4DISABLEWARNINGS = "DOLLARID"
+$       CC6DISABLEWARNINGS = "MIXLINKAGE"
 $     ELSE
 $       CC4DISABLEWARNINGS = CCDISABLEWARNINGS + ",DOLLARID"
+$       CC6DISABLEWARNINGS = CCDISABLEWARNINGS + ",MIXLINKAGE"
 $       CCDISABLEWARNINGS = "/WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
 $     ENDIF
 $     CC4DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC4DISABLEWARNINGS + "))"
+$     CC6DISABLEWARNINGS = "/WARNING=(DISABLE=(" + CC6DISABLEWARNINGS + "))"
 $   ELSE
 $     CCDISABLEWARNINGS = ""
 $     CC4DISABLEWARNINGS = ""
+$     CC6DISABLEWARNINGS = ""
 $   ENDIF
 $   CC3 = CC + "/DEFINE=(" + CCDEFS + ISSEVEN + ")" + CCDISABLEWARNINGS
 $   CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
@@ -1095,6 +1109,7 @@ $   ELSE
 $     CC5 = CC + "/NOOPTIMIZE"
 $   ENDIF
 $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
+$   CC6 = CC - CCDISABLEWARNINGS + CC6DISABLEWARNINGS
 $!
 $!  Show user the result
 $!

crypto/des/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/des/Makefile
+# OpenSSL/crypto/des/Makefile
 #
 
 DIR=	des

crypto/dh/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dh/Makefile
+# OpenSSL/crypto/dh/Makefile
 #
 
 DIR=	dh

crypto/dh/dh_key.c

@@ -213,8 +213,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
 
 	ret=BN_bn2bin(tmp,key);
 err:
-	BN_CTX_end(ctx);
-	BN_CTX_free(ctx);
+	if (ctx != NULL)
+		{
+		BN_CTX_end(ctx);
+		BN_CTX_free(ctx);
+		}
 	return(ret);
 	}
 

crypto/dsa/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dsa/Makefile
+# OpenSSL/crypto/dsa/Makefile
 #
 
 DIR=	dsa

crypto/dsa/dsa.h

@@ -88,6 +88,13 @@
                                               * be used for all exponents.
                                               */
 
+/* If this flag is set external DSA_METHOD callbacks are allowed in FIPS mode
+ * it is then the applications responsibility to ensure the external method
+ * is compliant.
+ */
+
+#define DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW	0x04
+
 #if defined(OPENSSL_FIPS)
 #define FIPS_DSA_SIZE_T	int
 #endif

crypto/dsa/dsa_sign.c

@@ -72,7 +72,8 @@
 DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+		&& !FIPS_dsa_check(dsa))
 		return NULL;
 #endif
 	return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
@@ -96,7 +97,8 @@ int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+		&& !FIPS_dsa_check(dsa))
 		return 0;
 #endif
 	return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);

crypto/dsa/dsa_vrf.c

@@ -74,7 +74,8 @@ int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		  DSA *dsa)
 	{
 #ifdef OPENSSL_FIPS
-	if(FIPS_mode() && !FIPS_dsa_check(dsa))
+	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_FIPS_EXTERNAL_METHOD_ALLOW)
+		&& !FIPS_dsa_check(dsa))
 		return -1;
 #endif
 	return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);

crypto/dso/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/dso/Makefile
+# OpenSSL/crypto/dso/Makefile
 #
 
 DIR=	dso

crypto/err/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/err/Makefile
+# OpenSSL/crypto/err/Makefile
 #
 
 DIR=	err

crypto/err/openssl.ec

@@ -27,7 +27,7 @@ L DSO		crypto/dso/dso.h		crypto/dso/dso_err.c
 L ENGINE	crypto/engine/engine.h		crypto/engine/eng_err.c
 L OCSP		crypto/ocsp/ocsp.h		crypto/ocsp/ocsp_err.c
 L UI		crypto/ui/ui.h			crypto/ui/ui_err.c
-L FIPS		fips/fips.h			fips/fips_err.h
+L FIPS		fips-1.0/fips.h			fips-1.0/fips_err.h
 
 # additional header files to be scanned for function names
 L NONE		crypto/x509/x509_vfy.h		NONE

crypto/evp/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/evp/Makefile
+# OpenSSL/crypto/evp/Makefile
 #
 
 DIR=	evp

crypto/evp/evp_key.c

@@ -126,7 +126,8 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
 	EVP_MD_CTX_init(&c);
 	for (;;)
 		{
-		EVP_DigestInit_ex(&c,md, NULL);
+		if (!EVP_DigestInit_ex(&c,md, NULL))
+			return 0;
 		if (addmd++)
 			EVP_DigestUpdate(&c,&(md_buf[0]),mds);
 		EVP_DigestUpdate(&c,data,datal);

crypto/evp/p5_crpt2.c

@@ -194,11 +194,16 @@ int PKCS5_v2_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 
 	/* Now decode key derivation function */
 
+	if(!pbe2->keyfunc->parameter ||
+		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE))
+		{
+		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+		goto err;
+		}
+
 	pbuf = pbe2->keyfunc->parameter->value.sequence->data;
 	plen = pbe2->keyfunc->parameter->value.sequence->length;
-	if(!pbe2->keyfunc->parameter ||
-		 (pbe2->keyfunc->parameter->type != V_ASN1_SEQUENCE) ||
-				!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
+	if(!(kdf = d2i_PBKDF2PARAM(NULL, &pbuf, plen)) ) {
 		EVPerr(EVP_F_PKCS5_V2_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
 		goto err;
 	}

crypto/hmac/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	hmac

crypto/idea/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/idea/Makefile
+# OpenSSL/crypto/idea/Makefile
 #
 
 DIR=	idea

crypto/lhash/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/lhash/Makefile
+# OpenSSL/crypto/lhash/Makefile
 #
 
 DIR=	lhash

crypto/md2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md/Makefile
+# OpenSSL/crypto/md/Makefile
 #
 
 DIR=	md2

crypto/md4/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md4/Makefile
+# OpenSSL/crypto/md4/Makefile
 #
 
 DIR=    md4

crypto/md5/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/md5/Makefile
+# OpenSSL/crypto/md5/Makefile
 #
 
 DIR=    md5

crypto/mdc2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/mdc2/Makefile
+# OpenSSL/crypto/mdc2/Makefile
 #
 
 DIR=	mdc2

crypto/objects/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/objects/Makefile
+# OpenSSL/crypto/objects/Makefile
 #
 
 DIR=	objects

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x0090709fL
+#define OPENSSL_VERSION_NUMBER	0x009070afL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7i-fips 14 Oct 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7j-fips 04 May 2006"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7i 14 Oct 2005"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.7j 04 May 2006"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/pem/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pem/Makefile
+# OpenSSL/crypto/pem/Makefile
 #
 
 DIR=	pem

crypto/perlasm/x86asm.pl

@@ -90,7 +90,7 @@ $tmp
 #ifdef OUT
 #define OK	1
 #define ALIGN	4
-#if defined(__CYGWIN__) || defined(__DJGPP__)
+#if defined(__CYGWIN__) || defined(__DJGPP__) || defined(__MINGW32__)
 #undef SIZE
 #undef TYPE
 #define SIZE(a,b)

crypto/pkcs12/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs12/Makefile
+# OpenSSL/crypto/pkcs12/Makefile
 #
 
 DIR=	pkcs12

crypto/pkcs12/p12_crt.c

@@ -76,7 +76,15 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 	unsigned int keyidlen;
 
 	/* Set defaults */
-	if(!nid_cert) nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+	if(!nid_cert)
+		{
+#ifdef OPENSSL_FIPS
+		if (FIPS_mode())
+			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+		else
+#endif
+			nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+		}
 	if(!nid_key) nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 	if(!iter) iter = PKCS12_DEFAULT_ITER;
 	if(!mac_iter) mac_iter = 1;

crypto/pkcs7/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/pkcs7/Makefile
+# OpenSSL/crypto/pkcs7/Makefile
 #
 
 DIR=	pkcs7

crypto/rand/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rand/Makefile
+# OpenSSL/crypto/rand/Makefile
 #
 
 DIR=	rand

crypto/rc2/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc2/Makefile
+# OpenSSL/crypto/rc2/Makefile
 #
 
 DIR=	rc2

crypto/rc2/rc2speed.c

@@ -102,10 +102,10 @@ OPENSSL_DECLARE_EXIT
 #ifndef HZ
 #ifndef CLK_TCK
 #define HZ	100.0
-#endif
-#else /* CLK_TCK */
+#else	/* CLK_TCK */
 #define HZ ((double)CLK_TCK)
-#endif
+#endif	/* CLK_TCK */
+#endif	/* HZ */
 
 #define BUFSIZE	((long)1024)
 long run=0;

crypto/rc4/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc4/Makefile
+# OpenSSL/crypto/rc4/Makefile
 #
 
 DIR=	rc4

crypto/rc5/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rc5/Makefile
+# OpenSSL/crypto/rc5/Makefile
 #
 
 DIR=	rc5

crypto/ripemd/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/ripemd/Makefile
+# OpenSSL/crypto/ripemd/Makefile
 #
 
 DIR=    ripemd

crypto/rsa/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/rsa/Makefile
+# OpenSSL/crypto/rsa/Makefile
 #
 
 DIR=	rsa

crypto/rsa/rsa.h

@@ -389,17 +389,17 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING			 113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q			 127
 #define RSA_R_OAEP_DECODING_ERROR			 121
-#define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_PADDING_CHECK_FAILED			 114
 #define RSA_R_P_NOT_PRIME				 128
 #define RSA_R_Q_NOT_PRIME				 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED		 130
+#define RSA_R_SLEN_CHECK_FAILED				 136
+#define RSA_R_SLEN_RECOVERY_FAILED			 135
 #define RSA_R_SSLV3_ROLLBACK_ATTACK			 115
 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116
 #define RSA_R_UNKNOWN_ALGORITHM_TYPE			 117
 #define RSA_R_UNKNOWN_PADDING_TYPE			 118
 #define RSA_R_WRONG_SIGNATURE_LENGTH			 119
-#define RSA_R_SLEN_CHECK_FAILED				 136
 
 #ifdef  __cplusplus
 }

crypto/rsa/rsa_gen.c

@@ -184,7 +184,8 @@ err:
 		RSAerr(RSA_F_RSA_GENERATE_KEY,ERR_LIB_BN);
 		ok=0;
 		}
-	BN_CTX_end(ctx);
+	if (ctx != NULL)
+		BN_CTX_end(ctx);
 	BN_CTX_free(ctx);
 	BN_CTX_free(ctx2);
 	

crypto/sha/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/sha/Makefile
+# OpenSSL/crypto/sha/Makefile
 #
 
 DIR=    sha

crypto/stack/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/stack/Makefile
+# OpenSSL/crypto/stack/Makefile
 #
 
 DIR=	stack

crypto/txt_db/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/txt_db/Makefile
+# OpenSSL/crypto/txt_db/Makefile
 #
 
 DIR=	txt_db

crypto/x509/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509/Makefile
+# OpenSSL/crypto/x509/Makefile
 #
 
 DIR=	x509

crypto/x509v3/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/crypto/x509v3/Makefile
+# OpenSSL/crypto/x509v3/Makefile
 #
 
 DIR=	x509v3

doc/crypto/PKCS7_verify.pod

@@ -8,7 +8,7 @@ PKCS7_verify - verify a PKCS#7 signedData structure
 
 int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata, BIO *out, int flags);
 
-int PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
 

doc/crypto/hmac.pod

@@ -18,7 +18,7 @@ authentication code
  void HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len,
                const EVP_MD *md);
  void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
-               	   const EVP_MD *md);
+               	   const EVP_MD *md, ENGINE *impl);
  void HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
  void HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 

fips-1.0/Makefile

@@ -1,8 +1,8 @@
 #
-# SSLeay/fips/Makefile
+# OpenSSL/fips-1.0/Makefile
 #
 
-DIR=		fips
+DIR=		fips-1.0
 TOP=		..
 CC=		cc
 INCLUDE=	-I. -I$(TOP) -I../include
@@ -32,15 +32,17 @@ GENERAL=Makefile README fips-lib.com install.com
 
 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=fips.c fips_err_wrapper.c
-LIBOBJ=fips.o fips_err_wrapper.o
+LIBSRC=fips.c fips_err_wrapper.c fipshashes.c
+LIBOBJ=fips.o fips_err_wrapper.o fipshashes.o
+
+FIPS_OBJ_LISTS=sha/lib hmac/lib rand/lib des/lib aes/lib dsa/lib rsa/lib dh/lib
 
 SRC= $(LIBSRC)
 
 EXHEADER=fips.h
 HEADER=$(EXHEADER) fips_err.h
-EXE=openssl_fips_fingerprint
-TEST= fips_test_suite.c
+EXE=fipsld
+TEST=fips_test_suite.c
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 
@@ -53,7 +55,51 @@ all:
 	fi
 
 check:
-	$(PERL) ../util/checkhash.pl
+#	$(PERL) ../util/checkhash.pl || (rm fipscanister.o* 2>/dev/null; exit 1)
+	echo FIPS module not built: no check done
+
+# Idea behind fipscanister.o is to "seize" the sequestered code between
+# known symbols for fingerprinting purposes, which would be commonly
+# done with ld -r start.o ... end.o. The latter however presents a minor
+# challenge on multi-ABI platforms. As just implied, we'd rather use ld,
+# but the trouble is that we don't generally know how ABI-selection
+# compiler flag is translated to corresponding linker flag. All compiler
+# drivers seem to recognize -r flag and pass it down to linker, but some
+# of them, including gcc, erroneously add -lc, as well as run-time
+# components, such as crt1.o and alike. Fortunately among those vendor
+# compilers which were observed to misinterpret -r flag multi-ABI ones
+# are equipped with smart linkers, which don't require any ABI-selection
+# flag and simply assume that all objects are of the same type as first
+# one in command line. So the idea is to identify gcc and deficient
+# vendor compiler drivers...
+
+fipscanister.o: fips_start.o $(LIBOBJ) $(FIPS_OBJ_LISTS) fips_end.o
+	@objs="fips_start.o $(LIBOBJ)"; \
+	for i in $(FIPS_OBJ_LISTS); do \
+		dir=`dirname $$i`; script="s|^|$$dir/|;s| | $$dir/|g"; \
+		objs="$$objs `sed "$$script" $$i`"; \
+	done; \
+	objs="$$objs fips_end.o" ; \
+	if [ -n "${FIPS_SITE_LD}" ]; then \
+		set -x; ${FIPS_SITE_LD} -r -o $@ $$objs; \
+	elif $(CC) -dumpversion >/dev/null 2>&1; then \
+		set -x; $(CC) $(CFLAGS) -r -nostdlib -o $@ $$objs ; \
+	else case "`(uname -s) 2>/dev/null`" in \
+		HP-UX|OSF1|SunOS) set -x; /usr/ccs/bin/ld -r -o $@ $$objs ;; \
+		*) set -x; $(CC) $(CFLAGS) -r -o $@ $$objs ;; \
+	esac fi
+	sha/fips_standalone_sha1 fipscanister.o > fipscanister.o.sha1
+
+# If another exception is immediately required, assign approprite
+# site-specific ld command to FIPS_SITE_LD environment variable.
+
+fips_start.o: fips_canister.c
+	$(CC) $(CFLAGS) -DFIPS_START -c -o $@ fips_canister.c
+fips_end.o: fips_canister.c
+	$(CC) $(CFLAGS) -DFIPS_END -c -o $@ fips_canister.c
+fips_premain_dso$(EXE_EXT): fips_premain.c
+	$(CC) $(CFLAGS) -DFINGERPRINT_PREMAIN_DSO_LOAD -o $@ fips_premain.c \
+		../libcrypto.a $(EX_LIBS)
 
 subdirs:
 	@for i in $(FDIRS) ;\
@@ -85,14 +131,14 @@ links:
 	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
 	done;
 
-lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
+lib:	$(FIPSLIBDIR)/fipscanister.o
+	$(AR) $(LIB) $(FIPSLIBDIR)/fipscanister.o
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib
 
-shared:
+shared:	fips_premain_dso$(EXE_EXT)
 	if [ -n "$(SHARED_LIBS)" ]; then \
-		(cd ..; $(MAKE) $(SHARED_LIB)); \
+		(cd ..; $(MAKE) FIPSLD_CC=$(CC) FIPSLD=fips-1.0/fipsld $(SHARED_LIB)); \
 	fi
 
 libs:
@@ -130,6 +176,11 @@ install:
 		chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 		mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 	done
+	@cp -p -f fipscanister.o fipscanister.o.sha1 fips_premain.c \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/; \
+	strings fipscanister.o | grep "HMAC-SHA1(fips_premain\\.c)" > \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips_premain.c.sha1; \
+	chmod 0444 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/fips*
 
 lint:
 	@for i in $(FDIRS) ;\
@@ -149,7 +200,7 @@ depend:
 	done;
 
 clean:
-	rm -f buildinf.h *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
+	rm -f buildinf.h *.o *.obj fips_premain_dso$(EXE_EXT) lib tags core .pure .nfs* *.old *.bak fluff
 	@for i in $(FDIRS) ;\
 	do \
 	(cd $$i && echo "making clean in fips/$$i..." && \

fips-1.0/aes/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/fips/aes/Makefile
+# OpenSSL/fips-1.0/aes/Makefile
 #
 
 DIR=	aes
@@ -41,9 +41,7 @@ top:
 all:	lib
 
 lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB) || echo Never mind.
-	@sleep 2; touch lib
+	@echo $(LIBOBJ) > lib
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

fips-1.0/aes/fips_aesavs.c

@@ -939,7 +939,7 @@ int main(int argc, char **argv)
     int f_opt = 0, d_opt = 1;
 
 #ifdef OPENSSL_FIPS
-    if(!FIPS_mode_set(1,argv[0]))
+    if(!FIPS_mode_set(1))
 	{
 	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
 	EXIT(1);

fips-1.0/des/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/fips/des/Makefile
+# OpenSSL/fips-1.0/des/Makefile
 #
 
 DIR=	des
@@ -40,9 +40,7 @@ top:
 all:	lib
 
 lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB) || echo Never mind.
-	@sleep 2; touch lib
+	@echo $(LIBOBJ) > lib
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

fips-1.0/des/fips_desmovs.c

@@ -766,7 +766,7 @@ int main(int argc, char **argv)
     int f_opt = 0, d_opt = 1;
 
 #ifdef OPENSSL_FIPS
-    if(!FIPS_mode_set(1,argv[0]))
+    if(!FIPS_mode_set(1))
 	{
 	ERR_load_crypto_strings();
 	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));

fips-1.0/dh/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/fips/dh/Makefile
+# OpenSSL/fips-1.0/dh/Makefile
 #
 
 DIR=	dh
@@ -38,9 +38,7 @@ top:
 all:	lib
 
 lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB) || echo Never mind.
-	@sleep 2; touch lib
+	@echo $(LIBOBJ) > lib
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

fips-1.0/dsa/Makefile

@@ -1,5 +1,5 @@
 #
-# SSLeay/fips/dsa/Makefile
+# OpenSSL/fips-1.0/dsa/Makefile
 #
 
 DIR=	dsa
@@ -38,9 +38,7 @@ top:
 all:	lib
 
 lib:	$(LIBOBJ)
-	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB) || echo Never mind.
-	@sleep 2; touch lib
+	@echo $(LIBOBJ) > lib
 
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

fips-1.0/dsa/fips_dsatest.c

@@ -147,7 +147,7 @@ int main(int argc, char **argv)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
 #ifdef OPENSSL_FIPS
-	if(!FIPS_mode_set(1,argv[0]))
+	if(!FIPS_mode_set(1))
 	    {
 	    ERR_print_errors(bio_err);
 	    EXIT(1);