resolve conflicts

237 files changed, 3588 insertions, 3007 deletions

diff --git a/src/lib/libcrypto/aes/aes.h b/src/lib/libcrypto/aes/aes.h
index baf0222d49..450f2b4051 100644
--- a/src/lib/libcrypto/aes/aes.h
+++ b/src/lib/libcrypto/aes/aes.h
@@ -66,6 +66,10 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16
 
+#ifdef OPENSSL_FIPS
+#define FIPS_AES_SIZE_T int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/aes/aes_cbc.c b/src/lib/libcrypto/aes/aes_cbc.c
index d2ba6bcdb4..373864cd4b 100644
--- a/src/lib/libcrypto/aes/aes_cbc.c
+++ b/src/lib/libcrypto/aes/aes_cbc.c
@@ -59,6 +59,7 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
+#if !defined(OPENSSL_FIPS_AES_ASM)
 void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                      const unsigned long length, const AES_KEY *key,
                      unsigned char *ivec, const int enc) {
@@ -129,3 +130,4 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
                 }
         }
 }
+#endif
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index 3a80e18b0a..cffdd4daec 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -37,6 +37,10 @@
 
 #include <stdlib.h>
 #include <openssl/aes.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "aes_locl.h"
 
 /*
@@ -631,6 +635,10 @@ int AES_set_encrypt_key(const unsigned char *userKey, const int bits,
         int i = 0;
         u32 temp;
 
+#ifdef OPENSSL_FIPS
+        FIPS_selftest_check();
+#endif
+
         if (!userKey || !key)
                 return -1;
         if (bits != 128 && bits != 192 && bits != 256)
diff --git a/src/lib/libcrypto/aes/asm/aes-586.pl b/src/lib/libcrypto/aes/asm/aes-586.pl
index 3da307bef9..e771e83953 100644
--- a/src/lib/libcrypto/aes/asm/aes-586.pl
+++ b/src/lib/libcrypto/aes/asm/aes-586.pl
@@ -955,8 +955,9 @@ my $mark=&DWP(60+240,"esp");	#copy of aes_key->rounds
 
     &align      (4);
     &set_label("enc_tail");
-        &push   ($key eq "edi" ? $key : "");    # push ivp
+        &mov    ($s0,$key eq "edi" ? $key : "");
         &mov    ($key,$_out);                   # load out
+        &push   ($s0);                          # push ivp
         &mov    ($s1,16);
         &sub    ($s1,$s2);
         &cmp    ($key,$acc);                    # compare with inp
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index 2d4800a22a..1bcd046893 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -1,5 +1,5 @@
 /* a_mbstr.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/a_sign.c b/src/lib/libcrypto/asn1/a_sign.c
index 1081950518..4dee45fbb8 100644
--- a/src/lib/libcrypto/asn1/a_sign.c
+++ b/src/lib/libcrypto/asn1/a_sign.c
@@ -267,7 +267,12 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
                 goto err;
                 }
 
-        EVP_SignInit_ex(&ctx,type, NULL);
+        if (!EVP_SignInit_ex(&ctx,type, NULL))
+                {
+                outl=0;
+                ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_EVP_LIB);
+                goto err;
+                }
         EVP_SignUpdate(&ctx,(unsigned char *)buf_in,inl);
         if (!EVP_SignFinal(&ctx,(unsigned char *)buf_out,
                         (unsigned int *)&outl,pkey))
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index c2dbb6f9a5..7fc14d3296 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -1,5 +1,5 @@
 /* a_strex.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 613bbc4a7d..fe515b52ba 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -1,5 +1,5 @@
 /* a_strnid.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index fdce6e4380..da3efaaf8d 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -100,7 +100,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
         p=buf_in;
 
         i2d(data,&p);
-        EVP_VerifyInit_ex(&ctx,type, NULL);
+        if (!EVP_VerifyInit_ex(&ctx,type, NULL))
+                {
+                ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+                ret=0;
+                goto err;
+                }
         EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
 
         OPENSSL_cleanse(buf_in,(unsigned int)inl);
diff --git a/src/lib/libcrypto/asn1/asn1t.h b/src/lib/libcrypto/asn1/asn1t.h
index bf315e65ed..ac14f9415b 100644
--- a/src/lib/libcrypto/asn1/asn1t.h
+++ b/src/lib/libcrypto/asn1/asn1t.h
@@ -1,5 +1,5 @@
 /* asn1t.h */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index 9132350f10..1ea6a59248 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -1,5 +1,5 @@
 /* asn_moid.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/asn_pack.c b/src/lib/libcrypto/asn1/asn_pack.c
index e8b671b7b5..f1a5a05632 100644
--- a/src/lib/libcrypto/asn1/asn_pack.c
+++ b/src/lib/libcrypto/asn1/asn_pack.c
@@ -1,5 +1,5 @@
 /* asn_pack.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/nsseq.c b/src/lib/libcrypto/asn1/nsseq.c
index 50e2d4d07a..e551c57d59 100644
--- a/src/lib/libcrypto/asn1/nsseq.c
+++ b/src/lib/libcrypto/asn1/nsseq.c
@@ -1,5 +1,5 @@
 /* nsseq.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index da91170094..c4582f8041 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,5 +1,5 @@
 /* p5_pbe.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index c834a38ddf..2b0516afee 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,5 +1,5 @@
 /* p5_pbev2.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index 24b409132f..0a1957556e 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -1,5 +1,5 @@
 /* p8_pkey.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/t_bitst.c b/src/lib/libcrypto/asn1/t_bitst.c
index 397332d9b8..2e59a25fa1 100644
--- a/src/lib/libcrypto/asn1/t_bitst.c
+++ b/src/lib/libcrypto/asn1/t_bitst.c
@@ -1,5 +1,5 @@
 /* t_bitst.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 929b3e5904..bdb244c015 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -1,5 +1,5 @@
 /* t_crl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/t_spki.c b/src/lib/libcrypto/asn1/t_spki.c
index c2a5797dd8..a73369b949 100644
--- a/src/lib/libcrypto/asn1/t_spki.c
+++ b/src/lib/libcrypto/asn1/t_spki.c
@@ -1,5 +1,5 @@
 /* t_spki.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index cb76c32c8d..8f746f9c05 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -393,7 +393,7 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
         d= (v[6]-'0')*10+(v[7]-'0');
         h= (v[8]-'0')*10+(v[9]-'0');
         m=  (v[10]-'0')*10+(v[11]-'0');
-        if (i >= 14 &&
+        if (tm->length >= 14 &&
             (v[12] >= '0') && (v[12] <= '9') &&
             (v[13] >= '0') && (v[13] <= '9'))
                 s=  (v[12]-'0')*10+(v[13]-'0');
@@ -429,7 +429,7 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
         d= (v[4]-'0')*10+(v[5]-'0');
         h= (v[6]-'0')*10+(v[7]-'0');
         m=  (v[8]-'0')*10+(v[9]-'0');
-        if (i >=12 &&
+        if (tm->length >=12 &&
             (v[10] >= '0') && (v[10] <= '9') &&
             (v[11] >= '0') && (v[11] <= '9'))
                 s=  (v[10]-'0')*10+(v[11]-'0');
diff --git a/src/lib/libcrypto/asn1/t_x509a.c b/src/lib/libcrypto/asn1/t_x509a.c
index ffbbfb51f4..8b18801a17 100644
--- a/src/lib/libcrypto/asn1/t_x509a.c
+++ b/src/lib/libcrypto/asn1/t_x509a.c
@@ -1,5 +1,5 @@
 /* t_x509a.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 0ee406231e..ced641698e 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,5 +1,5 @@
 /* tasn_dec.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index be19b36acd..2721f904a6 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,5 +1,5 @@
 /* tasn_enc.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index bb7c1e2af4..d7c017fa1d 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -1,5 +1,5 @@
 /* tasn_fre.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index 531dad365c..5c6a2ebd4d 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -1,5 +1,5 @@
 /* tasn_new.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 719639b511..b9c96a6dbe 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -1,5 +1,5 @@
 /* tasn_prn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_typ.c b/src/lib/libcrypto/asn1/tasn_typ.c
index 6f17f1bec7..6252213d15 100644
--- a/src/lib/libcrypto/asn1/tasn_typ.c
+++ b/src/lib/libcrypto/asn1/tasn_typ.c
@@ -1,5 +1,5 @@
 /* tasn_typ.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
index 34d520b180..ca9ec7a32f 100644
--- a/src/lib/libcrypto/asn1/tasn_utl.c
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -1,5 +1,5 @@
 /* tasn_utl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/x_algor.c b/src/lib/libcrypto/asn1/x_algor.c
index 33533aba86..99e53429b7 100644
--- a/src/lib/libcrypto/asn1/x_algor.c
+++ b/src/lib/libcrypto/asn1/x_algor.c
@@ -1,5 +1,5 @@
 /* x_algor.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/x_bignum.c b/src/lib/libcrypto/asn1/x_bignum.c
index 869c05d931..9cf3204a1b 100644
--- a/src/lib/libcrypto/asn1/x_bignum.c
+++ b/src/lib/libcrypto/asn1/x_bignum.c
@@ -1,5 +1,5 @@
 /* x_bignum.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/x_exten.c b/src/lib/libcrypto/asn1/x_exten.c
index 1732e66712..3a21239926 100644
--- a/src/lib/libcrypto/asn1/x_exten.c
+++ b/src/lib/libcrypto/asn1/x_exten.c
@@ -1,5 +1,5 @@
 /* x_exten.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index 0db233cb95..bf35457c1f 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -1,5 +1,5 @@
 /* x_long.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/asn1/x_x509a.c b/src/lib/libcrypto/asn1/x_x509a.c
index 13db5fd03f..b603f82de7 100644
--- a/src/lib/libcrypto/asn1/x_x509a.c
+++ b/src/lib/libcrypto/asn1/x_x509a.c
@@ -1,5 +1,5 @@
 /* a_x509a.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/bf/bf_skey.c b/src/lib/libcrypto/bf/bf_skey.c
index 3673cdee6e..6ac2aeb279 100644
--- a/src/lib/libcrypto/bf/bf_skey.c
+++ b/src/lib/libcrypto/bf/bf_skey.c
@@ -59,10 +59,15 @@
 #include <stdio.h>
 #include <string.h>
 #include <openssl/blowfish.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "bf_locl.h"
 #include "bf_pi.h"
 
-void BF_set_key(BF_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(BF)
         {
         int i;
         BF_LONG *p,ri,in[2];
diff --git a/src/lib/libcrypto/bf/blowfish.h b/src/lib/libcrypto/bf/blowfish.h
index cd49e85ab2..d24ffccb65 100644
--- a/src/lib/libcrypto/bf/blowfish.h
+++ b/src/lib/libcrypto/bf/blowfish.h
@@ -104,7 +104,9 @@ typedef struct bf_key_st
         BF_LONG S[4*256];
         } BF_KEY;
 
- 
+#ifdef OPENSSL_FIPS 
+void private_BF_set_key(BF_KEY *key, int len, const unsigned char *data);
+#endif
 void BF_set_key(BF_KEY *key, int len, const unsigned char *data);
 
 void BF_encrypt(BF_LONG *data,const BF_KEY *key);
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 0f9f0955b4..76bd48e767 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -919,6 +919,6 @@ int BIO_nwrite(BIO *bio, char **buf, int num)
 
         ret = BIO_ctrl(bio, BIO_C_NWRITE, num, buf);
         if (ret > 0)
-                bio->num_read += ret;
+                bio->num_write += ret;
         return ret;
         }
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 0c8c8115fa..e692a08e58 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -279,7 +279,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 #endif
                 {
 #if defined(OPENSSL_SYS_WINDOWS)
-                int fd = fileno((FILE*)ptr);
+                int fd = _fileno((FILE*)ptr);
                 if (num & BIO_FP_TEXT)
                         _setmode(fd,_O_TEXT);
                 else
diff --git a/src/lib/libcrypto/bn/Makefile b/src/lib/libcrypto/bn/Makefile
index 0491e3db4c..f5e8f65a46 100644
--- a/src/lib/libcrypto/bn/Makefile
+++ b/src/lib/libcrypto/bn/Makefile
@@ -28,13 +28,13 @@ LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
         bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
         bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
         bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-        bn_depr.c bn_const.c
+        bn_depr.c bn_x931p.c bn_const.c bn_opt.c
 
 LIBOBJ= bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
         bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
         bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
         bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
-        bn_depr.o bn_const.o
+        bn_depr.o bn_x931p.o bn_const.o bn_opt.o
 
 SRC= $(LIBSRC)
 
@@ -58,7 +58,7 @@ bnbug: bnbug.c ../../libcrypto.a top
         cc -g -I../../include bnbug.c -o bnbug ../../libcrypto.a
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -292,6 +292,13 @@ bn_nist.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bn_nist.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_nist.c
+bn_opt.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_opt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+bn_opt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+bn_opt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+bn_opt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bn_opt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_opt.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_opt.c
 bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -350,3 +357,6 @@ bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_word.c
+bn_x931p.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_x931p.o: ../../include/openssl/opensslconf.h
+bn_x931p.o: ../../include/openssl/ossl_typ.h bn_x931p.c
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 6d754d5547..f1719a5877 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -408,8 +408,8 @@ BIGNUM *BN_CTX_get(BN_CTX *ctx);
 void    BN_CTX_end(BN_CTX *ctx);
 int     BN_rand(BIGNUM *rnd, int bits, int top,int bottom);
 int     BN_pseudo_rand(BIGNUM *rnd, int bits, int top,int bottom);
-int     BN_rand_range(BIGNUM *rnd, BIGNUM *range);
-int     BN_pseudo_rand_range(BIGNUM *rnd, BIGNUM *range);
+int     BN_rand_range(BIGNUM *rnd, const BIGNUM *range);
+int     BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range);
 int     BN_num_bits(const BIGNUM *a);
 int     BN_num_bits_word(BN_ULONG);
 BIGNUM *BN_new(void);
@@ -531,6 +531,17 @@ int	BN_is_prime_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx, BN_GENCB *cb);
 int     BN_is_prime_fasttest_ex(const BIGNUM *p,int nchecks, BN_CTX *ctx,
                 int do_trial_division, BN_GENCB *cb);
 
+int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx);
+
+int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2,
+                        const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb);
+int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2,
+                        BIGNUM *Xp1, BIGNUM *Xp2,
+                        const BIGNUM *Xp,
+                        const BIGNUM *e, BN_CTX *ctx,
+                        BN_GENCB *cb);
+
 BN_MONT_CTX *BN_MONT_CTX_new(void );
 void BN_MONT_CTX_init(BN_MONT_CTX *ctx);
 int BN_mod_mul_montgomery(BIGNUM *r,const BIGNUM *a,const BIGNUM *b,
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 2649b8c538..32a8fbaf51 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -139,25 +139,6 @@ const BIGNUM *BN_value_one(void)
         return(&const_one);
         }
 
-char *BN_options(void)
-        {
-        static int init=0;
-        static char data[16];
-
-        if (!init)
-                {
-                init++;
-#ifdef BN_LLONG
-                BIO_snprintf(data,sizeof data,"bn(%d,%d)",
-                             (int)sizeof(BN_ULLONG)*8,(int)sizeof(BN_ULONG)*8);
-#else
-                BIO_snprintf(data,sizeof data,"bn(%d,%d)",
-                             (int)sizeof(BN_ULONG)*8,(int)sizeof(BN_ULONG)*8);
-#endif
-                }
-        return(data);
-        }
-
 int BN_num_bits_word(BN_ULONG l)
         {
         static const char bits[256]={
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index 1fc94f55c3..2ca5b01391 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -66,46 +66,157 @@
 #define BN_NIST_384_TOP (384+BN_BITS2-1)/BN_BITS2
 #define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2
 
+/* pre-computed tables are "carry-less" values of modulus*(i+1) */
 #if BN_BITS2 == 64
-static const BN_ULONG _nist_p_192[] =
-        {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,
-        0xFFFFFFFFFFFFFFFFULL};
-static const BN_ULONG _nist_p_224[] =
+static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
+        {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL},
+        {0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL},
+        {0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFCULL,0xFFFFFFFFFFFFFFFFULL}
+        };
+static const BN_ULONG _nist_p_192_sqr[] = {
+        0x0000000000000001ULL,0x0000000000000002ULL,0x0000000000000001ULL,
+        0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFDULL,0xFFFFFFFFFFFFFFFFULL
+        };
+static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
         {0x0000000000000001ULL,0xFFFFFFFF00000000ULL,
-        0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL};
-static const BN_ULONG _nist_p_256[] =
+         0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL},
+        {0x0000000000000002ULL,0xFFFFFFFE00000000ULL,
+         0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFFULL} /* this one is "carry-full" */
+        };
+static const BN_ULONG _nist_p_224_sqr[] = {
+        0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
+        0xFFFFFFFFFFFFFFFFULL,0x0000000200000000ULL,
+        0x0000000000000000ULL,0xFFFFFFFFFFFFFFFEULL,
+        0xFFFFFFFFFFFFFFFFULL
+        };
+static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
         {0xFFFFFFFFFFFFFFFFULL,0x00000000FFFFFFFFULL,
-        0x0000000000000000ULL,0xFFFFFFFF00000001ULL};
-static const BN_ULONG _nist_p_384[] =
-        {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,
-        0xFFFFFFFFFFFFFFFEULL,0xFFFFFFFFFFFFFFFFULL,
-        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL};
+         0x0000000000000000ULL,0xFFFFFFFF00000001ULL},
+        {0xFFFFFFFFFFFFFFFEULL,0x00000001FFFFFFFFULL,
+         0x0000000000000000ULL,0xFFFFFFFE00000002ULL},
+        {0xFFFFFFFFFFFFFFFDULL,0x00000002FFFFFFFFULL,
+         0x0000000000000000ULL,0xFFFFFFFD00000003ULL},
+        {0xFFFFFFFFFFFFFFFCULL,0x00000003FFFFFFFFULL,
+         0x0000000000000000ULL,0xFFFFFFFC00000004ULL},
+        {0xFFFFFFFFFFFFFFFBULL,0x00000004FFFFFFFFULL,
+         0x0000000000000000ULL,0xFFFFFFFB00000005ULL},
+        };
+static const BN_ULONG _nist_p_256_sqr[] = {
+        0x0000000000000001ULL,0xFFFFFFFE00000000ULL,
+        0xFFFFFFFFFFFFFFFFULL,0x00000001FFFFFFFEULL,
+        0x00000001FFFFFFFEULL,0x00000001FFFFFFFEULL,
+        0xFFFFFFFE00000001ULL,0xFFFFFFFE00000002ULL
+        };
+static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
+        {0x00000000FFFFFFFFULL,0xFFFFFFFF00000000ULL,0xFFFFFFFFFFFFFFFEULL,
+         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
+        {0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
+         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
+        {0x00000002FFFFFFFDULL,0xFFFFFFFD00000000ULL,0xFFFFFFFFFFFFFFFCULL,
+         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
+        {0x00000003FFFFFFFCULL,0xFFFFFFFC00000000ULL,0xFFFFFFFFFFFFFFFBULL,
+         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
+        {0x00000004FFFFFFFBULL,0xFFFFFFFB00000000ULL,0xFFFFFFFFFFFFFFFAULL,
+         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL},
+        };
+static const BN_ULONG _nist_p_384_sqr[] = {
+        0xFFFFFFFE00000001ULL,0x0000000200000000ULL,0xFFFFFFFE00000000ULL,
+        0x0000000200000000ULL,0x0000000000000001ULL,0x0000000000000000ULL,
+        0x00000001FFFFFFFEULL,0xFFFFFFFE00000000ULL,0xFFFFFFFFFFFFFFFDULL,
+        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL
+        };
 static const BN_ULONG _nist_p_521[] =
         {0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
         0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
         0x00000000000001FFULL};
+static const BN_ULONG _nist_p_521_sqr[] = {
+        0x0000000000000001ULL,0x0000000000000000ULL,0x0000000000000000ULL,
+        0x0000000000000000ULL,0x0000000000000000ULL,0x0000000000000000ULL,
+        0x0000000000000000ULL,0x0000000000000000ULL,0xFFFFFFFFFFFFFC00ULL,
+        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+        0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,0xFFFFFFFFFFFFFFFFULL,
+        0xFFFFFFFFFFFFFFFFULL,0x000000000003FFFFULL
+        };
 #elif BN_BITS2 == 32
-static const BN_ULONG _nist_p_192[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,
-        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
-static const BN_ULONG _nist_p_224[] = {0x00000001,0x00000000,0x00000000,
-        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
-static const BN_ULONG _nist_p_256[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
-        0x00000000,0x00000000,0x00000000,0x00000001,0xFFFFFFFF};
-static const BN_ULONG _nist_p_384[] = {0xFFFFFFFF,0x00000000,0x00000000,
-        0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
-        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF};
+static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = {
+        {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
+        };
+static const BN_ULONG _nist_p_192_sqr[] = {
+        0x00000001,0x00000000,0x00000002,0x00000000,0x00000001,0x00000000,
+        0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
+        };
+static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = {
+        {0x00000001,0x00000000,0x00000000,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0x00000002,0x00000000,0x00000000,0xFFFFFFFE,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF}
+        };
+static const BN_ULONG _nist_p_224_sqr[] = {
+        0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
+        0xFFFFFFFF,0xFFFFFFFF,0x00000000,0x00000002,
+        0x00000000,0x00000000,0xFFFFFFFE,0xFFFFFFFF,
+        0xFFFFFFFF,0xFFFFFFFF
+        };
+static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = {
+        {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0x00000000,
+         0x00000000,0x00000000,0x00000001,0xFFFFFFFF},
+        {0xFFFFFFFE,0xFFFFFFFF,0xFFFFFFFF,0x00000001,
+         0x00000000,0x00000000,0x00000002,0xFFFFFFFE},
+        {0xFFFFFFFD,0xFFFFFFFF,0xFFFFFFFF,0x00000002,
+         0x00000000,0x00000000,0x00000003,0xFFFFFFFD},
+        {0xFFFFFFFC,0xFFFFFFFF,0xFFFFFFFF,0x00000003,
+         0x00000000,0x00000000,0x00000004,0xFFFFFFFC},
+        {0xFFFFFFFB,0xFFFFFFFF,0xFFFFFFFF,0x00000004,
+         0x00000000,0x00000000,0x00000005,0xFFFFFFFB},
+        };
+static const BN_ULONG _nist_p_256_sqr[] = {
+        0x00000001,0x00000000,0x00000000,0xFFFFFFFE,
+        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFE,0x00000001,
+        0xFFFFFFFE,0x00000001,0xFFFFFFFE,0x00000001,
+        0x00000001,0xFFFFFFFE,0x00000002,0xFFFFFFFE
+        };
+static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = {
+        {0xFFFFFFFF,0x00000000,0x00000000,0xFFFFFFFF,0xFFFFFFFE,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFD,0x00000002,0x00000000,0xFFFFFFFD,0xFFFFFFFC,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFC,0x00000003,0x00000000,0xFFFFFFFC,0xFFFFFFFB,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        {0xFFFFFFFB,0x00000004,0x00000000,0xFFFFFFFB,0xFFFFFFFA,0xFFFFFFFF,
+         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF},
+        };
+static const BN_ULONG _nist_p_384_sqr[] = {
+        0x00000001,0xFFFFFFFE,0x00000000,0x00000002,0x00000000,0xFFFFFFFE,
+        0x00000000,0x00000002,0x00000001,0x00000000,0x00000000,0x00000000,
+        0xFFFFFFFE,0x00000001,0x00000000,0xFFFFFFFE,0xFFFFFFFD,0xFFFFFFFF,
+        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF
+        };
 static const BN_ULONG _nist_p_521[] = {0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
         0xFFFFFFFF,0x000001FF};
+static const BN_ULONG _nist_p_521_sqr[] = {
+        0x00000001,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,0x00000000,
+        0x00000000,0x00000000,0x00000000,0x00000000,0xFFFFFC00,0xFFFFFFFF,
+        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+        0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,0xFFFFFFFF,
+        0xFFFFFFFF,0xFFFFFFFF,0x0003FFFF
+        };
+#else
+#error "unsupported BN_BITS2"
 #endif
 
 
 static const BIGNUM _bignum_nist_p_192 =
         {
-        (BN_ULONG *)_nist_p_192,
+        (BN_ULONG *)_nist_p_192[0],
         BN_NIST_192_TOP,
         BN_NIST_192_TOP,
         0,
@@ -114,7 +225,7 @@ static const BIGNUM _bignum_nist_p_192 =
 
 static const BIGNUM _bignum_nist_p_224 =
         {
-        (BN_ULONG *)_nist_p_224,
+        (BN_ULONG *)_nist_p_224[0],
         BN_NIST_224_TOP,
         BN_NIST_224_TOP,
         0,
@@ -123,7 +234,7 @@ static const BIGNUM _bignum_nist_p_224 =
 
 static const BIGNUM _bignum_nist_p_256 =
         {
-        (BN_ULONG *)_nist_p_256,
+        (BN_ULONG *)_nist_p_256[0],
         BN_NIST_256_TOP,
         BN_NIST_256_TOP,
         0,
@@ -132,7 +243,7 @@ static const BIGNUM _bignum_nist_p_256 =
 
 static const BIGNUM _bignum_nist_p_384 =
         {
-        (BN_ULONG *)_nist_p_384,
+        (BN_ULONG *)_nist_p_384[0],
         BN_NIST_384_TOP,
         BN_NIST_384_TOP,
         0,
@@ -180,7 +291,9 @@ static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max)
         int i;
         BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
 
+#ifdef BN_DEBUG
         OPENSSL_assert(top <= max);
+#endif
         for (i = (top); i != 0; i--)
                 *_tmp1++ = *_tmp2++;
         for (i = (max) - (top); i != 0; i--)
@@ -198,9 +311,14 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
 #if BN_BITS2 == 64
 #define bn_cp_64(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
 #define bn_64_set_0(to, n)              (to)[n] = (BN_ULONG)0;
-/* TBD */
-#define bn_cp_32(to, n, from, m)        (to)[n] = (m>=0)?((from)[m]):0;
-#define bn_32_set_0(to, n)              (to)[n] = (BN_ULONG)0;
+/*
+ * two following macros are implemented under assumption that they
+ * are called in a sequence with *ascending* n, i.e. as they are...
+ */
+#define bn_cp_32_naked(to, n, from, m)  (((n)&1)?(to[(n)/2]|=((m)&1)?(from[(m)/2]&BN_MASK2h):(from[(m)/2]<<32))\
+                                                :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l)))
+#define bn_32_set_0(to, n)              (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0));
+#define bn_cp_32(to,n,from,m)           ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n)
 #else
 #define bn_cp_64(to, n, from, m) \
         { \
@@ -221,9 +339,9 @@ static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top)
 
 #define nist_set_192(to, from, a1, a2, a3) \
         { \
-        if (a3 != 0) bn_cp_64(to, 0, from, (a3) - 3) else bn_64_set_0(to, 0)\
+        bn_cp_64(to, 0, from, (a3) - 3) \
         bn_cp_64(to, 1, from, (a2) - 3) \
-        if (a1 != 0) bn_cp_64(to, 2, from, (a1) - 3) else bn_64_set_0(to, 2)\
+        bn_cp_64(to, 2, from, (a1) - 3) \
         }
 
 int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
@@ -237,11 +355,16 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  c_d[BN_NIST_192_TOP],
                 *res;
         size_t   mask;
+        static const BIGNUM _bignum_nist_p_192_sqr = {
+                (BN_ULONG *)_nist_p_192_sqr,
+                sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
+                sizeof(_nist_p_192_sqr)/sizeof(_nist_p_192_sqr[0]),
+                0,BN_FLG_STATIC_DATA };
 
         field = &_bignum_nist_p_192; /* just to make sure */
 
-        if (BN_is_negative(a) || a->top > 2*BN_NIST_192_TOP)
-                return BN_nnmod(r, field, a, ctx);
+        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_192_sqr)>=0)
+                return BN_nnmod(r, a, field, ctx);
 
         i = BN_ucmp(field, a);
         if (i == 0)
@@ -265,50 +388,49 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         nist_cp_bn_0(buf, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, BN_NIST_192_TOP);
 
         nist_set_192(t_d, buf, 0, 3, 3);
-        carry = bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192,BN_NIST_192_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-        
+        carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
         nist_set_192(t_d, buf, 4, 4, 0);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_192_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192,BN_NIST_192_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
         nist_set_192(t_d, buf, 5, 5, 5)
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_192_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192,BN_NIST_192_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP);
 
+        if (carry > 0)
+                carry = (int)bn_sub_words(r_d,r_d,_nist_p_192[carry-1],BN_NIST_192_TOP);
+        else
+                carry = 1;
+
+        /*
+         * we need 'if (carry==0 || result>=modulus) result-=modulus;'
+         * as comparison implies subtraction, we can write
+         * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;'
+         * this is what happens below, but without explicit if:-) a.
+         */
+        mask  = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
+        mask &= 0-(size_t)carry;
+        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_192_TOP);
         r->top = BN_NIST_192_TOP;
         bn_correct_top(r);
 
-        if (BN_ucmp(field, r) <= 0)
-                {
-                if (!BN_usub(r, r, field)) return 0;
-                }
-
         return 1;
         }
 
+typedef BN_ULONG (*bn_addsub_f)(BN_ULONG *,const BN_ULONG *,const BN_ULONG *,int);
+
 #define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \
         { \
-        if (a7 != 0) bn_cp_32(to, 0, from, (a7) - 7) else bn_32_set_0(to, 0)\
-        if (a6 != 0) bn_cp_32(to, 1, from, (a6) - 7) else bn_32_set_0(to, 1)\
-        if (a5 != 0) bn_cp_32(to, 2, from, (a5) - 7) else bn_32_set_0(to, 2)\
-        if (a4 != 0) bn_cp_32(to, 3, from, (a4) - 7) else bn_32_set_0(to, 3)\
-        if (a3 != 0) bn_cp_32(to, 4, from, (a3) - 7) else bn_32_set_0(to, 4)\
-        if (a2 != 0) bn_cp_32(to, 5, from, (a2) - 7) else bn_32_set_0(to, 5)\
-        if (a1 != 0) bn_cp_32(to, 6, from, (a1) - 7) else bn_32_set_0(to, 6)\
+        bn_cp_32(to, 0, from, (a7) - 7) \
+        bn_cp_32(to, 1, from, (a6) - 7) \
+        bn_cp_32(to, 2, from, (a5) - 7) \
+        bn_cp_32(to, 3, from, (a4) - 7) \
+        bn_cp_32(to, 4, from, (a3) - 7) \
+        bn_cp_32(to, 5, from, (a2) - 7) \
+        bn_cp_32(to, 6, from, (a1) - 7) \
         }
 
 int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         BN_CTX *ctx)
         {
-#if BN_BITS2 == 32
         int     top = a->top, i;
         int     carry;
         BN_ULONG *r_d, *a_d = a->d;
@@ -317,11 +439,18 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  c_d[BN_NIST_224_TOP],
                 *res;
         size_t   mask;
+        union { bn_addsub_f f; size_t p; } u;
+        static const BIGNUM _bignum_nist_p_224_sqr = {
+                (BN_ULONG *)_nist_p_224_sqr,
+                sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
+                sizeof(_nist_p_224_sqr)/sizeof(_nist_p_224_sqr[0]),
+                0,BN_FLG_STATIC_DATA };
+
 
         field = &_bignum_nist_p_224; /* just to make sure */
 
-        if (BN_is_negative(a) || a->top > 2*BN_NIST_224_TOP)
-                return BN_nnmod(r, field, a, ctx);
+        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_224_sqr)>=0)
+                return BN_nnmod(r, a, field, ctx);
 
         i = BN_ucmp(field, a);
         if (i == 0)
@@ -342,72 +471,77 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         else
                 r_d = a_d;
 
+#if BN_BITS2==64
+        /* copy upper 256 bits of 448 bit number ... */
+        nist_cp_bn_0(t_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
+        /* ... and right shift by 32 to obtain upper 224 bits */
+        nist_set_224(buf, t_d, 14, 13, 12, 11, 10, 9, 8);
+        /* truncate lower part to 224 bits too */
+        r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
+#else
         nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
-
+#endif
         nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0);
-        carry = bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_224,BN_NIST_224_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-        
+        carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
         nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_224_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_224,BN_NIST_224_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
         nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_224_TOP);
-        bn_add_words(c_d,r_d,_nist_p_224,BN_NIST_224_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-#else
-        if (bn_sub_words(r_d, res, t_d, BN_NIST_224_TOP))
-                bn_add_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
         nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_224_TOP);
-        bn_add_words(c_d,r_d,_nist_p_224,BN_NIST_224_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
 
-        nist_cp_bn(r_d, res, BN_NIST_224_TOP);
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP))
-                bn_add_words(r_d,r_d,_nist_p_224,BN_NIST_224_TOP);
+#if BN_BITS2==64
+        carry = (int)(r_d[BN_NIST_224_TOP-1]>>32);
 #endif
-        r->top = BN_NIST_224_TOP;
-        bn_correct_top(r);
-
-        if (BN_ucmp(field, r) <= 0)
+        u.f = bn_sub_words;
+        if (carry > 0)
                 {
-                if (!BN_usub(r, r, field)) return 0;
+                carry = (int)bn_sub_words(r_d,r_d,_nist_p_224[carry-1],BN_NIST_224_TOP);
+#if BN_BITS2==64
+                carry=(int)(~(r_d[BN_NIST_224_TOP-1]>>32))&1;
+#endif
                 }
+        else if (carry < 0)
+                {
+                /* it's a bit more comlicated logic in this case.
+                 * if bn_add_words yields no carry, then result
+                 * has to be adjusted by unconditionally *adding*
+                 * the modulus. but if it does, then result has
+                 * to be compared to the modulus and conditionally
+                 * adjusted by *subtracting* the latter. */
+                carry = (int)bn_add_words(r_d,r_d,_nist_p_224[-carry-1],BN_NIST_224_TOP);
+                mask = 0-(size_t)carry;
+                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
+                }
+        else
+                carry = 1;
+
+        /* otherwise it's effectively same as in BN_nist_mod_192... */
+        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
+        mask &= 0-(size_t)carry;
+        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        nist_cp_bn(r_d, res, BN_NIST_224_TOP);
+        r->top = BN_NIST_224_TOP;
+        bn_correct_top(r);
 
         return 1;
-#else   /* BN_BITS!=32 */
-        return 0;
-#endif
         }
 
 #define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \
         { \
-        if (a8 != 0) bn_cp_32(to, 0, from, (a8) - 8) else bn_32_set_0(to, 0)\
-        if (a7 != 0) bn_cp_32(to, 1, from, (a7) - 8) else bn_32_set_0(to, 1)\
-        if (a6 != 0) bn_cp_32(to, 2, from, (a6) - 8) else bn_32_set_0(to, 2)\
-        if (a5 != 0) bn_cp_32(to, 3, from, (a5) - 8) else bn_32_set_0(to, 3)\
-        if (a4 != 0) bn_cp_32(to, 4, from, (a4) - 8) else bn_32_set_0(to, 4)\
-        if (a3 != 0) bn_cp_32(to, 5, from, (a3) - 8) else bn_32_set_0(to, 5)\
-        if (a2 != 0) bn_cp_32(to, 6, from, (a2) - 8) else bn_32_set_0(to, 6)\
-        if (a1 != 0) bn_cp_32(to, 7, from, (a1) - 8) else bn_32_set_0(to, 7)\
+        bn_cp_32(to, 0, from, (a8) - 8) \
+        bn_cp_32(to, 1, from, (a7) - 8) \
+        bn_cp_32(to, 2, from, (a6) - 8) \
+        bn_cp_32(to, 3, from, (a5) - 8) \
+        bn_cp_32(to, 4, from, (a4) - 8) \
+        bn_cp_32(to, 5, from, (a3) - 8) \
+        bn_cp_32(to, 6, from, (a2) - 8) \
+        bn_cp_32(to, 7, from, (a1) - 8) \
         }
 
 int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         BN_CTX *ctx)
         {
-#if BN_BITS2 == 32
         int     i, top = a->top;
         int     carry = 0;
         register BN_ULONG *a_d = a->d, *r_d;
@@ -416,11 +550,17 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  c_d[BN_NIST_256_TOP],
                 *res;
         size_t   mask;
+        union { bn_addsub_f f; size_t p; } u;
+        static const BIGNUM _bignum_nist_p_256_sqr = {
+                (BN_ULONG *)_nist_p_256_sqr,
+                sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
+                sizeof(_nist_p_256_sqr)/sizeof(_nist_p_256_sqr[0]),
+                0,BN_FLG_STATIC_DATA };
 
         field = &_bignum_nist_p_256; /* just to make sure */
 
-        if (BN_is_negative(a) || a->top > 2*BN_NIST_256_TOP)
-                return BN_nnmod(r, field, a, ctx);
+        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_256_sqr)>=0)
+                return BN_nnmod(r, a, field, ctx);
 
         i = BN_ucmp(field, a);
         if (i == 0)
@@ -446,116 +586,84 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         /*S1*/
         nist_set_256(t_d, buf, 15, 14, 13, 12, 11, 0, 0, 0);
         /*S2*/
-        nist_set_256(c_d,buf, 0, 15, 14, 13, 12, 0, 0, 0);
-        carry = bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,t_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)t_d&~mask));
-
-        carry = bn_add_words(t_d, res, res, BN_NIST_256_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,t_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)t_d&~mask));
-
-        carry = bn_add_words(r_d, r_d, res, BN_NIST_256_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        nist_set_256(c_d, buf, 0, 15, 14, 13, 12, 0, 0, 0);
+        carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP);
+        /* left shift */
+                {
+                register BN_ULONG *ap,t,c;
+                ap = t_d;
+                c=0;
+                for (i = BN_NIST_256_TOP; i != 0; --i)
+                        {
+                        t= *ap;
+                        *(ap++)=((t<<1)|c)&BN_MASK2;
+                        c=(t & BN_TBIT)?1:0;
+                        }
+                carry <<= 1;
+                carry  |= c;
+                }
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*S3*/
         nist_set_256(t_d, buf, 15, 14, 0, 0, 0, 10, 9, 8);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_256_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*S4*/
         nist_set_256(t_d, buf, 8, 13, 15, 14, 13, 11, 10, 9);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_256_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*D1*/
         nist_set_256(t_d, buf, 10, 8, 0, 0, 0, 13, 12, 11);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_256_TOP);
-        bn_add_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));   
-#else
-        if (bn_sub_words(r_d, res, t_d, BN_NIST_256_TOP))
-                bn_add_words(r_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*D2*/
         nist_set_256(t_d, buf, 11, 9, 0, 0, 15, 14, 13, 12);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_256_TOP);
-        bn_add_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));   
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
-                bn_add_words(r_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*D3*/
         nist_set_256(t_d, buf, 12, 0, 10, 9, 8, 15, 14, 13);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_256_TOP);
-        bn_add_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));   
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
-                bn_add_words(r_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
         /*D4*/
         nist_set_256(t_d, buf, 13, 0, 11, 10, 9, 0, 15, 14);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_256_TOP);
-        bn_add_words(c_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));   
-
-        nist_cp_bn(r_d, res, BN_NIST_384_TOP);
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP))
-                bn_add_words(r_d,r_d,_nist_p_256,BN_NIST_256_TOP);
-#endif
-        r->top = BN_NIST_256_TOP;
-        bn_correct_top(r);
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP);
 
-        if (BN_ucmp(field, r) <= 0)
+        /* see BN_nist_mod_224 for explanation */
+        u.f = bn_sub_words;
+        if (carry > 0)
+                carry = (int)bn_sub_words(r_d,r_d,_nist_p_256[carry-1],BN_NIST_256_TOP);
+        else if (carry < 0)
                 {
-                if (!BN_usub(r, r, field)) return 0;
+                carry = (int)bn_add_words(r_d,r_d,_nist_p_256[-carry-1],BN_NIST_256_TOP);
+                mask = 0-(size_t)carry;
+                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
                 }
+        else
+                carry = 1;
+
+        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
+        mask &= 0-(size_t)carry;
+        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
+        nist_cp_bn(r_d, res, BN_NIST_256_TOP);
+        r->top = BN_NIST_256_TOP;
+        bn_correct_top(r);
 
         return 1;
-#else   /* BN_BITS!=32 */
-        return 0;
-#endif
         }
 
 #define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \
         { \
-        if (a12 != 0) bn_cp_32(to, 0, from,  (a12) - 12) else bn_32_set_0(to, 0)\
-        if (a11 != 0) bn_cp_32(to, 1, from,  (a11) - 12) else bn_32_set_0(to, 1)\
-        if (a10 != 0) bn_cp_32(to, 2, from,  (a10) - 12) else bn_32_set_0(to, 2)\
-        if (a9 != 0)  bn_cp_32(to, 3, from,  (a9) - 12)  else bn_32_set_0(to, 3)\
-        if (a8 != 0)  bn_cp_32(to, 4, from,  (a8) - 12)  else bn_32_set_0(to, 4)\
-        if (a7 != 0)  bn_cp_32(to, 5, from,  (a7) - 12)  else bn_32_set_0(to, 5)\
-        if (a6 != 0)  bn_cp_32(to, 6, from,  (a6) - 12)  else bn_32_set_0(to, 6)\
-        if (a5 != 0)  bn_cp_32(to, 7, from,  (a5) - 12)  else bn_32_set_0(to, 7)\
-        if (a4 != 0)  bn_cp_32(to, 8, from,  (a4) - 12)  else bn_32_set_0(to, 8)\
-        if (a3 != 0)  bn_cp_32(to, 9, from,  (a3) - 12)  else bn_32_set_0(to, 9)\
-        if (a2 != 0)  bn_cp_32(to, 10, from, (a2) - 12)  else bn_32_set_0(to, 10)\
-        if (a1 != 0)  bn_cp_32(to, 11, from, (a1) - 12)  else bn_32_set_0(to, 11)\
+        bn_cp_32(to, 0, from,  (a12) - 12) \
+        bn_cp_32(to, 1, from,  (a11) - 12) \
+        bn_cp_32(to, 2, from,  (a10) - 12) \
+        bn_cp_32(to, 3, from,  (a9) - 12)  \
+        bn_cp_32(to, 4, from,  (a8) - 12)  \
+        bn_cp_32(to, 5, from,  (a7) - 12)  \
+        bn_cp_32(to, 6, from,  (a6) - 12)  \
+        bn_cp_32(to, 7, from,  (a5) - 12)  \
+        bn_cp_32(to, 8, from,  (a4) - 12)  \
+        bn_cp_32(to, 9, from,  (a3) - 12)  \
+        bn_cp_32(to, 10, from, (a2) - 12)  \
+        bn_cp_32(to, 11, from, (a1) - 12)  \
         }
 
 int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         BN_CTX *ctx)
         {
-#if BN_BITS2 == 32
         int     i, top = a->top;
         int     carry = 0;
         register BN_ULONG *r_d, *a_d = a->d;
@@ -564,11 +672,18 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                  c_d[BN_NIST_384_TOP],
                 *res;
         size_t   mask;
+        union { bn_addsub_f f; size_t p; } u;
+        static const BIGNUM _bignum_nist_p_384_sqr = {
+                (BN_ULONG *)_nist_p_384_sqr,
+                sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
+                sizeof(_nist_p_384_sqr)/sizeof(_nist_p_384_sqr[0]),
+                0,BN_FLG_STATIC_DATA };
+
 
         field = &_bignum_nist_p_384; /* just to make sure */
 
-        if (BN_is_negative(a) || a->top > 2*BN_NIST_384_TOP)
-                return BN_nnmod(r, field, a, ctx);
+        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_384_sqr)>=0)
+                return BN_nnmod(r, a, field, ctx);
 
         i = BN_ucmp(field, a);
         if (i == 0)
@@ -606,171 +721,116 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
                         }
                 *ap=c;
                 }
-        carry = bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
+        carry = (int)bn_add_words(r_d+(128/BN_BITS2), r_d+(128/BN_BITS2), 
                 t_d, BN_NIST_256_TOP);
-        /*
-         * we need if (result>=modulus) subtract(result,modulus);
-         * in n-bit space this can be expressed as
-         * if (carry || result>=modulus) subtract(result,modulus);
-         * the catch is that comparison implies subtraction and
-         * therefore one can write tmp=subtract(result,modulus);
-         * and then if(carry || !borrow) result=tmp; this's what
-         * happens below, but without explicit if:-) a.
-         */
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
         /*S2 */
-        carry = bn_add_words(r_d, res, buf, BN_NIST_384_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, buf, BN_NIST_384_TOP);
         /*S3*/
         nist_set_384(t_d,buf,20,19,18,17,16,15,14,13,12,23,22,21);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_384_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*S4*/
         nist_set_384(t_d,buf,19,18,17,16,15,14,13,12,20,0,23,0);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_384_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*S5*/
         nist_set_384(t_d, buf,0,0,0,0,23,22,21,20,0,0,0,0);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_384_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*S6*/
         nist_set_384(t_d,buf,0,0,0,0,0,0,23,22,21,0,0,20);
-        carry = bn_add_words(r_d, res, t_d, BN_NIST_384_TOP);
-        mask = 0-(size_t)bn_sub_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = ~mask | (0-(size_t)carry);
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-
+        carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*D1*/
         nist_set_384(t_d,buf,22,21,20,19,18,17,16,15,14,13,12,23);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_384_TOP);
-        bn_add_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-#else
-        if (bn_sub_words(r_d, res, t_d, BN_NIST_384_TOP))
-                bn_add_words(r_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*D2*/
         nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,22,21,20,0);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_384_TOP);
-        bn_add_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
-                bn_add_words(r_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-#endif
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
         /*D3*/
         nist_set_384(t_d,buf,0,0,0,0,0,0,0,23,23,0,0,0);
-#if BRANCH_FREE
-        carry = bn_sub_words(r_d, res, t_d, BN_NIST_384_TOP);
-        bn_add_words(c_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-        mask = 0-(size_t)carry;
-        res = (BN_ULONG *)(((size_t)c_d&mask) | ((size_t)r_d&~mask));
+        carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP);
 
+        /* see BN_nist_mod_224 for explanation */
+        u.f = bn_sub_words;
+        if (carry > 0)
+                carry = (int)bn_sub_words(r_d,r_d,_nist_p_384[carry-1],BN_NIST_384_TOP);
+        else if (carry < 0)
+                {
+                carry = (int)bn_add_words(r_d,r_d,_nist_p_384[-carry-1],BN_NIST_384_TOP);
+                mask = 0-(size_t)carry;
+                u.p = ((size_t)bn_sub_words&mask) | ((size_t)bn_add_words&~mask);
+                }
+        else
+                carry = 1;
+
+        mask  = 0-(size_t)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
+        mask &= 0-(size_t)carry;
+        res   = (BN_ULONG *)(((size_t)c_d&~mask) | ((size_t)r_d&mask));
         nist_cp_bn(r_d, res, BN_NIST_384_TOP);
-#else
-        if (bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP))
-                bn_add_words(r_d,r_d,_nist_p_384,BN_NIST_384_TOP);
-#endif
         r->top = BN_NIST_384_TOP;
         bn_correct_top(r);
 
-        if (BN_ucmp(field, r) <= 0)
-                {
-                if (!BN_usub(r, r, field)) return 0;
-                }
-
         return 1;
-#else   /* BN_BITS!=32 */
-        return 0;
-#endif
         }
 
+#define BN_NIST_521_RSHIFT      (521%BN_BITS2)
+#define BN_NIST_521_LSHIFT      (BN_BITS2-BN_NIST_521_RSHIFT)
+#define BN_NIST_521_TOP_MASK    ((BN_ULONG)BN_MASK2>>BN_NIST_521_LSHIFT)
+
 int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
         BN_CTX *ctx)
         {
-#if BN_BITS2 == 64
-#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
-#elif BN_BITS2 == 32
-#define BN_NIST_521_TOP_MASK    (BN_ULONG)0x1FF
-#endif
-        int     top, ret = 0;
-        BIGNUM  *tmp;
+        int     top = a->top, i;
+        BN_ULONG *r_d, *a_d = a->d,
+                 t_d[BN_NIST_521_TOP],
+                 val,tmp,*res;
+        size_t  mask;
+        static const BIGNUM _bignum_nist_p_521_sqr = {
+                (BN_ULONG *)_nist_p_521_sqr,
+                sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
+                sizeof(_nist_p_521_sqr)/sizeof(_nist_p_521_sqr[0]),
+                0,BN_FLG_STATIC_DATA };
 
         field = &_bignum_nist_p_521; /* just to make sure */
 
-        if (BN_is_negative(a))
-                return BN_nnmod(r, field, a, ctx);
+        if (BN_is_negative(a) || BN_ucmp(a,&_bignum_nist_p_521_sqr)>=0)
+                return BN_nnmod(r, a, field, ctx);
 
-        /* check whether a reduction is necessary */
-        top = a->top;
-        if (top < BN_NIST_521_TOP  || ( top == BN_NIST_521_TOP &&
-            (!(a->d[BN_NIST_521_TOP-1] & ~(BN_NIST_521_TOP_MASK)))))
+        i = BN_ucmp(field, a);
+        if (i == 0)
                 {
-                int i = BN_ucmp(field, a);
-                if (i == 0)
-                        {
-                        BN_zero(r);
-                        return 1;
-                        }
-                else
-                        {
-#ifdef BN_DEBUG
-                        OPENSSL_assert(i > 0); /* because 'field' is 1111...1111 */
-#endif
-                        return (r == a)? 1 : (BN_copy(r ,a) != NULL);
-                        }
+                BN_zero(r);
+                return 1;
                 }
+        else if (i > 0)
+                return (r == a)? 1 : (BN_copy(r ,a) != NULL);
 
-        if (BN_num_bits(a) > 2*521)
-                return BN_nnmod(r, field, a, ctx);
-
-        BN_CTX_start(ctx);
-        tmp = BN_CTX_get(ctx);
-        if (!tmp)
-                goto err;
-
-        if (!bn_wexpand(tmp, BN_NIST_521_TOP))
-                goto err;
-        nist_cp_bn(tmp->d, a->d, BN_NIST_521_TOP);
-
-        tmp->top = BN_NIST_521_TOP;
-        tmp->d[BN_NIST_521_TOP-1]  &= BN_NIST_521_TOP_MASK;
-        bn_correct_top(tmp);
-
-        if (!BN_rshift(r, a, 521))
-                goto err;
-
-        if (!BN_uadd(r, tmp, r))
-                goto err;
-
-        if (BN_ucmp(field, r) <= 0)
+        if (r != a)
                 {
-                if (!BN_usub(r, r, field)) goto err;
+                if (!bn_wexpand(r,BN_NIST_521_TOP))
+                        return 0;
+                r_d = r->d;
+                nist_cp_bn(r_d,a_d, BN_NIST_521_TOP);
                 }
+        else
+                r_d = a_d;
 
-        ret = 1;
-err:
-        BN_CTX_end(ctx);
+        /* upper 521 bits, copy ... */
+        nist_cp_bn_0(t_d,a_d + (BN_NIST_521_TOP-1), top - (BN_NIST_521_TOP-1),BN_NIST_521_TOP);
+        /* ... and right shift */
+        for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
+                {
+                tmp = val>>BN_NIST_521_RSHIFT;
+                val = t_d[i+1];
+                t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
+                }
+        t_d[i] = val>>BN_NIST_521_RSHIFT;
+        /* lower 521 bits */
+        r_d[i] &= BN_NIST_521_TOP_MASK;
+
+        bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
+        mask = 0-(size_t)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
+        res  = (BN_ULONG *)(((size_t)t_d&~mask) | ((size_t)r_d&mask));
+        nist_cp_bn(r_d,res,BN_NIST_521_TOP);
+        r->top = BN_NIST_521_TOP;
+        bn_correct_top(r);
 
-        bn_check_top(r);
-        return ret;
+        return 1;
         }
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index f51830b12b..b376c28ff3 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -227,7 +227,7 @@ int     BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom)
 
 
 /* random number r:  0 <= r < range */
-static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
+static int bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range)
         {
         int (*bn_rand)(BIGNUM *, int, int, int) = pseudo ? BN_pseudo_rand : BN_rand;
         int n;
@@ -294,12 +294,12 @@ static int bn_rand_range(int pseudo, BIGNUM *r, BIGNUM *range)
         }
 
 
-int     BN_rand_range(BIGNUM *r, BIGNUM *range)
+int     BN_rand_range(BIGNUM *r, const BIGNUM *range)
         {
         return bn_rand_range(0, r, range);
         }
 
-int     BN_pseudo_rand_range(BIGNUM *r, BIGNUM *range)
+int     BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range)
         {
         return bn_rand_range(1, r, range);
         }
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index de9312dce2..c4d301afc4 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -177,7 +177,7 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n)
         nw=n/BN_BITS2;
         rb=n%BN_BITS2;
         lb=BN_BITS2-rb;
-        if (nw > a->top || a->top == 0)
+        if (nw >= a->top || a->top == 0)
                 {
                 BN_zero(r);
                 return(1);
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 3bf03c7eff..b3e947771d 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -161,61 +161,3 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
                 }
         return(len);
         }
-
-char *BUF_strdup(const char *str)
-        {
-        if (str == NULL) return(NULL);
-        return BUF_strndup(str, strlen(str));
-        }
-
-char *BUF_strndup(const char *str, size_t siz)
-        {
-        char *ret;
-
-        if (str == NULL) return(NULL);
-
-        ret=OPENSSL_malloc(siz+1);
-        if (ret == NULL) 
-                {
-                BUFerr(BUF_F_BUF_STRNDUP,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        BUF_strlcpy(ret,str,siz+1);
-        return(ret);
-        }
-
-void *BUF_memdup(const void *data, size_t siz)
-        {
-        void *ret;
-
-        if (data == NULL) return(NULL);
-
-        ret=OPENSSL_malloc(siz);
-        if (ret == NULL) 
-                {
-                BUFerr(BUF_F_BUF_MEMDUP,ERR_R_MALLOC_FAILURE);
-                return(NULL);
-                }
-        return memcpy(ret, data, siz);
-        }       
-
-size_t BUF_strlcpy(char *dst, const char *src, size_t size)
-        {
-        size_t l = 0;
-        for(; size > 1 && *src; size--)
-                {
-                *dst++ = *src++;
-                l++;
-                }
-        if (size)
-                *dst = '\0';
-        return l + strlen(src);
-        }
-
-size_t BUF_strlcat(char *dst, const char *src, size_t size)
-        {
-        size_t l = 0;
-        for(; size > 0 && *dst; size--, dst++)
-                l++;
-        return l + BUF_strlcpy(dst, src, size);
-        }
diff --git a/src/lib/libcrypto/cast/c_skey.c b/src/lib/libcrypto/cast/c_skey.c
index 76e40005c9..68e690a60c 100644
--- a/src/lib/libcrypto/cast/c_skey.c
+++ b/src/lib/libcrypto/cast/c_skey.c
@@ -57,6 +57,11 @@
  */
 
 #include <openssl/cast.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "cast_lcl.h"
 #include "cast_s.h"
 
@@ -72,7 +77,7 @@
 #define S6 CAST_S_table6
 #define S7 CAST_S_table7
 
-void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data)
+FIPS_NON_FIPS_VCIPHER_Init(CAST)
         {
         CAST_LONG x[16];
         CAST_LONG z[16];
diff --git a/src/lib/libcrypto/cast/cast.h b/src/lib/libcrypto/cast/cast.h
index 90b45b950a..1faf5806aa 100644
--- a/src/lib/libcrypto/cast/cast.h
+++ b/src/lib/libcrypto/cast/cast.h
@@ -83,7 +83,9 @@ typedef struct cast_key_st
         int short_key;  /* Use reduced rounds for short key */
         } CAST_KEY;
 
- 
+#ifdef OPENSSL_FIPS 
+void private_CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
+#endif
 void CAST_set_key(CAST_KEY *key, int len, const unsigned char *data);
 void CAST_ecb_encrypt(const unsigned char *in,unsigned char *out,CAST_KEY *key,
                       int enc);
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index b35d28d411..b9463f9abb 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -68,7 +68,10 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
         if (out == NULL)
                 tmpout = BIO_new(BIO_s_null());
         else if (flags & CMS_TEXT)
+                {
                 tmpout = BIO_new(BIO_s_mem());
+                BIO_set_mem_eof_return(tmpout, 0);
+                }
         else
                 tmpout = out;
 
diff --git a/src/lib/libcrypto/comp/c_zlib.c b/src/lib/libcrypto/comp/c_zlib.c
index 0f34597e70..eccfd09137 100644
--- a/src/lib/libcrypto/comp/c_zlib.c
+++ b/src/lib/libcrypto/comp/c_zlib.c
@@ -727,6 +727,7 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_CTRL_RESET:
                 ctx->ocount = 0;
                 ctx->odone = 0;
+                ret = 1;
                 break;
 
         case BIO_CTRL_FLUSH:
@@ -771,7 +772,7 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
                                 }
                         ctx->obufsize = obs;
                         }
-
+                ret = 1;
                 break;
 
         case BIO_C_DO_STATE_MACHINE:
@@ -783,7 +784,6 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
         default:
                 ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
                 break;
-
                 }
 
         return ret;
diff --git a/src/lib/libcrypto/conf/conf_mall.c b/src/lib/libcrypto/conf/conf_mall.c
index 4ba40cf44c..1cc1fd5534 100644
--- a/src/lib/libcrypto/conf/conf_mall.c
+++ b/src/lib/libcrypto/conf/conf_mall.c
@@ -1,5 +1,5 @@
 /* conf_mall.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
@@ -63,6 +63,7 @@
 #include <openssl/dso.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#include <openssl/evp.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -76,5 +77,6 @@ void OPENSSL_load_builtin_modules(void)
 #ifndef OPENSSL_NO_ENGINE
         ENGINE_add_conf_module();
 #endif
+        EVP_add_alg_module();
         }
 
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index 58b23ba992..e286378cb1 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -1,5 +1,5 @@
 /* conf_mod.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/conf/conf_sap.c b/src/lib/libcrypto/conf/conf_sap.c
index 9c53bac1a8..760dc2632d 100644
--- a/src/lib/libcrypto/conf/conf_sap.c
+++ b/src/lib/libcrypto/conf/conf_sap.c
@@ -1,5 +1,5 @@
 /* conf_sap.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 8c68623828..8f9e88e403 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -121,275 +121,17 @@
 static double SSLeay_MSVC5_hack=0.0; /* and for VC1.5 */
 #endif
 
-DECLARE_STACK_OF(CRYPTO_dynlock)
-IMPLEMENT_STACK_OF(CRYPTO_dynlock)
-
-/* real #defines in crypto.h, keep these upto date */
-static const char* const lock_names[CRYPTO_NUM_LOCKS] =
-        {
-        "<<ERROR>>",
-        "err",
-        "ex_data",
-        "x509",
-        "x509_info",
-        "x509_pkey",
-        "x509_crl",
-        "x509_req",
-        "dsa",
-        "rsa",
-        "evp_pkey",
-        "x509_store",
-        "ssl_ctx",
-        "ssl_cert",
-        "ssl_session",
-        "ssl_sess_cert",
-        "ssl",
-        "ssl_method",
-        "rand",
-        "rand2",
-        "debug_malloc",
-        "BIO",
-        "gethostbyname",
-        "getservbyname",
-        "readdir",
-        "RSA_blinding",
-        "dh",
-        "debug_malloc2",
-        "dso",
-        "dynlock",
-        "engine",
-        "ui",
-        "ecdsa",
-        "ec",
-        "ecdh",
-        "bn",
-        "ec_pre_comp",
-        "store",
-        "comp",
-#if CRYPTO_NUM_LOCKS != 39
-# error "Inconsistency between crypto.h and cryptlib.c"
-#endif
-        };
-
-/* This is for applications to allocate new type names in the non-dynamic
-   array of lock names.  These are numbered with positive numbers.  */
-static STACK *app_locks=NULL;
-
-/* For applications that want a more dynamic way of handling threads, the
-   following stack is used.  These are externally numbered with negative
-   numbers.  */
-static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
-
-
 static void (MS_FAR *locking_callback)(int mode,int type,
         const char *file,int line)=NULL;
 static int (MS_FAR *add_lock_callback)(int *pointer,int amount,
         int type,const char *file,int line)=NULL;
 static unsigned long (MS_FAR *id_callback)(void)=NULL;
-static struct CRYPTO_dynlock_value *(MS_FAR *dynlock_create_callback)
-        (const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_lock_callback)(int mode,
-        struct CRYPTO_dynlock_value *l, const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_destroy_callback)(struct CRYPTO_dynlock_value *l,
-        const char *file,int line)=NULL;
-
-int CRYPTO_get_new_lockid(char *name)
-        {
-        char *str;
-        int i;
-
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
-        /* A hack to make Visual C++ 5.0 work correctly when linking as
-         * a DLL using /MT. Without this, the application cannot use
-         * and floating point printf's.
-         * It also seems to be needed for Visual C 1.5 (win16) */
-        SSLeay_MSVC5_hack=(double)name[0]*(double)name[1];
-#endif
-
-        if ((app_locks == NULL) && ((app_locks=sk_new_null()) == NULL))
-                {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        if ((str=BUF_strdup(name)) == NULL)
-                {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_LOCKID,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        i=sk_push(app_locks,str);
-        if (!i)
-                OPENSSL_free(str);
-        else
-                i+=CRYPTO_NUM_LOCKS; /* gap of one :-) */
-        return(i);
-        }
 
 int CRYPTO_num_locks(void)
         {
         return CRYPTO_NUM_LOCKS;
         }
 
-int CRYPTO_get_new_dynlockid(void)
-        {
-        int i = 0;
-        CRYPTO_dynlock *pointer = NULL;
-
-        if (dynlock_create_callback == NULL)
-                {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK);
-                return(0);
-                }
-        CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
-        if ((dyn_locks == NULL)
-                && ((dyn_locks=sk_CRYPTO_dynlock_new_null()) == NULL))
-                {
-                CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-
-        pointer = (CRYPTO_dynlock *)OPENSSL_malloc(sizeof(CRYPTO_dynlock));
-        if (pointer == NULL)
-                {
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        pointer->references = 1;
-        pointer->data = dynlock_create_callback(__FILE__,__LINE__);
-        if (pointer->data == NULL)
-                {
-                OPENSSL_free(pointer);
-                CRYPTOerr(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-
-        CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
-        /* First, try to find an existing empty slot */
-        i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
-        /* If there was none, push, thereby creating a new one */
-        if (i == -1)
-                /* Since sk_push() returns the number of items on the
-                   stack, not the location of the pushed item, we need
-                   to transform the returned number into a position,
-                   by decreasing it.  */
-                i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
-        else
-                /* If we found a place with a NULL pointer, put our pointer
-                   in it.  */
-                (void)sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
-        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-
-        if (i == -1)
-                {
-                dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
-                OPENSSL_free(pointer);
-                }
-        else
-                i += 1; /* to avoid 0 */
-        return -i;
-        }
-
-void CRYPTO_destroy_dynlockid(int i)
-        {
-        CRYPTO_dynlock *pointer = NULL;
-        if (i)
-                i = -i-1;
-        if (dynlock_destroy_callback == NULL)
-                return;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
-
-        if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks))
-                {
-                CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-                return;
-                }
-        pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
-        if (pointer != NULL)
-                {
-                --pointer->references;
-#ifdef REF_CHECK
-                if (pointer->references < 0)
-                        {
-                        fprintf(stderr,"CRYPTO_destroy_dynlockid, bad reference count\n");
-                        abort();
-                        }
-                else
-#endif
-                        if (pointer->references <= 0)
-                                {
-                                (void)sk_CRYPTO_dynlock_set(dyn_locks, i, NULL);
-                                }
-                        else
-                                pointer = NULL;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-
-        if (pointer)
-                {
-                dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
-                OPENSSL_free(pointer);
-                }
-        }
-
-struct CRYPTO_dynlock_value *CRYPTO_get_dynlock_value(int i)
-        {
-        CRYPTO_dynlock *pointer = NULL;
-        if (i)
-                i = -i-1;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK);
-
-        if (dyn_locks != NULL && i < sk_CRYPTO_dynlock_num(dyn_locks))
-                pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
-        if (pointer)
-                pointer->references++;
-
-        CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-
-        if (pointer)
-                return pointer->data;
-        return NULL;
-        }
-
-struct CRYPTO_dynlock_value *(*CRYPTO_get_dynlock_create_callback(void))
-        (const char *file,int line)
-        {
-        return(dynlock_create_callback);
-        }
-
-void (*CRYPTO_get_dynlock_lock_callback(void))(int mode,
-        struct CRYPTO_dynlock_value *l, const char *file,int line)
-        {
-        return(dynlock_lock_callback);
-        }
-
-void (*CRYPTO_get_dynlock_destroy_callback(void))
-        (struct CRYPTO_dynlock_value *l, const char *file,int line)
-        {
-        return(dynlock_destroy_callback);
-        }
-
-void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *(*func)
-        (const char *file, int line))
-        {
-        dynlock_create_callback=func;
-        }
-
-void CRYPTO_set_dynlock_lock_callback(void (*func)(int mode,
-        struct CRYPTO_dynlock_value *l, const char *file, int line))
-        {
-        dynlock_lock_callback=func;
-        }
-
-void CRYPTO_set_dynlock_destroy_callback(void (*func)
-        (struct CRYPTO_dynlock_value *l, const char *file, int line))
-        {
-        dynlock_destroy_callback=func;
-        }
-
-
 void (*CRYPTO_get_locking_callback(void))(int mode,int type,const char *file,
                 int line)
         {
@@ -445,6 +187,14 @@ unsigned long CRYPTO_thread_id(void)
         return(ret);
         }
 
+static void (*do_dynlock_cb)(int mode, int type, const char *file, int line);
+
+void int_CRYPTO_set_do_dynlock_callback(
+        void (*dyn_cb)(int mode, int type, const char *file, int line))
+        {
+        do_dynlock_cb = dyn_cb;
+        }
+
 void CRYPTO_lock(int mode, int type, const char *file, int line)
         {
 #ifdef LOCK_DEBUG
@@ -472,17 +222,8 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 #endif
         if (type < 0)
                 {
-                if (dynlock_lock_callback != NULL)
-                        {
-                        struct CRYPTO_dynlock_value *pointer
-                                = CRYPTO_get_dynlock_value(type);
-
-                        OPENSSL_assert(pointer != NULL);
-
-                        dynlock_lock_callback(mode, pointer, file, line);
-
-                        CRYPTO_destroy_dynlockid(type);
-                        }
+                if (do_dynlock_cb)
+                        do_dynlock_cb(mode, type, file, line);
                 }
         else
                 if (locking_callback != NULL)
@@ -527,21 +268,9 @@ int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
         return(ret);
         }
 
-const char *CRYPTO_get_lock_name(int type)
-        {
-        if (type < 0)
-                return("dynamic");
-        else if (type < CRYPTO_NUM_LOCKS)
-                return(lock_names[type]);
-        else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
-                return("ERROR");
-        else
-                return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
-        }
-
 #if     defined(__i386)   || defined(__i386__)   || defined(_M_IX86) || \
         defined(__INTEL__) || \
-        defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64)
+        defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)
 
 unsigned long  OPENSSL_ia32cap_P=0;
 unsigned long *OPENSSL_ia32cap_loc(void) { return &OPENSSL_ia32cap_P; }
@@ -577,6 +306,62 @@ void OPENSSL_cpuid_setup(void) {}
 #endif
 
 #if (defined(_WIN32) || defined(__CYGWIN__)) && defined(_WINDLL)
+
+#ifdef OPENSSL_FIPS
+
+#include <tlhelp32.h>
+#if defined(__GNUC__) && __GNUC__>=2
+static int DllInit(void) __attribute__((constructor));
+#elif defined(_MSC_VER)
+static int DllInit(void);
+# ifdef _WIN64
+# pragma section(".CRT$XCU",read)
+  __declspec(allocate(".CRT$XCU"))
+# else
+# pragma data_seg(".CRT$XCU")
+# endif
+  static int (*p)(void) = DllInit;
+# pragma data_seg()
+#endif
+
+static int DllInit(void)
+{
+#if defined(_WIN32_WINNT)
+        union   { int(*f)(void); BYTE *p; } t = { DllInit };
+        HANDLE  hModuleSnap = INVALID_HANDLE_VALUE;
+        IMAGE_DOS_HEADER *dos_header;
+        IMAGE_NT_HEADERS *nt_headers;
+        MODULEENTRY32 me32 = {sizeof(me32)};
+
+        hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE,0);
+        if (hModuleSnap != INVALID_HANDLE_VALUE &&
+            Module32First(hModuleSnap,&me32)) do
+                {
+                if (t.p >= me32.modBaseAddr &&
+                    t.p <  me32.modBaseAddr+me32.modBaseSize)
+                        {
+                        dos_header=(IMAGE_DOS_HEADER *)me32.modBaseAddr;
+                        if (dos_header->e_magic==IMAGE_DOS_SIGNATURE)
+                                {
+                                nt_headers=(IMAGE_NT_HEADERS *)
+                                        ((BYTE *)dos_header+dos_header->e_lfanew);
+                                if (nt_headers->Signature==IMAGE_NT_SIGNATURE &&
+                                    me32.modBaseAddr!=(BYTE*)nt_headers->OptionalHeader.ImageBase)
+                                        OPENSSL_NONPIC_relocated=1;
+                                }
+                        break;
+                        }
+                } while (Module32Next(hModuleSnap,&me32));
+
+        if (hModuleSnap != INVALID_HANDLE_VALUE)
+                CloseHandle(hModuleSnap);
+#endif
+        OPENSSL_cpuid_setup();
+        return 0;
+}
+
+#else
+
 #ifdef __CYGWIN__
 /* pick DLL_[PROCESS|THREAD]_[ATTACH|DETACH] definitions */
 #include <windows.h>
@@ -620,6 +405,8 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
         }
 #endif
 
+#endif
+
 #if defined(_WIN32) && !defined(__CYGWIN__)
 #include <tchar.h>
 
diff --git a/src/lib/libcrypto/crypto-lib.com b/src/lib/libcrypto/crypto-lib.com
index 8898f30c1f..db9c882fb0 100644
--- a/src/lib/libcrypto/crypto-lib.com
+++ b/src/lib/libcrypto/crypto-lib.com
@@ -83,7 +83,7 @@ $ ENCRYPT_TYPES = "Basic,"+ -
                   "BUFFER,BIO,STACK,LHASH,RAND,ERR,"+ -
                   "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
                   "CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,UI,KRB5,"+ -
-                  "STORE,CMS,PQUEUE"
+                  "STORE,CMS,PQUEUE,JPAKE"
 $!
 $! Check To Make Sure We Have Valid Command Line Parameters.
 $!
@@ -161,7 +161,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str,o_dir"
+$ LIB_ = "cryptlib,dyn_lck,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid,o_time,o_str,o_dir,o_init,fips_err"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -197,9 +197,9 @@ $ LIB_EC = "ec_lib,ecp_smpl,ecp_mont,ecp_nist,ec_cvt,ec_mult,"+ -
         "ec2_smpl,ec2_mult"
 $ LIB_RSA = "rsa_eay,rsa_gen,rsa_lib,rsa_sign,rsa_saos,rsa_err,"+ -
         "rsa_pk1,rsa_ssl,rsa_none,rsa_oaep,rsa_chk,rsa_null,"+ -
-        "rsa_pss,rsa_x931,rsa_asn1,rsa_depr"
+        "rsa_pss,rsa_x931,rsa_x931g,rsa_asn1,rsa_depr,rsa_eng"
 $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,"+ -
-        "dsa_err,dsa_ossl,dsa_depr"
+        "dsa_err,dsa_ossl,dsa_depr,dsa_utl"
 $ LIB_ECDSA = "ecs_lib,ecs_asn1,ecs_ossl,ecs_sign,ecs_vrf,ecs_err"
 $ LIB_DH = "dh_asn1,dh_gen,dh_key,dh_lib,dh_check,dh_err,dh_depr"
 $ LIB_ECDH = "ech_lib,ech_ossl,ech_key,ech_err"
@@ -211,8 +211,8 @@ $ LIB_ENGINE = "eng_err,eng_lib,eng_list,eng_init,eng_ctrl,"+ -
         "tb_cipher,tb_digest,"+ -
         "eng_openssl,eng_dyn,eng_cnf,eng_cryptodev,eng_padlock"
 $ LIB_AES = "aes_core,aes_misc,aes_ecb,aes_cbc,aes_cfb,aes_ofb,"+ -
-        "aes_ctr,aes_ige,aes_wrap"
-$ LIB_BUFFER = "buffer,buf_err"
+        "aes_ctr,aes_ige"
+$ LIB_BUFFER = "buffer,buf_str,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
         "bss_mem,bss_null,bss_fd,"+ -
         "bss_file,bss_sock,bss_conn,"+ -
@@ -224,18 +224,19 @@ $ LIB_STACK = "stack"
 $ LIB_LHASH = "lhash,lh_stats"
 $ LIB_RAND = "md_rand,randfile,rand_lib,rand_err,rand_egd,"+ -
         "rand_vms"
-$ LIB_ERR = "err,err_all,err_prn"
+$ LIB_ERR = "err,err_def,err_all,err_prn,err_str,err_bio"
 $ LIB_OBJECTS = "o_names,obj_dat,obj_lib,obj_err"
-$ LIB_EVP = "encode,digest,evp_enc,evp_key,evp_acnf,"+ -
-        "e_des,e_bf,e_idea,e_des3,e_camellia,e_seed,"+ -
-        "e_rc4,e_aes,names,"+ -
-        "e_xcbc_d,e_rc2,e_cast,e_rc5"
+$ LIB_EVP = "encode,digest,dig_eng,evp_enc,evp_key,evp_acnf,evp_cnf,"+ -
+        "e_des,e_bf,e_idea,e_des3,e_camellia,"+ -
+        "e_rc4,e_aes,names,e_seed,"+ -
+        "e_xcbc_d,e_rc2,e_cast,e_rc5,enc_min"
 $ LIB_EVP_2 = "m_null,m_md2,m_md4,m_md5,m_sha,m_sha1," + -
         "m_dss,m_dss1,m_mdc2,m_ripemd,m_ecdsa,"+ -
         "p_open,p_seal,p_sign,p_verify,p_lib,p_enc,p_dec,"+ -
         "bio_md,bio_b64,bio_enc,evp_err,e_null,"+ -
         "c_all,c_allc,c_alld,evp_lib,bio_ok,"+-
         "evp_pkey,evp_pbe,p5_crpt,p5_crpt2"
+$ LIB_EVP_3 = "e_old"
 $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
         "a_print,a_type,a_set,a_dup,a_d2i_fp,a_i2d_fp,"+ -
         "a_enum,a_utf8,a_sign,a_digest,a_verify,a_mbstr,a_strex,"+ -
@@ -245,7 +246,7 @@ $ LIB_ASN1 = "a_object,a_bitstr,a_utctm,a_gentm,a_time,a_int,a_octet,"+ -
 $ LIB_ASN1_2 = "t_req,t_x509,t_x509a,t_crl,t_pkey,t_spki,t_bitst,"+ -
         "tasn_new,tasn_fre,tasn_enc,tasn_dec,tasn_utl,tasn_typ,"+ -
         "f_int,f_string,n_pkey,"+ -
-        "f_enum,a_hdr,x_pkey,a_bool,x_exten,asn_mime,"+ -
+        "f_enum,a_hdr,x_pkey,a_bool,x_exten,"+ -
         "asn1_gen,asn1_par,asn1_lib,asn1_err,a_meth,a_bytes,a_strnid,"+ -
         "evp_asn1,asn_pack,p5_pbe,p5_pbev2,p8_pkey,asn_moid"
 $ LIB_PEM = "pem_sign,pem_seal,pem_info,pem_lib,pem_all,pem_err,"+ -
@@ -280,6 +281,7 @@ $ LIB_STORE = "str_err,str_lib,str_meth,str_mem"
 $ LIB_CMS = "cms_lib,cms_asn1,cms_att,cms_io,cms_smime,cms_err,"+ -
         "cms_sd,cms_dd,cms_cd,cms_env,cms_enc,cms_ess"
 $ LIB_PQUEUE = "pqueue"
+$ LIB_JPAKE = "jpake,jpake_err"
 $!
 $! Setup exceptional compilations
 $!
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index fe2c1d6403..0e4fb0723c 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -219,7 +219,13 @@ typedef struct openssl_item_st
 #define CRYPTO_LOCK_EC_PRE_COMP         36
 #define CRYPTO_LOCK_STORE               37
 #define CRYPTO_LOCK_COMP                38
+#ifndef OPENSSL_FIPS
 #define CRYPTO_NUM_LOCKS                39
+#else
+#define CRYPTO_LOCK_FIPS                39
+#define CRYPTO_LOCK_FIPS2               40
+#define CRYPTO_NUM_LOCKS                41
+#endif
 
 #define CRYPTO_LOCK             1
 #define CRYPTO_UNLOCK           2
@@ -341,14 +347,7 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 
 /* Set standard debugging functions (not done by default
  * unless CRYPTO_MDEBUG is defined) */
-#define CRYPTO_malloc_debug_init()      do {\
-        CRYPTO_set_mem_debug_functions(\
-                CRYPTO_dbg_malloc,\
-                CRYPTO_dbg_realloc,\
-                CRYPTO_dbg_free,\
-                CRYPTO_dbg_set_options,\
-                CRYPTO_dbg_get_options);\
-        } while(0)
+void CRYPTO_malloc_debug_init(void);
 
 int CRYPTO_mem_ctrl(int mode);
 int CRYPTO_is_mem_check_on(void);
@@ -363,6 +362,7 @@ int CRYPTO_is_mem_check_on(void);
 #define is_MemCheck_on() CRYPTO_is_mem_check_on()
 
 #define OPENSSL_malloc(num)     CRYPTO_malloc((int)num,__FILE__,__LINE__)
+#define OPENSSL_strdup(str)     CRYPTO_strdup((str),__FILE__,__LINE__)
 #define OPENSSL_realloc(addr,num) \
         CRYPTO_realloc((char *)addr,(int)num,__FILE__,__LINE__)
 #define OPENSSL_realloc_clean(addr,old_num,num) \
@@ -427,6 +427,9 @@ const char *CRYPTO_get_lock_name(int type);
 int CRYPTO_add_lock(int *pointer,int amount,int type, const char *file,
                     int line);
 
+void int_CRYPTO_set_do_dynlock_callback(
+        void (*do_dynlock_cb)(int mode, int type, const char *file, int line));
+
 int CRYPTO_get_new_dynlockid(void);
 void CRYPTO_destroy_dynlockid(int i);
 struct CRYPTO_dynlock_value *CRYPTO_get_dynlock_value(int i);
@@ -451,6 +454,10 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
                                    void (*f)(void *,int),
                                    void (*so)(long),
                                    long (*go)(void));
+void CRYPTO_set_mem_info_functions(
+        int  (*push_info_fn)(const char *info, const char *file, int line),
+        int  (*pop_info_fn)(void),
+        int (*remove_all_info_fn)(void));
 void CRYPTO_get_mem_functions(void *(**m)(size_t),void *(**r)(void *, size_t), void (**f)(void *));
 void CRYPTO_get_locked_mem_functions(void *(**m)(size_t), void (**f)(void *));
 void CRYPTO_get_mem_ex_functions(void *(**m)(size_t,const char *,int),
@@ -467,6 +474,7 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
 void *CRYPTO_malloc_locked(int num, const char *file, int line);
 void CRYPTO_free_locked(void *);
 void *CRYPTO_malloc(int num, const char *file, int line);
+char *CRYPTO_strdup(const char *str, const char *file, int line);
 void CRYPTO_free(void *);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
@@ -506,6 +514,9 @@ void CRYPTO_dbg_free(void *addr,int before_p);
 void CRYPTO_dbg_set_options(long bits);
 long CRYPTO_dbg_get_options(void);
 
+int CRYPTO_dbg_push_info(const char *info, const char *file, int line);
+int CRYPTO_dbg_pop_info(void);
+int CRYPTO_dbg_remove_all_info(void);
 
 #ifndef OPENSSL_NO_FP_API
 void CRYPTO_mem_leaks_fp(FILE *);
@@ -523,12 +534,69 @@ unsigned long *OPENSSL_ia32cap_loc(void);
 #define OPENSSL_ia32cap (*(OPENSSL_ia32cap_loc()))
 int OPENSSL_isservice(void);
 
+#ifdef OPENSSL_FIPS
+#define FIPS_ERROR_IGNORED(alg) OpenSSLDie(__FILE__, __LINE__, \
+                alg " previous FIPS forbidden algorithm error ignored");
+
+#define FIPS_BAD_ABORT(alg) OpenSSLDie(__FILE__, __LINE__, \
+                #alg " Algorithm forbidden in FIPS mode");
+
+#ifdef OPENSSL_FIPS_STRICT
+#define FIPS_BAD_ALGORITHM(alg) FIPS_BAD_ABORT(alg)
+#else
+#define FIPS_BAD_ALGORITHM(alg) \
+        { \
+        FIPSerr(FIPS_F_HASH_FINAL,FIPS_R_NON_FIPS_METHOD); \
+        ERR_add_error_data(2, "Algorithm=", #alg); \
+        return 0; \
+        }
+#endif
+
+/* Low level digest API blocking macro */
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ALGORITHM(alg) \
+                return private_##alg##_Init(c); \
+                } \
+        int private_##alg##_Init(alg##_CTX *c)
+
+/* For ciphers the API often varies from cipher to cipher and each needs to
+ * be treated as a special case. Variable key length ciphers (Blowfish, RC4,
+ * CAST) however are very similar and can use a blocking macro.
+ */
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data) \
+                { \
+                if (FIPS_mode()) \
+                        FIPS_BAD_ABORT(alg) \
+                private_##alg##_set_key(key, len, data); \
+                } \
+        void private_##alg##_set_key(alg##_KEY *key, int len, \
+                                        const unsigned char *data)
+
+#else
+
+#define FIPS_NON_FIPS_VCIPHER_Init(alg) \
+        void alg##_set_key(alg##_KEY *key, int len, const unsigned char *data)
+
+#define FIPS_NON_FIPS_MD_Init(alg) \
+        int alg##_Init(alg##_CTX *c) 
+
+#endif /* def OPENSSL_FIPS */
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
  */
 void ERR_load_CRYPTO_strings(void);
 
+#define OPENSSL_HAVE_INIT       1
+void OPENSSL_init(void);
+
 /* Error codes for the CRYPTO functions. */
 
 /* Function codes. */
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index 0fe4e0b2ad..22701e0669 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -293,6 +293,8 @@ void DES_decrypt3(DES_LONG *data, DES_key_schedule *ks1,
 
 #ifndef DES_DEFAULT_OPTIONS
 
+#if !defined(OPENSSL_FIPS_DES_ASM)
+
 #undef CBC_ENC_C__DONT_UPDATE_IV
 #include "ncbc_enc.c" /* DES_ncbc_encrypt */
 
@@ -408,4 +410,6 @@ void DES_ede3_cbc_encrypt(const unsigned char *input, unsigned char *output,
         tin[0]=tin[1]=0;
         }
 
+#endif
+
 #endif /* DES_DEFAULT_OPTIONS */
diff --git a/src/lib/libcrypto/des/ecb_enc.c b/src/lib/libcrypto/des/ecb_enc.c
index 00d5b91e8c..75ae6cf8bb 100644
--- a/src/lib/libcrypto/des/ecb_enc.c
+++ b/src/lib/libcrypto/des/ecb_enc.c
@@ -57,54 +57,7 @@
  */
 
 #include "des_locl.h"
-#include "des_ver.h"
 #include "spr.h"
-#include <openssl/opensslv.h>
-#include <openssl/bio.h>
-
-OPENSSL_GLOBAL const char libdes_version[]="libdes" OPENSSL_VERSION_PTEXT;
-OPENSSL_GLOBAL const char DES_version[]="DES" OPENSSL_VERSION_PTEXT;
-
-const char *DES_options(void)
-        {
-        static int init=1;
-        static char buf[32];
-
-        if (init)
-                {
-                const char *ptr,*unroll,*risc,*size;
-
-#ifdef DES_PTR
-                ptr="ptr";
-#else
-                ptr="idx";
-#endif
-#if defined(DES_RISC1) || defined(DES_RISC2)
-#ifdef DES_RISC1
-                risc="risc1";
-#endif
-#ifdef DES_RISC2
-                risc="risc2";
-#endif
-#else
-                risc="cisc";
-#endif
-#ifdef DES_UNROLL
-                unroll="16";
-#else
-                unroll="4";
-#endif
-                if (sizeof(DES_LONG) != sizeof(long))
-                        size="int";
-                else
-                        size="long";
-                BIO_snprintf(buf,sizeof buf,"des(%s,%s,%s,%s)",ptr,risc,unroll,
-                             size);
-                init=0;
-                }
-        return(buf);
-        }
-                
 
 void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
                      DES_key_schedule *ks, int enc)
diff --git a/src/lib/libcrypto/des/enc_read.c b/src/lib/libcrypto/des/enc_read.c
index c70fb686b8..e7da2ec66b 100644
--- a/src/lib/libcrypto/des/enc_read.c
+++ b/src/lib/libcrypto/des/enc_read.c
@@ -147,7 +147,11 @@ int DES_enc_read(int fd, void *buf, int len, DES_key_schedule *sched,
         /* first - get the length */
         while (net_num < HDRSIZE) 
                 {
+#ifndef _WIN32
                 i=read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
+#else
+                i=_read(fd,(void *)&(net[net_num]),HDRSIZE-net_num);
+#endif
 #ifdef EINTR
                 if ((i == -1) && (errno == EINTR)) continue;
 #endif
diff --git a/src/lib/libcrypto/des/enc_writ.c b/src/lib/libcrypto/des/enc_writ.c
index af5b8c2349..c2f032c9a6 100644
--- a/src/lib/libcrypto/des/enc_writ.c
+++ b/src/lib/libcrypto/des/enc_writ.c
@@ -153,7 +153,11 @@ int DES_enc_write(int fd, const void *_buf, int len,
                 {
                 /* eay 26/08/92 I was not doing writing from where we
                  * got up to. */
+#ifndef _WIN32
                 i=write(fd,(void *)&(outbuf[j]),outnum-j);
+#else
+                i=_write(fd,(void *)&(outbuf[j]),outnum-j);
+#endif
                 if (i == -1)
                         {
 #ifdef EINTR
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index a43ef3c881..c0806d593c 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -64,6 +64,10 @@
  * 1.0 First working version
  */
 #include "des_locl.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key);    /* defaults to false */
 
@@ -349,6 +353,10 @@ void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
         k = &schedule->ks->deslong[0];
         in = &(*key)[0];
 
+#ifdef OPENSSL_FIPS
+        FIPS_selftest_check();
+#endif
+
         c2l(in,c);
         c2l(in,d);
 
@@ -405,3 +413,4 @@ void des_fixup_key_parity(des_cblock *key)
         des_set_odd_parity(key);
         }
 */
+
diff --git a/src/lib/libcrypto/dh/Makefile b/src/lib/libcrypto/dh/Makefile
index 950cad9c5b..d01fa960eb 100644
--- a/src/lib/libcrypto/dh/Makefile
+++ b/src/lib/libcrypto/dh/Makefile
@@ -33,7 +33,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -129,11 +129,11 @@ dh_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 dh_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 dh_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 dh_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-dh_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-dh_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dh_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-dh_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-dh_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dh_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-dh_lib.o: ../cryptlib.h dh_lib.c
+dh_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+dh_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dh_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dh_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dh_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+dh_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dh_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+dh_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h dh_lib.c
diff --git a/src/lib/libcrypto/dh/dh.h b/src/lib/libcrypto/dh/dh.h
index 0afabc7dd3..0a39742773 100644
--- a/src/lib/libcrypto/dh/dh.h
+++ b/src/lib/libcrypto/dh/dh.h
@@ -77,6 +77,8 @@
 # define OPENSSL_DH_MAX_MODULUS_BITS    10000
 #endif
 
+#define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
+
 #define DH_FLAG_CACHE_MONT_P     0x01
 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
                                        * implementation now uses constant time
@@ -167,6 +169,11 @@ struct dh_st
 
 const DH_METHOD *DH_OpenSSL(void);
 
+#ifdef OPENSSL_FIPS
+DH *    FIPS_dh_new(void);
+void    FIPS_dh_free(DH *dh);
+#endif
+
 void DH_set_default_method(const DH_METHOD *meth);
 const DH_METHOD *DH_get_default_method(void);
 int DH_set_method(DH *dh, const DH_METHOD *meth);
@@ -218,6 +225,9 @@ void ERR_load_DH_strings(void);
 #define DH_F_DHPARAMS_PRINT                              100
 #define DH_F_DHPARAMS_PRINT_FP                           101
 #define DH_F_DH_BUILTIN_GENPARAMS                        106
+#define DH_F_DH_COMPUTE_KEY                              107
+#define DH_F_DH_GENERATE_KEY                             108
+#define DH_F_DH_GENERATE_PARAMETERS                      109
 #define DH_F_DH_NEW_METHOD                               105
 #define DH_F_GENERATE_KEY                                103
 #define DH_F_GENERATE_PARAMETERS                         104
@@ -225,6 +235,7 @@ void ERR_load_DH_strings(void);
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR                               101
 #define DH_R_INVALID_PUBKEY                              102
+#define DH_R_KEY_SIZE_TOO_SMALL                          104
 #define DH_R_MODULUS_TOO_LARGE                           103
 #define DH_R_NO_PRIVATE_VALUE                            100
 #define DH_R_INVALID_PUBKEY                              102
diff --git a/src/lib/libcrypto/dh/dh_asn1.c b/src/lib/libcrypto/dh/dh_asn1.c
index 769b5b68c5..76740af2bd 100644
--- a/src/lib/libcrypto/dh/dh_asn1.c
+++ b/src/lib/libcrypto/dh/dh_asn1.c
@@ -1,5 +1,5 @@
 /* dh_asn1.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index b846913004..316cb9221d 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -70,6 +70,8 @@
  * should hold.
  */
 
+#ifndef OPENSSL_FIPS
+
 int DH_check(const DH *dh, int *ret)
         {
         int ok=0;
@@ -140,3 +142,5 @@ err:
         if (q != NULL) BN_free(q);
         return(ok);
         }
+
+#endif
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index b2361c7389..b364362fca 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /* crypto/dh/dh_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -74,6 +74,9 @@ static ERR_STRING_DATA DH_str_functs[]=
 {ERR_FUNC(DH_F_DHPARAMS_PRINT), "DHparams_print"},
 {ERR_FUNC(DH_F_DHPARAMS_PRINT_FP),      "DHparams_print_fp"},
 {ERR_FUNC(DH_F_DH_BUILTIN_GENPARAMS),   "DH_BUILTIN_GENPARAMS"},
+{ERR_FUNC(DH_F_DH_COMPUTE_KEY), "DH_compute_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_KEY),        "DH_generate_key"},
+{ERR_FUNC(DH_F_DH_GENERATE_PARAMETERS), "DH_generate_parameters"},
 {ERR_FUNC(DH_F_DH_NEW_METHOD),  "DH_new_method"},
 {ERR_FUNC(DH_F_GENERATE_KEY),   "GENERATE_KEY"},
 {ERR_FUNC(DH_F_GENERATE_PARAMETERS),    "GENERATE_PARAMETERS"},
@@ -84,6 +87,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
         {
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
 {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
+{ERR_REASON(DH_R_KEY_SIZE_TOO_SMALL)     ,"key size too small"},
 {ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index cfd5b11868..999e1deb40 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -66,6 +66,8 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 
+#ifndef OPENSSL_FIPS
+
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb);
 
 int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, BN_GENCB *cb)
@@ -173,3 +175,5 @@ err:
                 }
         return ok;
         }
+
+#endif
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index e7db440342..79dd331863 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -62,6 +62,8 @@
 #include <openssl/rand.h>
 #include <openssl/dh.h>
 
+#ifndef OPENSSL_FIPS
+
 static int generate_key(DH *dh);
 static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 static int dh_bn_mod_exp(const DH *dh, BIGNUM *r,
@@ -261,3 +263,5 @@ static int dh_finish(DH *dh)
                 BN_MONT_CTX_free(dh->method_mont_p);
         return(1);
         }
+
+#endif
diff --git a/src/lib/libcrypto/dsa/Makefile b/src/lib/libcrypto/dsa/Makefile
index 5493f19e85..2cc45cdc62 100644
--- a/src/lib/libcrypto/dsa/Makefile
+++ b/src/lib/libcrypto/dsa/Makefile
@@ -18,9 +18,9 @@ APPS=
 
 LIB=$(TOP)/libcrypto.a
 LIBSRC= dsa_gen.c dsa_key.c dsa_lib.c dsa_asn1.c dsa_vrf.c dsa_sign.c \
-        dsa_err.c dsa_ossl.c dsa_depr.c
+        dsa_err.c dsa_ossl.c dsa_depr.c dsa_utl.c
 LIBOBJ= dsa_gen.o dsa_key.o dsa_lib.o dsa_asn1.o dsa_vrf.o dsa_sign.o \
-        dsa_err.o dsa_ossl.o dsa_depr.o
+        dsa_err.o dsa_ossl.o dsa_depr.o dsa_utl.o
 
 SRC= $(LIBSRC)
 
@@ -35,7 +35,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -78,9 +78,10 @@ clean:
 
 dsa_asn1.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_asn1.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
-dsa_asn1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-dsa_asn1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_asn1.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+dsa_asn1.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
+dsa_asn1.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
+dsa_asn1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+dsa_asn1.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
 dsa_asn1.o: ../../include/openssl/opensslconf.h
 dsa_asn1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_asn1.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
@@ -90,8 +91,9 @@ dsa_depr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_depr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_depr.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_depr.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-dsa_depr.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-dsa_depr.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_depr.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+dsa_depr.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dsa_depr.o: ../../include/openssl/opensslconf.h
 dsa_depr.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_depr.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_depr.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -108,12 +110,13 @@ dsa_gen.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_gen.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_gen.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 dsa_gen.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-dsa_gen.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-dsa_gen.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-dsa_gen.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_gen.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-dsa_gen.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-dsa_gen.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_gen.c
+dsa_gen.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+dsa_gen.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dsa_gen.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_gen.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+dsa_gen.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dsa_gen.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dsa_gen.o: ../cryptlib.h dsa_gen.c
 dsa_key.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_key.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
@@ -129,14 +132,14 @@ dsa_lib.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
 dsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 dsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 dsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-dsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-dsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-dsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-dsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-dsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-dsa_lib.o: ../cryptlib.h dsa_lib.c
+dsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+dsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dsa_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+dsa_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+dsa_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h dsa_lib.c
 dsa_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -151,19 +154,34 @@ dsa_sign.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_sign.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 dsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 dsa_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
-dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
-dsa_sign.o: ../../include/openssl/opensslconf.h
+dsa_sign.o: ../../include/openssl/err.h ../../include/openssl/fips.h
+dsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 dsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 dsa_sign.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 dsa_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 dsa_sign.o: ../cryptlib.h dsa_sign.c
+dsa_utl.o: ../../e_os.h ../../include/openssl/asn1.h
+dsa_utl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+dsa_utl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+dsa_utl.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+dsa_utl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+dsa_utl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+dsa_utl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+dsa_utl.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+dsa_utl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+dsa_utl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+dsa_utl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+dsa_utl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+dsa_utl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+dsa_utl.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+dsa_utl.o: ../../include/openssl/x509_vfy.h ../cryptlib.h dsa_utl.c
 dsa_vrf.o: ../../e_os.h ../../include/openssl/asn1.h
 dsa_vrf.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 dsa_vrf.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 dsa_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h
 dsa_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-dsa_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-dsa_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-dsa_vrf.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-dsa_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-dsa_vrf.o: ../cryptlib.h dsa_vrf.c
+dsa_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+dsa_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dsa_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+dsa_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+dsa_vrf.o: ../../include/openssl/symhacks.h ../cryptlib.h dsa_vrf.c
diff --git a/src/lib/libcrypto/dsa/dsa.h b/src/lib/libcrypto/dsa/dsa.h
index 3a8fe5b56b..702c50d6dc 100644
--- a/src/lib/libcrypto/dsa/dsa.h
+++ b/src/lib/libcrypto/dsa/dsa.h
@@ -88,6 +88,8 @@
 # define OPENSSL_DSA_MAX_MODULUS_BITS   10000
 #endif
 
+#define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
+
 #define DSA_FLAG_CACHE_MONT_P   0x01
 #define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
                                               * implementation now uses constant time
@@ -97,6 +99,25 @@
                                               * be used for all exponents.
                                               */
 
+/* If this flag is set the DSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define DSA_FLAG_FIPS_METHOD                    0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define DSA_FLAG_NON_FIPS_ALLOW                 0x0400
+
+#ifdef OPENSSL_FIPS
+#define FIPS_DSA_SIZE_T int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -189,6 +210,11 @@ void	DSA_set_default_method(const DSA_METHOD *);
 const DSA_METHOD *DSA_get_default_method(void);
 int     DSA_set_method(DSA *dsa, const DSA_METHOD *);
 
+#ifdef OPENSSL_FIPS
+DSA *   FIPS_dsa_new(void);
+void    FIPS_dsa_free (DSA *r);
+#endif
+
 DSA *   DSA_new(void);
 DSA *   DSA_new_method(ENGINE *engine);
 void    DSA_free (DSA *r);
@@ -249,6 +275,11 @@ int	DSA_print_fp(FILE *bp, const DSA *x, int off);
 DH *DSA_dup_DH(const DSA *r);
 #endif
 
+#ifdef OPENSSL_FIPS
+int FIPS_dsa_sig_encode(unsigned char *out, DSA_SIG *sig);
+int FIPS_dsa_sig_decode(DSA_SIG *sig, const unsigned char *in, int inlen);
+#endif
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -261,11 +292,16 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_D2I_DSA_SIG                                110
 #define DSA_F_DSAPARAMS_PRINT                            100
 #define DSA_F_DSAPARAMS_PRINT_FP                         101
+#define DSA_F_DSA_BUILTIN_KEYGEN                         119
+#define DSA_F_DSA_BUILTIN_PARAMGEN                       118
 #define DSA_F_DSA_DO_SIGN                                112
 #define DSA_F_DSA_DO_VERIFY                              113
+#define DSA_F_DSA_GENERATE_PARAMETERS                    117
 #define DSA_F_DSA_NEW_METHOD                             103
 #define DSA_F_DSA_PRINT                                  104
 #define DSA_F_DSA_PRINT_FP                               105
+#define DSA_F_DSA_SET_DEFAULT_METHOD                     115
+#define DSA_F_DSA_SET_METHOD                             116
 #define DSA_F_DSA_SIGN                                   106
 #define DSA_F_DSA_SIGN_SETUP                             107
 #define DSA_F_DSA_SIG_NEW                                109
@@ -276,8 +312,11 @@ void ERR_load_DSA_strings(void);
 /* Reason codes. */
 #define DSA_R_BAD_Q_VALUE                                102
 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE                100
+#define DSA_R_KEY_SIZE_TOO_SMALL                         106
 #define DSA_R_MISSING_PARAMETERS                         101
 #define DSA_R_MODULUS_TOO_LARGE                          103
+#define DSA_R_NON_FIPS_METHOD                            104
+#define DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE         105
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index 23fce555aa..0645facb4b 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -1,5 +1,5 @@
 /* dsa_asn1.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
@@ -61,6 +61,11 @@
 #include <openssl/dsa.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
+#include <openssl/bn.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 /* Override the default new methods */
 static int sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
@@ -83,7 +88,7 @@ ASN1_SEQUENCE_cb(DSA_SIG, sig_cb) = {
         ASN1_SIMPLE(DSA_SIG, s, CBIGNUM)
 } ASN1_SEQUENCE_END_cb(DSA_SIG, DSA_SIG)
 
-IMPLEMENT_ASN1_FUNCTIONS_const(DSA_SIG)
+IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA_SIG,DSA_SIG,DSA_SIG)
 
 /* Override the default free and new methods */
 static int dsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
@@ -138,3 +143,76 @@ ASN1_CHOICE_cb(DSAPublicKey, dsa_cb) = {
 } ASN1_CHOICE_END_cb(DSA, DSAPublicKey, write_params)
 
 IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(DSA, DSAPublicKey, DSAPublicKey)
+
+int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
+             unsigned int *siglen, DSA *dsa)
+        {
+        DSA_SIG *s;
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_SIGN, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
+        s=DSA_do_sign(dgst,dlen,dsa);
+        if (s == NULL)
+                {
+                *siglen=0;
+                return(0);
+                }
+        *siglen=i2d_DSA_SIG(s,&sig);
+        DSA_SIG_free(s);
+        return(1);
+        }
+
+int DSA_size(const DSA *r)
+        {
+        int ret,i;
+        ASN1_INTEGER bs;
+        unsigned char buf[4];   /* 4 bytes looks really small.
+                                   However, i2d_ASN1_INTEGER() will not look
+                                   beyond the first byte, as long as the second
+                                   parameter is NULL. */
+
+        i=BN_num_bits(r->q);
+        bs.length=(i+7)/8;
+        bs.data=buf;
+        bs.type=V_ASN1_INTEGER;
+        /* If the top bit is set the asn1 encoding is 1 larger. */
+        buf[0]=0xff;    
+
+        i=i2d_ASN1_INTEGER(&bs,NULL);
+        i+=i; /* r and s */
+        ret=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
+        return(ret);
+        }
+
+/* data has already been hashed (probably with SHA or SHA-1). */
+/* returns
+ *      1: correct signature
+ *      0: incorrect signature
+ *     -1: error
+ */
+int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+             const unsigned char *sigbuf, int siglen, DSA *dsa)
+        {
+        DSA_SIG *s;
+        int ret=-1;
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_VERIFY, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
+
+        s = DSA_SIG_new();
+        if (s == NULL) return(ret);
+        if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
+        ret=DSA_do_verify(dgst,dgst_len,s,dsa);
+err:
+        DSA_SIG_free(s);
+        return(ret);
+        }
+
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index 768711994b..872839af94 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/dsa/dsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -73,11 +73,16 @@ static ERR_STRING_DATA DSA_str_functs[]=
 {ERR_FUNC(DSA_F_D2I_DSA_SIG),   "d2i_DSA_SIG"},
 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT),       "DSAparams_print"},
 {ERR_FUNC(DSA_F_DSAPARAMS_PRINT_FP),    "DSAparams_print_fp"},
+{ERR_FUNC(DSA_F_DSA_BUILTIN_KEYGEN),    "DSA_BUILTIN_KEYGEN"},
+{ERR_FUNC(DSA_F_DSA_BUILTIN_PARAMGEN),  "DSA_BUILTIN_PARAMGEN"},
 {ERR_FUNC(DSA_F_DSA_DO_SIGN),   "DSA_do_sign"},
 {ERR_FUNC(DSA_F_DSA_DO_VERIFY), "DSA_do_verify"},
+{ERR_FUNC(DSA_F_DSA_GENERATE_PARAMETERS),       "DSA_generate_parameters"},
 {ERR_FUNC(DSA_F_DSA_NEW_METHOD),        "DSA_new_method"},
 {ERR_FUNC(DSA_F_DSA_PRINT),     "DSA_print"},
 {ERR_FUNC(DSA_F_DSA_PRINT_FP),  "DSA_print_fp"},
+{ERR_FUNC(DSA_F_DSA_SET_DEFAULT_METHOD),        "DSA_set_default_method"},
+{ERR_FUNC(DSA_F_DSA_SET_METHOD),        "DSA_set_method"},
 {ERR_FUNC(DSA_F_DSA_SIGN),      "DSA_sign"},
 {ERR_FUNC(DSA_F_DSA_SIGN_SETUP),        "DSA_sign_setup"},
 {ERR_FUNC(DSA_F_DSA_SIG_NEW),   "DSA_SIG_new"},
@@ -91,8 +96,11 @@ static ERR_STRING_DATA DSA_str_reasons[]=
         {
 {ERR_REASON(DSA_R_BAD_Q_VALUE)           ,"bad q value"},
 {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
+{ERR_REASON(DSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
 {ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
 {ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
+{ERR_REASON(DSA_R_NON_FIPS_METHOD)       ,"non fips method"},
+{ERR_REASON(DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
 {0,NULL}
         };
 
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index ca0b86a6cf..6f1728e3cf 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -82,6 +82,8 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 
+#ifndef OPENSSL_FIPS
+
 static int dsa_builtin_paramgen(DSA *ret, int bits,
                 unsigned char *seed_in, int seed_len,
                 int *counter_ret, unsigned long *h_ret, BN_GENCB *cb);
@@ -320,3 +322,4 @@ err:
         return ok;
         }
 #endif
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_key.c b/src/lib/libcrypto/dsa/dsa_key.c
index c4aa86bc6d..5e39124230 100644
--- a/src/lib/libcrypto/dsa/dsa_key.c
+++ b/src/lib/libcrypto/dsa/dsa_key.c
@@ -64,6 +64,8 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 
+#ifndef OPENSSL_FIPS
+
 static int dsa_builtin_keygen(DSA *dsa);
 
 int DSA_generate_key(DSA *dsa)
@@ -126,3 +128,5 @@ err:
         return(ok);
         }
 #endif
+
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index e9b75902db..7ac9dc8c89 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -76,6 +76,14 @@ static const DSA_METHOD *default_DSA_method = NULL;
 
 void DSA_set_default_method(const DSA_METHOD *meth)
         {
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(meth->flags & DSA_FLAG_FIPS_METHOD))
+                {
+                DSAerr(DSA_F_DSA_SET_DEFAULT_METHOD, DSA_R_NON_FIPS_METHOD);
+                return;
+                }
+#endif
+                
         default_DSA_method = meth;
         }
 
@@ -96,6 +104,13 @@ int DSA_set_method(DSA *dsa, const DSA_METHOD *meth)
         /* NB: The caller is specifically setting a method, so it's not up to us
          * to deal with which ENGINE it comes from. */
         const DSA_METHOD *mtmp;
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(meth->flags & DSA_FLAG_FIPS_METHOD))
+                {
+                DSAerr(DSA_F_DSA_SET_METHOD, DSA_R_NON_FIPS_METHOD);
+                return 0;
+                }
+#endif
         mtmp = dsa->meth;
         if (mtmp->finish) mtmp->finish(dsa);
 #ifndef OPENSSL_NO_ENGINE
@@ -147,6 +162,18 @@ DSA *DSA_new_method(ENGINE *engine)
                         }
                 }
 #endif
+#ifdef OPENSSL_FIPS
+        if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD))
+                {
+                DSAerr(DSA_F_DSA_NEW_METHOD, DSA_R_NON_FIPS_METHOD);
+#ifndef OPENSSL_NO_ENGINE
+                if (ret->engine)
+                        ENGINE_finish(ret->engine);
+#endif
+                OPENSSL_free(ret);
+                return NULL;
+                }
+#endif
 
         ret->pad=0;
         ret->version=0;
@@ -233,28 +260,6 @@ int DSA_up_ref(DSA *r)
         return ((i > 1) ? 1 : 0);
         }
 
-int DSA_size(const DSA *r)
-        {
-        int ret,i;
-        ASN1_INTEGER bs;
-        unsigned char buf[4];   /* 4 bytes looks really small.
-                                   However, i2d_ASN1_INTEGER() will not look
-                                   beyond the first byte, as long as the second
-                                   parameter is NULL. */
-
-        i=BN_num_bits(r->q);
-        bs.length=(i+7)/8;
-        bs.data=buf;
-        bs.type=V_ASN1_INTEGER;
-        /* If the top bit is set the asn1 encoding is 1 larger. */
-        buf[0]=0xff;    
-
-        i=i2d_ASN1_INTEGER(&bs,NULL);
-        i+=i; /* r and s */
-        ret=ASN1_object_size(1,i,V_ASN1_SEQUENCE);
-        return(ret);
-        }
-
 int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
              CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index 75ff7cc4af..412cf1d88b 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -65,6 +65,8 @@
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
 
+#ifndef OPENSSL_FIPS
+
 static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp);
 static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
@@ -391,3 +393,4 @@ static int dsa_finish(DSA *dsa)
         return(1);
 }
 
+#endif
diff --git a/src/lib/libcrypto/dsa/dsa_sign.c b/src/lib/libcrypto/dsa/dsa_sign.c
index 89205026f0..4cfbbe57a8 100644
--- a/src/lib/libcrypto/dsa/dsa_sign.c
+++ b/src/lib/libcrypto/dsa/dsa_sign.c
@@ -64,29 +64,32 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 
-DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
-        {
-        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
-        }
 
-int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig,
-             unsigned int *siglen, DSA *dsa)
+DSA_SIG * DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
         {
-        DSA_SIG *s;
-        s=DSA_do_sign(dgst,dlen,dsa);
-        if (s == NULL)
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
                 {
-                *siglen=0;
-                return(0);
+                DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return NULL;
                 }
-        *siglen=i2d_DSA_SIG(s,&sig);
-        DSA_SIG_free(s);
-        return(1);
+#endif
+        return dsa->meth->dsa_do_sign(dgst, dlen, dsa);
         }
 
 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp);
         }
 
diff --git a/src/lib/libcrypto/dsa/dsa_vrf.c b/src/lib/libcrypto/dsa/dsa_vrf.c
index c4aeddd056..c75e423048 100644
--- a/src/lib/libcrypto/dsa/dsa_vrf.c
+++ b/src/lib/libcrypto/dsa/dsa_vrf.c
@@ -64,31 +64,21 @@
 #include <openssl/dsa.h>
 #include <openssl/rand.h>
 #include <openssl/asn1.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include <openssl/asn1_mac.h>
 
 int DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                   DSA *dsa)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+                {
+                DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa);
         }
-
-/* data has already been hashed (probably with SHA or SHA-1). */
-/* returns
- *      1: correct signature
- *      0: incorrect signature
- *     -1: error
- */
-int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
-             const unsigned char *sigbuf, int siglen, DSA *dsa)
-        {
-        DSA_SIG *s;
-        int ret=-1;
-
-        s = DSA_SIG_new();
-        if (s == NULL) return(ret);
-        if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
-        ret=DSA_do_verify(dgst,dgst_len,s,dsa);
-err:
-        DSA_SIG_free(s);
-        return(ret);
-        }
diff --git a/src/lib/libcrypto/ecdh/Makefile b/src/lib/libcrypto/ecdh/Makefile
index 65d8904ee8..7a7b618eeb 100644
--- a/src/lib/libcrypto/ecdh/Makefile
+++ b/src/lib/libcrypto/ecdh/Makefile
@@ -34,7 +34,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -88,26 +88,27 @@ ech_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ech_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 ech_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ech_key.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-ech_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-ech_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ech_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-ech_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ech_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-ech_key.o: ../../include/openssl/x509_vfy.h ech_key.c ech_locl.h
+ech_key.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+ech_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ech_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ech_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ech_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ech_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ech_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ech_key.o: ech_key.c ech_locl.h
 ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ech_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ech_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 ech_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ech_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-ech_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-ech_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-ech_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-ech_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-ech_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-ech_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-ech_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-ech_lib.o: ech_lib.c ech_locl.h
+ech_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+ech_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+ech_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ech_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+ech_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+ech_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+ech_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ech_lib.o: ../../include/openssl/x509_vfy.h ech_lib.c ech_locl.h
 ech_ossl.o: ../../e_os.h ../../include/openssl/asn1.h
 ech_ossl.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 ech_ossl.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
diff --git a/src/lib/libcrypto/ecdsa/Makefile b/src/lib/libcrypto/ecdsa/Makefile
index 9b48d5641f..4865f3c8d6 100644
--- a/src/lib/libcrypto/ecdsa/Makefile
+++ b/src/lib/libcrypto/ecdsa/Makefile
@@ -34,7 +34,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -97,13 +97,14 @@ ecs_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 ecs_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 ecs_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 ecs_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-ecs_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-ecs_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-ecs_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-ecs_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ecs_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-ecs_lib.o: ../../include/openssl/x509_vfy.h ecs_lib.c ecs_locl.h
+ecs_lib.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+ecs_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ecs_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecs_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ecs_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ecs_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecs_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ecs_lib.o: ecs_lib.c ecs_locl.h
 ecs_ossl.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecs_ossl.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecs_ossl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
@@ -118,8 +119,9 @@ ecs_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ecs_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 ecs_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ecs_sign.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-ecs_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-ecs_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+ecs_sign.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+ecs_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ecs_sign.o: ../../include/openssl/opensslconf.h
 ecs_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecs_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 ecs_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -130,10 +132,11 @@ ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 ecs_vrf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/evp.h
-ecs_vrf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-ecs_vrf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-ecs_vrf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-ecs_vrf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-ecs_vrf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-ecs_vrf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-ecs_vrf.o: ../../include/openssl/x509_vfy.h ecs_locl.h ecs_vrf.c
+ecs_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+ecs_vrf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+ecs_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+ecs_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+ecs_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+ecs_vrf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+ecs_vrf.o: ecs_locl.h ecs_vrf.c
diff --git a/src/lib/libcrypto/engine/Makefile b/src/lib/libcrypto/engine/Makefile
index 47cc619b8a..0cc3722089 100644
--- a/src/lib/libcrypto/engine/Makefile
+++ b/src/lib/libcrypto/engine/Makefile
@@ -41,7 +41,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -88,34 +88,35 @@ eng_all.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_all.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_all.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_all.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-eng_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-eng_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-eng_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-eng_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_all.c eng_int.h
+eng_all.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+eng_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+eng_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+eng_all.o: ../cryptlib.h eng_all.c eng_int.h
 eng_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 eng_cnf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_cnf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_cnf.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-eng_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-eng_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_cnf.o: ../cryptlib.h eng_cnf.c eng_int.h
+eng_cnf.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_cnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_cnf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_cnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_cnf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_cnf.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_cnf.c eng_int.h
 eng_cryptodev.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 eng_cryptodev.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
 eng_cryptodev.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_cryptodev.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_cryptodev.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
-eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_cryptodev.o: ../../include/openssl/obj_mac.h
+eng_cryptodev.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_cryptodev.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 eng_cryptodev.o: ../../include/openssl/objects.h
 eng_cryptodev.o: ../../include/openssl/opensslconf.h
 eng_cryptodev.o: ../../include/openssl/opensslv.h
@@ -130,8 +131,9 @@ eng_ctrl.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_ctrl.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_ctrl.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_ctrl.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_ctrl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_ctrl.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_ctrl.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_ctrl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_ctrl.o: ../../include/openssl/opensslconf.h
 eng_ctrl.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 eng_ctrl.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 eng_ctrl.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -143,49 +145,50 @@ eng_dyn.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
 eng_dyn.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_dyn.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_dyn.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_dyn.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_dyn.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-eng_dyn.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_dyn.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-eng_dyn.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_dyn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_dyn.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_dyn.o: ../cryptlib.h eng_dyn.c eng_int.h
+eng_dyn.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_dyn.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_dyn.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_dyn.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_dyn.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_dyn.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_dyn.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_dyn.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_dyn.c eng_int.h
 eng_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 eng_err.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 eng_err.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_err.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_err.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_err.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-eng_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-eng_err.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_err.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_err.o: eng_err.c
+eng_err.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_err.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_err.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_err.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_err.o: ../../include/openssl/x509_vfy.h eng_err.c
 eng_fat.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_fat.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_fat.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 eng_fat.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_fat.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_fat.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_fat.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_fat.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-eng_fat.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-eng_fat.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-eng_fat.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_fat.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_fat.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_fat.o: ../cryptlib.h eng_fat.c eng_int.h
+eng_fat.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_fat.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_fat.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_fat.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+eng_fat.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+eng_fat.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_fat.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_fat.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_fat.c eng_int.h
 eng_init.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_init.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_init.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_init.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_init.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_init.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_init.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_init.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_init.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_init.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_init.o: ../../include/openssl/opensslconf.h
 eng_init.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 eng_init.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 eng_init.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -197,22 +200,23 @@ eng_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-eng_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-eng_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-eng_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-eng_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-eng_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-eng_lib.o: ../cryptlib.h eng_int.h eng_lib.c
+eng_lib.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+eng_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+eng_lib.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+eng_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+eng_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+eng_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h eng_lib.c
 eng_list.o: ../../e_os.h ../../include/openssl/asn1.h
 eng_list.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 eng_list.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_list.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_list.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_list.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_list.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_list.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_list.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_list.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_list.o: ../../include/openssl/opensslconf.h
 eng_list.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 eng_list.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 eng_list.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -225,8 +229,9 @@ eng_openssl.o: ../../include/openssl/dsa.h ../../include/openssl/dso.h
 eng_openssl.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_openssl.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_openssl.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_openssl.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_openssl.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_openssl.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_openssl.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_openssl.o: ../../include/openssl/objects.h
 eng_openssl.o: ../../include/openssl/opensslconf.h
 eng_openssl.o: ../../include/openssl/opensslv.h
 eng_openssl.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pem.h
@@ -242,8 +247,9 @@ eng_padlock.o: ../../include/openssl/crypto.h ../../include/openssl/dso.h
 eng_padlock.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 eng_padlock.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 eng_padlock.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-eng_padlock.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_padlock.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+eng_padlock.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+eng_padlock.o: ../../include/openssl/objects.h
 eng_padlock.o: ../../include/openssl/opensslconf.h
 eng_padlock.o: ../../include/openssl/opensslv.h
 eng_padlock.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
@@ -257,8 +263,9 @@ eng_pkey.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_pkey.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+eng_pkey.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+eng_pkey.o: ../../include/openssl/opensslconf.h
 eng_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 eng_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 eng_pkey.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -270,8 +277,8 @@ eng_table.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 eng_table.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 eng_table.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 eng_table.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-eng_table.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-eng_table.o: ../../include/openssl/objects.h
+eng_table.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+eng_table.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 eng_table.o: ../../include/openssl/opensslconf.h
 eng_table.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 eng_table.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
@@ -285,8 +292,8 @@ tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_cipher.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_cipher.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_cipher.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_cipher.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_cipher.o: ../../include/openssl/objects.h
+tb_cipher.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_cipher.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_cipher.o: ../../include/openssl/opensslconf.h
 tb_cipher.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tb_cipher.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
@@ -299,22 +306,22 @@ tb_dh.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 tb_dh.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 tb_dh.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 tb_dh.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-tb_dh.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tb_dh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-tb_dh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-tb_dh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_dh.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-tb_dh.o: ../cryptlib.h eng_int.h tb_dh.c
+tb_dh.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+tb_dh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_dh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_dh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_dh.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_dh.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_dh.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_dh.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_dh.c
 tb_digest.o: ../../e_os.h ../../include/openssl/asn1.h
 tb_digest.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tb_digest.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_digest.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_digest.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_digest.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_digest.o: ../../include/openssl/objects.h
+tb_digest.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 tb_digest.o: ../../include/openssl/opensslconf.h
 tb_digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tb_digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
@@ -327,35 +334,37 @@ tb_dsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 tb_dsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 tb_dsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 tb_dsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-tb_dsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tb_dsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_dsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-tb_dsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-tb_dsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_dsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-tb_dsa.o: ../cryptlib.h eng_int.h tb_dsa.c
+tb_dsa.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+tb_dsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_dsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_dsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_dsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_dsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_dsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_dsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_dsa.c
 tb_ecdh.o: ../../e_os.h ../../include/openssl/asn1.h
 tb_ecdh.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tb_ecdh.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_ecdh.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_ecdh.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_ecdh.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_ecdh.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_ecdh.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_ecdh.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_ecdh.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-tb_ecdh.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-tb_ecdh.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-tb_ecdh.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_ecdh.c
+tb_ecdh.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_ecdh.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tb_ecdh.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_ecdh.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_ecdh.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_ecdh.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_ecdh.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+tb_ecdh.o: ../cryptlib.h eng_int.h tb_ecdh.c
 tb_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
 tb_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tb_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_ecdsa.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_ecdsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_ecdsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_ecdsa.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_ecdsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tb_ecdsa.o: ../../include/openssl/opensslconf.h
 tb_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tb_ecdsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 tb_ecdsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -367,34 +376,36 @@ tb_rand.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_rand.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_rand.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_rand.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-tb_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-tb_rand.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-tb_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-tb_rand.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-tb_rand.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_rand.c
+tb_rand.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tb_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+tb_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+tb_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+tb_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+tb_rand.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+tb_rand.o: ../cryptlib.h eng_int.h tb_rand.c
 tb_rsa.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 tb_rsa.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 tb_rsa.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 tb_rsa.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 tb_rsa.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-tb_rsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-tb_rsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-tb_rsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-tb_rsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-tb_rsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-tb_rsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-tb_rsa.o: ../cryptlib.h eng_int.h tb_rsa.c
+tb_rsa.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+tb_rsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+tb_rsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_rsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+tb_rsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+tb_rsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+tb_rsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+tb_rsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h tb_rsa.c
 tb_store.o: ../../e_os.h ../../include/openssl/asn1.h
 tb_store.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 tb_store.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 tb_store.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 tb_store.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 tb_store.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-tb_store.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-tb_store.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+tb_store.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+tb_store.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+tb_store.o: ../../include/openssl/opensslconf.h
 tb_store.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 tb_store.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 tb_store.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
diff --git a/src/lib/libcrypto/engine/eng_cnf.c b/src/lib/libcrypto/engine/eng_cnf.c
index 8417ddaaef..08066cea59 100644
--- a/src/lib/libcrypto/engine/eng_cnf.c
+++ b/src/lib/libcrypto/engine/eng_cnf.c
@@ -1,5 +1,5 @@
 /* eng_cnf.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
@@ -98,7 +98,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
         CONF_VALUE *ecmd;
         char *ctrlname, *ctrlvalue;
         ENGINE *e = NULL;
-        int soft = 0;
+        int soft = 0;
 
         name = skip_dot(name);
 #ifdef ENGINE_CONF_DEBUG
@@ -127,8 +127,8 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                 /* Override engine name to use */
                 if (!strcmp(ctrlname, "engine_id"))
                         name = ctrlvalue;
-                else if (!strcmp(ctrlname, "soft_load"))
-                        soft = 1;
+                else if (!strcmp(ctrlname, "soft_load"))
+                        soft = 1;
                 /* Load a dynamic ENGINE */
                 else if (!strcmp(ctrlname, "dynamic_path"))
                         {
@@ -151,11 +151,11 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
                         if (!e)
                                 {
                                 e = ENGINE_by_id(name);
-                                if (!e && soft)
-                                        {
-                                        ERR_clear_error();
-                                        return 1;
-                                        }
+                                if (!e && soft)
+                                        {
+                                        ERR_clear_error();
+                                        return 1;
+                                        }
                                 if (!e)
                                         return 0;
                                 }
diff --git a/src/lib/libcrypto/engine/enginetest.c b/src/lib/libcrypto/engine/enginetest.c
index cf82f490db..e3834611db 100644
--- a/src/lib/libcrypto/engine/enginetest.c
+++ b/src/lib/libcrypto/engine/enginetest.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <openssl/e_os2.h>
 
 #ifdef OPENSSL_NO_ENGINE
 int main(int argc, char *argv[])
@@ -66,7 +67,6 @@ int main(int argc, char *argv[])
     return(0);
 }
 #else
-#include <openssl/e_os2.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
 #include <openssl/engine.h>
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 7952e70ab0..292404a2fb 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -119,480 +119,9 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 
-static void err_load_strings(int lib, ERR_STRING_DATA *str);
-
-static void ERR_STATE_free(ERR_STATE *s);
-#ifndef OPENSSL_NO_ERR
-static ERR_STRING_DATA ERR_str_libraries[]=
-        {
-{ERR_PACK(ERR_LIB_NONE,0,0)             ,"unknown library"},
-{ERR_PACK(ERR_LIB_SYS,0,0)              ,"system library"},
-{ERR_PACK(ERR_LIB_BN,0,0)               ,"bignum routines"},
-{ERR_PACK(ERR_LIB_RSA,0,0)              ,"rsa routines"},
-{ERR_PACK(ERR_LIB_DH,0,0)               ,"Diffie-Hellman routines"},
-{ERR_PACK(ERR_LIB_EVP,0,0)              ,"digital envelope routines"},
-{ERR_PACK(ERR_LIB_BUF,0,0)              ,"memory buffer routines"},
-{ERR_PACK(ERR_LIB_OBJ,0,0)              ,"object identifier routines"},
-{ERR_PACK(ERR_LIB_PEM,0,0)              ,"PEM routines"},
-{ERR_PACK(ERR_LIB_DSA,0,0)              ,"dsa routines"},
-{ERR_PACK(ERR_LIB_X509,0,0)             ,"x509 certificate routines"},
-{ERR_PACK(ERR_LIB_ASN1,0,0)             ,"asn1 encoding routines"},
-{ERR_PACK(ERR_LIB_CONF,0,0)             ,"configuration file routines"},
-{ERR_PACK(ERR_LIB_CRYPTO,0,0)           ,"common libcrypto routines"},
-{ERR_PACK(ERR_LIB_EC,0,0)               ,"elliptic curve routines"},
-{ERR_PACK(ERR_LIB_SSL,0,0)              ,"SSL routines"},
-{ERR_PACK(ERR_LIB_BIO,0,0)              ,"BIO routines"},
-{ERR_PACK(ERR_LIB_PKCS7,0,0)            ,"PKCS7 routines"},
-{ERR_PACK(ERR_LIB_X509V3,0,0)           ,"X509 V3 routines"},
-{ERR_PACK(ERR_LIB_PKCS12,0,0)           ,"PKCS12 routines"},
-{ERR_PACK(ERR_LIB_RAND,0,0)             ,"random number generator"},
-{ERR_PACK(ERR_LIB_DSO,0,0)              ,"DSO support routines"},
-{ERR_PACK(ERR_LIB_ENGINE,0,0)           ,"engine routines"},
-{ERR_PACK(ERR_LIB_OCSP,0,0)             ,"OCSP routines"},
-{ERR_PACK(ERR_LIB_FIPS,0,0)             ,"FIPS routines"},
-{ERR_PACK(ERR_LIB_CMS,0,0)              ,"CMS routines"},
-{0,NULL},
-        };
-
-static ERR_STRING_DATA ERR_str_functs[]=
-        {
-        {ERR_PACK(0,SYS_F_FOPEN,0),             "fopen"},
-        {ERR_PACK(0,SYS_F_CONNECT,0),           "connect"},
-        {ERR_PACK(0,SYS_F_GETSERVBYNAME,0),     "getservbyname"},
-        {ERR_PACK(0,SYS_F_SOCKET,0),            "socket"}, 
-        {ERR_PACK(0,SYS_F_IOCTLSOCKET,0),       "ioctlsocket"},
-        {ERR_PACK(0,SYS_F_BIND,0),              "bind"},
-        {ERR_PACK(0,SYS_F_LISTEN,0),            "listen"},
-        {ERR_PACK(0,SYS_F_ACCEPT,0),            "accept"},
-#ifdef OPENSSL_SYS_WINDOWS
-        {ERR_PACK(0,SYS_F_WSASTARTUP,0),        "WSAstartup"},
-#endif
-        {ERR_PACK(0,SYS_F_OPENDIR,0),           "opendir"},
-        {ERR_PACK(0,SYS_F_FREAD,0),             "fread"},
-        {0,NULL},
-        };
-
-static ERR_STRING_DATA ERR_str_reasons[]=
-        {
-{ERR_R_SYS_LIB                          ,"system lib"},
-{ERR_R_BN_LIB                           ,"BN lib"},
-{ERR_R_RSA_LIB                          ,"RSA lib"},
-{ERR_R_DH_LIB                           ,"DH lib"},
-{ERR_R_EVP_LIB                          ,"EVP lib"},
-{ERR_R_BUF_LIB                          ,"BUF lib"},
-{ERR_R_OBJ_LIB                          ,"OBJ lib"},
-{ERR_R_PEM_LIB                          ,"PEM lib"},
-{ERR_R_DSA_LIB                          ,"DSA lib"},
-{ERR_R_X509_LIB                         ,"X509 lib"},
-{ERR_R_ASN1_LIB                         ,"ASN1 lib"},
-{ERR_R_CONF_LIB                         ,"CONF lib"},
-{ERR_R_CRYPTO_LIB                       ,"CRYPTO lib"},
-{ERR_R_EC_LIB                           ,"EC lib"},
-{ERR_R_SSL_LIB                          ,"SSL lib"},
-{ERR_R_BIO_LIB                          ,"BIO lib"},
-{ERR_R_PKCS7_LIB                        ,"PKCS7 lib"},
-{ERR_R_X509V3_LIB                       ,"X509V3 lib"},
-{ERR_R_PKCS12_LIB                       ,"PKCS12 lib"},
-{ERR_R_RAND_LIB                         ,"RAND lib"},
-{ERR_R_DSO_LIB                          ,"DSO lib"},
-{ERR_R_ENGINE_LIB                       ,"ENGINE lib"},
-{ERR_R_OCSP_LIB                         ,"OCSP lib"},
-
-{ERR_R_NESTED_ASN1_ERROR                ,"nested asn1 error"},
-{ERR_R_BAD_ASN1_OBJECT_HEADER           ,"bad asn1 object header"},
-{ERR_R_BAD_GET_ASN1_OBJECT_CALL         ,"bad get asn1 object call"},
-{ERR_R_EXPECTING_AN_ASN1_SEQUENCE       ,"expecting an asn1 sequence"},
-{ERR_R_ASN1_LENGTH_MISMATCH             ,"asn1 length mismatch"},
-{ERR_R_MISSING_ASN1_EOS                 ,"missing asn1 eos"},
-
-{ERR_R_FATAL                            ,"fatal"},
-{ERR_R_MALLOC_FAILURE                   ,"malloc failure"},
-{ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED      ,"called a function you should not call"},
-{ERR_R_PASSED_NULL_PARAMETER            ,"passed a null parameter"},
-{ERR_R_INTERNAL_ERROR                   ,"internal error"},
-{ERR_R_DISABLED                         ,"called a function that was disabled at compile-time"},
-
-{0,NULL},
-        };
-#endif
-
-
-/* Define the predeclared (but externally opaque) "ERR_FNS" type */
-struct st_ERR_FNS
-        {
-        /* Works on the "error_hash" string table */
-        LHASH *(*cb_err_get)(int create);
-        void (*cb_err_del)(void);
-        ERR_STRING_DATA *(*cb_err_get_item)(const ERR_STRING_DATA *);
-        ERR_STRING_DATA *(*cb_err_set_item)(ERR_STRING_DATA *);
-        ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
-        /* Works on the "thread_hash" error-state table */
-        LHASH *(*cb_thread_get)(int create);
-        void (*cb_thread_release)(LHASH **hash);
-        ERR_STATE *(*cb_thread_get_item)(const ERR_STATE *);
-        ERR_STATE *(*cb_thread_set_item)(ERR_STATE *);
-        void (*cb_thread_del_item)(const ERR_STATE *);
-        /* Returns the next available error "library" numbers */
-        int (*cb_get_next_lib)(void);
-        };
-
-/* Predeclarations of the "err_defaults" functions */
-static LHASH *int_err_get(int create);
-static void int_err_del(void);
-static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
-static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
-static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
-static LHASH *int_thread_get(int create);
-static void int_thread_release(LHASH **hash);
-static ERR_STATE *int_thread_get_item(const ERR_STATE *);
-static ERR_STATE *int_thread_set_item(ERR_STATE *);
-static void int_thread_del_item(const ERR_STATE *);
-static int int_err_get_next_lib(void);
-/* The static ERR_FNS table using these defaults functions */
-static const ERR_FNS err_defaults =
-        {
-        int_err_get,
-        int_err_del,
-        int_err_get_item,
-        int_err_set_item,
-        int_err_del_item,
-        int_thread_get,
-        int_thread_release,
-        int_thread_get_item,
-        int_thread_set_item,
-        int_thread_del_item,
-        int_err_get_next_lib
-        };
-
-/* The replacable table of ERR_FNS functions we use at run-time */
-static const ERR_FNS *err_fns = NULL;
-
-/* Eg. rather than using "err_get()", use "ERRFN(err_get)()". */
-#define ERRFN(a) err_fns->cb_##a
-
-/* The internal state used by "err_defaults" - as such, the setting, reading,
- * creating, and deleting of this data should only be permitted via the
- * "err_defaults" functions. This way, a linked module can completely defer all
- * ERR state operation (together with requisite locking) to the implementations
- * and state in the loading application. */
-static LHASH *int_error_hash = NULL;
-static LHASH *int_thread_hash = NULL;
-static int int_thread_hash_references = 0;
-static int int_err_library_number= ERR_LIB_USER;
-
-/* Internal function that checks whether "err_fns" is set and if not, sets it to
- * the defaults. */
-static void err_fns_check(void)
-        {
-        if (err_fns) return;
-        
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (!err_fns)
-                err_fns = &err_defaults;
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-        }
-
-/* API functions to get or set the underlying ERR functions. */
-
-const ERR_FNS *ERR_get_implementation(void)
-        {
-        err_fns_check();
-        return err_fns;
-        }
-
-int ERR_set_implementation(const ERR_FNS *fns)
-        {
-        int ret = 0;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        /* It's too late if 'err_fns' is non-NULL. BTW: not much point setting
-         * an error is there?! */
-        if (!err_fns)
-                {
-                err_fns = fns;
-                ret = 1;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-        return ret;
-        }
-
-/* These are the callbacks provided to "lh_new()" when creating the LHASH tables
- * internal to the "err_defaults" implementation. */
-
-/* static unsigned long err_hash(ERR_STRING_DATA *a); */
-static unsigned long err_hash(const void *a_void);
-/* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b); */
-static int err_cmp(const void *a_void, const void *b_void);
-/* static unsigned long pid_hash(ERR_STATE *pid); */
-static unsigned long pid_hash(const void *pid_void);
-/* static int pid_cmp(ERR_STATE *a,ERR_STATE *pid); */
-static int pid_cmp(const void *a_void,const void *pid_void);
-static unsigned long get_error_values(int inc,int top,const char **file,int *line,
-                                      const char **data,int *flags);
-
-/* The internal functions used in the "err_defaults" implementation */
-
-static LHASH *int_err_get(int create)
-        {
-        LHASH *ret = NULL;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (!int_error_hash && create)
-                {
-                CRYPTO_push_info("int_err_get (err.c)");
-                int_error_hash = lh_new(err_hash, err_cmp);
-                CRYPTO_pop_info();
-                }
-        if (int_error_hash)
-                ret = int_error_hash;
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        return ret;
-        }
-
-static void int_err_del(void)
-        {
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (int_error_hash)
-                {
-                lh_free(int_error_hash);
-                int_error_hash = NULL;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-        }
-
-static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *d)
-        {
-        ERR_STRING_DATA *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(err_get)(0);
-        if (!hash)
-                return NULL;
-
-        CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STRING_DATA *)lh_retrieve(hash, d);
-        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
-        return p;
-        }
-
-static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *d)
-        {
-        ERR_STRING_DATA *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(err_get)(1);
-        if (!hash)
-                return NULL;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STRING_DATA *)lh_insert(hash, d);
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        return p;
-        }
-
-static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *d)
-        {
-        ERR_STRING_DATA *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(err_get)(0);
-        if (!hash)
-                return NULL;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STRING_DATA *)lh_delete(hash, d);
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        return p;
-        }
-
-static LHASH *int_thread_get(int create)
-        {
-        LHASH *ret = NULL;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (!int_thread_hash && create)
-                {
-                CRYPTO_push_info("int_thread_get (err.c)");
-                int_thread_hash = lh_new(pid_hash, pid_cmp);
-                CRYPTO_pop_info();
-                }
-        if (int_thread_hash)
-                {
-                int_thread_hash_references++;
-                ret = int_thread_hash;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-        return ret;
-        }
-
-static void int_thread_release(LHASH **hash)
-        {
-        int i;
-
-        if (hash == NULL || *hash == NULL)
-                return;
-
-        i = CRYPTO_add(&int_thread_hash_references, -1, CRYPTO_LOCK_ERR);
-
-#ifdef REF_PRINT
-        fprintf(stderr,"%4d:%s\n",int_thread_hash_references,"ERR");
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"int_thread_release, bad reference count\n");
-                abort(); /* ok */
-                }
-#endif
-        *hash = NULL;
-        }
-
-static ERR_STATE *int_thread_get_item(const ERR_STATE *d)
-        {
-        ERR_STATE *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(thread_get)(0);
-        if (!hash)
-                return NULL;
-
-        CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STATE *)lh_retrieve(hash, d);
-        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-
-        ERRFN(thread_release)(&hash);
-        return p;
-        }
-
-static ERR_STATE *int_thread_set_item(ERR_STATE *d)
-        {
-        ERR_STATE *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(thread_get)(1);
-        if (!hash)
-                return NULL;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STATE *)lh_insert(hash, d);
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        ERRFN(thread_release)(&hash);
-        return p;
-        }
-
-static void int_thread_del_item(const ERR_STATE *d)
-        {
-        ERR_STATE *p;
-        LHASH *hash;
-
-        err_fns_check();
-        hash = ERRFN(thread_get)(0);
-        if (!hash)
-                return;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        p = (ERR_STATE *)lh_delete(hash, d);
-        /* make sure we don't leak memory */
-        if (int_thread_hash_references == 1
-                && int_thread_hash && (lh_num_items(int_thread_hash) == 0))
-                {
-                lh_free(int_thread_hash);
-                int_thread_hash = NULL;
-                }
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        ERRFN(thread_release)(&hash);
-        if (p)
-                ERR_STATE_free(p);
-        }
-
-static int int_err_get_next_lib(void)
-        {
-        int ret;
-
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        ret = int_err_library_number++;
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-
-        return ret;
-        }
-
-
-#ifndef OPENSSL_NO_ERR
-#define NUM_SYS_STR_REASONS 127
-#define LEN_SYS_STR_REASON 32
-
-static ERR_STRING_DATA SYS_str_reasons[NUM_SYS_STR_REASONS + 1];
-/* SYS_str_reasons is filled with copies of strerror() results at
- * initialization.
- * 'errno' values up to 127 should cover all usual errors,
- * others will be displayed numerically by ERR_error_string.
- * It is crucial that we have something for each reason code
- * that occurs in ERR_str_reasons, or bogus reason strings
- * will be returned for SYSerr(), which always gets an errno
- * value and never one of those 'standard' reason codes. */
-
-static void build_SYS_str_reasons(void)
-        {
-        /* OPENSSL_malloc cannot be used here, use static storage instead */
-        static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
-        int i;
-        static int init = 1;
-
-        CRYPTO_r_lock(CRYPTO_LOCK_ERR);
-        if (!init)
-                {
-                CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-                return;
-                }
-        
-        CRYPTO_r_unlock(CRYPTO_LOCK_ERR);
-        CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        if (!init)
-                {
-                CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-                return;
-                }
-
-        for (i = 1; i <= NUM_SYS_STR_REASONS; i++)
-                {
-                ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
-
-                str->error = (unsigned long)i;
-                if (str->string == NULL)
-                        {
-                        char (*dest)[LEN_SYS_STR_REASON] = &(strerror_tab[i - 1]);
-                        char *src = strerror(i);
-                        if (src != NULL)
-                                {
-                                strncpy(*dest, src, sizeof *dest);
-                                (*dest)[sizeof *dest - 1] = '\0';
-                                str->string = *dest;
-                                }
-                        }
-                if (str->string == NULL)
-                        str->string = "unknown";
-                }
-
-        /* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
-         * as required by ERR_load_strings. */
-
-        init = 0;
-        
-        CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
-        }
-#endif
+static unsigned long get_error_values(int inc,int top,
+                                        const char **file,int *line,
+                                        const char **data,int *flags);
 
 #define err_clear_data(p,i) \
         do { \
@@ -614,68 +143,6 @@ static void build_SYS_str_reasons(void)
         (p)->err_line[i]= -1; \
         } while(0)
 
-static void ERR_STATE_free(ERR_STATE *s)
-        {
-        int i;
-
-        if (s == NULL)
-            return;
-
-        for (i=0; i<ERR_NUM_ERRORS; i++)
-                {
-                err_clear_data(s,i);
-                }
-        OPENSSL_free(s);
-        }
-
-void ERR_load_ERR_strings(void)
-        {
-        err_fns_check();
-#ifndef OPENSSL_NO_ERR
-        err_load_strings(0,ERR_str_libraries);
-        err_load_strings(0,ERR_str_reasons);
-        err_load_strings(ERR_LIB_SYS,ERR_str_functs);
-        build_SYS_str_reasons();
-        err_load_strings(ERR_LIB_SYS,SYS_str_reasons);
-#endif
-        }
-
-static void err_load_strings(int lib, ERR_STRING_DATA *str)
-        {
-        while (str->error)
-                {
-                if (lib)
-                        str->error|=ERR_PACK(lib,0,0);
-                ERRFN(err_set_item)(str);
-                str++;
-                }
-        }
-
-void ERR_load_strings(int lib, ERR_STRING_DATA *str)
-        {
-        ERR_load_ERR_strings();
-        err_load_strings(lib, str);
-        }
-
-void ERR_unload_strings(int lib, ERR_STRING_DATA *str)
-        {
-        while (str->error)
-                {
-                if (lib)
-                        str->error|=ERR_PACK(lib,0,0);
-                ERRFN(err_del_item)(str);
-                str++;
-                }
-        }
-
-void ERR_free_strings(void)
-        {
-        err_fns_check();
-        ERRFN(err_del)();
-        }
-
-/********************************************************/
-
 void ERR_put_error(int lib, int func, int reason, const char *file,
              int line)
         {
@@ -830,218 +297,6 @@ static unsigned long get_error_values(int inc, int top, const char **file, int *
         return ret;
         }
 
-void ERR_error_string_n(unsigned long e, char *buf, size_t len)
-        {
-        char lsbuf[64], fsbuf[64], rsbuf[64];
-        const char *ls,*fs,*rs;
-        unsigned long l,f,r;
-
-        l=ERR_GET_LIB(e);
-        f=ERR_GET_FUNC(e);
-        r=ERR_GET_REASON(e);
-
-        ls=ERR_lib_error_string(e);
-        fs=ERR_func_error_string(e);
-        rs=ERR_reason_error_string(e);
-
-        if (ls == NULL) 
-                BIO_snprintf(lsbuf, sizeof(lsbuf), "lib(%lu)", l);
-        if (fs == NULL)
-                BIO_snprintf(fsbuf, sizeof(fsbuf), "func(%lu)", f);
-        if (rs == NULL)
-                BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r);
-
-        BIO_snprintf(buf, len,"error:%08lX:%s:%s:%s", e, ls?ls:lsbuf, 
-                fs?fs:fsbuf, rs?rs:rsbuf);
-        if (strlen(buf) == len-1)
-                {
-                /* output may be truncated; make sure we always have 5 
-                 * colon-separated fields, i.e. 4 colons ... */
-#define NUM_COLONS 4
-                if (len > NUM_COLONS) /* ... if possible */
-                        {
-                        int i;
-                        char *s = buf;
-                        
-                        for (i = 0; i < NUM_COLONS; i++)
-                                {
-                                char *colon = strchr(s, ':');
-                                if (colon == NULL || colon > &buf[len-1] - NUM_COLONS + i)
-                                        {
-                                        /* set colon no. i at last possible position
-                                         * (buf[len-1] is the terminating 0)*/
-                                        colon = &buf[len-1] - NUM_COLONS + i;
-                                        *colon = ':';
-                                        }
-                                s = colon + 1;
-                                }
-                        }
-                }
-        }
-
-/* BAD for multi-threading: uses a local buffer if ret == NULL */
-/* ERR_error_string_n should be used instead for ret != NULL
- * as ERR_error_string cannot know how large the buffer is */
-char *ERR_error_string(unsigned long e, char *ret)
-        {
-        static char buf[256];
-
-        if (ret == NULL) ret=buf;
-        ERR_error_string_n(e, ret, 256);
-
-        return ret;
-        }
-
-LHASH *ERR_get_string_table(void)
-        {
-        err_fns_check();
-        return ERRFN(err_get)(0);
-        }
-
-LHASH *ERR_get_err_state_table(void)
-        {
-        err_fns_check();
-        return ERRFN(thread_get)(0);
-        }
-
-void ERR_release_err_state_table(LHASH **hash)
-        {
-        err_fns_check();
-        ERRFN(thread_release)(hash);
-        }
-
-const char *ERR_lib_error_string(unsigned long e)
-        {
-        ERR_STRING_DATA d,*p;
-        unsigned long l;
-
-        err_fns_check();
-        l=ERR_GET_LIB(e);
-        d.error=ERR_PACK(l,0,0);
-        p=ERRFN(err_get_item)(&d);
-        return((p == NULL)?NULL:p->string);
-        }
-
-const char *ERR_func_error_string(unsigned long e)
-        {
-        ERR_STRING_DATA d,*p;
-        unsigned long l,f;
-
-        err_fns_check();
-        l=ERR_GET_LIB(e);
-        f=ERR_GET_FUNC(e);
-        d.error=ERR_PACK(l,f,0);
-        p=ERRFN(err_get_item)(&d);
-        return((p == NULL)?NULL:p->string);
-        }
-
-const char *ERR_reason_error_string(unsigned long e)
-        {
-        ERR_STRING_DATA d,*p=NULL;
-        unsigned long l,r;
-
-        err_fns_check();
-        l=ERR_GET_LIB(e);
-        r=ERR_GET_REASON(e);
-        d.error=ERR_PACK(l,0,r);
-        p=ERRFN(err_get_item)(&d);
-        if (!p)
-                {
-                d.error=ERR_PACK(0,0,r);
-                p=ERRFN(err_get_item)(&d);
-                }
-        return((p == NULL)?NULL:p->string);
-        }
-
-/* static unsigned long err_hash(ERR_STRING_DATA *a) */
-static unsigned long err_hash(const void *a_void)
-        {
-        unsigned long ret,l;
-
-        l=((const ERR_STRING_DATA *)a_void)->error;
-        ret=l^ERR_GET_LIB(l)^ERR_GET_FUNC(l);
-        return(ret^ret%19*13);
-        }
-
-/* static int err_cmp(ERR_STRING_DATA *a, ERR_STRING_DATA *b) */
-static int err_cmp(const void *a_void, const void *b_void)
-        {
-        return((int)(((const ERR_STRING_DATA *)a_void)->error -
-                        ((const ERR_STRING_DATA *)b_void)->error));
-        }
-
-/* static unsigned long pid_hash(ERR_STATE *a) */
-static unsigned long pid_hash(const void *a_void)
-        {
-        return(((const ERR_STATE *)a_void)->pid*13);
-        }
-
-/* static int pid_cmp(ERR_STATE *a, ERR_STATE *b) */
-static int pid_cmp(const void *a_void, const void *b_void)
-        {
-        return((int)((long)((const ERR_STATE *)a_void)->pid -
-                        (long)((const ERR_STATE *)b_void)->pid));
-        }
-
-void ERR_remove_state(unsigned long pid)
-        {
-        ERR_STATE tmp;
-
-        err_fns_check();
-        if (pid == 0)
-                pid=(unsigned long)CRYPTO_thread_id();
-        tmp.pid=pid;
-        /* thread_del_item automatically destroys the LHASH if the number of
-         * items reaches zero. */
-        ERRFN(thread_del_item)(&tmp);
-        }
-
-ERR_STATE *ERR_get_state(void)
-        {
-        static ERR_STATE fallback;
-        ERR_STATE *ret,tmp,*tmpp=NULL;
-        int i;
-        unsigned long pid;
-
-        err_fns_check();
-        pid=(unsigned long)CRYPTO_thread_id();
-        tmp.pid=pid;
-        ret=ERRFN(thread_get_item)(&tmp);
-
-        /* ret == the error state, if NULL, make a new one */
-        if (ret == NULL)
-                {
-                ret=(ERR_STATE *)OPENSSL_malloc(sizeof(ERR_STATE));
-                if (ret == NULL) return(&fallback);
-                ret->pid=pid;
-                ret->top=0;
-                ret->bottom=0;
-                for (i=0; i<ERR_NUM_ERRORS; i++)
-                        {
-                        ret->err_data[i]=NULL;
-                        ret->err_data_flags[i]=0;
-                        }
-                tmpp = ERRFN(thread_set_item)(ret);
-                /* To check if insertion failed, do a get. */
-                if (ERRFN(thread_get_item)(ret) != ret)
-                        {
-                        ERR_STATE_free(ret); /* could not insert it */
-                        return(&fallback);
-                        }
-                /* If a race occured in this function and we came second, tmpp
-                 * is the first one that we just replaced. */
-                if (tmpp)
-                        ERR_STATE_free(tmpp);
-                }
-        return ret;
-        }
-
-int ERR_get_next_error_library(void)
-        {
-        err_fns_check();
-        return ERRFN(get_next_lib)();
-        }
-
 void ERR_set_error_data(char *data, int flags)
         {
         ERR_STATE *es;
@@ -1128,3 +383,34 @@ int ERR_pop_to_mark(void)
         es->err_flags[es->top]&=~ERR_FLAG_MARK;
         return 1;
         }
+
+#ifdef OPENSSL_FIPS
+
+static ERR_STATE *fget_state(void)
+        {
+        static ERR_STATE fstate;
+        return &fstate;
+        }
+
+ERR_STATE *(*get_state_func)(void) = fget_state;
+void (*remove_state_func)(unsigned long pid);
+
+ERR_STATE *ERR_get_state(void)
+        {
+        return get_state_func();
+        }
+
+void int_ERR_set_state_func(ERR_STATE *(*get_func)(void),
+                                void (*remove_func)(unsigned long pid))
+        {
+        get_state_func = get_func;
+        remove_state_func = remove_func;
+        }
+
+void ERR_remove_state(unsigned long pid)
+        {
+        if (remove_state_func)
+                remove_state_func(pid);
+        }
+
+#endif
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index 8d9f0da172..dcac415231 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -142,6 +142,7 @@ typedef struct err_state_st
 #define ERR_LIB_STORE           44
 #define ERR_LIB_FIPS            45
 #define ERR_LIB_CMS             46
+#define ERR_LIB_JPAKE           47
 
 #define ERR_LIB_USER            128
 
@@ -175,6 +176,7 @@ typedef struct err_state_st
 #define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),__FILE__,__LINE__)
 #define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),__FILE__,__LINE__)
 #define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),__FILE__,__LINE__)
+#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),__FILE__,__LINE__)
 
 /* Borland C seems too stupid to be able to shift and do longs in
  * the pre-processor :-( */
@@ -306,6 +308,12 @@ int ERR_get_next_error_library(void);
 int ERR_set_mark(void);
 int ERR_pop_to_mark(void);
 
+#ifdef OPENSSL_FIPS
+void int_ERR_set_state_func(ERR_STATE *(*get_func)(void),
+                                void (*remove_func)(unsigned long pid));
+void int_ERR_lib_init(void);
+#endif
+
 /* Already defined in ossl_typ.h */
 /* typedef struct st_ERR_FNS ERR_FNS; */
 /* An application can use this function and provide the return value to loaded
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index 5813060ce2..f21a5276ed 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -94,9 +94,16 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
+#ifndef OPENSSL_NO_JPAKE
+#include <openssl/jpake.h>
+#endif
 
 void ERR_load_crypto_strings(void)
         {
@@ -141,8 +148,14 @@ void ERR_load_crypto_strings(void)
 #endif
         ERR_load_OCSP_strings();
         ERR_load_UI_strings();
+#ifdef OPENSSL_FIPS
+        ERR_load_FIPS_strings();
+#endif
 #ifndef OPENSSL_NO_CMS
         ERR_load_CMS_strings();
 #endif
+#ifndef OPENSSL_NO_JPAKE
+        ERR_load_JPAKE_strings();
+#endif
 #endif
         }
diff --git a/src/lib/libcrypto/err/err_prn.c b/src/lib/libcrypto/err/err_prn.c
index 2224a901e5..4cdf342fa6 100644
--- a/src/lib/libcrypto/err/err_prn.c
+++ b/src/lib/libcrypto/err/err_prn.c
@@ -86,12 +86,7 @@ void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u),
 #ifndef OPENSSL_NO_FP_API
 static int print_fp(const char *str, size_t len, void *fp)
         {
-        BIO bio;
-
-        BIO_set(&bio,BIO_s_file());
-        BIO_set_fp(&bio,fp,BIO_NOCLOSE);
-
-        return BIO_printf(&bio, "%s", str);
+        return fwrite(str, 1, len, fp);
         }
 void ERR_print_errors_fp(FILE *fp)
         {
@@ -99,13 +94,64 @@ void ERR_print_errors_fp(FILE *fp)
         }
 #endif
 
-static int print_bio(const char *str, size_t len, void *bp)
+void ERR_error_string_n(unsigned long e, char *buf, size_t len)
         {
-        return BIO_write((BIO *)bp, str, len);
+        char lsbuf[64], fsbuf[64], rsbuf[64];
+        const char *ls,*fs,*rs;
+        unsigned long l,f,r;
+
+        l=ERR_GET_LIB(e);
+        f=ERR_GET_FUNC(e);
+        r=ERR_GET_REASON(e);
+
+        ls=ERR_lib_error_string(e);
+        fs=ERR_func_error_string(e);
+        rs=ERR_reason_error_string(e);
+
+        if (ls == NULL) 
+                BIO_snprintf(lsbuf, sizeof(lsbuf), "lib(%lu)", l);
+        if (fs == NULL)
+                BIO_snprintf(fsbuf, sizeof(fsbuf), "func(%lu)", f);
+        if (rs == NULL)
+                BIO_snprintf(rsbuf, sizeof(rsbuf), "reason(%lu)", r);
+
+        BIO_snprintf(buf, len,"error:%08lX:%s:%s:%s", e, ls?ls:lsbuf, 
+                fs?fs:fsbuf, rs?rs:rsbuf);
+        if (strlen(buf) == len-1)
+                {
+                /* output may be truncated; make sure we always have 5 
+                 * colon-separated fields, i.e. 4 colons ... */
+#define NUM_COLONS 4
+                if (len > NUM_COLONS) /* ... if possible */
+                        {
+                        int i;
+                        char *s = buf;
+                        
+                        for (i = 0; i < NUM_COLONS; i++)
+                                {
+                                char *colon = strchr(s, ':');
+                                if (colon == NULL || colon > &buf[len-1] - NUM_COLONS + i)
+                                        {
+                                        /* set colon no. i at last possible position
+                                         * (buf[len-1] is the terminating 0)*/
+                                        colon = &buf[len-1] - NUM_COLONS + i;
+                                        *colon = ':';
+                                        }
+                                s = colon + 1;
+                                }
+                        }
+                }
         }
-void ERR_print_errors(BIO *bp)
+
+/* BAD for multi-threading: uses a local buffer if ret == NULL */
+/* ERR_error_string_n should be used instead for ret != NULL
+ * as ERR_error_string cannot know how large the buffer is */
+char *ERR_error_string(unsigned long e, char *ret)
         {
-        ERR_print_errors_cb(print_bio, bp);
-        }
+        static char buf[256];
+
+        if (ret == NULL) ret=buf;
+        ERR_error_string_n(e, ret, 256);
 
-        
+        return ret;
+        }
diff --git a/src/lib/libcrypto/err/openssl.ec b/src/lib/libcrypto/err/openssl.ec
index 1938f081ac..868826624d 100644
--- a/src/lib/libcrypto/err/openssl.ec
+++ b/src/lib/libcrypto/err/openssl.ec
@@ -31,7 +31,9 @@ L COMP		crypto/comp/comp.h		crypto/comp/comp_err.c
 L ECDSA         crypto/ecdsa/ecdsa.h            crypto/ecdsa/ecs_err.c
 L ECDH          crypto/ecdh/ecdh.h              crypto/ecdh/ech_err.c
 L STORE         crypto/store/store.h            crypto/store/str_err.c
+L FIPS          fips/fips.h                     crypto/fips_err.h
 L CMS           crypto/cms/cms.h                crypto/cms/cms_err.c
+L JPAKE         crypto/jpake/jpake.h            crypto/jpake/jpake_err.c
 
 # additional header files to be scanned for function names
 L NONE          crypto/x509/x509_vfy.h          NONE
diff --git a/src/lib/libcrypto/evp/Makefile b/src/lib/libcrypto/evp/Makefile
index 9de56dc03d..c204f84c1d 100644
--- a/src/lib/libcrypto/evp/Makefile
+++ b/src/lib/libcrypto/evp/Makefile
@@ -18,10 +18,10 @@ TESTDATA=evptests.txt
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
+LIBSRC= encode.c digest.c dig_eng.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \
         e_des.c e_bf.c e_idea.c e_des3.c e_camellia.c\
         e_rc4.c e_aes.c names.c e_seed.c \
-        e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \
+        e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c enc_min.c \
         m_null.c m_md2.c m_md4.c m_md5.c m_sha.c m_sha1.c \
         m_dss.c m_dss1.c m_mdc2.c m_ripemd.c m_ecdsa.c\
         p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \
@@ -30,10 +30,10 @@ LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \
         evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c \
         e_old.c
 
-LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \
+LIBOBJ= encode.o digest.o dig_eng.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \
         e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\
         e_rc4.o e_aes.o names.o e_seed.o \
-        e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \
+        e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o enc_min.o \
         m_null.o m_md2.o m_md4.o m_md5.o m_sha.o m_sha1.o \
         m_dss.o m_dss1.o m_mdc2.o m_ripemd.o m_ecdsa.o\
         p_open.o p_seal.o p_sign.o p_verify.o p_lib.o p_enc.o p_dec.o \
@@ -55,7 +55,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -101,177 +101,201 @@ bio_b64.o: ../../e_os.h ../../include/openssl/asn1.h
 bio_b64.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bio_b64.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_b64.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_b64.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-bio_b64.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-bio_b64.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-bio_b64.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bio_b64.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_b64.c
+bio_b64.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+bio_b64.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+bio_b64.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_b64.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bio_b64.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_b64.o: ../cryptlib.h bio_b64.c
 bio_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 bio_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 bio_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 bio_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-bio_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-bio_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-bio_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-bio_enc.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bio_enc.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_enc.c
+bio_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+bio_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+bio_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bio_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+bio_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_enc.o: ../cryptlib.h bio_enc.c
 bio_md.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 bio_md.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_md.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bio_md.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-bio_md.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_md.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_md.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-bio_md.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_md.o: ../cryptlib.h bio_md.c
+bio_md.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+bio_md.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_md.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_md.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_md.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bio_md.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_md.c
 bio_ok.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 bio_ok.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_ok.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bio_ok.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-bio_ok.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-bio_ok.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-bio_ok.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-bio_ok.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bio_ok.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_ok.c
+bio_ok.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+bio_ok.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+bio_ok.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+bio_ok.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+bio_ok.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+bio_ok.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bio_ok.o: ../cryptlib.h bio_ok.c
 c_all.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_all.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_all.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 c_all.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 c_all.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-c_all.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-c_all.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-c_all.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-c_all.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-c_all.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-c_all.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-c_all.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-c_all.o: ../cryptlib.h c_all.c
+c_all.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+c_all.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+c_all.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+c_all.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+c_all.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+c_all.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+c_all.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+c_all.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_all.c
 c_allc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_allc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_allc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 c_allc.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 c_allc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_allc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-c_allc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_allc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-c_allc.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_allc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-c_allc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-c_allc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-c_allc.o: ../cryptlib.h c_allc.c
+c_allc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+c_allc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_allc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_allc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+c_allc.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+c_allc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+c_allc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+c_allc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_allc.c
 c_alld.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 c_alld.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 c_alld.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 c_alld.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 c_alld.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-c_alld.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-c_alld.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-c_alld.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-c_alld.o: ../../include/openssl/pkcs12.h ../../include/openssl/pkcs7.h
-c_alld.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-c_alld.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-c_alld.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-c_alld.o: ../cryptlib.h c_alld.c
+c_alld.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+c_alld.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+c_alld.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+c_alld.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs12.h
+c_alld.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+c_alld.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+c_alld.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+c_alld.o: ../../include/openssl/x509_vfy.h ../cryptlib.h c_alld.c
+dig_eng.o: ../../e_os.h ../../include/openssl/asn1.h
+dig_eng.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+dig_eng.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+dig_eng.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+dig_eng.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+dig_eng.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+dig_eng.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+dig_eng.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+dig_eng.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+dig_eng.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+dig_eng.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+dig_eng.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+dig_eng.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+dig_eng.o: ../cryptlib.h dig_eng.c evp_locl.h
 digest.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 digest.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 digest.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 digest.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 digest.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-digest.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-digest.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-digest.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-digest.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-digest.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-digest.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-digest.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-digest.o: ../cryptlib.h digest.c
+digest.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+digest.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+digest.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+digest.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+digest.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+digest.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+digest.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+digest.o: ../../include/openssl/x509_vfy.h ../cryptlib.h digest.c evp_locl.h
 e_aes.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
 e_aes.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 e_aes.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_aes.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_aes.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_aes.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_aes.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.c
-e_aes.o: evp_locl.h
+e_aes.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_aes.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_aes.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_aes.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_aes.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_aes.o: ../../include/openssl/symhacks.h e_aes.c evp_locl.h
 e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h
 e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_bf.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_bf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-e_bf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_bf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_bf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_bf.o: ../../include/openssl/symhacks.h ../cryptlib.h e_bf.c evp_locl.h
+e_bf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+e_bf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_bf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_bf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_bf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_bf.o: ../cryptlib.h e_bf.c evp_locl.h
 e_camellia.o: ../../include/openssl/opensslconf.h e_camellia.c
 e_cast.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_cast.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
 e_cast.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_cast.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_cast.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-e_cast.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_cast.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_cast.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_cast.o: ../../include/openssl/symhacks.h ../cryptlib.h e_cast.c evp_locl.h
+e_cast.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+e_cast.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_cast.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_cast.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_cast.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_cast.o: ../cryptlib.h e_cast.c evp_locl.h
 e_des.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_des.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_des.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 e_des.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_des.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_des.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_des.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_des.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-e_des.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_des.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_des.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des.c evp_locl.h
+e_des.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_des.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_des.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_des.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_des.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+e_des.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_des.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+e_des.o: ../cryptlib.h e_des.c evp_locl.h
 e_des3.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_des3.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_des3.o: ../../include/openssl/des.h ../../include/openssl/des_old.h
 e_des3.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_des3.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_des3.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_des3.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_des3.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-e_des3.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_des3.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
-e_des3.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_des3.c evp_locl.h
+e_des3.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_des3.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_des3.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_des3.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_des3.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+e_des3.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_des3.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+e_des3.o: ../cryptlib.h e_des3.c evp_locl.h
 e_idea.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_idea.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_idea.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_idea.o: ../../include/openssl/evp.h ../../include/openssl/idea.h
-e_idea.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-e_idea.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_idea.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_idea.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_idea.o: ../../include/openssl/symhacks.h ../cryptlib.h e_idea.c evp_locl.h
+e_idea.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_idea.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
+e_idea.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_idea.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_idea.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_idea.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_idea.o: ../cryptlib.h e_idea.c evp_locl.h
 e_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_null.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_null.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-e_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-e_null.o: ../cryptlib.h e_null.c
+e_null.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_null.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_null.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+e_null.o: ../../include/openssl/symhacks.h ../cryptlib.h e_null.c
 e_old.o: e_old.c
 e_rc2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_rc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_rc2.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_rc2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_rc2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_rc2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc2.h
-e_rc2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_rc2.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc2.c evp_locl.h
+e_rc2.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_rc2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_rc2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_rc2.o: ../../include/openssl/rc2.h ../../include/openssl/safestack.h
+e_rc2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_rc2.o: ../cryptlib.h e_rc2.c evp_locl.h
 e_rc4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_rc4.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc4.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-e_rc4.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-e_rc4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-e_rc4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-e_rc4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rc4.h
-e_rc4.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_rc4.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc4.c
+e_rc4.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+e_rc4.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+e_rc4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_rc4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+e_rc4.o: ../../include/openssl/rc4.h ../../include/openssl/safestack.h
+e_rc4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_rc4.o: ../cryptlib.h e_rc4.c evp_locl.h
 e_rc5.o: ../../e_os.h ../../include/openssl/bio.h
 e_rc5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 e_rc5.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -282,107 +306,141 @@ e_rc5.o: ../../include/openssl/symhacks.h ../cryptlib.h e_rc5.c
 e_seed.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_seed.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 e_seed.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_seed.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-e_seed.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-e_seed.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-e_seed.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-e_seed.o: ../../include/openssl/symhacks.h e_seed.c
+e_seed.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+e_seed.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_seed.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+e_seed.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+e_seed.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+e_seed.o: e_seed.c
 e_xcbc_d.o: ../../e_os.h ../../include/openssl/asn1.h
 e_xcbc_d.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 e_xcbc_d.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
 e_xcbc_d.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 e_xcbc_d.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-e_xcbc_d.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-e_xcbc_d.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+e_xcbc_d.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+e_xcbc_d.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+e_xcbc_d.o: ../../include/openssl/opensslconf.h
 e_xcbc_d.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 e_xcbc_d.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 e_xcbc_d.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
 e_xcbc_d.o: ../../include/openssl/ui_compat.h ../cryptlib.h e_xcbc_d.c
+enc_min.o: ../../e_os.h ../../include/openssl/asn1.h
+enc_min.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_min.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+enc_min.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+enc_min.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+enc_min.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+enc_min.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+enc_min.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+enc_min.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+enc_min.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+enc_min.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+enc_min.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+enc_min.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+enc_min.o: ../../include/openssl/x509_vfy.h ../cryptlib.h enc_min.c evp_locl.h
 encode.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 encode.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 encode.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-encode.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-encode.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-encode.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-encode.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
-encode.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-encode.o: ../cryptlib.h encode.c
+encode.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+encode.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+encode.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+encode.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+encode.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+encode.o: ../../include/openssl/symhacks.h ../cryptlib.h encode.c
 evp_acnf.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_acnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_acnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
 evp_acnf.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_acnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_acnf.o: ../../include/openssl/opensslconf.h
+evp_acnf.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+evp_acnf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_acnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c
+evp_cnf.o: ../../e_os.h ../../include/openssl/asn1.h
+evp_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h
+evp_cnf.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h
+evp_cnf.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+evp_cnf.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
+evp_cnf.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+evp_cnf.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_cnf.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_cnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_cnf.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+evp_cnf.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_cnf.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+evp_cnf.o: ../../include/openssl/x509_vfy.h ../../include/openssl/x509v3.h
+evp_cnf.o: ../cryptlib.h evp_cnf.c
 evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_enc.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 evp_enc.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 evp_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-evp_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-evp_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-evp_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+evp_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_err.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-evp_err.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-evp_err.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-evp_err.o: ../../include/openssl/symhacks.h evp_err.c
+evp_err.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+evp_err.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_err.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+evp_err.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+evp_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_err.o: evp_err.c
 evp_key.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_key.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 evp_key.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-evp_key.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_key.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-evp_key.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_key.o: ../../include/openssl/ui.h ../../include/openssl/x509.h
-evp_key.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_key.c
+evp_key.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+evp_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+evp_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_key.o: ../../include/openssl/symhacks.h ../../include/openssl/ui.h
+evp_key.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+evp_key.o: ../cryptlib.h evp_key.c
 evp_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-evp_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-evp_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-evp_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-evp_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-evp_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_lib.c
+evp_lib.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+evp_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+evp_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+evp_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
+evp_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+evp_lib.o: ../cryptlib.h evp_lib.c
 evp_pbe.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_pbe.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 evp_pbe.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_pbe.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 evp_pbe.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-evp_pbe.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_pbe.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_pbe.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-evp_pbe.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-evp_pbe.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-evp_pbe.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-evp_pbe.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-evp_pbe.o: ../cryptlib.h evp_pbe.c
+evp_pbe.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+evp_pbe.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_pbe.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+evp_pbe.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+evp_pbe.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+evp_pbe.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+evp_pbe.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+evp_pbe.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_pbe.c
 evp_pkey.o: ../../e_os.h ../../include/openssl/asn1.h
 evp_pkey.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 evp_pkey.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 evp_pkey.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 evp_pkey.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 evp_pkey.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-evp_pkey.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-evp_pkey.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-evp_pkey.o: ../../include/openssl/opensslconf.h
+evp_pkey.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+evp_pkey.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+evp_pkey.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 evp_pkey.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 evp_pkey.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 evp_pkey.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
@@ -394,106 +452,110 @@ m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_dss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_dss.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 m_dss.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_dss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_dss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_dss.o: ../cryptlib.h m_dss.c
+m_dss.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_dss.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+m_dss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_dss.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_dss.c
 m_dss1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_dss1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 m_dss1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 m_dss1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_dss1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_dss1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_dss1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_dss1.o: ../cryptlib.h m_dss1.c
+m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_dss1.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+m_dss1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_dss1.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_dss1.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_dss1.c
 m_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h
 m_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 m_ecdsa.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 m_ecdsa.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 m_ecdsa.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_ecdsa.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_ecdsa.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_ecdsa.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_ecdsa.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_ecdsa.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_ecdsa.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_ecdsa.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_ecdsa.o: ../cryptlib.h m_ecdsa.c
+m_ecdsa.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+m_ecdsa.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_ecdsa.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_ecdsa.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_ecdsa.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+m_ecdsa.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_ecdsa.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_ecdsa.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_ecdsa.c
 m_md2.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_md2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_md2.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_md2.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_md2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md2.o: ../../include/openssl/lhash.h ../../include/openssl/md2.h
-m_md2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_md2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md2.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_md2.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-m_md2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-m_md2.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-m_md2.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md2.c
+m_md2.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_md2.o: ../../include/openssl/md2.h ../../include/openssl/obj_mac.h
+m_md2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_md2.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+m_md2.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_md2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_md2.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md2.o: ../cryptlib.h evp_locl.h m_md2.c
 m_md4.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_md4.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_md4.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_md4.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_md4.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md4.o: ../../include/openssl/lhash.h ../../include/openssl/md4.h
-m_md4.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_md4.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md4.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_md4.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-m_md4.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-m_md4.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-m_md4.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md4.c
+m_md4.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_md4.o: ../../include/openssl/md4.h ../../include/openssl/obj_mac.h
+m_md4.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md4.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_md4.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+m_md4.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_md4.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_md4.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md4.o: ../cryptlib.h evp_locl.h m_md4.c
 m_md5.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_md5.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_md5.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_md5.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_md5.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_md5.o: ../../include/openssl/lhash.h ../../include/openssl/md5.h
-m_md5.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_md5.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-m_md5.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-m_md5.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-m_md5.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-m_md5.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-m_md5.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_md5.c
+m_md5.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_md5.o: ../../include/openssl/md5.h ../../include/openssl/obj_mac.h
+m_md5.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+m_md5.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+m_md5.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+m_md5.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_md5.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_md5.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_md5.o: ../cryptlib.h evp_locl.h m_md5.c
 m_mdc2.o: ../../e_os.h ../../include/openssl/bio.h
 m_mdc2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_mdc2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 m_mdc2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 m_mdc2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 m_mdc2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-m_mdc2.o: ../../include/openssl/symhacks.h ../cryptlib.h m_mdc2.c
+m_mdc2.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_locl.h m_mdc2.c
 m_null.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_null.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_null.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_null.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-m_null.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_null.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_null.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-m_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-m_null.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-m_null.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_null.c
+m_null.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_null.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_null.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_null.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_null.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+m_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+m_null.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+m_null.o: ../cryptlib.h m_null.c
 m_ripemd.o: ../../e_os.h ../../include/openssl/asn1.h
 m_ripemd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 m_ripemd.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 m_ripemd.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-m_ripemd.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-m_ripemd.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-m_ripemd.o: ../../include/openssl/opensslconf.h
+m_ripemd.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+m_ripemd.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+m_ripemd.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/ripemd.h
 m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
@@ -505,60 +567,62 @@ m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_sha.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_sha.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_sha.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-m_sha.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_sha.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_sha.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
-m_sha.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_sha.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_sha.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_sha.o: ../cryptlib.h m_sha.c
+m_sha.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_sha.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_sha.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_sha.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_sha.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_sha.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_locl.h m_sha.c
 m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 m_sha1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
-m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-m_sha1.o: ../cryptlib.h m_sha1.c
+m_sha1.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+m_sha1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+m_sha1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+m_sha1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+m_sha1.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+m_sha1.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+m_sha1.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+m_sha1.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_sha1.c
 names.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 names.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 names.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 names.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 names.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-names.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-names.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-names.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-names.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-names.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-names.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-names.o: ../../include/openssl/x509_vfy.h ../cryptlib.h names.c
+names.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+names.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+names.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+names.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+names.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+names.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+names.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+names.o: ../cryptlib.h names.c
 p5_crpt.o: ../../e_os.h ../../include/openssl/asn1.h
 p5_crpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 p5_crpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 p5_crpt.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 p5_crpt.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-p5_crpt.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-p5_crpt.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p5_crpt.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p5_crpt.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-p5_crpt.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p5_crpt.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p5_crpt.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p5_crpt.o: ../cryptlib.h p5_crpt.c
+p5_crpt.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+p5_crpt.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p5_crpt.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p5_crpt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p5_crpt.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
+p5_crpt.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p5_crpt.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p5_crpt.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p5_crpt.c
 p5_crpt2.o: ../../e_os.h ../../include/openssl/asn1.h
 p5_crpt2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 p5_crpt2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 p5_crpt2.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 p5_crpt2.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-p5_crpt2.o: ../../include/openssl/evp.h ../../include/openssl/hmac.h
-p5_crpt2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p5_crpt2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p5_crpt2.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+p5_crpt2.o: ../../include/openssl/hmac.h ../../include/openssl/lhash.h
+p5_crpt2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p5_crpt2.o: ../../include/openssl/opensslconf.h
 p5_crpt2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p5_crpt2.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 p5_crpt2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -569,27 +633,29 @@ p_dec.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_dec.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 p_dec.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p_dec.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_dec.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p_dec.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_dec.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_dec.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_dec.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_dec.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_dec.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_dec.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_dec.c
+p_dec.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+p_dec.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p_dec.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_dec.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p_dec.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+p_dec.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_dec.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_dec.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_dec.o: ../cryptlib.h p_dec.c
 p_enc.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 p_enc.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 p_enc.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p_enc.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_enc.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p_enc.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_enc.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_enc.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_enc.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_enc.c
+p_enc.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+p_enc.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p_enc.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+p_enc.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_enc.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_enc.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_enc.o: ../cryptlib.h p_enc.c
 p_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 p_lib.o: ../../include/openssl/asn1_mac.h ../../include/openssl/bio.h
 p_lib.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
@@ -597,60 +663,63 @@ p_lib.o: ../../include/openssl/crypto.h ../../include/openssl/dh.h
 p_lib.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 p_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 p_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-p_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-p_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-p_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-p_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_lib.c
+p_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+p_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+p_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+p_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
+p_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_lib.o: ../cryptlib.h p_lib.c
 p_open.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 p_open.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_open.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 p_open.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p_open.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_open.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p_open.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_open.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_open.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
-p_open.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-p_open.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-p_open.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-p_open.o: ../cryptlib.h p_open.c
+p_open.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+p_open.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p_open.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_open.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p_open.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+p_open.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+p_open.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+p_open.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_open.c
 p_seal.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 p_seal.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_seal.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 p_seal.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p_seal.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_seal.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p_seal.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_seal.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_seal.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
-p_seal.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-p_seal.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_seal.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_seal.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_seal.c
+p_seal.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+p_seal.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p_seal.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_seal.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p_seal.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+p_seal.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_seal.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_seal.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_seal.o: ../cryptlib.h p_seal.c
 p_sign.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 p_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 p_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 p_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 p_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-p_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-p_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-p_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-p_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
-p_sign.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-p_sign.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-p_sign.o: ../../include/openssl/x509_vfy.h ../cryptlib.h p_sign.c
+p_sign.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+p_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+p_sign.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+p_sign.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
+p_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+p_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+p_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+p_sign.o: ../cryptlib.h p_sign.c
 p_verify.o: ../../e_os.h ../../include/openssl/asn1.h
 p_verify.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 p_verify.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 p_verify.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 p_verify.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h
-p_verify.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-p_verify.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-p_verify.o: ../../include/openssl/opensslconf.h
+p_verify.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+p_verify.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+p_verify.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 p_verify.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 p_verify.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h
 p_verify.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
diff --git a/src/lib/libcrypto/evp/bio_md.c b/src/lib/libcrypto/evp/bio_md.c
index d648ac6da6..ed5c1135fd 100644
--- a/src/lib/libcrypto/evp/bio_md.c
+++ b/src/lib/libcrypto/evp/bio_md.c
@@ -192,13 +192,8 @@ static long md_ctrl(BIO *b, int cmd, long num, void *ptr)
                         ret=0;
                 break;
         case BIO_C_GET_MD_CTX:
-                if (b->init)
-                        {
-                        pctx=ptr;
-                        *pctx=ctx;
-                        }
-                else
-                        ret=0;
+                pctx=ptr;
+                *pctx=ctx;
                 break;
         case BIO_C_SET_MD_CTX:
                 if (b->init)
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 762e6d3450..3bc2d1295c 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -116,6 +116,7 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#include "evp_locl.h"
 
 void EVP_MD_CTX_init(EVP_MD_CTX *ctx)
         {
@@ -137,18 +138,77 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
         return EVP_DigestInit_ex(ctx, type, NULL);
         }
 
-int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+#ifdef OPENSSL_FIPS
+
+/* The purpose of these is to trap programs that attempt to use non FIPS
+ * algorithms in FIPS mode and ignore the errors.
+ */
+
+static int bad_init(EVP_MD_CTX *ctx)
+        { FIPS_ERROR_IGNORED("Digest init"); return 0;}
+
+static int bad_update(EVP_MD_CTX *ctx,const void *data,size_t count)
+        { FIPS_ERROR_IGNORED("Digest update"); return 0;}
+
+static int bad_final(EVP_MD_CTX *ctx,unsigned char *md)
+        { FIPS_ERROR_IGNORED("Digest Final"); return 0;}
+
+static const EVP_MD bad_md =
         {
-        EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+        0,
+        0,
+        0,
+        0,
+        bad_init,
+        bad_update,
+        bad_final,
+        NULL,
+        NULL,
+        NULL,
+        0,
+        {0,0,0,0},
+        };
+
+#endif
+
 #ifndef OPENSSL_NO_ENGINE
-        /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
-         * so this context may already have an ENGINE! Try to avoid releasing
-         * the previous handle, re-querying for an ENGINE, and having a
-         * reinitialisation, when it may all be unecessary. */
-        if (ctx->engine && ctx->digest && (!type ||
-                        (type && (type->type == ctx->digest->type))))
-                goto skip_to_init;
-        if (type)
+
+#ifdef OPENSSL_FIPS
+
+static int do_engine_null(ENGINE *impl) { return 0;}
+static int do_evp_md_engine_null(EVP_MD_CTX *ctx,
+                                const EVP_MD **ptype, ENGINE *impl)
+        { return 1; }
+
+static int (*do_engine_init)(ENGINE *impl)
+                = do_engine_null;
+
+static int (*do_engine_finish)(ENGINE *impl)
+                = do_engine_null;
+
+static int (*do_evp_md_engine)
+        (EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
+                = do_evp_md_engine_null;
+
+void int_EVP_MD_set_engine_callbacks(
+        int (*eng_md_init)(ENGINE *impl),
+        int (*eng_md_fin)(ENGINE *impl),
+        int (*eng_md_evp)
+                (EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl))
+        {
+        do_engine_init = eng_md_init;
+        do_engine_finish = eng_md_fin;
+        do_evp_md_engine = eng_md_evp;
+        }
+
+#else
+
+#define do_engine_init  ENGINE_init
+#define do_engine_finish ENGINE_finish
+
+static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
+        {
+        if (*ptype)
                 {
                 /* Ensure an ENGINE left lying around from last time is cleared
                  * (the previous check attempted to avoid this if the same
@@ -159,25 +219,25 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                         {
                         if (!ENGINE_init(impl))
                                 {
-                                EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR);
+                                EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
                                 return 0;
                                 }
                         }
                 else
                         /* Ask if an ENGINE is reserved for this job */
-                        impl = ENGINE_get_digest_engine(type->type);
+                        impl = ENGINE_get_digest_engine((*ptype)->type);
                 if(impl)
                         {
                         /* There's an ENGINE for this job ... (apparently) */
-                        const EVP_MD *d = ENGINE_get_digest(impl, type->type);
+                        const EVP_MD *d = ENGINE_get_digest(impl, (*ptype)->type);
                         if(!d)
                                 {
                                 /* Same comment from evp_enc.c */
-                                EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_INITIALIZATION_ERROR);
+                                EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
                                 return 0;
                                 }
                         /* We'll use the ENGINE's private digest definition */
-                        type = d;
+                        *ptype = d;
                         /* Store the ENGINE functional reference so we know
                          * 'type' came from an ENGINE and we need to release
                          * it when done. */
@@ -189,12 +249,52 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
         else
         if(!ctx->digest)
                 {
-                EVPerr(EVP_F_EVP_DIGESTINIT_EX,EVP_R_NO_DIGEST_SET);
+                EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_NO_DIGEST_SET);
                 return 0;
                 }
+        return 1;
+        }
+
+#endif
+
+#endif
+
+int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
+        {
+        M_EVP_MD_CTX_clear_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+#ifdef OPENSSL_FIPS
+        if(FIPS_selftest_failed())
+                {
+                FIPSerr(FIPS_F_EVP_DIGESTINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED);
+                ctx->digest = &bad_md;
+                return 0;
+                }
+#endif
+#ifndef OPENSSL_NO_ENGINE
+        /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
+         * so this context may already have an ENGINE! Try to avoid releasing
+         * the previous handle, re-querying for an ENGINE, and having a
+         * reinitialisation, when it may all be unecessary. */
+        if (ctx->engine && ctx->digest && (!type ||
+                        (type && (type->type == ctx->digest->type))))
+                goto skip_to_init;
+        if (!do_evp_md_engine(ctx, &type, impl))
+                return 0;
 #endif
         if (ctx->digest != type)
                 {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        {
+                        if (!(type->flags & EVP_MD_FLAG_FIPS) 
+                         && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW))
+                                {
+                                EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
+                                ctx->digest = &bad_md;
+                                return 0;
+                                }
+                        }
+#endif
                 if (ctx->digest && ctx->digest->ctx_size)
                         OPENSSL_free(ctx->md_data);
                 ctx->digest=type;
@@ -202,7 +302,7 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
                         ctx->md_data=OPENSSL_malloc(type->ctx_size);
                 }
 #ifndef OPENSSL_NO_ENGINE
-skip_to_init:
+        skip_to_init:
 #endif
         return ctx->digest->init(ctx);
         }
@@ -210,6 +310,9 @@ skip_to_init:
 int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data,
              size_t count)
         {
+#ifdef OPENSSL_FIPS
+        FIPS_selftest_check();
+#endif
         return ctx->digest->update(ctx,data,count);
         }
 
@@ -226,6 +329,9 @@ int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
 int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
         {
         int ret;
+#ifdef OPENSSL_FIPS
+        FIPS_selftest_check();
+#endif
 
         OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
         ret=ctx->digest->final(ctx,md);
@@ -234,7 +340,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
         if (ctx->digest->cleanup)
                 {
                 ctx->digest->cleanup(ctx);
-                EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
+                M_EVP_MD_CTX_set_flags(ctx,EVP_MD_CTX_FLAG_CLEANED);
                 }
         memset(ctx->md_data,0,ctx->digest->ctx_size);
         return ret;
@@ -256,7 +362,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
                 }
 #ifndef OPENSSL_NO_ENGINE
         /* Make sure it's safe to copy a digest context using an ENGINE */
-        if (in->engine && !ENGINE_init(in->engine))
+        if (in->engine && !do_engine_init(in->engine))
                 {
                 EVPerr(EVP_F_EVP_MD_CTX_COPY_EX,ERR_R_ENGINE_LIB);
                 return 0;
@@ -266,7 +372,7 @@ int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
         if (out->digest == in->digest)
                 {
                 tmp_buf = out->md_data;
-                EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);
+                M_EVP_MD_CTX_set_flags(out,EVP_MD_CTX_FLAG_REUSE);
                 }
         else tmp_buf = NULL;
         EVP_MD_CTX_cleanup(out);
@@ -292,7 +398,7 @@ int EVP_Digest(const void *data, size_t count,
         int ret;
 
         EVP_MD_CTX_init(&ctx);
-        EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT);
+        M_EVP_MD_CTX_set_flags(&ctx,EVP_MD_CTX_FLAG_ONESHOT);
         ret=EVP_DigestInit_ex(&ctx, type, impl)
           && EVP_DigestUpdate(&ctx, data, count)
           && EVP_DigestFinal_ex(&ctx, md, size);
@@ -314,10 +420,10 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
          * because sometimes only copies of the context are ever finalised.
          */
         if (ctx->digest && ctx->digest->cleanup
-            && !EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
+            && !M_EVP_MD_CTX_test_flags(ctx,EVP_MD_CTX_FLAG_CLEANED))
                 ctx->digest->cleanup(ctx);
         if (ctx->digest && ctx->digest->ctx_size && ctx->md_data
-            && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
+            && !M_EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE))
                 {
                 OPENSSL_cleanse(ctx->md_data,ctx->digest->ctx_size);
                 OPENSSL_free(ctx->md_data);
@@ -326,7 +432,7 @@ int EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx)
         if(ctx->engine)
                 /* The EVP_MD we used belongs to an ENGINE, release the
                  * functional reference we held for this reason. */
-                ENGINE_finish(ctx->engine);
+                do_engine_finish(ctx->engine);
 #endif
         memset(ctx,'\0',sizeof *ctx);
 
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index bd6c0a3a62..c9a5ee8d75 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -69,32 +69,29 @@ typedef struct
 
 IMPLEMENT_BLOCK_CIPHER(aes_128, ks, AES, EVP_AES_KEY,
                        NID_aes_128, 16, 16, 16, 128,
-                       0, aes_init_key, NULL, 
-                       EVP_CIPHER_set_asn1_iv,
-                       EVP_CIPHER_get_asn1_iv,
-                       NULL)
+                       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                       aes_init_key,
+                       NULL, NULL, NULL, NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_192, ks, AES, EVP_AES_KEY,
                        NID_aes_192, 16, 24, 16, 128,
-                       0, aes_init_key, NULL, 
-                       EVP_CIPHER_set_asn1_iv,
-                       EVP_CIPHER_get_asn1_iv,
-                       NULL)
+                       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                       aes_init_key,
+                       NULL, NULL, NULL, NULL)
 IMPLEMENT_BLOCK_CIPHER(aes_256, ks, AES, EVP_AES_KEY,
                        NID_aes_256, 16, 32, 16, 128,
-                       0, aes_init_key, NULL, 
-                       EVP_CIPHER_set_asn1_iv,
-                       EVP_CIPHER_get_asn1_iv,
-                       NULL)
+                       EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                       aes_init_key,
+                       NULL, NULL, NULL, NULL)
 
-#define IMPLEMENT_AES_CFBR(ksize,cbits) IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16)
+#define IMPLEMENT_AES_CFBR(ksize,cbits,flags)   IMPLEMENT_CFBR(aes,AES,EVP_AES_KEY,ks,ksize,cbits,16,flags)
 
-IMPLEMENT_AES_CFBR(128,1)
-IMPLEMENT_AES_CFBR(192,1)
-IMPLEMENT_AES_CFBR(256,1)
+IMPLEMENT_AES_CFBR(128,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,1,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,1,EVP_CIPH_FLAG_FIPS)
 
-IMPLEMENT_AES_CFBR(128,8)
-IMPLEMENT_AES_CFBR(192,8)
-IMPLEMENT_AES_CFBR(256,8)
+IMPLEMENT_AES_CFBR(128,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(192,8,EVP_CIPH_FLAG_FIPS)
+IMPLEMENT_AES_CFBR(256,8,EVP_CIPH_FLAG_FIPS)
 
 static int aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
                    const unsigned char *iv, int enc)
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index 856323648c..04376df232 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -129,18 +129,21 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     }
 
 BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64,
-                        EVP_CIPH_RAND_KEY, des_init_key, NULL,
+                        EVP_CIPH_RAND_KEY,
+                        des_init_key, NULL,
                         EVP_CIPHER_set_asn1_iv,
                         EVP_CIPHER_get_asn1_iv,
                         des_ctrl)
 
 BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,1,
-                     EVP_CIPH_RAND_KEY, des_init_key,NULL,
+                     EVP_CIPH_RAND_KEY,
+                     des_init_key, NULL,
                      EVP_CIPHER_set_asn1_iv,
                      EVP_CIPHER_get_asn1_iv,des_ctrl)
 
 BLOCK_CIPHER_def_cfb(des,DES_key_schedule,NID_des,8,8,8,
-                     EVP_CIPH_RAND_KEY,des_init_key,NULL,
+                     EVP_CIPH_RAND_KEY,
+                     des_init_key,NULL,
                      EVP_CIPHER_set_asn1_iv,
                      EVP_CIPHER_get_asn1_iv,des_ctrl)
 
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index ac148efab2..f910af19b1 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -111,8 +111,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #ifdef KSSL_DEBUG
         {
         int i;
-        char *cp;
-        printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", ctx, ctx->buf_len);
+        printf("des_ede_cbc_cipher(ctx=%lx, buflen=%d)\n", (unsigned long)ctx, ctx->buf_len);
         printf("\t iv= ");
         for(i=0;i<8;i++)
                 printf("%02X",ctx->iv[i]);
@@ -164,9 +163,9 @@ static int des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     }
 
 BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
-                        EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, 
-                        EVP_CIPHER_set_asn1_iv,
-                        EVP_CIPHER_get_asn1_iv,
+                EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                        des_ede_init_key,
+                        NULL, NULL, NULL,
                         des3_ctrl)
 
 #define des_ede3_cfb64_cipher des_ede_cfb64_cipher
@@ -175,21 +174,21 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64,
 #define des_ede3_ecb_cipher des_ede_ecb_cipher
 
 BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64,
-                        EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, 
-                        EVP_CIPHER_set_asn1_iv,
-                        EVP_CIPHER_get_asn1_iv,
+                EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                        des_ede3_init_key,
+                        NULL, NULL, NULL,
                         des3_ctrl)
 
 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,1,
-                     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-                     EVP_CIPHER_set_asn1_iv,
-                     EVP_CIPHER_get_asn1_iv,
+                EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                     des_ede3_init_key,
+                     NULL, NULL, NULL,
                      des3_ctrl)
 
 BLOCK_CIPHER_def_cfb(des_ede3,DES_EDE_KEY,NID_des_ede3,24,8,8,
-                     EVP_CIPH_RAND_KEY, des_ede3_init_key,NULL,
-                     EVP_CIPHER_set_asn1_iv,
-                     EVP_CIPHER_get_asn1_iv,
+                EVP_CIPH_RAND_KEY|EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_DEFAULT_ASN1,
+                     des_ede3_init_key,
+                     NULL, NULL, NULL,
                      des3_ctrl)
 
 static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
@@ -216,7 +215,7 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 #ifdef KSSL_DEBUG
         {
         int i;
-        printf("des_ede3_init_key(ctx=%lx)\n", ctx);
+        printf("des_ede3_init_key(ctx=%lx)\n", (unsigned long)ctx);
         printf("\tKEY= ");
         for(i=0;i<24;i++) printf("%02X",key[i]); printf("\n");
         printf("\t IV= ");
diff --git a/src/lib/libcrypto/evp/e_null.c b/src/lib/libcrypto/evp/e_null.c
index 5205259f18..0872d733e4 100644
--- a/src/lib/libcrypto/evp/e_null.c
+++ b/src/lib/libcrypto/evp/e_null.c
@@ -69,7 +69,7 @@ static const EVP_CIPHER n_cipher=
         {
         NID_undef,
         1,0,0,
-        0,
+        EVP_CIPH_FLAG_FIPS,
         null_init_key,
         null_cipher,
         NULL,
diff --git a/src/lib/libcrypto/evp/e_rc4.c b/src/lib/libcrypto/evp/e_rc4.c
index 67af850bea..55baad7446 100644
--- a/src/lib/libcrypto/evp/e_rc4.c
+++ b/src/lib/libcrypto/evp/e_rc4.c
@@ -64,6 +64,7 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/rc4.h>
+#include "evp_locl.h"
 
 /* FIXME: surely this is available elsewhere? */
 #define EVP_RC4_KEY_SIZE                16
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 1aa2d6fb35..51011f2b14 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -75,6 +75,10 @@
 #include <openssl/bio.h>
 #endif
 
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 /*
 #define EVP_RC2_KEY_SIZE                16
 #define EVP_RC4_KEY_SIZE                16
@@ -250,9 +254,19 @@ typedef int evp_verify_method(int type,const unsigned char *m,
                             unsigned int m_length,const unsigned char *sigbuf,
                             unsigned int siglen, void *key);
 
+typedef struct
+        {
+        EVP_MD_CTX *mctx;
+        void *key;
+        } EVP_MD_SVCTX;
+
 #define EVP_MD_FLAG_ONESHOT     0x0001 /* digest can only handle a single
                                         * block */
 
+#define EVP_MD_FLAG_FIPS        0x0400 /* Note if suitable for use in FIPS mode */
+
+#define EVP_MD_FLAG_SVCTX       0x0800 /* pass EVP_MD_SVCTX to sign/verify */
+
 #define EVP_PKEY_NULL_method    NULL,NULL,{0,0,0,0}
 
 #ifndef OPENSSL_NO_DSA
@@ -306,6 +320,15 @@ struct env_md_ctx_st
 #define EVP_MD_CTX_FLAG_NON_FIPS_ALLOW  0x0008  /* Allow use of non FIPS digest
                                                  * in FIPS mode */
 
+#define EVP_MD_CTX_FLAG_PAD_MASK        0xF0    /* RSA mode to use */
+#define EVP_MD_CTX_FLAG_PAD_PKCS1       0x00    /* PKCS#1 v1.5 mode */
+#define EVP_MD_CTX_FLAG_PAD_X931        0x10    /* X9.31 mode */
+#define EVP_MD_CTX_FLAG_PAD_PSS         0x20    /* PSS mode */
+#define M_EVP_MD_CTX_FLAG_PSS_SALT(ctx) \
+                ((ctx->flags>>16) &0xFFFF) /* seed length */
+#define EVP_MD_CTX_FLAG_PSS_MDLEN       0xFFFF  /* salt len same as digest */
+#define EVP_MD_CTX_FLAG_PSS_MREC        0xFFFE  /* salt max or auto recovered */
+
 struct evp_cipher_st
         {
         int nid;
@@ -349,6 +372,14 @@ struct evp_cipher_st
 #define         EVP_CIPH_NO_PADDING             0x100
 /* cipher handles random key generation */
 #define         EVP_CIPH_RAND_KEY               0x200
+/* Note if suitable for use in FIPS mode */
+#define         EVP_CIPH_FLAG_FIPS              0x400
+/* Allow non FIPS cipher in FIPS mode */
+#define         EVP_CIPH_FLAG_NON_FIPS_ALLOW    0x800
+/* Allow use default ASN1 get/set iv */
+#define         EVP_CIPH_FLAG_DEFAULT_ASN1      0x1000
+/* Buffer length in bits not bytes: CFB1 mode only */
+#define         EVP_CIPH_FLAG_LENGTH_BITS       0x2000
 
 /* ctrl() values */
 
@@ -432,6 +463,18 @@ typedef int (EVP_PBE_KEYGEN)(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
 #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
 
+/* Macros to reduce FIPS dependencies: do NOT use in applications */
+#define M_EVP_MD_size(e)                ((e)->md_size)
+#define M_EVP_MD_block_size(e)          ((e)->block_size)
+#define M_EVP_MD_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+#define M_EVP_MD_CTX_clear_flags(ctx,flgs) ((ctx)->flags&=~(flgs))
+#define M_EVP_MD_CTX_test_flags(ctx,flgs) ((ctx)->flags&(flgs))
+#define M_EVP_MD_type(e)                        ((e)->type)
+#define M_EVP_MD_CTX_type(e)            M_EVP_MD_type(M_EVP_MD_CTX_md(e))
+#define M_EVP_MD_CTX_md(e)                      ((e)->digest)
+
+#define M_EVP_CIPHER_CTX_set_flags(ctx,flgs) ((ctx)->flags|=(flgs))
+
 int EVP_MD_type(const EVP_MD *md);
 #define EVP_MD_nid(e)                   EVP_MD_type(e)
 #define EVP_MD_name(e)                  OBJ_nid2sn(EVP_MD_nid(e))
@@ -527,6 +570,10 @@ int	EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
                 const unsigned char *salt, const unsigned char *data,
                 int datal, int count, unsigned char *key,unsigned char *iv);
 
+void    EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags);
+void    EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags);
+int     EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx,int flags);
+
 int     EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher,
                 const unsigned char *key, const unsigned char *iv);
 int     EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *cipher, ENGINE *impl,
@@ -885,6 +932,24 @@ int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
                     EVP_PBE_KEYGEN *keygen);
 void EVP_PBE_cleanup(void);
 
+#ifdef OPENSSL_FIPS
+#ifndef OPENSSL_NO_ENGINE
+void int_EVP_MD_set_engine_callbacks(
+        int (*eng_md_init)(ENGINE *impl),
+        int (*eng_md_fin)(ENGINE *impl),
+        int (*eng_md_evp)
+                (EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl));
+void int_EVP_MD_init_engine_callbacks(void);
+void int_EVP_CIPHER_set_engine_callbacks(
+        int (*eng_ciph_fin)(ENGINE *impl),
+        int (*eng_ciph_evp)
+                (EVP_CIPHER_CTX *ctx, const EVP_CIPHER **pciph, ENGINE *impl));
+void int_EVP_CIPHER_init_engine_callbacks(void);
+#endif
+#endif
+
+void EVP_add_alg_module(void);
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
  * made after this point may be overwritten when the script is next run.
@@ -895,16 +960,23 @@ void ERR_load_EVP_strings(void);
 
 /* Function codes. */
 #define EVP_F_AES_INIT_KEY                               133
+#define EVP_F_ALG_MODULE_INIT                            138
 #define EVP_F_CAMELLIA_INIT_KEY                          159
 #define EVP_F_D2I_PKEY                                   100
+#define EVP_F_DO_EVP_ENC_ENGINE                          140
+#define EVP_F_DO_EVP_ENC_ENGINE_FULL                     141
+#define EVP_F_DO_EVP_MD_ENGINE                           139
+#define EVP_F_DO_EVP_MD_ENGINE_FULL                      142
 #define EVP_F_DSAPKEY2PKCS8                              134
 #define EVP_F_DSA_PKEY2PKCS8                             135
 #define EVP_F_ECDSA_PKEY2PKCS8                           129
 #define EVP_F_ECKEY_PKEY2PKCS8                           132
+#define EVP_F_EVP_CIPHERINIT                             137
 #define EVP_F_EVP_CIPHERINIT_EX                          123
 #define EVP_F_EVP_CIPHER_CTX_CTRL                        124
 #define EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH              122
 #define EVP_F_EVP_DECRYPTFINAL_EX                        101
+#define EVP_F_EVP_DIGESTINIT                             136
 #define EVP_F_EVP_DIGESTINIT_EX                          128
 #define EVP_F_EVP_ENCRYPTFINAL_EX                        127
 #define EVP_F_EVP_MD_CTX_COPY_EX                         110
@@ -946,15 +1018,20 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH          138
 #define EVP_R_DECODE_ERROR                               114
 #define EVP_R_DIFFERENT_KEY_TYPES                        101
+#define EVP_R_DISABLED_FOR_FIPS                          144
 #define EVP_R_ENCODE_ERROR                               115
+#define EVP_R_ERROR_LOADING_SECTION                      145
+#define EVP_R_ERROR_SETTING_FIPS_MODE                    146
 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR                   119
 #define EVP_R_EXPECTING_AN_RSA_KEY                       127
 #define EVP_R_EXPECTING_A_DH_KEY                         128
 #define EVP_R_EXPECTING_A_DSA_KEY                        129
 #define EVP_R_EXPECTING_A_ECDSA_KEY                      141
 #define EVP_R_EXPECTING_A_EC_KEY                         142
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED                    147
 #define EVP_R_INITIALIZATION_ERROR                       134
 #define EVP_R_INPUT_NOT_INITIALIZED                      111
+#define EVP_R_INVALID_FIPS_MODE                          148
 #define EVP_R_INVALID_KEY_LENGTH                         130
 #define EVP_R_IV_TOO_LARGE                               102
 #define EVP_R_KEYGEN_FAILURE                             120
@@ -966,6 +1043,7 @@ void ERR_load_EVP_strings(void);
 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED              105
 #define EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE                  117
 #define EVP_R_PUBLIC_KEY_NOT_RSA                         106
+#define EVP_R_UNKNOWN_OPTION                             149
 #define EVP_R_UNKNOWN_PBE_ALGORITHM                      121
 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS                135
 #define EVP_R_UNSUPPORTED_CIPHER                         107
diff --git a/src/lib/libcrypto/evp/evp_acnf.c b/src/lib/libcrypto/evp/evp_acnf.c
index ff3e311cc5..643a1864e8 100644
--- a/src/lib/libcrypto/evp/evp_acnf.c
+++ b/src/lib/libcrypto/evp/evp_acnf.c
@@ -1,5 +1,5 @@
 /* evp_acnf.c */
-/* Written by Stephen Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 6e582c458d..30e0ca4d9f 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -66,13 +66,15 @@
 #endif
 #include "evp_locl.h"
 
-const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
+#ifdef OPENSSL_FIPS
+        #define M_do_cipher(ctx, out, in, inl) \
+                EVP_Cipher(ctx,out,in,inl)
+#else
+        #define M_do_cipher(ctx, out, in, inl) \
+                ctx->cipher->do_cipher(ctx,out,in,inl)
+#endif
 
-void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *ctx)
-        {
-        memset(ctx,0,sizeof(EVP_CIPHER_CTX));
-        /* ctx->cipher=NULL; */
-        }
+const char EVP_version[]="EVP" OPENSSL_VERSION_PTEXT;
 
 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
         {
@@ -90,144 +92,6 @@ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
         return EVP_CipherInit_ex(ctx,cipher,NULL,key,iv,enc);
         }
 
-int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
-             const unsigned char *key, const unsigned char *iv, int enc)
-        {
-        if (enc == -1)
-                enc = ctx->encrypt;
-        else
-                {
-                if (enc)
-                        enc = 1;
-                ctx->encrypt = enc;
-                }
-#ifndef OPENSSL_NO_ENGINE
-        /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
-         * so this context may already have an ENGINE! Try to avoid releasing
-         * the previous handle, re-querying for an ENGINE, and having a
-         * reinitialisation, when it may all be unecessary. */
-        if (ctx->engine && ctx->cipher && (!cipher ||
-                        (cipher && (cipher->nid == ctx->cipher->nid))))
-                goto skip_to_init;
-#endif
-        if (cipher)
-                {
-                /* Ensure a context left lying around from last time is cleared
-                 * (the previous check attempted to avoid this if the same
-                 * ENGINE and EVP_CIPHER could be used). */
-                EVP_CIPHER_CTX_cleanup(ctx);
-
-                /* Restore encrypt field: it is zeroed by cleanup */
-                ctx->encrypt = enc;
-#ifndef OPENSSL_NO_ENGINE
-                if(impl)
-                        {
-                        if (!ENGINE_init(impl))
-                                {
-                                EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
-                                return 0;
-                                }
-                        }
-                else
-                        /* Ask if an ENGINE is reserved for this job */
-                        impl = ENGINE_get_cipher_engine(cipher->nid);
-                if(impl)
-                        {
-                        /* There's an ENGINE for this job ... (apparently) */
-                        const EVP_CIPHER *c = ENGINE_get_cipher(impl, cipher->nid);
-                        if(!c)
-                                {
-                                /* One positive side-effect of US's export
-                                 * control history, is that we should at least
-                                 * be able to avoid using US mispellings of
-                                 * "initialisation"? */
-                                EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
-                                return 0;
-                                }
-                        /* We'll use the ENGINE's private cipher definition */
-                        cipher = c;
-                        /* Store the ENGINE functional reference so we know
-                         * 'cipher' came from an ENGINE and we need to release
-                         * it when done. */
-                        ctx->engine = impl;
-                        }
-                else
-                        ctx->engine = NULL;
-#endif
-
-                ctx->cipher=cipher;
-                if (ctx->cipher->ctx_size)
-                        {
-                        ctx->cipher_data=OPENSSL_malloc(ctx->cipher->ctx_size);
-                        if (!ctx->cipher_data)
-                                {
-                                EVPerr(EVP_F_EVP_CIPHERINIT_EX, ERR_R_MALLOC_FAILURE);
-                                return 0;
-                                }
-                        }
-                else
-                        {
-                        ctx->cipher_data = NULL;
-                        }
-                ctx->key_len = cipher->key_len;
-                ctx->flags = 0;
-                if(ctx->cipher->flags & EVP_CIPH_CTRL_INIT)
-                        {
-                        if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL))
-                                {
-                                EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_INITIALIZATION_ERROR);
-                                return 0;
-                                }
-                        }
-                }
-        else if(!ctx->cipher)
-                {
-                EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_NO_CIPHER_SET);
-                return 0;
-                }
-#ifndef OPENSSL_NO_ENGINE
-skip_to_init:
-#endif
-        /* we assume block size is a power of 2 in *cryptUpdate */
-        OPENSSL_assert(ctx->cipher->block_size == 1
-            || ctx->cipher->block_size == 8
-            || ctx->cipher->block_size == 16);
-
-        if(!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) {
-                switch(EVP_CIPHER_CTX_mode(ctx)) {
-
-                        case EVP_CIPH_STREAM_CIPHER:
-                        case EVP_CIPH_ECB_MODE:
-                        break;
-
-                        case EVP_CIPH_CFB_MODE:
-                        case EVP_CIPH_OFB_MODE:
-
-                        ctx->num = 0;
-
-                        case EVP_CIPH_CBC_MODE:
-
-                        OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) <=
-                                        (int)sizeof(ctx->iv));
-                        if(iv) memcpy(ctx->oiv, iv, EVP_CIPHER_CTX_iv_length(ctx));
-                        memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
-                        break;
-
-                        default:
-                        return 0;
-                        break;
-                }
-        }
-
-        if(key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) {
-                if(!ctx->cipher->init(ctx,key,iv,enc)) return 0;
-        }
-        ctx->buf_len=0;
-        ctx->final_used=0;
-        ctx->block_mask=ctx->cipher->block_size-1;
-        return 1;
-        }
-
 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
              const unsigned char *in, int inl)
         {
@@ -287,7 +151,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
 
         if(ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0)
                 {
-                if(ctx->cipher->do_cipher(ctx,out,in,inl))
+                if(M_do_cipher(ctx,out,in,inl))
                         {
                         *outl=inl;
                         return 1;
@@ -314,7 +178,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
                         {
                         j=bl-i;
                         memcpy(&(ctx->buf[i]),in,j);
-                        if(!ctx->cipher->do_cipher(ctx,out,ctx->buf,bl)) return 0;
+                        if(!M_do_cipher(ctx,out,ctx->buf,bl)) return 0;
                         inl-=j;
                         in+=j;
                         out+=bl;
@@ -327,7 +191,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
         inl-=i;
         if (inl > 0)
                 {
-                if(!ctx->cipher->do_cipher(ctx,out,in,inl)) return 0;
+                if(!M_do_cipher(ctx,out,in,inl)) return 0;
                 *outl+=inl;
                 }
 
@@ -371,7 +235,7 @@ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
         n=b-bl;
         for (i=bl; i<b; i++)
                 ctx->buf[i]=n;
-        ret=ctx->cipher->do_cipher(ctx,out,ctx->buf,b);
+        ret=M_do_cipher(ctx,out,ctx->buf,b);
 
 
         if(ret)
@@ -493,28 +357,6 @@ void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)
                 }
         }
 
-int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
-        {
-        if (c->cipher != NULL)
-                {
-                if(c->cipher->cleanup && !c->cipher->cleanup(c))
-                        return 0;
-                /* Cleanse cipher context data */
-                if (c->cipher_data)
-                        OPENSSL_cleanse(c->cipher_data, c->cipher->ctx_size);
-                }
-        if (c->cipher_data)
-                OPENSSL_free(c->cipher_data);
-#ifndef OPENSSL_NO_ENGINE
-        if (c->engine)
-                /* The EVP_CIPHER we used belongs to an ENGINE, release the
-                 * functional reference we held for this reason. */
-                ENGINE_finish(c->engine);
-#endif
-        memset(c,0,sizeof(EVP_CIPHER_CTX));
-        return 1;
-        }
-
 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
         {
         if(c->cipher->flags & EVP_CIPH_CUSTOM_KEY_LENGTH) 
@@ -536,27 +378,6 @@ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *ctx, int pad)
         return 1;
         }
 
-int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-{
-        int ret;
-        if(!ctx->cipher) {
-                EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_NO_CIPHER_SET);
-                return 0;
-        }
-
-        if(!ctx->cipher->ctrl) {
-                EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_NOT_IMPLEMENTED);
-                return 0;
-        }
-
-        ret = ctx->cipher->ctrl(ctx, type, arg, ptr);
-        if(ret == -1) {
-                EVPerr(EVP_F_EVP_CIPHER_CTX_CTRL, EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED);
-                return 0;
-        }
-        return ret;
-}
-
 int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
         {
         if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
@@ -566,3 +387,54 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
         return 1;
         }
 
+#ifndef OPENSSL_NO_ENGINE
+
+#ifdef OPENSSL_FIPS
+
+static int do_evp_enc_engine_full(EVP_CIPHER_CTX *ctx, const EVP_CIPHER **pcipher, ENGINE *impl)
+        {
+        if(impl)
+                {
+                if (!ENGINE_init(impl))
+                        {
+                        EVPerr(EVP_F_DO_EVP_ENC_ENGINE_FULL, EVP_R_INITIALIZATION_ERROR);
+                        return 0;
+                        }
+                }
+        else
+                /* Ask if an ENGINE is reserved for this job */
+                impl = ENGINE_get_cipher_engine((*pcipher)->nid);
+        if(impl)
+                {
+                /* There's an ENGINE for this job ... (apparently) */
+                const EVP_CIPHER *c = ENGINE_get_cipher(impl, (*pcipher)->nid);
+                if(!c)
+                        {
+                        /* One positive side-effect of US's export
+                         * control history, is that we should at least
+                         * be able to avoid using US mispellings of
+                         * "initialisation"? */
+                        EVPerr(EVP_F_DO_EVP_ENC_ENGINE_FULL, EVP_R_INITIALIZATION_ERROR);
+                        return 0;
+                        }
+                /* We'll use the ENGINE's private cipher definition */
+                *pcipher = c;
+                /* Store the ENGINE functional reference so we know
+                 * 'cipher' came from an ENGINE and we need to release
+                 * it when done. */
+                ctx->engine = impl;
+                }
+        else
+                ctx->engine = NULL;
+        return 1;
+        }
+
+void int_EVP_CIPHER_init_engine_callbacks(void)
+        {
+        int_EVP_CIPHER_set_engine_callbacks(
+                ENGINE_finish, do_evp_enc_engine_full);
+        }
+
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index e8c9e8de9c..b5b900d4fe 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -1,6 +1,6 @@
 /* crypto/evp/evp_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -71,16 +71,23 @@
 static ERR_STRING_DATA EVP_str_functs[]=
         {
 {ERR_FUNC(EVP_F_AES_INIT_KEY),  "AES_INIT_KEY"},
+{ERR_FUNC(EVP_F_ALG_MODULE_INIT),       "ALG_MODULE_INIT"},
 {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY),     "CAMELLIA_INIT_KEY"},
 {ERR_FUNC(EVP_F_D2I_PKEY),      "D2I_PKEY"},
+{ERR_FUNC(EVP_F_DO_EVP_ENC_ENGINE),     "DO_EVP_ENC_ENGINE"},
+{ERR_FUNC(EVP_F_DO_EVP_ENC_ENGINE_FULL),        "DO_EVP_ENC_ENGINE_FULL"},
+{ERR_FUNC(EVP_F_DO_EVP_MD_ENGINE),      "DO_EVP_MD_ENGINE"},
+{ERR_FUNC(EVP_F_DO_EVP_MD_ENGINE_FULL), "DO_EVP_MD_ENGINE_FULL"},
 {ERR_FUNC(EVP_F_DSAPKEY2PKCS8), "DSAPKEY2PKCS8"},
 {ERR_FUNC(EVP_F_DSA_PKEY2PKCS8),        "DSA_PKEY2PKCS8"},
 {ERR_FUNC(EVP_F_ECDSA_PKEY2PKCS8),      "ECDSA_PKEY2PKCS8"},
 {ERR_FUNC(EVP_F_ECKEY_PKEY2PKCS8),      "ECKEY_PKEY2PKCS8"},
+{ERR_FUNC(EVP_F_EVP_CIPHERINIT),        "EVP_CipherInit"},
 {ERR_FUNC(EVP_F_EVP_CIPHERINIT_EX),     "EVP_CipherInit_ex"},
 {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_CTRL),   "EVP_CIPHER_CTX_ctrl"},
 {ERR_FUNC(EVP_F_EVP_CIPHER_CTX_SET_KEY_LENGTH), "EVP_CIPHER_CTX_set_key_length"},
 {ERR_FUNC(EVP_F_EVP_DECRYPTFINAL_EX),   "EVP_DecryptFinal_ex"},
+{ERR_FUNC(EVP_F_EVP_DIGESTINIT),        "EVP_DigestInit"},
 {ERR_FUNC(EVP_F_EVP_DIGESTINIT_EX),     "EVP_DigestInit_ex"},
 {ERR_FUNC(EVP_F_EVP_ENCRYPTFINAL_EX),   "EVP_EncryptFinal_ex"},
 {ERR_FUNC(EVP_F_EVP_MD_CTX_COPY_EX),    "EVP_MD_CTX_copy_ex"},
@@ -125,15 +132,20 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH),"data not multiple of block length"},
 {ERR_REASON(EVP_R_DECODE_ERROR)          ,"decode error"},
 {ERR_REASON(EVP_R_DIFFERENT_KEY_TYPES)   ,"different key types"},
+{ERR_REASON(EVP_R_DISABLED_FOR_FIPS)     ,"disabled for fips"},
 {ERR_REASON(EVP_R_ENCODE_ERROR)          ,"encode error"},
+{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"},
+{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"},
 {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
 {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY)  ,"expecting an rsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY)    ,"expecting a dh key"},
 {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY)   ,"expecting a dsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"},
 {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY)    ,"expecting a ec key"},
+{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
 {ERR_REASON(EVP_R_INITIALIZATION_ERROR)  ,"initialization error"},
 {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
+{ERR_REASON(EVP_R_INVALID_FIPS_MODE)     ,"invalid fips mode"},
 {ERR_REASON(EVP_R_INVALID_KEY_LENGTH)    ,"invalid key length"},
 {ERR_REASON(EVP_R_IV_TOO_LARGE)          ,"iv too large"},
 {ERR_REASON(EVP_R_KEYGEN_FAILURE)        ,"keygen failure"},
@@ -145,6 +157,8 @@ static ERR_STRING_DATA EVP_str_reasons[]=
 {ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED),"no verify function configured"},
 {ERR_REASON(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE),"pkcs8 unknown broken type"},
 {ERR_REASON(EVP_R_PUBLIC_KEY_NOT_RSA)    ,"public key not rsa"},
+{ERR_REASON(EVP_R_SEED_KEY_SETUP_FAILED) ,"seed key setup failed"},
+{ERR_REASON(EVP_R_UNKNOWN_OPTION)        ,"unknown option"},
 {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
 {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
 {ERR_REASON(EVP_R_UNSUPPORTED_CIPHER)    ,"unsupported cipher"},
diff --git a/src/lib/libcrypto/evp/evp_lib.c b/src/lib/libcrypto/evp/evp_lib.c
index edb28ef38e..174cf6c594 100644
--- a/src/lib/libcrypto/evp/evp_lib.c
+++ b/src/lib/libcrypto/evp/evp_lib.c
@@ -67,6 +67,8 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
         if (c->cipher->set_asn1_parameters != NULL)
                 ret=c->cipher->set_asn1_parameters(c,type);
+        else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
+                ret=EVP_CIPHER_set_asn1_iv(c, type);
         else
                 ret=-1;
         return(ret);
@@ -78,6 +80,8 @@ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
 
         if (c->cipher->get_asn1_parameters != NULL)
                 ret=c->cipher->get_asn1_parameters(c,type);
+        else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
+                ret=EVP_CIPHER_get_asn1_iv(c, type);
         else
                 ret=-1;
         return(ret);
@@ -178,11 +182,6 @@ int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx)
         return ctx->cipher->block_size;
         }
 
-int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl)
-        {
-        return ctx->cipher->do_cipher(ctx,out,in,inl);
-        }
-
 const EVP_CIPHER *EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx)
         {
         return ctx->cipher;
@@ -193,11 +192,6 @@ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
         return cipher->flags;
         }
 
-unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
-        {
-        return ctx->cipher->flags;
-        }
-
 void *EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx)
         {
         return ctx->app_data;
@@ -213,11 +207,6 @@ int EVP_CIPHER_iv_length(const EVP_CIPHER *cipher)
         return cipher->iv_len;
         }
 
-int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx)
-        {
-        return ctx->cipher->iv_len;
-        }
-
 int EVP_CIPHER_key_length(const EVP_CIPHER *cipher)
         {
         return cipher->key_len;
@@ -228,11 +217,6 @@ int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx)
         return ctx->key_len;
         }
 
-int EVP_CIPHER_nid(const EVP_CIPHER *cipher)
-        {
-        return cipher->nid;
-        }
-
 int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx)
         {
         return ctx->cipher->nid;
@@ -277,3 +261,18 @@ int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags)
         {
         return (ctx->flags & flags);
         }
+
+void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags)
+        {
+        ctx->flags |= flags;
+        }
+
+void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags)
+        {
+        ctx->flags &= ~flags;
+        }
+
+int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags)
+        {
+        return (ctx->flags & flags);
+        }
diff --git a/src/lib/libcrypto/evp/evp_locl.h b/src/lib/libcrypto/evp/evp_locl.h
index 073b0adcff..eabcc96f30 100644
--- a/src/lib/libcrypto/evp/evp_locl.h
+++ b/src/lib/libcrypto/evp/evp_locl.h
@@ -1,5 +1,5 @@
 /* evp_locl.h */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
@@ -92,7 +92,7 @@ static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const uns
 #define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \
 static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, unsigned int inl) \
 {\
-        cprefix##_cfb##cbits##_encrypt(in, out, (long)(cbits==1?inl*8:inl), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
+        cprefix##_cfb##cbits##_encrypt(in, out, (long)((cbits==1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ?inl*8:inl), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\
         return 1;\
 }
 
@@ -226,11 +226,27 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; }
 
 #define EVP_C_DATA(kstruct, ctx)        ((kstruct *)(ctx)->cipher_data)
 
-#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \
+#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len,fl) \
         BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \
         BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \
                              NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \
-                             0, cipher##_init_key, NULL, \
-                             EVP_CIPHER_set_asn1_iv, \
-                             EVP_CIPHER_get_asn1_iv, \
-                             NULL)
+                             (fl)|EVP_CIPH_FLAG_DEFAULT_ASN1, \
+                             cipher##_init_key, NULL, NULL, NULL, NULL)
+
+#ifdef OPENSSL_FIPS
+#define RC2_set_key     private_RC2_set_key
+#define RC4_set_key     private_RC4_set_key
+#define CAST_set_key    private_CAST_set_key
+#define RC5_32_set_key  private_RC5_32_set_key
+#define BF_set_key      private_BF_set_key
+#define Camellia_set_key private_Camellia_set_key
+#define idea_set_encrypt_key private_idea_set_encrypt_key
+
+#define MD5_Init        private_MD5_Init
+#define MD4_Init        private_MD4_Init
+#define MD2_Init        private_MD2_Init
+#define MDC2_Init       private_MDC2_Init
+#define SHA_Init        private_SHA_Init
+
+#endif
+
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index c26d2de0f3..5e830be65f 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,5 +1,5 @@
 /* evp_pbe.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index 0147f3e02a..10d9e9e772 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -1,5 +1,5 @@
 /* evp_pkey.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index a948c77fa4..6b0c0aa7a3 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -81,7 +81,7 @@ static const EVP_MD dsa_md=
         NID_dsaWithSHA,
         NID_dsaWithSHA,
         SHA_DIGEST_LENGTH,
-        0,
+        EVP_MD_FLAG_FIPS,
         init,
         update,
         final,
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index c12e13972b..da8babc147 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -68,6 +68,8 @@
 #include <openssl/dsa.h>
 #endif
 
+#ifndef OPENSSL_FIPS
+
 static int init(EVP_MD_CTX *ctx)
         { return SHA1_Init(ctx->md_data); }
 
@@ -98,3 +100,4 @@ const EVP_MD *EVP_dss1(void)
         return(&dss1_md);
         }
 #endif
+#endif
diff --git a/src/lib/libcrypto/evp/m_md2.c b/src/lib/libcrypto/evp/m_md2.c
index 5ce849f161..8eee6236ba 100644
--- a/src/lib/libcrypto/evp/m_md2.c
+++ b/src/lib/libcrypto/evp/m_md2.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include "evp_locl.h"
 
 #ifndef OPENSSL_NO_MD2
 
diff --git a/src/lib/libcrypto/evp/m_md4.c b/src/lib/libcrypto/evp/m_md4.c
index 1e0b7c5b42..5cd2ab5ade 100644
--- a/src/lib/libcrypto/evp/m_md4.c
+++ b/src/lib/libcrypto/evp/m_md4.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include "evp_locl.h"
 
 #ifndef OPENSSL_NO_MD4
 
diff --git a/src/lib/libcrypto/evp/m_md5.c b/src/lib/libcrypto/evp/m_md5.c
index 63c142119e..6455829671 100644
--- a/src/lib/libcrypto/evp/m_md5.c
+++ b/src/lib/libcrypto/evp/m_md5.c
@@ -62,6 +62,7 @@
 #ifndef OPENSSL_NO_MD5
 
 #include <openssl/evp.h>
+#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/md5.h>
diff --git a/src/lib/libcrypto/evp/m_mdc2.c b/src/lib/libcrypto/evp/m_mdc2.c
index 36c4e9b134..9f9bcf06ed 100644
--- a/src/lib/libcrypto/evp/m_mdc2.c
+++ b/src/lib/libcrypto/evp/m_mdc2.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include "evp_locl.h"
 
 #ifndef OPENSSL_NO_MDC2
 
diff --git a/src/lib/libcrypto/evp/m_sha.c b/src/lib/libcrypto/evp/m_sha.c
index acccc8f92d..3f30dfc579 100644
--- a/src/lib/libcrypto/evp/m_sha.c
+++ b/src/lib/libcrypto/evp/m_sha.c
@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include "cryptlib.h"
+#include "evp_locl.h"
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA0)
 
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index 4679b1c463..471ec30be0 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -68,6 +68,8 @@
 #include <openssl/rsa.h>
 #endif
 
+#ifndef OPENSSL_FIPS
+
 static int init(EVP_MD_CTX *ctx)
         { return SHA1_Init(ctx->md_data); }
 
@@ -97,7 +99,6 @@ const EVP_MD *EVP_sha1(void)
         {
         return(&sha1_md);
         }
-#endif
 
 #ifndef OPENSSL_NO_SHA256
 static int init224(EVP_MD_CTX *ctx)
@@ -202,3 +203,7 @@ static const EVP_MD sha512_md=
 const EVP_MD *EVP_sha512(void)
         { return(&sha512_md); }
 #endif  /* ifndef OPENSSL_NO_SHA512 */
+
+#endif
+
+#endif
diff --git a/src/lib/libcrypto/evp/names.c b/src/lib/libcrypto/evp/names.c
index 88c1e780dd..e2e04c3570 100644
--- a/src/lib/libcrypto/evp/names.c
+++ b/src/lib/libcrypto/evp/names.c
@@ -66,6 +66,10 @@ int EVP_add_cipher(const EVP_CIPHER *c)
         {
         int r;
 
+#ifdef OPENSSL_FIPS
+        OPENSSL_init();
+#endif
+
         r=OBJ_NAME_add(OBJ_nid2sn(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
         if (r == 0) return(0);
         r=OBJ_NAME_add(OBJ_nid2ln(c->nid),OBJ_NAME_TYPE_CIPHER_METH,(const char *)c);
@@ -77,6 +81,9 @@ int EVP_add_digest(const EVP_MD *md)
         int r;
         const char *name;
 
+#ifdef OPENSSL_FIPS
+        OPENSSL_init();
+#endif
         name=OBJ_nid2sn(md->type);
         r=OBJ_NAME_add(name,OBJ_NAME_TYPE_MD_METH,(const char *)md);
         if (r == 0) return(0);
diff --git a/src/lib/libcrypto/evp/p5_crpt.c b/src/lib/libcrypto/evp/p5_crpt.c
index 48d50014a0..2a265fdee2 100644
--- a/src/lib/libcrypto/evp/p5_crpt.c
+++ b/src/lib/libcrypto/evp/p5_crpt.c
@@ -1,5 +1,5 @@
 /* p5_crpt.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index c969d5a206..6bec77baf9 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -1,5 +1,5 @@
 /* p5_crpt2.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index e4ae5906f5..bf41a0db68 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -84,10 +84,6 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
         MS_STATIC EVP_MD_CTX tmp_ctx;
 
         *siglen=0;
-        EVP_MD_CTX_init(&tmp_ctx);
-        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);   
-        EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
-        EVP_MD_CTX_cleanup(&tmp_ctx);
         for (i=0; i<4; i++)
                 {
                 v=ctx->digest->required_pkey_type[i];
@@ -108,7 +104,23 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
                 EVPerr(EVP_F_EVP_SIGNFINAL,EVP_R_NO_SIGN_FUNCTION_CONFIGURED);
                 return(0);
                 }
-        return(ctx->digest->sign(ctx->digest->type,m,m_len,sigret,siglen,
-                pkey->pkey.ptr));
+        EVP_MD_CTX_init(&tmp_ctx);
+        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);
+        if (ctx->digest->flags & EVP_MD_FLAG_SVCTX)
+                {
+                EVP_MD_SVCTX sctmp;
+                sctmp.mctx = &tmp_ctx;
+                sctmp.key = pkey->pkey.ptr;
+                i = ctx->digest->sign(ctx->digest->type,
+                        NULL, -1, sigret, siglen, &sctmp);
+                }
+        else
+                {
+                EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
+                i = ctx->digest->sign(ctx->digest->type,m,m_len,sigret,siglen,
+                                        pkey->pkey.ptr);
+                }
+        EVP_MD_CTX_cleanup(&tmp_ctx);
+        return i;
         }
 
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 21a40a375e..2d46dffe7e 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -85,17 +85,29 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
                 EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_WRONG_PUBLIC_KEY_TYPE);
                 return(-1);
                 }
-        EVP_MD_CTX_init(&tmp_ctx);
-        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);     
-        EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
-        EVP_MD_CTX_cleanup(&tmp_ctx);
-        if (ctx->digest->verify == NULL)
+        if (ctx->digest->verify == NULL)
                 {
                 EVPerr(EVP_F_EVP_VERIFYFINAL,EVP_R_NO_VERIFY_FUNCTION_CONFIGURED);
                 return(0);
                 }
 
-        return(ctx->digest->verify(ctx->digest->type,m,m_len,
-                sigbuf,siglen,pkey->pkey.ptr));
+        EVP_MD_CTX_init(&tmp_ctx);
+        EVP_MD_CTX_copy_ex(&tmp_ctx,ctx);     
+        if (ctx->digest->flags & EVP_MD_FLAG_SVCTX)
+                {
+                EVP_MD_SVCTX sctmp;
+                sctmp.mctx = &tmp_ctx;
+                sctmp.key = pkey->pkey.ptr;
+                i = ctx->digest->verify(ctx->digest->type,
+                        NULL, -1, sigbuf, siglen, &sctmp);
+                }
+        else
+                {
+                EVP_DigestFinal_ex(&tmp_ctx,&(m[0]),&m_len);
+                i = ctx->digest->verify(ctx->digest->type,m,m_len,
+                                        sigbuf,siglen,pkey->pkey.ptr);
+                }
+        EVP_MD_CTX_cleanup(&tmp_ctx);
+        return i;
         }
 
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index 1d140f7adb..cbc1c76a57 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -61,6 +61,8 @@
 #include "cryptlib.h"
 #include <openssl/hmac.h>
 
+#ifndef OPENSSL_FIPS
+
 void HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
                   const EVP_MD *md, ENGINE *impl)
         {
@@ -178,3 +180,4 @@ void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags)
         EVP_MD_CTX_set_flags(&ctx->md_ctx, flags);
         }
 
+#endif
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index bf97a37e39..a137d4cbce 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -83,6 +83,9 @@ typedef struct idea_key_st
 const char *idea_options(void);
 void idea_ecb_encrypt(const unsigned char *in, unsigned char *out,
         IDEA_KEY_SCHEDULE *ks);
+#ifdef OPENSSL_FIPS
+void private_idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
+#endif
 void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks);
 void idea_set_decrypt_key(const IDEA_KEY_SCHEDULE *ek, IDEA_KEY_SCHEDULE *dk);
 void idea_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/src/lib/libcrypto/install.com b/src/lib/libcrypto/install.com
index 58a4fecdaa..ffad1f97a7 100644
--- a/src/lib/libcrypto/install.com
+++ b/src/lib/libcrypto/install.com
@@ -35,12 +35,12 @@ $
 $       SDIRS := ,-
                  OBJECTS,-
                  MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,-
-                 DES,RC2,RC4,RC5,IDEA,BF,CAST,CAMELLIA,SEED,-
-                 BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,AES,-
+                 DES,AES,RC2,RC4,RC5,IDEA,BF,CAST,CAMELLIA,SEED,-
+                 BN,EC,RSA,DSA,ECDSA,DH,ECDH,DSO,ENGINE,-
                  BUFFER,BIO,STACK,LHASH,RAND,ERR,-
                  EVP,ASN1,PEM,X509,X509V3,CONF,TXT_DB,PKCS7,PKCS12,COMP,OCSP,-
                  UI,KRB5,-
-                 STORE,CMS,PQUEUE
+                 STORE,PQUEUE,JPAKE
 $       EXHEADER_ := crypto.h,tmdiff.h,opensslv.h,opensslconf.h,ebcdic.h,-
                 symhacks.h,ossl_typ.h
 $       EXHEADER_OBJECTS := objects.h,obj_mac.h
@@ -52,6 +52,7 @@ $	EXHEADER_MDC2 := mdc2.h
 $       EXHEADER_HMAC := hmac.h
 $       EXHEADER_RIPEMD := ripemd.h
 $       EXHEADER_DES := des.h,des_old.h
+$       EXHEADER_AES := aes.h
 $       EXHEADER_RC2 := rc2.h
 $       EXHEADER_RC4 := rc4.h
 $       EXHEADER_RC5 := rc5.h
@@ -69,7 +70,6 @@ $	EXHEADER_DH := dh.h
 $       EXHEADER_ECDH := ecdh.h
 $       EXHEADER_DSO := dso.h
 $       EXHEADER_ENGINE := engine.h
-$       EXHEADER_AES := aes.h
 $       EXHEADER_BUFFER := buffer.h
 $       EXHEADER_BIO := bio.h
 $       EXHEADER_STACK := stack.h,safestack.h
@@ -92,7 +92,7 @@ $	EXHEADER_KRB5 := krb5_asn.h
 $!      EXHEADER_STORE := store.h,str_compat.h
 $       EXHEADER_STORE := store.h
 $       EXHEADER_PQUEUE := pqueue.h,pq_compat.h
-$       EXHEADER_CMS := cms.h
+$       EXHEADER_JPAKE := jpake.h
 $       LIBS := LIBCRYPTO
 $
 $       VEXE_DIR := [-.VAX.EXE.CRYPTO]
diff --git a/src/lib/libcrypto/md2/md2.h b/src/lib/libcrypto/md2/md2.h
index a46120e7d4..d59c9f2593 100644
--- a/src/lib/libcrypto/md2/md2.h
+++ b/src/lib/libcrypto/md2/md2.h
@@ -81,6 +81,9 @@ typedef struct MD2state_st
         } MD2_CTX;
 
 const char *MD2_options(void);
+#ifdef OPENSSL_FIPS
+int private_MD2_Init(MD2_CTX *c);
+#endif
 int MD2_Init(MD2_CTX *c);
 int MD2_Update(MD2_CTX *c, const unsigned char *data, size_t len);
 int MD2_Final(unsigned char *md, MD2_CTX *c);
diff --git a/src/lib/libcrypto/md2/md2_dgst.c b/src/lib/libcrypto/md2/md2_dgst.c
index 6f68b25c6a..cc4eeaf7a7 100644
--- a/src/lib/libcrypto/md2/md2_dgst.c
+++ b/src/lib/libcrypto/md2/md2_dgst.c
@@ -62,6 +62,11 @@
 #include <openssl/md2.h>
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
+#include <openssl/err.h>
 
 const char MD2_version[]="MD2" OPENSSL_VERSION_PTEXT;
 
@@ -116,7 +121,7 @@ const char *MD2_options(void)
                 return("md2(int)");
         }
 
-int MD2_Init(MD2_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD2)
         {
         c->num=0;
         memset(c->state,0,sizeof c->state);
diff --git a/src/lib/libcrypto/md4/md4.h b/src/lib/libcrypto/md4/md4.h
index 5598c93a4f..ba1fe4a6ee 100644
--- a/src/lib/libcrypto/md4/md4.h
+++ b/src/lib/libcrypto/md4/md4.h
@@ -105,6 +105,9 @@ typedef struct MD4state_st
         unsigned int num;
         } MD4_CTX;
 
+#ifdef OPENSSL_FIPS
+int private_MD4_Init(MD4_CTX *c);
+#endif
 int MD4_Init(MD4_CTX *c);
 int MD4_Update(MD4_CTX *c, const void *data, size_t len);
 int MD4_Final(unsigned char *md, MD4_CTX *c);
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index cfef94af39..0f5448601d 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -59,6 +59,11 @@
 #include <stdio.h>
 #include "md4_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
 
@@ -70,7 +75,7 @@ const char MD4_version[]="MD4" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 
-int MD4_Init(MD4_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD4)
         {
         c->A=INIT_DATA_A;
         c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/md5/md5.h b/src/lib/libcrypto/md5/md5.h
index dbdc0e1abc..0761f84a27 100644
--- a/src/lib/libcrypto/md5/md5.h
+++ b/src/lib/libcrypto/md5/md5.h
@@ -105,6 +105,9 @@ typedef struct MD5state_st
         unsigned int num;
         } MD5_CTX;
 
+#ifdef OPENSSL_FIPS
+int private_MD5_Init(MD5_CTX *c);
+#endif
 int MD5_Init(MD5_CTX *c);
 int MD5_Update(MD5_CTX *c, const void *data, size_t len);
 int MD5_Final(unsigned char *md, MD5_CTX *c);
diff --git a/src/lib/libcrypto/md5/md5_dgst.c b/src/lib/libcrypto/md5/md5_dgst.c
index b96e332ba4..47bb9020ee 100644
--- a/src/lib/libcrypto/md5/md5_dgst.c
+++ b/src/lib/libcrypto/md5/md5_dgst.c
@@ -59,6 +59,11 @@
 #include <stdio.h>
 #include "md5_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
 
@@ -70,7 +75,7 @@ const char MD5_version[]="MD5" OPENSSL_VERSION_PTEXT;
 #define INIT_DATA_C (unsigned long)0x98badcfeL
 #define INIT_DATA_D (unsigned long)0x10325476L
 
-int MD5_Init(MD5_CTX *c)
+FIPS_NON_FIPS_MD_Init(MD5)
         {
         c->A=INIT_DATA_A;
         c->B=INIT_DATA_B;
diff --git a/src/lib/libcrypto/mdc2/Makefile b/src/lib/libcrypto/mdc2/Makefile
index 1d064f17a6..ea25688d88 100644
--- a/src/lib/libcrypto/mdc2/Makefile
+++ b/src/lib/libcrypto/mdc2/Makefile
@@ -33,7 +33,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
diff --git a/src/lib/libcrypto/mdc2/mdc2.h b/src/lib/libcrypto/mdc2/mdc2.h
index 72778a5212..7e1354116a 100644
--- a/src/lib/libcrypto/mdc2/mdc2.h
+++ b/src/lib/libcrypto/mdc2/mdc2.h
@@ -80,7 +80,9 @@ typedef struct mdc2_ctx_st
         int pad_type; /* either 1 or 2, default 1 */
         } MDC2_CTX;
 
-
+#ifdef OPENSSL_FIPS
+int private_MDC2_Init(MDC2_CTX *c);
+#endif
 int MDC2_Init(MDC2_CTX *c);
 int MDC2_Update(MDC2_CTX *c, const unsigned char *data, size_t len);
 int MDC2_Final(unsigned char *md, MDC2_CTX *c);
diff --git a/src/lib/libcrypto/mem.c b/src/lib/libcrypto/mem.c
index 6635167228..00ebaf0b9b 100644
--- a/src/lib/libcrypto/mem.c
+++ b/src/lib/libcrypto/mem.c
@@ -101,7 +101,7 @@ static void (*free_locked_func)(void *)     = free;
 
 /* may be changed as long as 'allow_customize_debug' is set */
 /* XXX use correct function pointer types */
-#ifdef CRYPTO_MDEBUG
+#if defined(CRYPTO_MDEBUG) && !defined(OPENSSL_FIPS)
 /* use default functions from mem_dbg.c */
 static void (*malloc_debug_func)(void *,int,const char *,int,int)
         = CRYPTO_dbg_malloc;
@@ -110,6 +110,14 @@ static void (*realloc_debug_func)(void *,void *,int,const char *,int,int)
 static void (*free_debug_func)(void *,int) = CRYPTO_dbg_free;
 static void (*set_debug_options_func)(long) = CRYPTO_dbg_set_options;
 static long (*get_debug_options_func)(void) = CRYPTO_dbg_get_options;
+
+static int  (*push_info_func)(const char *info, const char *file, int line)
+        = CRYPTO_dbg_push_info;
+static int  (*pop_info_func)(void)
+        = CRYPTO_dbg_pop_info;
+static int (*remove_all_info_func)(void)
+        = CRYPTO_dbg_remove_all_info;
+
 #else
 /* applications can use CRYPTO_malloc_debug_init() to select above case
  * at run-time */
@@ -119,6 +127,13 @@ static void (*realloc_debug_func)(void *,void *,int,const char *,int,int)
 static void (*free_debug_func)(void *,int) = NULL;
 static void (*set_debug_options_func)(long) = NULL;
 static long (*get_debug_options_func)(void) = NULL;
+
+
+static int  (*push_info_func)(const char *info, const char *file, int line)
+        = NULL;
+static int  (*pop_info_func)(void) = NULL;
+static int (*remove_all_info_func)(void) = NULL;
+
 #endif
 
 
@@ -194,6 +209,15 @@ int CRYPTO_set_mem_debug_functions(void (*m)(void *,int,const char *,int,int),
         return 1;
         }
 
+void CRYPTO_set_mem_info_functions(
+        int  (*push_info_fn)(const char *info, const char *file, int line),
+        int  (*pop_info_fn)(void),
+        int (*remove_all_info_fn)(void))
+        {
+        push_info_func = push_info_fn;
+        pop_info_func = pop_info_fn;
+        remove_all_info_func = remove_all_info_fn;
+        }
 
 void CRYPTO_get_mem_functions(void *(**m)(size_t), void *(**r)(void *, size_t),
         void (**f)(void *))
@@ -399,3 +423,24 @@ long CRYPTO_get_mem_debug_options(void)
                 return get_debug_options_func();
         return 0;
         }
+
+int CRYPTO_push_info_(const char *info, const char *file, int line)
+        {
+        if (push_info_func)
+                return push_info_func(info, file, line);
+        return 1;
+        }
+
+int CRYPTO_pop_info(void)
+        {
+        if (pop_info_func)
+                return pop_info_func();
+        return 1;
+        }
+
+int CRYPTO_remove_all_info(void)
+        {
+        if (remove_all_info_func)
+                return remove_all_info_func();
+        return 1;
+        }
diff --git a/src/lib/libcrypto/mem_dbg.c b/src/lib/libcrypto/mem_dbg.c
index 8316485217..dfeb084799 100644
--- a/src/lib/libcrypto/mem_dbg.c
+++ b/src/lib/libcrypto/mem_dbg.c
@@ -330,7 +330,7 @@ static APP_INFO *pop_info(void)
         return(ret);
         }
 
-int CRYPTO_push_info_(const char *info, const char *file, int line)
+int CRYPTO_dbg_push_info(const char *info, const char *file, int line)
         {
         APP_INFO *ami, *amim;
         int ret=0;
@@ -380,7 +380,7 @@ int CRYPTO_push_info_(const char *info, const char *file, int line)
         return(ret);
         }
 
-int CRYPTO_pop_info(void)
+int CRYPTO_dbg_pop_info(void)
         {
         int ret=0;
 
@@ -395,7 +395,7 @@ int CRYPTO_pop_info(void)
         return(ret);
         }
 
-int CRYPTO_remove_all_info(void)
+int CRYPTO_dbg_remove_all_info(void)
         {
         int ret=0;
 
@@ -793,3 +793,25 @@ void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb)
         lh_doall_arg(mh, LHASH_DOALL_ARG_FN(cb_leak), &cb);
         CRYPTO_w_unlock(CRYPTO_LOCK_MALLOC2);
         }
+
+void CRYPTO_malloc_debug_init(void)
+        {
+        CRYPTO_set_mem_debug_functions(
+                CRYPTO_dbg_malloc,
+                CRYPTO_dbg_realloc,
+                CRYPTO_dbg_free,
+                CRYPTO_dbg_set_options,
+                CRYPTO_dbg_get_options);
+        CRYPTO_set_mem_info_functions(
+                CRYPTO_dbg_push_info,
+                CRYPTO_dbg_pop_info,
+                CRYPTO_dbg_remove_all_info);
+        }
+
+char *CRYPTO_strdup(const char *str, const char *file, int line)
+        {
+        char *ret = CRYPTO_malloc(strlen(str)+1, file, line);
+
+        strcpy(ret, str);
+        return ret;
+        }
diff --git a/src/lib/libcrypto/objects/obj_dat.pl b/src/lib/libcrypto/objects/obj_dat.pl
index 8a09a46ee6..7de2f77afd 100644
--- a/src/lib/libcrypto/objects/obj_dat.pl
+++ b/src/lib/libcrypto/objects/obj_dat.pl
@@ -2,7 +2,9 @@
 
 # fixes bug in floating point emulation on sparc64 when
 # this script produces off-by-one output on sparc64
-use integer;
+eval 'use integer;';
+
+print STDERR "Warning: perl module integer not found.\n" if ($@);
 
 sub obj_cmp
         {
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 53c9cb0d6a..e3f56bc52c 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -854,3 +854,5 @@ id_GostR3411_94_with_GostR3410_2001_cc		853
 id_GostR3410_2001_ParamSet_cc           854
 hmac            855
 LocalKeySet             856
+freshest_crl            857
+id_on_permanentIdentifier               858
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index e009702e55..a6a811b8e7 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -557,6 +557,7 @@ id-cmc 24		: id-cmc-confirmCertAcceptance
 
 # other names
 id-on 1                 : id-on-personalData
+id-on 3                 : id-on-permanentIdentifier : Permanent Identifier
 
 # personal data attributes
 id-pda 1                : id-pda-dateOfBirth
@@ -726,6 +727,8 @@ id-ce 35		: authorityKeyIdentifier : X509v3 Authority Key Identifier
 id-ce 36                : policyConstraints     : X509v3 Policy Constraints
 !Cname ext-key-usage
 id-ce 37                : extendedKeyUsage      : X509v3 Extended Key Usage
+!Cname freshest-crl
+id-ce 46                : freshestCRL           : X509v3 Freshest CRL
 !Cname inhibit-any-policy
 id-ce 54                : inhibitAnyPolicy      : X509v3 Inhibit Any Policy
 !Cname target-information
diff --git a/src/lib/libcrypto/ocsp/ocsp_asn.c b/src/lib/libcrypto/ocsp/ocsp_asn.c
index 39b7a1c568..bfe892ac70 100644
--- a/src/lib/libcrypto/ocsp/ocsp_asn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_asn.c
@@ -1,5 +1,5 @@
 /* ocsp_asn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index a8e569b74a..6abb30b2c0 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -1,5 +1,5 @@
 /* ocsp_ht.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
 /* ====================================================================
@@ -56,11 +56,12 @@
  *
  */
 
-#include <openssl/asn1.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
 #include <string.h>
+#include "e_os.h"
+#include <openssl/asn1.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
 #include <openssl/buffer.h>
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index fffa134e75..1c606dd0b6 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,5 +1,5 @@
 /* ocsp_srv.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 23ea41c847..4a0c3870d8 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,5 +1,5 @@
 /* ocsp_vfy.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/opensslconf.h.in b/src/lib/libcrypto/opensslconf.h.in
index cee83acf98..1c77f03c3d 100644
--- a/src/lib/libcrypto/opensslconf.h.in
+++ b/src/lib/libcrypto/opensslconf.h.in
@@ -1,5 +1,20 @@
 /* crypto/opensslconf.h.in */
 
+#ifdef OPENSSL_DOING_MAKEDEPEND
+
+/* Include any symbols here that have to be explicitly set to enable a feature
+ * that should be visible to makedepend.
+ *
+ * [Our "make depend" doesn't actually look at this, we use actual build settings
+ * instead; we want to make it easy to remove subdirectories with disabled algorithms.]
+ */
+
+#ifndef OPENSSL_FIPS
+#define OPENSSL_FIPS
+#endif
+
+#endif
+
 /* Generate 80386 code? */
 #undef I386_ONLY
 
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 5bdd370ac9..09687b5136 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x0090809fL
+#define OPENSSL_VERSION_NUMBER  0x009080afL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i-fips 15 Sep 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8j-fips 07 Jan 2009"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8i 15 Sep 2008"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8j 07 Jan 2009"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libcrypto/ossl_typ.h b/src/lib/libcrypto/ossl_typ.h
index 734200428f..0e7a380880 100644
--- a/src/lib/libcrypto/ossl_typ.h
+++ b/src/lib/libcrypto/ossl_typ.h
@@ -100,6 +100,8 @@ typedef int ASN1_NULL;
 #undef X509_EXTENSIONS
 #undef X509_CERT_PAIR
 #undef PKCS7_ISSUER_AND_SERIAL
+#undef OCSP_REQUEST
+#undef OCSP_RESPONSE
 #endif
 
 #ifdef BIGNUM
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 670afa670b..6f8e01544b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -125,6 +125,7 @@ extern "C" {
 #define PEM_STRING_DSA          "DSA PRIVATE KEY"
 #define PEM_STRING_DSA_PUBLIC   "DSA PUBLIC KEY"
 #define PEM_STRING_PKCS7        "PKCS7"
+#define PEM_STRING_PKCS7_SIGNED "PKCS #7 SIGNED DATA"
 #define PEM_STRING_PKCS8        "ENCRYPTED PRIVATE KEY"
 #define PEM_STRING_PKCS8INF     "PRIVATE KEY"
 #define PEM_STRING_DHPARAMS     "DH PARAMETERS"
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index 66cbc7eb82..69dd19bf2e 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -194,7 +194,49 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 
 #endif
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_RSA(k, x);
+
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+
+        EVP_PKEY_set1_RSA(k, x);
+
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
@@ -224,7 +266,47 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
         return pkey_get_dsa(pktmp, dsa);
 }
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_DSA(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
@@ -270,8 +352,49 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
 
 IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
 
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_EC_KEY(k, x);
+
+        ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+        EVP_PKEY *k;
+        int ret;
+        k = EVP_PKEY_new();
+        if (!k)
+                return 0;
+        EVP_PKEY_set1_EC_KEY(k, x);
+        ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+        EVP_PKEY_free(k);
+        return ret;
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 
+#endif
+
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
@@ -301,8 +424,59 @@ IMPLEMENT_PEM_rw_const(DHparams, DH, PEM_STRING_DHPARAMS, DHparams)
  * (When reading, parameter PEM_STRING_EVP_PKEY is a wildcard for anything
  * appropriate.)
  */
+
+#ifdef OPENSSL_FIPS
+
+static const char *pkey_str(EVP_PKEY *x)
+        {
+        switch (x->type)
+                {
+                case EVP_PKEY_RSA:
+                return PEM_STRING_RSA;
+
+                case EVP_PKEY_DSA:
+                return PEM_STRING_DSA;
+
+                case EVP_PKEY_EC:
+                return PEM_STRING_ECPRIVATEKEY;
+
+                default:
+                return NULL;
+                }
+        }
+
+
+int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_bio_PKCS8PrivateKey(bp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
+                        pkey_str(x), bp,(char *)x,enc,kstr,klen,cb,u);
+        }
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+        {
+                if (FIPS_mode())
+                        return PEM_write_PKCS8PrivateKey(fp, x, enc,
+                                                (char *)kstr, klen, cb, u);
+                else
+                        return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
+                        pkey_str(x), fp,(char *)x,enc,kstr,klen,cb,u);
+        }
+#endif
+
+#else
 IMPLEMENT_PEM_write_cb(PrivateKey, EVP_PKEY, ((x->type == EVP_PKEY_DSA)?PEM_STRING_DSA:\
                         (x->type == EVP_PKEY_RSA)?PEM_STRING_RSA:PEM_STRING_ECPRIVATEKEY), PrivateKey)
 
+#endif
+
 IMPLEMENT_PEM_rw(PUBKEY, EVP_PKEY, PEM_STRING_PUBLIC, PUBKEY)
 
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 9bae4c8850..cbafefe416 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -216,6 +216,9 @@ static int check_pem(const char *nm, const char *name)
         if(!strcmp(nm, PEM_STRING_X509) &&
                 !strcmp(name, PEM_STRING_PKCS7)) return 1;
 
+        if(!strcmp(nm, PEM_STRING_PKCS7_SIGNED) &&
+                !strcmp(name, PEM_STRING_PKCS7)) return 1;
+
         return 0;
 }
 
diff --git a/src/lib/libcrypto/pem/pem_x509.c b/src/lib/libcrypto/pem/pem_x509.c
index 19f88d8d3a..3f709f13e6 100644
--- a/src/lib/libcrypto/pem/pem_x509.c
+++ b/src/lib/libcrypto/pem/pem_x509.c
@@ -1,5 +1,5 @@
 /* pem_x509.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pem/pem_xaux.c b/src/lib/libcrypto/pem/pem_xaux.c
index 63ce660cf1..7cc7491009 100644
--- a/src/lib/libcrypto/pem/pem_xaux.c
+++ b/src/lib/libcrypto/pem/pem_xaux.c
@@ -1,5 +1,5 @@
 /* pem_xaux.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 41bdc00551..1f3e378f5c 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,5 +1,5 @@
 /* p12_add.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_asn.c b/src/lib/libcrypto/pkcs12/p12_asn.c
index a3739fee1a..6e27633817 100644
--- a/src/lib/libcrypto/pkcs12/p12_asn.c
+++ b/src/lib/libcrypto/pkcs12/p12_asn.c
@@ -1,5 +1,5 @@
 /* p12_asn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index 026cf3826a..68d6c5ad15 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -1,5 +1,5 @@
 /* p12_attr.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_crpt.c b/src/lib/libcrypto/pkcs12/p12_crpt.c
index 3ad33c49d8..f8b952e27e 100644
--- a/src/lib/libcrypto/pkcs12/p12_crpt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crpt.c
@@ -1,5 +1,5 @@
 /* p12_crpt.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 9748256b6f..e863de52ce 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,5 +1,5 @@
 /* p12_crt.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
@@ -59,6 +59,10 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include <openssl/pkcs12.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 
 static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag);
@@ -90,7 +94,14 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 
         /* Set defaults */
         if (!nid_cert)
+                {
+#ifdef OPENSSL_FIPS
+                if (FIPS_mode())
+                        nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+                else
+#endif
                 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+                }
         if (!nid_key)
                 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
         if (!iter)
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 74c961a92b..ba77dbbe32 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -1,5 +1,5 @@
 /* p12_decr.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index 6bdc132631..d4d84b056a 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -1,5 +1,5 @@
 /* p12_init.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 18e72d0a1b..9e57eee4a4 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,5 +1,5 @@
 /* p12_key.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index c2ee2cc6f3..5c4c6ec988 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,5 +1,5 @@
 /* p12_kiss.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index c408cc8ab8..70bfef6e5d 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,5 +1,5 @@
 /* p12_mutl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 48eacc5c49..47e5e9c377 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -1,5 +1,5 @@
 /* p12_npas.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_p8d.c b/src/lib/libcrypto/pkcs12/p12_p8d.c
index 3c6f377933..deba81e4a9 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8d.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8d.c
@@ -1,5 +1,5 @@
 /* p12_p8d.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
index 3d47956652..bf20a77b4c 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8e.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -1,5 +1,5 @@
 /* p12_p8e.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index 243ec76be9..ca30ac4f6d 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -1,5 +1,5 @@
 /* p12_utl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index a2d7e359a0..4bee605dc0 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,5 +1,5 @@
 /* pkcs12.h */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs7/pk7_asn1.c b/src/lib/libcrypto/pkcs7/pk7_asn1.c
index 77931feeb4..1f70d31386 100644
--- a/src/lib/libcrypto/pkcs7/pk7_asn1.c
+++ b/src/lib/libcrypto/pkcs7/pk7_asn1.c
@@ -1,5 +1,5 @@
 /* pk7_asn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 735c8800e1..d549717169 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,5 +1,5 @@
 /* pk7_attr.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs7/pk7_mime.c b/src/lib/libcrypto/pkcs7/pk7_mime.c
index 17b68992f7..bf190360d7 100644
--- a/src/lib/libcrypto/pkcs7/pk7_mime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_mime.c
@@ -1,5 +1,5 @@
 /* pk7_mime.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index 5c6b0fe24b..c34db1d6fe 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,5 +1,5 @@
 /* pk7_smime.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
@@ -282,6 +282,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
                         PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
+                BIO_set_mem_eof_return(tmpout, 0);
         } else tmpout = out;
 
         /* We now have to 'read' from p7bio to calculate digests etc. */
diff --git a/src/lib/libcrypto/rand/Makefile b/src/lib/libcrypto/rand/Makefile
index 27694aa664..30794305cb 100644
--- a/src/lib/libcrypto/rand/Makefile
+++ b/src/lib/libcrypto/rand/Makefile
@@ -17,9 +17,9 @@ TEST= randtest.c
 APPS=
 
 LIB=$(TOP)/libcrypto.a
-LIBSRC=md_rand.c randfile.c rand_lib.c rand_err.c rand_egd.c \
+LIBSRC=md_rand.c randfile.c rand_lib.c rand_eng.c rand_err.c rand_egd.c \
         rand_win.c rand_unix.c rand_os2.c rand_nw.c
-LIBOBJ=md_rand.o randfile.o rand_lib.o rand_err.o rand_egd.o \
+LIBOBJ=md_rand.o randfile.o rand_lib.o rand_eng.o rand_err.o rand_egd.o \
         rand_win.o rand_unix.o rand_os2.o rand_nw.o
 
 SRC= $(LIBSRC)
@@ -35,7 +35,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -79,17 +79,34 @@ clean:
 md_rand.o: ../../e_os.h ../../include/openssl/asn1.h
 md_rand.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 md_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-md_rand.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-md_rand.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-md_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-md_rand.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-md_rand.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-md_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-md_rand.o: md_rand.c rand_lcl.h
+md_rand.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+md_rand.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+md_rand.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+md_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+md_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+md_rand.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+md_rand.o: ../../include/openssl/symhacks.h md_rand.c rand_lcl.h
 rand_egd.o: ../../include/openssl/buffer.h ../../include/openssl/e_os2.h
 rand_egd.o: ../../include/openssl/opensslconf.h
 rand_egd.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
 rand_egd.o: rand_egd.c
+rand_eng.o: ../../e_os.h ../../include/openssl/asn1.h
+rand_eng.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+rand_eng.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rand_eng.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
+rand_eng.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
+rand_eng.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
+rand_eng.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_eng.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
+rand_eng.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rand_eng.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rand_eng.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rand_eng.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rand_eng.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rand_eng.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_eng.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
+rand_eng.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
+rand_eng.o: ../cryptlib.h rand_eng.c rand_lcl.h
 rand_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 rand_err.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 rand_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
@@ -99,34 +116,39 @@ rand_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 rand_err.o: rand_err.c
 rand_lib.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
-rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+rand_lib.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+rand_lib.o: ../../include/openssl/des_old.h ../../include/openssl/e_os2.h
 rand_lib.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h
 rand_lib.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h
 rand_lib.o: ../../include/openssl/err.h ../../include/openssl/evp.h
+rand_lib.o: ../../include/openssl/fips.h ../../include/openssl/fips_rand.h
 rand_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
 rand_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rand_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
 rand_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 rand_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_lib.o: ../../include/openssl/ui.h ../../include/openssl/ui_compat.h
 rand_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-rand_lib.o: ../cryptlib.h rand_lib.c
+rand_lib.o: ../cryptlib.h rand_lcl.h rand_lib.c
 rand_nw.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_nw.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 rand_nw.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_nw.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_nw.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rand_nw.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
-rand_nw.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
-rand_nw.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
-rand_nw.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rand_nw.o: ../../include/openssl/symhacks.h ../cryptlib.h rand_lcl.h rand_nw.c
+rand_nw.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rand_nw.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_nw.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+rand_nw.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
+rand_nw.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rand_nw.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rand_nw.o: ../cryptlib.h rand_lcl.h rand_nw.c
 rand_os2.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_os2.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 rand_os2.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_os2.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_os2.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rand_os2.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rand_os2.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rand_os2.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_os2.o: ../../include/openssl/opensslconf.h
 rand_os2.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_os2.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_os2.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
@@ -136,8 +158,8 @@ rand_unix.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_unix.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 rand_unix.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_unix.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_unix.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rand_unix.o: ../../include/openssl/objects.h
+rand_unix.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rand_unix.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
 rand_unix.o: ../../include/openssl/opensslconf.h
 rand_unix.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_unix.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
@@ -148,8 +170,9 @@ rand_win.o: ../../e_os.h ../../include/openssl/asn1.h
 rand_win.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
 rand_win.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rand_win.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rand_win.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rand_win.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rand_win.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rand_win.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rand_win.o: ../../include/openssl/opensslconf.h
 rand_win.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rand_win.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 rand_win.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
diff --git a/src/lib/libcrypto/rand/md_rand.c b/src/lib/libcrypto/rand/md_rand.c
index 9783d0c23e..0f8dd3e00f 100644
--- a/src/lib/libcrypto/rand/md_rand.c
+++ b/src/lib/libcrypto/rand/md_rand.c
@@ -126,6 +126,10 @@
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 #ifdef BN_DEBUG
 # define PREDICT
@@ -332,6 +336,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
 #endif
         int do_stir_pool = 0;
 
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode())
+            {
+            FIPSerr(FIPS_F_SSLEAY_RAND_BYTES,FIPS_R_NON_FIPS_METHOD);
+            return 0;
+            }
+#endif
+
 #ifdef PREDICT
         if (rand_predictable)
                 {
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index ac6c021763..ea89153cba 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -72,7 +72,7 @@ extern "C" {
 #endif
 
 #if defined(OPENSSL_FIPS)
-#define FIPS_RAND_SIZE_T size_t
+#define FIPS_RAND_SIZE_T int
 #endif
 
 /* Already defined in ossl_typ.h */
@@ -111,6 +111,15 @@ int RAND_query_egd_bytes(const char *path, unsigned char *buf, int bytes);
 int RAND_egd(const char *path);
 int RAND_egd_bytes(const char *path,int bytes);
 int RAND_poll(void);
+#ifndef OPENSSL_NO_ENGINE
+#ifdef OPENSSL_FIPS
+void int_RAND_init_engine_callbacks(void);
+void int_RAND_set_callbacks(
+        int (*set_rand_func)(const RAND_METHOD *meth,
+                                                const RAND_METHOD **pmeth),
+        const RAND_METHOD *(*get_rand_func)(const RAND_METHOD **pmeth));
+#endif
+#endif
 
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_WIN32)
 
@@ -128,11 +137,29 @@ void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. */
 
 /* Function codes. */
+#define RAND_F_ENG_RAND_GET_RAND_METHOD                  108
+#define RAND_F_FIPS_RAND                                 103
+#define RAND_F_FIPS_RAND_BYTES                           102
+#define RAND_F_FIPS_RAND_GET_RAND_METHOD                 109
+#define RAND_F_FIPS_RAND_SET_DT                          106
+#define RAND_F_FIPS_SET_DT                               104
+#define RAND_F_FIPS_SET_PRNG_SEED                        107
+#define RAND_F_FIPS_SET_TEST_MODE                        105
 #define RAND_F_RAND_GET_RAND_METHOD                      101
 #define RAND_F_SSLEAY_RAND_BYTES                         100
 
 /* Reason codes. */
+#define RAND_R_NON_FIPS_METHOD                           105
+#define RAND_R_NOT_IN_TEST_MODE                          106
+#define RAND_R_NO_KEY_SET                                107
+#define RAND_R_PRNG_ASKING_FOR_TOO_MUCH                  101
+#define RAND_R_PRNG_ERROR                                108
+#define RAND_R_PRNG_KEYED                                109
+#define RAND_R_PRNG_NOT_REKEYED                          102
+#define RAND_R_PRNG_NOT_RESEEDED                         103
 #define RAND_R_PRNG_NOT_SEEDED                           100
+#define RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY              110
+#define RAND_R_PRNG_STUCK                                104
 
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index 386934dcd1..829fb44d77 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,6 +1,6 @@
 /* crypto/rand/rand_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,6 +70,14 @@
 
 static ERR_STRING_DATA RAND_str_functs[]=
         {
+{ERR_FUNC(RAND_F_ENG_RAND_GET_RAND_METHOD),     "ENG_RAND_GET_RAND_METHOD"},
+{ERR_FUNC(RAND_F_FIPS_RAND),    "FIPS_RAND"},
+{ERR_FUNC(RAND_F_FIPS_RAND_BYTES),      "FIPS_RAND_BYTES"},
+{ERR_FUNC(RAND_F_FIPS_RAND_GET_RAND_METHOD),    "FIPS_RAND_GET_RAND_METHOD"},
+{ERR_FUNC(RAND_F_FIPS_RAND_SET_DT),     "FIPS_RAND_SET_DT"},
+{ERR_FUNC(RAND_F_FIPS_SET_DT),  "FIPS_SET_DT"},
+{ERR_FUNC(RAND_F_FIPS_SET_PRNG_SEED),   "FIPS_SET_PRNG_SEED"},
+{ERR_FUNC(RAND_F_FIPS_SET_TEST_MODE),   "FIPS_SET_TEST_MODE"},
 {ERR_FUNC(RAND_F_RAND_GET_RAND_METHOD), "RAND_get_rand_method"},
 {ERR_FUNC(RAND_F_SSLEAY_RAND_BYTES),    "SSLEAY_RAND_BYTES"},
 {0,NULL}
@@ -77,7 +85,17 @@ static ERR_STRING_DATA RAND_str_functs[]=
 
 static ERR_STRING_DATA RAND_str_reasons[]=
         {
+{ERR_REASON(RAND_R_NON_FIPS_METHOD)      ,"non fips method"},
+{ERR_REASON(RAND_R_NOT_IN_TEST_MODE)     ,"not in test mode"},
+{ERR_REASON(RAND_R_NO_KEY_SET)           ,"no key set"},
+{ERR_REASON(RAND_R_PRNG_ASKING_FOR_TOO_MUCH),"prng asking for too much"},
+{ERR_REASON(RAND_R_PRNG_ERROR)           ,"prng error"},
+{ERR_REASON(RAND_R_PRNG_KEYED)           ,"prng keyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_REKEYED)     ,"prng not rekeyed"},
+{ERR_REASON(RAND_R_PRNG_NOT_RESEEDED)    ,"prng not reseeded"},
 {ERR_REASON(RAND_R_PRNG_NOT_SEEDED)      ,"PRNG not seeded"},
+{ERR_REASON(RAND_R_PRNG_SEED_MUST_NOT_MATCH_KEY),"prng seed must not match key"},
+{ERR_REASON(RAND_R_PRNG_STUCK)           ,"prng stuck"},
 {0,NULL}
         };
 
diff --git a/src/lib/libcrypto/rand/rand_lcl.h b/src/lib/libcrypto/rand/rand_lcl.h
index 618a8ec899..18cc9b1e4a 100644
--- a/src/lib/libcrypto/rand/rand_lcl.h
+++ b/src/lib/libcrypto/rand/rand_lcl.h
@@ -154,5 +154,16 @@
 #define MD(a,b,c)               EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
 #endif
 
+#ifndef OPENSSL_NO_ENGINE
+void int_RAND_set_callbacks(
+        int (*set_rand_func)(const RAND_METHOD *meth,
+                                                const RAND_METHOD **pmeth),
+        const RAND_METHOD *(*get_rand_func)
+                                                (const RAND_METHOD **pmeth));
+int eng_RAND_set_rand_method(const RAND_METHOD *meth,
+                                const RAND_METHOD **pmeth);
+const RAND_METHOD *eng_RAND_get_rand_method(const RAND_METHOD **pmeth);
+#endif
+
 
 #endif
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 513e338985..da6b4e0e86 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -60,15 +60,82 @@
 #include <time.h>
 #include "cryptlib.h"
 #include <openssl/rand.h>
+#include "rand_lcl.h"
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#include <openssl/fips_rand.h>
+#endif
+
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 
+static const RAND_METHOD *default_RAND_meth = NULL;
+
+#ifdef OPENSSL_FIPS
+
+static int fips_RAND_set_rand_method(const RAND_METHOD *meth,
+                                        const RAND_METHOD **pmeth)
+        {
+        *pmeth = meth;
+        return 1;
+        }
+
+static const RAND_METHOD *fips_RAND_get_rand_method(const RAND_METHOD **pmeth)
+        {
+        if (!*pmeth)
+                {
+                if(FIPS_mode())
+                        *pmeth=FIPS_rand_method();
+                else
+                        *pmeth = RAND_SSLeay();
+                }
+
+        if(FIPS_mode()
+                && *pmeth != FIPS_rand_check())
+            {
+            RANDerr(RAND_F_FIPS_RAND_GET_RAND_METHOD,RAND_R_NON_FIPS_METHOD);
+            return 0;
+            }
+
+        return *pmeth;
+        }
+
+static int (*RAND_set_rand_method_func)(const RAND_METHOD *meth,
+                                                const RAND_METHOD **pmeth)
+        = fips_RAND_set_rand_method;
+static const RAND_METHOD *(*RAND_get_rand_method_func)
+                                                (const RAND_METHOD **pmeth)
+        = fips_RAND_get_rand_method;
+
+#ifndef OPENSSL_NO_ENGINE
+void int_RAND_set_callbacks(
+        int (*set_rand_func)(const RAND_METHOD *meth,
+                                                const RAND_METHOD **pmeth),
+        const RAND_METHOD *(*get_rand_func)
+                                                (const RAND_METHOD **pmeth))
+        {
+        RAND_set_rand_method_func = set_rand_func;
+        RAND_get_rand_method_func = get_rand_func;
+        }
+#endif
+
+int RAND_set_rand_method(const RAND_METHOD *meth)
+        {
+        return RAND_set_rand_method_func(meth, &default_RAND_meth);
+        }
+
+const RAND_METHOD *RAND_get_rand_method(void)
+        {
+        return RAND_get_rand_method_func(&default_RAND_meth);
+        }
+
+#else
+
 #ifndef OPENSSL_NO_ENGINE
 /* non-NULL if default_RAND_meth is ENGINE-provided */
 static ENGINE *funct_ref =NULL;
 #endif
-static const RAND_METHOD *default_RAND_meth = NULL;
 
 int RAND_set_rand_method(const RAND_METHOD *meth)
         {
@@ -129,6 +196,8 @@ int RAND_set_rand_engine(ENGINE *engine)
         }
 #endif
 
+#endif
+
 void RAND_cleanup(void)
         {
         const RAND_METHOD *meth = RAND_get_rand_method();
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 005cb38cb0..f63fbc1731 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -81,10 +81,25 @@
 # include <sys/stat.h>
 #endif
 
+#ifdef _WIN32
+#define stat    _stat
+#define chmod   _chmod
+#define open    _open
+#define fdopen  _fdopen
+#endif
+
 #undef BUFSIZE
 #define BUFSIZE 1024
 #define RAND_DATA 1024
 
+#ifdef OPENSSL_SYS_VMS
+/* This declaration is a nasty hack to get around vms' extension to fopen
+ * for passing in sharing options being disabled by our /STANDARD=ANSI89 */
+static FILE *(*const vms_fopen)(const char *, const char *, ...) =
+    (FILE *(*)(const char *, const char *, ...))fopen;
+#define VMS_OPEN_ATTRS "shr=get,put,upd,del","ctx=bin,stm","rfm=stm","rat=none","mrs=0"
+#endif
+
 /* #define RFILE ".rnd" - defined in ../../e_os.h */
 
 /* Note that these functions are intended for seed files only.
@@ -106,7 +121,11 @@ int RAND_load_file(const char *file, long bytes)
         RAND_add(&sb,sizeof(sb),0.0);
         if (bytes == 0) return(ret);
 
+#ifdef OPENSSL_SYS_VMS
+        in=vms_fopen(file,"rb",VMS_OPEN_ATTRS);
+#else
         in=fopen(file,"rb");
+#endif
         if (in == NULL) goto err;
 #if defined(S_IFBLK) && defined(S_IFCHR)
         if (sb.st_mode & (S_IFBLK | S_IFCHR)) {
@@ -167,7 +186,7 @@ int RAND_write_file(const char *file)
 #endif
         }
 
-#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32)
+#if defined(O_CREAT) && !defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_SYS_VMS)
         {
         /* For some reason Win32 can't write to files created this way */
         
@@ -178,8 +197,34 @@ int RAND_write_file(const char *file)
                 out = fdopen(fd, "wb");
         }
 #endif
+
+#ifdef OPENSSL_SYS_VMS
+        /* VMS NOTE: Prior versions of this routine created a _new_
+         * version of the rand file for each call into this routine, then
+         * deleted all existing versions named ;-1, and finally renamed
+         * the current version as ';1'. Under concurrent usage, this
+         * resulted in an RMS race condition in rename() which could
+         * orphan files (see vms message help for RMS$_REENT). With the
+         * fopen() calls below, openssl/VMS now shares the top-level
+         * version of the rand file. Note that there may still be
+         * conditions where the top-level rand file is locked. If so, this
+         * code will then create a new version of the rand file. Without
+         * the delete and rename code, this can result in ascending file
+         * versions that stop at version 32767, and this routine will then
+         * return an error. The remedy for this is to recode the calling
+         * application to avoid concurrent use of the rand file, or
+         * synchronize usage at the application level. Also consider
+         * whether or not you NEED a persistent rand file in a concurrent
+         * use situation. 
+         */
+
+        out = vms_fopen(file,"rb+",VMS_OPEN_ATTRS);
+        if (out == NULL)
+                out = vms_fopen(file,"wb",VMS_OPEN_ATTRS);
+#else
         if (out == NULL)
                 out = fopen(file,"wb");
+#endif
         if (out == NULL) goto err;
 
 #ifndef NO_CHMOD
@@ -201,25 +246,6 @@ int RAND_write_file(const char *file)
                 ret+=i;
                 if (n <= 0) break;
                 }
-#ifdef OPENSSL_SYS_VMS
-        /* Try to delete older versions of the file, until there aren't
-           any */
-        {
-        char *tmpf;
-
-        tmpf = OPENSSL_malloc(strlen(file) + 4);  /* to add ";-1" and a nul */
-        if (tmpf)
-                {
-                strcpy(tmpf, file);
-                strcat(tmpf, ";-1");
-                while(delete(tmpf) == 0)
-                        ;
-                rename(file,";1"); /* Make sure it's version 1, or we
-                                      will reach the limit (32767) at
-                                      some point... */
-                }
-        }
-#endif /* OPENSSL_SYS_VMS */
 
         fclose(out);
         OPENSSL_cleanse(buf,BUFSIZE);
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 34c8362317..e542ec94ff 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -79,7 +79,9 @@ typedef struct rc2_key_st
         RC2_INT data[64];
         } RC2_KEY;
 
- 
+#ifdef OPENSSL_FIPS 
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
+#endif
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,int bits);
 void RC2_ecb_encrypt(const unsigned char *in,unsigned char *out,RC2_KEY *key,
                      int enc);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
index 4953642056..4e000e5b99 100644
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ b/src/lib/libcrypto/rc2/rc2_skey.c
@@ -57,6 +57,11 @@
  */
 
 #include <openssl/rc2.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 #include "rc2_locl.h"
 
 static unsigned char key_table[256]={
@@ -94,8 +99,20 @@ static unsigned char key_table[256]={
  * BSAFE uses the 'retarded' version.  What I previously shipped is
  * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
  * a version where the bits parameter is the same as len*8 */
+
+#ifdef OPENSSL_FIPS
 void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
         {
+        if (FIPS_mode())
+                FIPS_BAD_ABORT(RC2)
+        private_RC2_set_key(key, len, data, bits);
+        }
+void private_RC2_set_key(RC2_KEY *key, int len, const unsigned char *data,
+                                                                int bits)
+#else
+void RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
+#endif
+        {
         int i,j;
         unsigned char *k;
         RC2_INT *ki;
diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
index 92c52f3433..3a54623495 100755
--- a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
@@ -358,6 +358,8 @@ ___
 
 $code =~ s/#([bwd])/$1/gm;
 
+$code =~ s/RC4_set_key/private_RC4_set_key/g if ($ENV{FIPSCANLIB} ne "");
+
 print $code;
 
 close STDOUT;
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index 7aec04fe93..2d8620d33b 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -76,6 +76,9 @@ typedef struct rc4_key_st
 
  
 const char *RC4_options(void);
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
+#endif
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data);
 void RC4(RC4_KEY *key, unsigned long len, const unsigned char *indata,
                 unsigned char *outdata);
diff --git a/src/lib/libcrypto/rc4/rc4_skey.c b/src/lib/libcrypto/rc4/rc4_skey.c
index 46b77ec321..4478d1a4b3 100644
--- a/src/lib/libcrypto/rc4/rc4_skey.c
+++ b/src/lib/libcrypto/rc4/rc4_skey.c
@@ -59,6 +59,11 @@
 #include <openssl/rc4.h>
 #include "rc4_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const char RC4_version[]="RC4" OPENSSL_VERSION_PTEXT;
 
@@ -85,7 +90,11 @@ const char *RC4_options(void)
  * Date: Wed, 14 Sep 1994 06:35:31 GMT
  */
 
+#ifdef OPENSSL_FIPS
+void private_RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+#else
 void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
+#endif
         {
         register RC4_INT tmp;
         register int id1,id2;
@@ -127,7 +136,12 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
                  *
                  *                              <appro@fy.chalmers.se>
                  */
-                if (OPENSSL_ia32cap_P & (1<<20)) {
+#ifdef OPENSSL_FIPS
+                unsigned long *ia32cap_ptr = OPENSSL_ia32cap_loc();
+                if (ia32cap_ptr && (*ia32cap_ptr & (1<<28))) {
+#else
+                if (OPENSSL_ia32cap_P & (1<<28)) {
+#endif
                         unsigned char *cp=(unsigned char *)d;
 
                         for (i=0;i<256;i++) cp[i]=i;
diff --git a/src/lib/libcrypto/rc5/rc5.h b/src/lib/libcrypto/rc5/rc5.h
index 4b3c153b50..f73a2a02a4 100644
--- a/src/lib/libcrypto/rc5/rc5.h
+++ b/src/lib/libcrypto/rc5/rc5.h
@@ -94,7 +94,10 @@ typedef struct rc5_key_st
         RC5_32_INT data[2*(RC5_16_ROUNDS+1)];
         } RC5_32_KEY;
 
- 
+#ifdef OPENSSL_FIPS 
+void private_RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
+        int rounds);
+#endif
 void RC5_32_set_key(RC5_32_KEY *key, int len, const unsigned char *data,
         int rounds);
 void RC5_32_ecb_encrypt(const unsigned char *in,unsigned char *out,RC5_32_KEY *key,
diff --git a/src/lib/libcrypto/ripemd/ripemd.h b/src/lib/libcrypto/ripemd/ripemd.h
index 033a5965b5..3b6d04386d 100644
--- a/src/lib/libcrypto/ripemd/ripemd.h
+++ b/src/lib/libcrypto/ripemd/ripemd.h
@@ -90,7 +90,9 @@ typedef struct RIPEMD160state_st
         RIPEMD160_LONG data[RIPEMD160_LBLOCK];
         unsigned int   num;
         } RIPEMD160_CTX;
-
+#ifdef OPENSSL_FIPS
+int private_RIPEMD160_Init(RIPEMD160_CTX *c);
+#endif
 int RIPEMD160_Init(RIPEMD160_CTX *c);
 int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index 1f2401aa7e..a845e17ed8 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -59,6 +59,11 @@
 #include <stdio.h>
 #include "rmd_locl.h"
 #include <openssl/opensslv.h>
+#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
 
@@ -69,7 +74,7 @@ const char RMD160_version[]="RIPE-MD160" OPENSSL_VERSION_PTEXT;
      void ripemd160_block(RIPEMD160_CTX *c, unsigned long *p,size_t num);
 #  endif
 
-int RIPEMD160_Init(RIPEMD160_CTX *c)
+FIPS_NON_FIPS_MD_Init(RIPEMD160)
         {
         c->A=RIPEMD160_A;
         c->B=RIPEMD160_B;
diff --git a/src/lib/libcrypto/ripemd/rmd_locl.h b/src/lib/libcrypto/ripemd/rmd_locl.h
index f14b346e66..ce12a8000e 100644
--- a/src/lib/libcrypto/ripemd/rmd_locl.h
+++ b/src/lib/libcrypto/ripemd/rmd_locl.h
@@ -72,7 +72,7 @@
  */
 #ifdef RMD160_ASM
 # if defined(__i386) || defined(__i386__) || defined(_M_IX86) || defined(__INTEL__)
-#  define ripemd160_block_data_order ripemd160_block_asm_data_order
+#  define ripemd160_block_host_order ripemd160_block_asm_data_order
 # endif
 #endif
 
diff --git a/src/lib/libcrypto/rsa/Makefile b/src/lib/libcrypto/rsa/Makefile
index 8f1c611800..7b1fd6428c 100644
--- a/src/lib/libcrypto/rsa/Makefile
+++ b/src/lib/libcrypto/rsa/Makefile
@@ -19,10 +19,10 @@ APPS=
 LIB=$(TOP)/libcrypto.a
 LIBSRC= rsa_eay.c rsa_gen.c rsa_lib.c rsa_sign.c rsa_saos.c rsa_err.c \
         rsa_pk1.c rsa_ssl.c rsa_none.c rsa_oaep.c rsa_chk.c rsa_null.c \
-        rsa_pss.c rsa_x931.c rsa_asn1.c rsa_depr.c
+        rsa_pss.c rsa_x931.c rsa_x931g.c rsa_asn1.c rsa_depr.c rsa_eng.c
 LIBOBJ= rsa_eay.o rsa_gen.o rsa_lib.o rsa_sign.o rsa_saos.o rsa_err.o \
         rsa_pk1.o rsa_ssl.o rsa_none.o rsa_oaep.o rsa_chk.o rsa_null.o \
-        rsa_pss.o rsa_x931.o rsa_asn1.o rsa_depr.o
+        rsa_pss.o rsa_x931.o rsa_x931g.o rsa_asn1.o rsa_depr.o rsa_eng.o
 
 SRC= $(LIBSRC)
 
@@ -37,7 +37,7 @@ top:
 all:    lib
 
 lib:    $(LIBOBJ)
-        $(AR) $(LIB) $(LIBOBJ)
+        $(ARX) $(LIB) $(LIBOBJ)
         $(RANLIB) $(LIB) || echo Never mind.
         @touch lib
 
@@ -114,6 +114,21 @@ rsa_eay.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_eay.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_eay.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_eay.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_eay.c
+rsa_eng.o: ../../e_os.h ../../include/openssl/asn1.h
+rsa_eng.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+rsa_eng.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
+rsa_eng.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+rsa_eng.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
+rsa_eng.o: ../../include/openssl/engine.h ../../include/openssl/err.h
+rsa_eng.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+rsa_eng.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_eng.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_eng.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_eng.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rsa_eng.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_eng.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_eng.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+rsa_eng.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_eng.c
 rsa_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 rsa_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 rsa_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
@@ -136,15 +151,15 @@ rsa_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 rsa_lib.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 rsa_lib.o: ../../include/openssl/engine.h ../../include/openssl/err.h
-rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-rsa_lib.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rsa_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_lib.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
-rsa_lib.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
-rsa_lib.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
-rsa_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-rsa_lib.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h
-rsa_lib.o: ../cryptlib.h rsa_lib.c
+rsa_lib.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+rsa_lib.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_lib.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_lib.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h
+rsa_lib.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_lib.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
+rsa_lib.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+rsa_lib.o: ../../include/openssl/x509_vfy.h ../cryptlib.h rsa_lib.c
 rsa_none.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_none.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_none.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@@ -167,9 +182,9 @@ rsa_oaep.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_oaep.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_oaep.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_oaep.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rsa_oaep.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-rsa_oaep.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rsa_oaep.o: ../../include/openssl/opensslconf.h
+rsa_oaep.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+rsa_oaep.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_oaep.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
 rsa_oaep.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_oaep.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_oaep.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
@@ -188,21 +203,23 @@ rsa_pss.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_pss.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_pss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_pss.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-rsa_pss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h
-rsa_pss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
-rsa_pss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
-rsa_pss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rand.h
-rsa_pss.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
-rsa_pss.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
-rsa_pss.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pss.c
+rsa_pss.o: ../../include/openssl/evp.h ../../include/openssl/fips.h
+rsa_pss.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
+rsa_pss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_pss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_pss.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
+rsa_pss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
+rsa_pss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_pss.o: ../cryptlib.h rsa_pss.c
 rsa_saos.o: ../../e_os.h ../../include/openssl/asn1.h
 rsa_saos.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 rsa_saos.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_saos.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 rsa_saos.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 rsa_saos.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_saos.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rsa_saos.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_saos.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rsa_saos.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_saos.o: ../../include/openssl/opensslconf.h
 rsa_saos.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_saos.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 rsa_saos.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
@@ -215,8 +232,9 @@ rsa_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 rsa_sign.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
 rsa_sign.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h
 rsa_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h
-rsa_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h
-rsa_sign.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h
+rsa_sign.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h
+rsa_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h
+rsa_sign.o: ../../include/openssl/opensslconf.h
 rsa_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h
 rsa_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
@@ -242,3 +260,11 @@ rsa_x931.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 rsa_x931.o: ../../include/openssl/rand.h ../../include/openssl/rsa.h
 rsa_x931.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 rsa_x931.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_x931.c
+rsa_x931g.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+rsa_x931g.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
+rsa_x931g.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
+rsa_x931g.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
+rsa_x931g.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
+rsa_x931g.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
+rsa_x931g.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+rsa_x931g.o: rsa_x931g.c
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 3699afaaaf..5bb932ae15 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -74,6 +74,25 @@
 #error RSA is disabled.
 #endif
 
+/* If this flag is set the RSA method is FIPS compliant and can be used
+ * in FIPS mode. This is set in the validated module method. If an
+ * application sets this flag in its own methods it is its reposibility
+ * to ensure the result is compliant.
+ */
+
+#define RSA_FLAG_FIPS_METHOD                    0x0400
+
+/* If this flag is set the operations normally disabled in FIPS mode are
+ * permitted it is then the applications responsibility to ensure that the
+ * usage is compliant.
+ */
+
+#define RSA_FLAG_NON_FIPS_ALLOW                 0x0400
+
+#ifdef OPENSSL_FIPS
+#define FIPS_RSA_SIZE_T int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -163,6 +182,8 @@ struct rsa_st
 # define OPENSSL_RSA_MAX_MODULUS_BITS   16384
 #endif
 
+#define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
+
 #ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
 # define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
 #endif
@@ -240,6 +261,11 @@ RSA *	RSA_generate_key(int bits, unsigned long e,void
 
 /* New version */
 int     RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2,
+                        const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *Xp,
+                        const BIGNUM *Xq1, const BIGNUM *Xq2, const BIGNUM *Xq,
+                        const BIGNUM *e, BN_GENCB *cb);
+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e, BN_GENCB *cb);
 
 int     RSA_check_key(const RSA *);
         /* next 4 return -1 on error */
@@ -257,6 +283,11 @@ int	RSA_up_ref(RSA *r);
 
 int     RSA_flags(const RSA *r);
 
+#ifdef OPENSSL_FIPS
+RSA *FIPS_rsa_new(void);
+void FIPS_rsa_free(RSA *r);
+#endif
+
 void RSA_set_default_method(const RSA_METHOD *meth);
 const RSA_METHOD *RSA_get_default_method(void);
 const RSA_METHOD *RSA_get_method(const RSA *rsa);
@@ -370,6 +401,8 @@ void ERR_load_RSA_strings(void);
 /* Error codes for the RSA functions. */
 
 /* Function codes. */
+#define RSA_F_FIPS_RSA_SIGN                              140
+#define RSA_F_FIPS_RSA_VERIFY                            141
 #define RSA_F_MEMORY_LOCK                                100
 #define RSA_F_RSA_BUILTIN_KEYGEN                         129
 #define RSA_F_RSA_CHECK_KEY                              123
@@ -401,7 +434,11 @@ void ERR_load_RSA_strings(void);
 #define RSA_F_RSA_PADDING_CHECK_X931                     128
 #define RSA_F_RSA_PRINT                                  115
 #define RSA_F_RSA_PRINT_FP                               116
+#define RSA_F_RSA_PRIVATE_ENCRYPT                        137
+#define RSA_F_RSA_PUBLIC_DECRYPT                         138
 #define RSA_F_RSA_SETUP_BLINDING                         136
+#define RSA_F_RSA_SET_DEFAULT_METHOD                     139
+#define RSA_F_RSA_SET_METHOD                             142
 #define RSA_F_RSA_SIGN                                   117
 #define RSA_F_RSA_SIGN_ASN1_OCTET_STRING                 118
 #define RSA_F_RSA_VERIFY                                 119
@@ -435,10 +472,12 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_KEY_SIZE_TOO_SMALL                         120
 #define RSA_R_LAST_OCTET_INVALID                         134
 #define RSA_R_MODULUS_TOO_LARGE                          105
+#define RSA_R_NON_FIPS_METHOD                            141
 #define RSA_R_NO_PUBLIC_EXPONENT                         140
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING                  113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q                       127
 #define RSA_R_OAEP_DECODING_ERROR                        121
+#define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE         142
 #define RSA_R_PADDING_CHECK_FAILED                       114
 #define RSA_R_P_NOT_PRIME                                128
 #define RSA_R_Q_NOT_PRIME                                129
diff --git a/src/lib/libcrypto/rsa/rsa_asn1.c b/src/lib/libcrypto/rsa/rsa_asn1.c
index bbbf26d50e..6e8a803e81 100644
--- a/src/lib/libcrypto/rsa/rsa_asn1.c
+++ b/src/lib/libcrypto/rsa/rsa_asn1.c
@@ -1,5 +1,5 @@
 /* rsa_asn1.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 5a6eda7961..04ec789ee9 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -115,7 +115,7 @@
 #include <openssl/rsa.h>
 #include <openssl/rand.h>
 
-#ifndef RSA_NULL
+#if !defined(RSA_NULL) && !defined(OPENSSL_FIPS)
 
 static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
                 unsigned char *to, RSA *rsa,int padding);
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index fe3ba1b44b..501f5ea389 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,6 +1,6 @@
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2005 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -70,6 +70,8 @@
 
 static ERR_STRING_DATA RSA_str_functs[]=
         {
+{ERR_FUNC(RSA_F_FIPS_RSA_SIGN), "FIPS_RSA_SIGN"},
+{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY),       "FIPS_RSA_VERIFY"},
 {ERR_FUNC(RSA_F_MEMORY_LOCK),   "MEMORY_LOCK"},
 {ERR_FUNC(RSA_F_RSA_BUILTIN_KEYGEN),    "RSA_BUILTIN_KEYGEN"},
 {ERR_FUNC(RSA_F_RSA_CHECK_KEY), "RSA_check_key"},
@@ -101,7 +103,11 @@ static ERR_STRING_DATA RSA_str_functs[]=
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_X931),        "RSA_padding_check_X931"},
 {ERR_FUNC(RSA_F_RSA_PRINT),     "RSA_print"},
 {ERR_FUNC(RSA_F_RSA_PRINT_FP),  "RSA_print_fp"},
+{ERR_FUNC(RSA_F_RSA_PRIVATE_ENCRYPT),   "RSA_private_encrypt"},
+{ERR_FUNC(RSA_F_RSA_PUBLIC_DECRYPT),    "RSA_public_decrypt"},
 {ERR_FUNC(RSA_F_RSA_SETUP_BLINDING),    "RSA_setup_blinding"},
+{ERR_FUNC(RSA_F_RSA_SET_DEFAULT_METHOD),        "RSA_set_default_method"},
+{ERR_FUNC(RSA_F_RSA_SET_METHOD),        "RSA_set_method"},
 {ERR_FUNC(RSA_F_RSA_SIGN),      "RSA_sign"},
 {ERR_FUNC(RSA_F_RSA_SIGN_ASN1_OCTET_STRING),    "RSA_sign_ASN1_OCTET_STRING"},
 {ERR_FUNC(RSA_F_RSA_VERIFY),    "RSA_verify"},
@@ -138,10 +144,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
 {ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
 {ERR_REASON(RSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
+{ERR_REASON(RSA_R_NON_FIPS_METHOD)       ,"non fips method"},
 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT)    ,"no public exponent"},
 {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
+{ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE),"operation not allowed in fips mode"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index 767f7ab682..41278f83c6 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -68,6 +68,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 
+#ifndef OPENSSL_FIPS
+
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
 
 /* NB: this wrapper would normally be placed in rsa_lib.c and the static
@@ -217,3 +219,4 @@ err:
         return ok;
         }
 
+#endif
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 104aa4c1f2..5714841f4c 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -67,215 +67,6 @@
 #include <openssl/engine.h>
 #endif
 
-const char RSA_version[]="RSA" OPENSSL_VERSION_PTEXT;
-
-static const RSA_METHOD *default_RSA_meth=NULL;
-
-RSA *RSA_new(void)
-        {
-        RSA *r=RSA_new_method(NULL);
-
-        return r;
-        }
-
-void RSA_set_default_method(const RSA_METHOD *meth)
-        {
-        default_RSA_meth = meth;
-        }
-
-const RSA_METHOD *RSA_get_default_method(void)
-        {
-        if (default_RSA_meth == NULL)
-                {
-#ifdef RSA_NULL
-                default_RSA_meth=RSA_null_method();
-#else
-#if 0 /* was: #ifdef RSAref */
-                default_RSA_meth=RSA_PKCS1_RSAref();
-#else
-                default_RSA_meth=RSA_PKCS1_SSLeay();
-#endif
-#endif
-                }
-
-        return default_RSA_meth;
-        }
-
-const RSA_METHOD *RSA_get_method(const RSA *rsa)
-        {
-        return rsa->meth;
-        }
-
-int RSA_set_method(RSA *rsa, const RSA_METHOD *meth)
-        {
-        /* NB: The caller is specifically setting a method, so it's not up to us
-         * to deal with which ENGINE it comes from. */
-        const RSA_METHOD *mtmp;
-        mtmp = rsa->meth;
-        if (mtmp->finish) mtmp->finish(rsa);
-#ifndef OPENSSL_NO_ENGINE
-        if (rsa->engine)
-                {
-                ENGINE_finish(rsa->engine);
-                rsa->engine = NULL;
-                }
-#endif
-        rsa->meth = meth;
-        if (meth->init) meth->init(rsa);
-        return 1;
-        }
-
-RSA *RSA_new_method(ENGINE *engine)
-        {
-        RSA *ret;
-
-        ret=(RSA *)OPENSSL_malloc(sizeof(RSA));
-        if (ret == NULL)
-                {
-                RSAerr(RSA_F_RSA_NEW_METHOD,ERR_R_MALLOC_FAILURE);
-                return NULL;
-                }
-
-        ret->meth = RSA_get_default_method();
-#ifndef OPENSSL_NO_ENGINE
-        if (engine)
-                {
-                if (!ENGINE_init(engine))
-                        {
-                        RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB);
-                        OPENSSL_free(ret);
-                        return NULL;
-                        }
-                ret->engine = engine;
-                }
-        else
-                ret->engine = ENGINE_get_default_RSA();
-        if(ret->engine)
-                {
-                ret->meth = ENGINE_get_RSA(ret->engine);
-                if(!ret->meth)
-                        {
-                        RSAerr(RSA_F_RSA_NEW_METHOD,
-                                ERR_R_ENGINE_LIB);
-                        ENGINE_finish(ret->engine);
-                        OPENSSL_free(ret);
-                        return NULL;
-                        }
-                }
-#endif
-
-        ret->pad=0;
-        ret->version=0;
-        ret->n=NULL;
-        ret->e=NULL;
-        ret->d=NULL;
-        ret->p=NULL;
-        ret->q=NULL;
-        ret->dmp1=NULL;
-        ret->dmq1=NULL;
-        ret->iqmp=NULL;
-        ret->references=1;
-        ret->_method_mod_n=NULL;
-        ret->_method_mod_p=NULL;
-        ret->_method_mod_q=NULL;
-        ret->blinding=NULL;
-        ret->mt_blinding=NULL;
-        ret->bignum_data=NULL;
-        ret->flags=ret->meth->flags;
-        CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
-        if ((ret->meth->init != NULL) && !ret->meth->init(ret))
-                {
-#ifndef OPENSSL_NO_ENGINE
-                if (ret->engine)
-                        ENGINE_finish(ret->engine);
-#endif
-                CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
-                OPENSSL_free(ret);
-                ret=NULL;
-                }
-        return(ret);
-        }
-
-void RSA_free(RSA *r)
-        {
-        int i;
-
-        if (r == NULL) return;
-
-        i=CRYPTO_add(&r->references,-1,CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
-        REF_PRINT("RSA",r);
-#endif
-        if (i > 0) return;
-#ifdef REF_CHECK
-        if (i < 0)
-                {
-                fprintf(stderr,"RSA_free, bad reference count\n");
-                abort();
-                }
-#endif
-
-        if (r->meth->finish)
-                r->meth->finish(r);
-#ifndef OPENSSL_NO_ENGINE
-        if (r->engine)
-                ENGINE_finish(r->engine);
-#endif
-
-        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
-
-        if (r->n != NULL) BN_clear_free(r->n);
-        if (r->e != NULL) BN_clear_free(r->e);
-        if (r->d != NULL) BN_clear_free(r->d);
-        if (r->p != NULL) BN_clear_free(r->p);
-        if (r->q != NULL) BN_clear_free(r->q);
-        if (r->dmp1 != NULL) BN_clear_free(r->dmp1);
-        if (r->dmq1 != NULL) BN_clear_free(r->dmq1);
-        if (r->iqmp != NULL) BN_clear_free(r->iqmp);
-        if (r->blinding != NULL) BN_BLINDING_free(r->blinding);
-        if (r->mt_blinding != NULL) BN_BLINDING_free(r->mt_blinding);
-        if (r->bignum_data != NULL) OPENSSL_free_locked(r->bignum_data);
-        OPENSSL_free(r);
-        }
-
-int RSA_up_ref(RSA *r)
-        {
-        int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_RSA);
-#ifdef REF_PRINT
-        REF_PRINT("RSA",r);
-#endif
-#ifdef REF_CHECK
-        if (i < 2)
-                {
-                fprintf(stderr, "RSA_up_ref, bad reference count\n");
-                abort();
-                }
-#endif
-        return ((i > 1) ? 1 : 0);
-        }
-
-int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
-             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
-        {
-        return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
-                                new_func, dup_func, free_func);
-        }
-
-int RSA_set_ex_data(RSA *r, int idx, void *arg)
-        {
-        return(CRYPTO_set_ex_data(&r->ex_data,idx,arg));
-        }
-
-void *RSA_get_ex_data(const RSA *r, int idx)
-        {
-        return(CRYPTO_get_ex_data(&r->ex_data,idx));
-        }
-
-int RSA_size(const RSA *r)
-        {
-        return(BN_num_bytes(r->n));
-        }
-
 int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
@@ -285,6 +76,13 @@ int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
 int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                {
+                RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         return(rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding));
         }
 
@@ -297,12 +95,19 @@ int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
 int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
              RSA *rsa, int padding)
         {
+#ifdef OPENSSL_FIPS
+        if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                {
+                RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         return(rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding));
         }
 
-int RSA_flags(const RSA *r)
+int RSA_size(const RSA *r)
         {
-        return((r == NULL)?0:r->meth->flags);
+        return(BN_num_bytes(r->n));
         }
 
 void RSA_blinding_off(RSA *rsa)
@@ -427,48 +232,3 @@ err:
 
         return ret;
 }
-
-int RSA_memory_lock(RSA *r)
-        {
-        int i,j,k,off;
-        char *p;
-        BIGNUM *bn,**t[6],*b;
-        BN_ULONG *ul;
-
-        if (r->d == NULL) return(1);
-        t[0]= &r->d;
-        t[1]= &r->p;
-        t[2]= &r->q;
-        t[3]= &r->dmp1;
-        t[4]= &r->dmq1;
-        t[5]= &r->iqmp;
-        k=sizeof(BIGNUM)*6;
-        off=k/sizeof(BN_ULONG)+1;
-        j=1;
-        for (i=0; i<6; i++)
-                j+= (*t[i])->top;
-        if ((p=OPENSSL_malloc_locked((off+j)*sizeof(BN_ULONG))) == NULL)
-                {
-                RSAerr(RSA_F_RSA_MEMORY_LOCK,ERR_R_MALLOC_FAILURE);
-                return(0);
-                }
-        bn=(BIGNUM *)p;
-        ul=(BN_ULONG *)&(p[off]);
-        for (i=0; i<6; i++)
-                {
-                b= *(t[i]);
-                *(t[i])= &(bn[i]);
-                memcpy((char *)&(bn[i]),(char *)b,sizeof(BIGNUM));
-                bn[i].flags=BN_FLG_STATIC_DATA;
-                bn[i].d=ul;
-                memcpy((char *)ul,b->d,sizeof(BN_ULONG)*b->top);
-                ul+=b->top;
-                BN_clear_free(b);
-                }
-        
-        /* I should fix this so it can still be done */
-        r->flags&= ~(RSA_FLAG_CACHE_PRIVATE|RSA_FLAG_CACHE_PUBLIC);
-
-        r->bignum_data=p;
-        return(1);
-        }
diff --git a/src/lib/libcrypto/rsa/rsa_null.c b/src/lib/libcrypto/rsa/rsa_null.c
index 491572c82b..2f2202f142 100644
--- a/src/lib/libcrypto/rsa/rsa_null.c
+++ b/src/lib/libcrypto/rsa/rsa_null.c
@@ -1,5 +1,5 @@
 /* rsa_null.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 3652677a99..4d30c9d2d3 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -187,7 +187,7 @@ int PKCS1_MGF1(unsigned char *mask, long len,
         int mdlen;
 
         EVP_MD_CTX_init(&c);
-        mdlen = EVP_MD_size(dgst);
+        mdlen = M_EVP_MD_size(dgst);
         for (i = 0; outlen < len; i++)
                 {
                 cnt[0] = (unsigned char)((i >> 24) & 255);
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 71aabeea1b..5488c06f6d 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -90,6 +90,14 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
                 i = SSL_SIG_LENGTH;
                 s = m;
         } else {
+        /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+                if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                        {
+                        RSAerr(RSA_F_RSA_SIGN, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                        return 0;
+                        }
+#endif
                 sig.algor= &algor;
                 sig.algor->algorithm=OBJ_nid2obj(type);
                 if (sig.algor->algorithm == NULL)
@@ -167,10 +175,22 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
                 RSAerr(RSA_F_RSA_VERIFY,ERR_R_MALLOC_FAILURE);
                 goto err;
                 }
-        if((dtype == NID_md5_sha1) && (m_len != SSL_SIG_LENGTH) ) {
+        if(dtype == NID_md5_sha1)
+                {
+                if (m_len != SSL_SIG_LENGTH)
+                        {
                         RSAerr(RSA_F_RSA_VERIFY,RSA_R_INVALID_MESSAGE_LENGTH);
                         goto err;
-        }
+                        }
+                }
+        /* NB: in FIPS mode block anything that isn't a TLS signature */
+#ifdef OPENSSL_FIPS
+        else if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
+                {
+                RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
+                return 0;
+                }
+#endif
         i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
 
         if (i <= 0) goto err;
diff --git a/src/lib/libcrypto/sha/sha.h b/src/lib/libcrypto/sha/sha.h
index eed44d7f94..47a2c29f66 100644
--- a/src/lib/libcrypto/sha/sha.h
+++ b/src/lib/libcrypto/sha/sha.h
@@ -106,6 +106,9 @@ typedef struct SHAstate_st
         } SHA_CTX;
 
 #ifndef OPENSSL_NO_SHA0
+#ifdef OPENSSL_FIPS
+int private_SHA_Init(SHA_CTX *c);
+#endif
 int SHA_Init(SHA_CTX *c);
 int SHA_Update(SHA_CTX *c, const void *data, size_t len);
 int SHA_Final(unsigned char *md, SHA_CTX *c);
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index 7c65b60276..4831174198 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -61,7 +61,7 @@
 #include <openssl/sha.h>
 #include <openssl/crypto.h>
 
-#ifndef OPENSSL_NO_SHA1
+#if !defined(OPENSSL_NO_SHA1)
 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
         {
         SHA_CTX c;
diff --git a/src/lib/libcrypto/sha/sha1dgst.c b/src/lib/libcrypto/sha/sha1dgst.c
index 50d1925cde..d31f0781a0 100644
--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -63,6 +63,10 @@
 #define SHA_1
 
 #include <openssl/opensslv.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
 
 const char SHA1_version[]="SHA1" OPENSSL_VERSION_PTEXT;
 
diff --git a/src/lib/libcrypto/sha/sha_dgst.c b/src/lib/libcrypto/sha/sha_dgst.c
index 70eb56032c..598f4d721a 100644
--- a/src/lib/libcrypto/sha/sha_dgst.c
+++ b/src/lib/libcrypto/sha/sha_dgst.c
@@ -57,6 +57,12 @@
  */
 
 #include <openssl/opensslconf.h>
+#include <openssl/crypto.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
+#include <openssl/err.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index e37e5726e3..da46ddfe79 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -122,8 +122,15 @@ void sha1_block_data_order (SHA_CTX *c, const void *p,size_t num);
 #define INIT_DATA_h3 0x10325476UL
 #define INIT_DATA_h4 0xc3d2e1f0UL
 
+#if defined(SHA_0) && defined(OPENSSL_FIPS)
+FIPS_NON_FIPS_MD_Init(SHA)
+#else
 int HASH_INIT (SHA_CTX *c)
+#endif
         {
+#if defined(SHA_1) && defined(OPENSSL_FIPS)
+        FIPS_selftest_check();
+#endif
         c->h0=INIT_DATA_h0;
         c->h1=INIT_DATA_h1;
         c->h2=INIT_DATA_h2;
diff --git a/src/lib/libcrypto/symhacks.h b/src/lib/libcrypto/symhacks.h
index 64528ad5c2..6cfb5fe479 100644
--- a/src/lib/libcrypto/symhacks.h
+++ b/src/lib/libcrypto/symhacks.h
@@ -179,6 +179,11 @@
 #define ENGINE_set_load_privkey_function        ENGINE_set_load_privkey_fn
 #undef ENGINE_get_load_privkey_function
 #define ENGINE_get_load_privkey_function        ENGINE_get_load_privkey_fn
+#undef ENGINE_set_load_ssl_client_cert_function
+#define ENGINE_set_load_ssl_client_cert_function \
+                                                ENGINE_set_ld_ssl_clnt_cert_fn
+#undef ENGINE_get_ssl_client_cert_function
+#define ENGINE_get_ssl_client_cert_function     ENGINE_get_ssl_client_cert_fn
 
 /* Hack some long OCSP names */
 #undef OCSP_REQUEST_get_ext_by_critical
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index 8446673ed4..5fbedf6ff8 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -678,6 +678,8 @@ static int noecho_fgets(char *buf, int size, FILE *tty)
                 size--;
 #ifdef WIN16TTY
                 i=_inchar();
+#elif defined(_WIN32)
+                i=_getch();
 #else
                 i=getch();
 #endif
diff --git a/src/lib/libcrypto/util/libeay.num b/src/lib/libcrypto/util/libeay.num
index 62664f3c37..0eb54ddc89 100644
--- a/src/lib/libcrypto/util/libeay.num
+++ b/src/lib/libcrypto/util/libeay.num
@@ -2804,12 +2804,12 @@ OPENSSL_cleanse                         3245	EXIST::FUNCTION:
 ENGINE_setup_bsd_cryptodev              3246    EXIST:__FreeBSD__:FUNCTION:ENGINE
 ERR_release_err_state_table             3247    EXIST::FUNCTION:LHASH
 EVP_aes_128_cfb8                        3248    EXIST::FUNCTION:AES
-FIPS_corrupt_rsa                        3249    NOEXIST::FUNCTION:
-FIPS_selftest_des                       3250    NOEXIST::FUNCTION:
+FIPS_corrupt_rsa                        3249    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_des                       3250    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_aes_128_cfb1                        3251    EXIST::FUNCTION:AES
 EVP_aes_192_cfb8                        3252    EXIST::FUNCTION:AES
-FIPS_mode_set                           3253    NOEXIST::FUNCTION:
-FIPS_selftest_dsa                       3254    NOEXIST::FUNCTION:
+FIPS_mode_set                           3253    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_dsa                       3254    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_aes_256_cfb8                        3255    EXIST::FUNCTION:AES
 FIPS_allow_md5                          3256    NOEXIST::FUNCTION:
 DES_ede3_cfb_encrypt                    3257    EXIST::FUNCTION:DES
@@ -2817,44 +2817,44 @@ EVP_des_ede3_cfb8                       3258	EXIST::FUNCTION:DES
 FIPS_rand_seeded                        3259    NOEXIST::FUNCTION:
 AES_cfbr_encrypt_block                  3260    EXIST::FUNCTION:AES
 AES_cfb8_encrypt                        3261    EXIST::FUNCTION:AES
-FIPS_rand_seed                          3262    NOEXIST::FUNCTION:
-FIPS_corrupt_des                        3263    NOEXIST::FUNCTION:
+FIPS_rand_seed                          3262    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_des                        3263    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_aes_192_cfb1                        3264    EXIST::FUNCTION:AES
-FIPS_selftest_aes                       3265    NOEXIST::FUNCTION:
+FIPS_selftest_aes                       3265    EXIST:OPENSSL_FIPS:FUNCTION:
 FIPS_set_prng_key                       3266    NOEXIST::FUNCTION:
 EVP_des_cfb8                            3267    EXIST::FUNCTION:DES
-FIPS_corrupt_dsa                        3268    NOEXIST::FUNCTION:
+FIPS_corrupt_dsa                        3268    EXIST:OPENSSL_FIPS:FUNCTION:
 FIPS_test_mode                          3269    NOEXIST::FUNCTION:
-FIPS_rand_method                        3270    NOEXIST::FUNCTION:
+FIPS_rand_method                        3270    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_aes_256_cfb1                        3271    EXIST::FUNCTION:AES
-ERR_load_FIPS_strings                   3272    NOEXIST::FUNCTION:
-FIPS_corrupt_aes                        3273    NOEXIST::FUNCTION:
-FIPS_selftest_sha1                      3274    NOEXIST::FUNCTION:
-FIPS_selftest_rsa                       3275    NOEXIST::FUNCTION:
-FIPS_corrupt_sha1                       3276    NOEXIST::FUNCTION:
+ERR_load_FIPS_strings                   3272    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_aes                        3273    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_sha1                      3274    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_rsa                       3275    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_sha1                       3276    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_des_cfb1                            3277    EXIST::FUNCTION:DES
 FIPS_dsa_check                          3278    NOEXIST::FUNCTION:
 AES_cfb1_encrypt                        3279    EXIST::FUNCTION:AES
 EVP_des_ede3_cfb1                       3280    EXIST::FUNCTION:DES
-FIPS_rand_check                         3281    NOEXIST::FUNCTION:
+FIPS_rand_check                         3281    EXIST:OPENSSL_FIPS:FUNCTION:
 FIPS_md5_allowed                        3282    NOEXIST::FUNCTION:
-FIPS_mode                               3283    NOEXIST::FUNCTION:
-FIPS_selftest_failed                    3284    NOEXIST::FUNCTION:
+FIPS_mode                               3283    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_selftest_failed                    3284    EXIST:OPENSSL_FIPS:FUNCTION:
 sk_is_sorted                            3285    EXIST::FUNCTION:
 X509_check_ca                           3286    EXIST::FUNCTION:
-private_idea_set_encrypt_key            3287    NOEXIST::FUNCTION:
+private_idea_set_encrypt_key            3287    EXIST:OPENSSL_FIPS:FUNCTION:IDEA
 HMAC_CTX_set_flags                      3288    EXIST::FUNCTION:HMAC
-private_SHA_Init                        3289    NOEXIST::FUNCTION:
-private_CAST_set_key                    3290    NOEXIST::FUNCTION:
-private_RIPEMD160_Init                  3291    NOEXIST::FUNCTION:
-private_RC5_32_set_key                  3292    NOEXIST::FUNCTION:
-private_MD5_Init                        3293    NOEXIST::FUNCTION:
-private_RC4_set_key                     3294    NOEXIST::FUNCTION:
-private_MDC2_Init                       3295    NOEXIST::FUNCTION:
-private_RC2_set_key                     3296    NOEXIST::FUNCTION:
-private_MD4_Init                        3297    NOEXIST::FUNCTION:
-private_BF_set_key                      3298    NOEXIST::FUNCTION:
-private_MD2_Init                        3299    NOEXIST::FUNCTION:
+private_SHA_Init                        3289    EXIST:OPENSSL_FIPS:FUNCTION:SHA,SHA0
+private_CAST_set_key                    3290    EXIST:OPENSSL_FIPS:FUNCTION:CAST
+private_RIPEMD160_Init                  3291    EXIST:OPENSSL_FIPS:FUNCTION:RIPEMD
+private_RC5_32_set_key                  3292    EXIST:OPENSSL_FIPS:FUNCTION:RC5
+private_MD5_Init                        3293    EXIST:OPENSSL_FIPS:FUNCTION:MD5
+private_RC4_set_key                     3294    EXIST:OPENSSL_FIPS:FUNCTION:RC4
+private_MDC2_Init                       3295    EXIST:OPENSSL_FIPS:FUNCTION:MDC2
+private_RC2_set_key                     3296    EXIST:OPENSSL_FIPS:FUNCTION:RC2
+private_MD4_Init                        3297    EXIST:OPENSSL_FIPS:FUNCTION:MD4
+private_BF_set_key                      3298    EXIST:OPENSSL_FIPS:FUNCTION:BF
+private_MD2_Init                        3299    EXIST:OPENSSL_FIPS:FUNCTION:MD2
 d2i_PROXY_CERT_INFO_EXTENSION           3300    EXIST::FUNCTION:
 PROXY_POLICY_it                         3301    EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PROXY_POLICY_it                         3301    EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
@@ -2868,13 +2868,13 @@ PROXY_CERT_INFO_EXTENSION_it            3307	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTI
 PROXY_POLICY_free                       3308    EXIST::FUNCTION:
 PROXY_POLICY_new                        3309    EXIST::FUNCTION:
 BN_MONT_CTX_set_locked                  3310    EXIST::FUNCTION:
-FIPS_selftest_rng                       3311    NOEXIST::FUNCTION:
+FIPS_selftest_rng                       3311    EXIST:OPENSSL_FIPS:FUNCTION:
 EVP_sha384                              3312    EXIST::FUNCTION:SHA,SHA512
 EVP_sha512                              3313    EXIST::FUNCTION:SHA,SHA512
 EVP_sha224                              3314    EXIST::FUNCTION:SHA,SHA256
 EVP_sha256                              3315    EXIST::FUNCTION:SHA,SHA256
-FIPS_selftest_hmac                      3316    NOEXIST::FUNCTION:
-FIPS_corrupt_rng                        3317    NOEXIST::FUNCTION:
+FIPS_selftest_hmac                      3316    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_corrupt_rng                        3317    EXIST:OPENSSL_FIPS:FUNCTION:
 BN_mod_exp_mont_consttime               3318    EXIST::FUNCTION:
 RSA_X931_hash_id                        3319    EXIST::FUNCTION:RSA
 RSA_padding_check_X931                  3320    EXIST::FUNCTION:RSA
@@ -2882,7 +2882,7 @@ RSA_verify_PKCS1_PSS                    3321	EXIST::FUNCTION:RSA
 RSA_padding_add_X931                    3322    EXIST::FUNCTION:RSA
 RSA_padding_add_PKCS1_PSS               3323    EXIST::FUNCTION:RSA
 PKCS1_MGF1                              3324    EXIST::FUNCTION:RSA
-BN_X931_generate_Xpq                    3325    NOEXIST::FUNCTION:
+BN_X931_generate_Xpq                    3325    EXIST::FUNCTION:
 RSA_X931_generate_key                   3326    NOEXIST::FUNCTION:
 BN_X931_derive_prime                    3327    NOEXIST::FUNCTION:
 BN_X931_generate_prime                  3328    NOEXIST::FUNCTION:
@@ -3652,51 +3652,75 @@ CMS_set1_eContentType                   4040	EXIST::FUNCTION:CMS
 CMS_ReceiptRequest_create0              4041    EXIST::FUNCTION:CMS
 CMS_add1_signer                         4042    EXIST::FUNCTION:CMS
 CMS_RecipientInfo_set0_pkey             4043    EXIST::FUNCTION:CMS
-ENGINE_set_load_ssl_client_cert_function 4044   EXIST::FUNCTION:ENGINE
-ENGINE_get_ssl_client_cert_function     4045    EXIST::FUNCTION:ENGINE
+ENGINE_set_load_ssl_client_cert_function 4044   EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_set_ld_ssl_clnt_cert_fn          4044    EXIST:VMS:FUNCTION:ENGINE
+ENGINE_get_ssl_client_cert_function     4045    EXIST:!VMS:FUNCTION:ENGINE
+ENGINE_get_ssl_client_cert_fn           4045    EXIST:VMS:FUNCTION:ENGINE
 ENGINE_load_ssl_client_cert             4046    EXIST::FUNCTION:ENGINE
 ENGINE_load_capi                        4047    EXIST::FUNCTION:CAPIENG,ENGINE
 OPENSSL_isservice                       4048    EXIST::FUNCTION:
-FIPS_dsa_sig_decode                     4049    NOEXIST::FUNCTION:
-EVP_CIPHER_CTX_clear_flags              4050    NOEXIST::FUNCTION:
-FIPS_rand_status                        4051    NOEXIST::FUNCTION:
-FIPS_rand_set_key                       4052    NOEXIST::FUNCTION:
-CRYPTO_set_mem_info_functions           4053    NOEXIST::FUNCTION:
-RSA_X931_generate_key_ex                4054    NOEXIST::FUNCTION:
-int_ERR_set_state_func                  4055    NOEXIST::FUNCTION:
-int_EVP_MD_set_engine_callbacks         4056    NOEXIST::FUNCTION:
-int_CRYPTO_set_do_dynlock_callback      4057    NOEXIST::FUNCTION:
-FIPS_rng_stick                          4058    NOEXIST::FUNCTION:
-EVP_CIPHER_CTX_set_flags                4059    NOEXIST::FUNCTION:
-BN_X931_generate_prime_ex               4060    NOEXIST::FUNCTION:
-FIPS_selftest_check                     4061    NOEXIST::FUNCTION:
-FIPS_rand_set_dt                        4062    NOEXIST::FUNCTION:
-CRYPTO_dbg_pop_info                     4063    NOEXIST::FUNCTION:
-FIPS_dsa_free                           4064    NOEXIST::FUNCTION:
-RSA_X931_derive_ex                      4065    NOEXIST::FUNCTION:
-FIPS_rsa_new                            4066    NOEXIST::FUNCTION:
-FIPS_rand_bytes                         4067    NOEXIST::FUNCTION:
-fips_cipher_test                        4068    NOEXIST::FUNCTION:
-EVP_CIPHER_CTX_test_flags               4069    NOEXIST::FUNCTION:
-CRYPTO_malloc_debug_init                4070    NOEXIST::FUNCTION:
-CRYPTO_dbg_push_info                    4071    NOEXIST::FUNCTION:
-FIPS_corrupt_rsa_keygen                 4072    NOEXIST::FUNCTION:
-FIPS_dh_new                             4073    NOEXIST::FUNCTION:
-FIPS_corrupt_dsa_keygen                 4074    NOEXIST::FUNCTION:
-FIPS_dh_free                            4075    NOEXIST::FUNCTION:
-fips_pkey_signature_test                4076    NOEXIST::FUNCTION:
-EVP_add_alg_module                      4077    NOEXIST::FUNCTION:
-int_RAND_init_engine_callbacks          4078    NOEXIST::FUNCTION:
-int_EVP_CIPHER_set_engine_callbacks     4079    NOEXIST::FUNCTION:
-int_EVP_MD_init_engine_callbacks        4080    NOEXIST::FUNCTION:
-FIPS_rand_test_mode                     4081    NOEXIST::FUNCTION:
-FIPS_rand_reset                         4082    NOEXIST::FUNCTION:
-FIPS_dsa_new                            4083    NOEXIST::FUNCTION:
-int_RAND_set_callbacks                  4084    NOEXIST::FUNCTION:
-BN_X931_derive_prime_ex                 4085    NOEXIST::FUNCTION:
-int_ERR_lib_init                        4086    NOEXIST::FUNCTION:
-int_EVP_CIPHER_init_engine_callbacks    4087    NOEXIST::FUNCTION:
-FIPS_rsa_free                           4088    NOEXIST::FUNCTION:
-FIPS_dsa_sig_encode                     4089    NOEXIST::FUNCTION:
-CRYPTO_dbg_remove_all_info              4090    NOEXIST::FUNCTION:
-OPENSSL_init                            4091    NOEXIST::FUNCTION:
+FIPS_dsa_sig_decode                     4049    EXIST:OPENSSL_FIPS:FUNCTION:DSA
+EVP_CIPHER_CTX_clear_flags              4050    EXIST::FUNCTION:
+FIPS_rand_status                        4051    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_set_key                       4052    EXIST:OPENSSL_FIPS:FUNCTION:
+CRYPTO_set_mem_info_functions           4053    EXIST::FUNCTION:
+RSA_X931_generate_key_ex                4054    EXIST::FUNCTION:RSA
+int_ERR_set_state_func                  4055    EXIST:OPENSSL_FIPS:FUNCTION:
+int_EVP_MD_set_engine_callbacks         4056    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+int_CRYPTO_set_do_dynlock_callback      4057    EXIST::FUNCTION:
+FIPS_rng_stick                          4058    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_CIPHER_CTX_set_flags                4059    EXIST::FUNCTION:
+BN_X931_generate_prime_ex               4060    EXIST::FUNCTION:
+FIPS_selftest_check                     4061    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_set_dt                        4062    EXIST:OPENSSL_FIPS:FUNCTION:
+CRYPTO_dbg_pop_info                     4063    EXIST::FUNCTION:
+FIPS_dsa_free                           4064    EXIST:OPENSSL_FIPS:FUNCTION:DSA
+RSA_X931_derive_ex                      4065    EXIST::FUNCTION:RSA
+FIPS_rsa_new                            4066    EXIST:OPENSSL_FIPS:FUNCTION:RSA
+FIPS_rand_bytes                         4067    EXIST:OPENSSL_FIPS:FUNCTION:
+fips_cipher_test                        4068    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_CIPHER_CTX_test_flags               4069    EXIST::FUNCTION:
+CRYPTO_malloc_debug_init                4070    EXIST::FUNCTION:
+CRYPTO_dbg_push_info                    4071    EXIST::FUNCTION:
+FIPS_corrupt_rsa_keygen                 4072    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_dh_new                             4073    EXIST:OPENSSL_FIPS:FUNCTION:DH
+FIPS_corrupt_dsa_keygen                 4074    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_dh_free                            4075    EXIST:OPENSSL_FIPS:FUNCTION:DH
+fips_pkey_signature_test                4076    EXIST:OPENSSL_FIPS:FUNCTION:
+EVP_add_alg_module                      4077    EXIST::FUNCTION:
+int_RAND_init_engine_callbacks          4078    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+int_EVP_CIPHER_set_engine_callbacks     4079    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+int_EVP_MD_init_engine_callbacks        4080    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+FIPS_rand_test_mode                     4081    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_rand_reset                         4082    EXIST:OPENSSL_FIPS:FUNCTION:
+FIPS_dsa_new                            4083    EXIST:OPENSSL_FIPS:FUNCTION:DSA
+int_RAND_set_callbacks                  4084    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+BN_X931_derive_prime_ex                 4085    EXIST::FUNCTION:
+int_ERR_lib_init                        4086    EXIST:OPENSSL_FIPS:FUNCTION:
+int_EVP_CIPHER_init_engine_callbacks    4087    EXIST:OPENSSL_FIPS:FUNCTION:ENGINE
+FIPS_rsa_free                           4088    EXIST:OPENSSL_FIPS:FUNCTION:RSA
+FIPS_dsa_sig_encode                     4089    EXIST:OPENSSL_FIPS:FUNCTION:DSA
+CRYPTO_dbg_remove_all_info              4090    EXIST::FUNCTION:
+OPENSSL_init                            4091    EXIST::FUNCTION:
+private_Camellia_set_key                4092    EXIST:OPENSSL_FIPS:FUNCTION:CAMELLIA
+CRYPTO_strdup                           4093    EXIST::FUNCTION:
+JPAKE_STEP3A_process                    4094    EXIST::FUNCTION:JPAKE
+JPAKE_STEP1_release                     4095    EXIST::FUNCTION:JPAKE
+JPAKE_get_shared_key                    4096    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3B_init                       4097    EXIST::FUNCTION:JPAKE
+JPAKE_STEP1_generate                    4098    EXIST::FUNCTION:JPAKE
+JPAKE_STEP1_init                        4099    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3B_process                    4100    EXIST::FUNCTION:JPAKE
+JPAKE_STEP2_generate                    4101    EXIST::FUNCTION:JPAKE
+JPAKE_CTX_new                           4102    EXIST::FUNCTION:JPAKE
+JPAKE_CTX_free                          4103    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3B_release                    4104    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3A_release                    4105    EXIST::FUNCTION:JPAKE
+JPAKE_STEP2_process                     4106    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3B_generate                   4107    EXIST::FUNCTION:JPAKE
+JPAKE_STEP1_process                     4108    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3A_generate                   4109    EXIST::FUNCTION:JPAKE
+JPAKE_STEP2_release                     4110    EXIST::FUNCTION:JPAKE
+JPAKE_STEP3A_init                       4111    EXIST::FUNCTION:JPAKE
+ERR_load_JPAKE_strings                  4112    EXIST::FUNCTION:JPAKE
+JPAKE_STEP2_init                        4113    EXIST::FUNCTION:JPAKE
diff --git a/src/lib/libcrypto/util/mk1mf.pl b/src/lib/libcrypto/util/mk1mf.pl
index 7ba804ce33..4c16f1dc9e 100644
--- a/src/lib/libcrypto/util/mk1mf.pl
+++ b/src/lib/libcrypto/util/mk1mf.pl
@@ -15,6 +15,18 @@ my $engines = "";
 local $zlib_opt = 0;    # 0 = no zlib, 1 = static, 2 = dynamic
 local $zlib_lib = "";
 
+local $fips_canister_path = "";
+my $fips_premain_dso_exe_path = "";
+my $fips_premain_c_path = "";
+my $fips_sha1_exe_path = "";
+
+local $fipscanisterbuild = 0;
+local $fipsdso = 0;
+
+my $fipslibdir = "";
+my $baseaddr = "";
+
+my $ex_l_libs = "";
 
 open(IN,"<Makefile") || die "unable to open Makefile!\n";
 while(<IN>) {
@@ -221,6 +233,7 @@ $cflags.=" -DOPENSSL_NO_SSL2" if $no_ssl2;
 $cflags.=" -DOPENSSL_NO_SSL3" if $no_ssl3;
 $cflags.=" -DOPENSSL_NO_TLSEXT" if $no_tlsext;
 $cflags.=" -DOPENSSL_NO_CMS" if $no_cms;
+$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
 $cflags.=" -DOPENSSL_NO_CAPIENG" if $no_capieng;
 $cflags.=" -DOPENSSL_NO_ERR"  if $no_err;
 $cflags.=" -DOPENSSL_NO_KRB5" if $no_krb5;
@@ -229,7 +242,7 @@ $cflags.=" -DOPENSSL_NO_ECDSA" if $no_ecdsa;
 $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
 $cflags.=" -DOPENSSL_NO_ENGINE"   if $no_engine;
 $cflags.=" -DOPENSSL_NO_HW"   if $no_hw;
-
+$cflags.=" -DOPENSSL_FIPS"    if $fips;
 $cflags.= " -DZLIB" if $zlib_opt;
 $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
 
@@ -251,9 +264,9 @@ else
 
 $ex_libs="$l_flags$ex_libs" if ($l_flags ne "");
 
-
 %shlib_ex_cflags=("SSL" => " -DOPENSSL_BUILD_SHLIBSSL",
-                  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
+                  "CRYPTO" => " -DOPENSSL_BUILD_SHLIBCRYPTO",
+                  "FIPS" => " -DOPENSSL_BUILD_SHLIBCRYPTO");
 
 if ($msdos)
         {
@@ -281,11 +294,21 @@ for (;;)
                 {
                 if ($lib ne "")
                         {
-                        $uc=$lib;
-                        $uc =~ s/^lib(.*)\.a/$1/;
-                        $uc =~ tr/a-z/A-Z/;
-                        $lib_nam{$uc}=$uc;
-                        $lib_obj{$uc}.=$libobj." ";
+                        if ($fips && $dir =~ /^fips/)
+                                {
+                                $uc = "FIPS";
+                                }
+                        else
+                                {
+                                $uc=$lib;
+                                $uc =~ s/^lib(.*)\.a/$1/;
+                                $uc =~ tr/a-z/A-Z/;
+                                }
+                        if (($uc ne "FIPS") || $fipscanisterbuild)
+                                {
+                                $lib_nam{$uc}=$uc;
+                                $lib_obj{$uc}.=$libobj." ";
+                                }
                         }
                 last if ($val eq "FINISHED");
                 $lib="";
@@ -328,11 +351,130 @@ for (;;)
         if ($key eq "LIBNAMES" && $dir eq "engines" && $no_static_engine)
                 { $engines.=$val }
 
+        if ($key eq "FIPS_EX_OBJ")
+                { 
+                $fips_ex_obj=&var_add("crypto",$val,0);
+                }
+
+        if ($key eq "FIPSLIBDIR")
+                {
+                $fipslibdir=$val;
+                $fipslibdir =~ s/\/$//;
+                $fipslibdir =~ s/\//$o/g;
+                }
+
+        if ($key eq "BASEADDR")
+                { $baseaddr=$val;}
+
         if (!($_=<IN>))
                 { $_="RELATIVE_DIRECTORY=FINISHED\n"; }
         }
 close(IN);
 
+if ($fips)
+        {
+         
+        foreach (split " ", $fips_ex_obj)
+                {
+                $fips_exclude_obj{$1} = 1 if (/\/([^\/]*)$/);
+                }
+
+        $fips_exclude_obj{"cpu_win32"} = 1;
+        $fips_exclude_obj{"bn_asm"} = 1;
+        $fips_exclude_obj{"des_enc"} = 1;
+        $fips_exclude_obj{"fcrypt_b"} = 1;
+        $fips_exclude_obj{"aes_core"} = 1;
+        $fips_exclude_obj{"aes_cbc"} = 1;
+
+        my @ltmp = split " ", $lib_obj{"CRYPTO"};
+
+
+        $lib_obj{"CRYPTO"} = "";
+
+        foreach(@ltmp)
+                {
+                if (/\/([^\/]*)$/ && exists $fips_exclude_obj{$1})
+                        {
+                        if ($fipscanisterbuild)
+                                {
+                                $lib_obj{"FIPS"} .= "$_ ";
+                                }
+                        }
+                else
+                        {
+                        $lib_obj{"CRYPTO"} .= "$_ ";
+                        }
+                }
+
+        }
+
+if ($fipscanisterbuild)
+        {
+        $fips_canister_path = "\$(LIB_D)${o}fipscanister.lib" if $fips_canister_path eq "";
+        $fips_premain_c_path = "\$(LIB_D)${o}fips_premain.c";
+        }
+else
+        {
+        if ($fips_canister_path eq "")
+                {
+                $fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.lib";
+                }
+
+        if ($fips_premain_c_path eq "")
+                {
+                $fips_premain_c_path = "\$(FIPSLIB_D)${o}fips_premain.c";
+                }
+        }
+
+if ($fips)
+        {
+        if ($fips_sha1_exe_path eq "")
+                {
+                $fips_sha1_exe_path =
+                        "\$(BIN_D)${o}fips_standalone_sha1$exep";
+                }
+        }
+        else
+        {
+        $fips_sha1_exe_path = "";
+        }
+
+if ($fips_premain_dso_exe_path eq "")
+        {
+        $fips_premain_dso_exe_path = "\$(BIN_D)${o}fips_premain_dso$exep";
+        }
+
+#       $ex_build_targets .= "\$(BIN_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips);
+
+#$ex_l_libs .= " \$(L_FIPS)" if $fipsdso;
+
+if ($fips)
+        {
+        if (!$shlib)
+                {
+                $ex_build_targets .= " \$(LIB_D)$o$crypto_compat \$(PREMAIN_DSO_EXE)";
+                $ex_l_libs .= " \$(O_FIPSCANISTER)";
+                $ex_libs_dep .= " \$(O_FIPSCANISTER)" if $fipscanisterbuild;
+                }
+        if ($fipscanisterbuild)
+                {
+                $fipslibdir = "\$(LIB_D)";
+                }
+        else
+                {
+                if ($fipslibdir eq "")
+                        {
+                        open (IN, "util/fipslib_path.txt") || fipslib_error();
+                        $fipslibdir = <IN>;
+                        chomp $fipslibdir;
+                        close IN;
+                        }
+                fips_check_files($fipslibdir,
+                                "fipscanister.lib", "fipscanister.lib.sha1",
+                                "fips_premain.c", "fips_premain.c.sha1");
+                }
+        }
+
 if ($shlib)
         {
         $extra_install= <<"EOF";
@@ -398,6 +540,7 @@ SRC_D=$src_dir
 LINK=$link
 LFLAGS=$lflags
 RSC=$rsc
+FIPSLINK=\$(PERL) util${o}fipslink.pl
 
 AES_ASM_OBJ=$aes_asm_obj
 AES_ASM_SRC=$aes_asm_src
@@ -441,6 +584,17 @@ MKLIB=$bin_dir$mklib
 MLFLAGS=$mlflags
 ASM=$bin_dir$asm
 
+# FIPS validated module and support file locations
+
+E_PREMAIN_DSO=fips_premain_dso
+
+FIPSLIB_D=$fipslibdir
+BASEADDR=$baseaddr
+FIPS_PREMAIN_SRC=$fips_premain_c_path
+O_FIPSCANISTER=$fips_canister_path
+FIPS_SHA1_EXE=$fips_sha1_exe_path
+PREMAIN_DSO_EXE=$fips_premain_dso_exe_path
+
 ######################################################
 # You should not need to touch anything below this point
 ######################################################
@@ -448,6 +602,7 @@ ASM=$bin_dir$asm
 E_EXE=openssl
 SSL=$ssl
 CRYPTO=$crypto
+LIBFIPS=libosslfips
 
 # BIN_D  - Binary output directory
 # TEST_D - Binary test file output directory
@@ -468,12 +623,14 @@ INCL_D=\$(TMP_D)
 
 O_SSL=     \$(LIB_D)$o$plib\$(SSL)$shlibp
 O_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$shlibp
+O_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$shlibp
 SO_SSL=    $plib\$(SSL)$so_shlibp
 SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp
 L_SSL=     \$(LIB_D)$o$plib\$(SSL)$libp
 L_CRYPTO=  \$(LIB_D)$o$plib\$(CRYPTO)$libp
+L_FIPS=    \$(LIB_D)$o$plib\$(LIBFIPS)$libp
 
-L_LIBS= \$(L_SSL) \$(L_CRYPTO)
+L_LIBS= \$(L_SSL) \$(L_CRYPTO) $ex_l_libs
 
 ######################################################
 # Don't touch anything below this point
@@ -483,13 +640,13 @@ INC=-I\$(INC_D) -I\$(INCL_D)
 APP_CFLAGS=\$(INC) \$(CFLAG) \$(APP_CFLAG)
 LIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG)
 SHLIB_CFLAGS=\$(INC) \$(CFLAG) \$(LIB_CFLAG) \$(SHLIB_CFLAG)
-LIBS_DEP=\$(O_CRYPTO) \$(O_SSL)
+LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) $ex_libs_dep
 
 #############################################
 EOF
 
 $rules=<<"EOF";
-all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe
+all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers \$(FIPS_SHA1_EXE) lib exe $ex_build_targets
 
 banner:
 $banner
@@ -604,6 +761,26 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$test,"\$(APP_CFLAGS)");
 $defs.=&do_defs("E_OBJ",$e_exe,"\$(OBJ_D)",$obj);
 $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)');
 
+# Special case rules for fips_start and fips_end fips_premain_dso
+
+if ($fips)
+        {
+        if ($fipscanisterbuild)
+                {
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj",
+                        "fips${o}fips_canister.c",
+                        "-DFIPS_START \$(SHLIB_CFLAGS)");
+                $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj",
+                        "fips${o}fips_canister.c", "\$(SHLIB_CFLAGS)");
+                }
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj",
+                "fips${o}sha${o}fips_standalone_sha1.c",
+                "\$(SHLIB_CFLAGS)");
+        $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj",
+                "fips${o}fips_premain.c",
+                "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)");
+        }
+
 foreach (values %lib_nam)
         {
         $lib_obj=$lib_obj{$_};
@@ -614,27 +791,41 @@ foreach (values %lib_nam)
                 $rules.="\$(O_SSL):\n\n"; 
                 next;
                 }
-        if (($aes_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s(\S*\/aes_core\S*)/ \$(AES_ASM_OBJ)/;
-                $lib_obj =~ s/\s\S*\/aes_cbc\S*//;
-                $rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
-                }
-        if (($bn_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
-                $rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
-                }
-        if (($bnco_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj .= "\$(BNCO_ASM_OBJ)";
-                $rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
-                }
-        if (($des_enc_obj ne "") && ($_ eq "CRYPTO"))
+
+        if ((!$fips && ($_ eq "CRYPTO")) || ($fips && ($_ eq "FIPS")))
                 {
-                $lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/;
-                $lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /;
-                $rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
+                if ($cpuid_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/(\S*\/cryptlib\S*)/$1 \$(CPUID_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
+                        }
+                if ($aes_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s(\S*\/aes_core\S*)/ \$(AES_ASM_OBJ)/;
+                        $lib_obj =~ s/\s\S*\/aes_cbc\S*//;
+                        $rules.=&do_asm_rule($aes_asm_obj,$aes_asm_src);
+                        }
+                if ($sha1_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
+                        }
+                if ($bn_asm_obj ne "")
+                        {
+                        $lib_obj =~ s/\s\S*\/bn_asm\S*/ \$(BN_ASM_OBJ)/;
+                        $rules.=&do_asm_rule($bn_asm_obj,$bn_asm_src);
+                        }
+                if ($bnco_asm_obj ne "")
+                        {
+                        $lib_obj .= "\$(BNCO_ASM_OBJ)";
+                        $rules.=&do_asm_rule($bnco_asm_obj,$bnco_asm_src);
+                        }
+                if ($des_enc_obj ne "")
+                        {
+                        $lib_obj =~ s/\s\S*des_enc\S*/ \$(DES_ENC_OBJ)/;
+                        $lib_obj =~ s/\s\S*\/fcrypt_b\S*\s*/ /;
+                        $rules.=&do_asm_rule($des_enc_obj,$des_enc_src);
+                        }
                 }
         if (($bf_enc_obj ne "") && ($_ eq "CRYPTO"))
                 {
@@ -661,21 +852,11 @@ foreach (values %lib_nam)
                 $lib_obj =~ s/\s(\S*\/md5_dgst\S*)/ $1 \$(MD5_ASM_OBJ)/;
                 $rules.=&do_asm_rule($md5_asm_obj,$md5_asm_src);
                 }
-        if (($sha1_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s(\S*\/sha1dgst\S*)/ $1 \$(SHA1_ASM_OBJ)/;
-                $rules.=&do_asm_rule($sha1_asm_obj,$sha1_asm_src);
-                }
         if (($rmd160_asm_obj ne "") && ($_ eq "CRYPTO"))
                 {
                 $lib_obj =~ s/\s(\S*\/rmd_dgst\S*)/ $1 \$(RMD160_ASM_OBJ)/;
                 $rules.=&do_asm_rule($rmd160_asm_obj,$rmd160_asm_src);
                 }
-        if (($cpuid_asm_obj ne "") && ($_ eq "CRYPTO"))
-                {
-                $lib_obj =~ s/\s(\S*\/cversion\S*)/ $1 \$(CPUID_ASM_OBJ)/;
-                $rules.=&do_asm_rule($cpuid_asm_obj,$cpuid_asm_src);
-                }
         $defs.=&do_defs(${_}."OBJ",$lib_obj,"\$(OBJ_D)",$obj);
         $lib=($slib)?" \$(SHLIB_CFLAGS)".$shlib_ex_cflags{$_}:" \$(LIB_CFLAGS)";
         $rules.=&do_compile_rule("\$(OBJ_D)",$lib_obj{$_},$lib);
@@ -690,15 +871,43 @@ if (($platform eq "VC-WIN32") || ($platform eq "VC-NT")) {
 \$(OBJ_D)\\\$(SSL).res: ms\\version32.rc
         \$(RSC) /fo"\$(OBJ_D)\\\$(SSL).res" /d SSL ms\\version32.rc
 
+\$(OBJ_D)\\\$(LIBFIPS).res: ms\\version32.rc
+        \$(RSC) /fo"\$(OBJ_D)\\\$(LIBFIPS).res" /d FIPS ms\\version32.rc
+
 EOF
 }
 
 $defs.=&do_defs("T_EXE",$test,"\$(TEST_D)",$exep);
 foreach (split(/\s+/,$test))
         {
+        my $t_libs;
         $t=&bname($_);
+        my $ltype;
+        # Check to see if test program is FIPS
+        if ($fips && /fips/)
+                {
+                # If fipsdso link to libosslfips.dll 
+                # otherwise perform static link to 
+                # $(O_FIPSCANISTER)
+                if ($fipsdso)
+                        {
+                        $t_libs = "\$(L_FIPS)";
+                        $ltype = 0;
+                        }
+                else
+                        {
+                        $t_libs = "\$(O_FIPSCANISTER)";
+                        $ltype = 2;
+                        }
+                }
+        else
+                {
+                $t_libs = "\$(L_LIBS)";
+                $ltype = 0;
+                }
+
         $tt="\$(OBJ_D)${o}$t${obj}";
-        $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+        $rules.=&do_link_rule("\$(TEST_D)$o$t$exep",$tt,"\$(LIBS_DEP)","$t_libs \$(EX_LIBS)", $ltype);
         }
 
 $defs.=&do_defs("E_SHLIB",$engines,"\$(ENG_D)",$shlibp);
@@ -712,9 +921,69 @@ foreach (split(/\s+/,$engines))
 
 
 $rules.= &do_lib_rule("\$(SSLOBJ)","\$(O_SSL)",$ssl,$shlib,"\$(SO_SSL)");
-$rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)");
 
-$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)");
+if ($fips)
+        {
+        if ($shlib)
+                {
+                if ($fipsdso)
+                        {
+                        $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+                                        "\$(O_CRYPTO)", "$crypto",
+                                        $shlib, "", "");
+                        $rules.= &do_lib_rule(
+                                "\$(O_FIPSCANISTER)",
+                                "\$(O_FIPS)", "\$(LIBFIPS)",
+                                $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+                        $rules.= &do_sdef_rule();
+                        }
+                else
+                        {
+                        $rules.= &do_lib_rule(
+                                "\$(CRYPTOOBJ) \$(O_FIPSCANISTER)",
+                                "\$(O_CRYPTO)", "$crypto",
+                                $shlib, "\$(SO_CRYPTO)", "\$(BASEADDR)");
+                        }
+                }
+        else
+                {
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ)",
+                        "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(FIPSOBJ)",
+                        "\$(LIB_D)$o$crypto_compat",$crypto,$shlib,"\$(SO_CRYPTO)", "");
+                }
+        }
+        else
+        {
+        $rules.= &do_lib_rule("\$(CRYPTOOBJ)","\$(O_CRYPTO)",$crypto,$shlib,
+                                                        "\$(SO_CRYPTO)");
+        }
+
+if ($fips)
+        {
+        if ($fipscanisterbuild)
+                {
+                $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)",
+                                        "\$(OBJ_D)${o}fips_start$obj",
+                                        "\$(FIPSOBJ)",
+                                        "\$(OBJ_D)${o}fips_end$obj",
+                                        "\$(FIPS_SHA1_EXE)", "");
+                $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
+                                        "\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}sha1dgst$obj \$(SHA1_ASM_OBJ)",
+                                        "","\$(EX_LIBS)", 1);
+                }
+        else
+                {
+                $rules.=&do_link_rule("\$(FIPS_SHA1_EXE)",
+                                        "\$(OBJ_D)${o}fips_standalone_sha1$obj \$(O_FIPSCANISTER)",
+                                        "","", 1);
+
+                }
+        $rules.=&do_link_rule("\$(PREMAIN_DSO_EXE)","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPSCANISTER)","","\$(EX_LIBS)", 1);
+        
+        }
+
+$rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)", ($fips && !$shlib) ? 2 : 0);
 
 print $defs;
 
@@ -752,6 +1021,8 @@ sub var_add
         return("") if $no_dh   && $dir =~ /\/dh/;
         return("") if $no_ec   && $dir =~ /\/ec/;
         return("") if $no_cms  && $dir =~ /\/cms/;
+        return("") if $no_jpake  && $dir =~ /\/jpake/;
+        return("") if !$fips   && $dir =~ /^fips/;
         if ($no_des && $dir =~ /\/des/)
                 {
                 if ($val =~ /read_pwd/)
@@ -1011,6 +1282,7 @@ sub read_options
                 "no-hmac" => \$no_hmac,
                 "no-asm" => \$no_asm,
                 "nasm" => \$nasm,
+                "ml64" => \$ml64,
                 "nw-nasm" => \$nw_nasm,
                 "nw-mwasm" => \$nw_mwasm,
                 "gaswin" => \$gaswin,
@@ -1018,6 +1290,7 @@ sub read_options
                 "no-ssl3" => \$no_ssl3,
                 "no-tlsext" => \$no_tlsext,
                 "no-cms" => \$no_cms,
+                "no-jpake" => \$no_jpake,
                 "no-capieng" => \$no_capieng,
                 "no-err" => \$no_err,
                 "no-sock" => \$no_sock,
@@ -1045,6 +1318,9 @@ sub read_options
                 "no-shared" => 0,
                 "no-zlib" => 0,
                 "no-zlib-dynamic" => 0,
+                "fips" => \$fips,
+                "fipscanisterbuild" => [\$fips, \$fipscanisterbuild],
+                "fipsdso" => [\$fips, \$fipscanisterbuild, \$fipsdso],
                 );
 
         if (exists $valid_options{$_})
@@ -1086,6 +1362,18 @@ sub read_options
                         {return 1;}
                 return 0;
                 }
+        # experimental-xxx is mostly like enable-xxx, but opensslconf.v
+        # will still set OPENSSL_NO_xxx unless we set OPENSSL_EXPERIMENTAL_xxx.
+        # (No need to fail if we don't know the algorithm -- this is for adventurous users only.)
+        elsif (/^experimental-/)
+                {
+                my $algo, $ALGO;
+                ($algo = $_) =~ s/^experimental-//;
+                ($ALGO = $algo) =~ tr/[a-z]/[A-Z]/;
+
+                $xcflags="-DOPENSSL_EXPERIMENTAL_$ALGO $xcflags";
+                
+                }
         elsif (/^--with-krb5-flavor=(.*)$/)
                 {
                 my $krb5_flavor = $1;
@@ -1109,3 +1397,31 @@ sub read_options
         else { return(0); }
         return(1);
         }
+
+sub fipslib_error
+        {
+        print STDERR "***FIPS module directory sanity check failed***\n";
+        print STDERR "FIPS module build failed, or was deleted\n";
+        print STDERR "Please rebuild FIPS module.\n"; 
+        exit 1;
+        }
+
+sub fips_check_files
+        {
+        my $dir = shift @_;
+        my $ret = 1;
+        if (!-d $dir)
+                {
+                print STDERR "FIPS module directory $dir does not exist\n";
+                fipslib_error();
+                }
+        foreach (@_)
+                {
+                if (!-f "$dir${o}$_")
+                        {
+                        print STDERR "FIPS module file $_ does not exist!\n";
+                        $ret = 0;
+                        }
+                }
+        fipslib_error() if ($ret == 0);
+        }
diff --git a/src/lib/libcrypto/util/mkdef.pl b/src/lib/libcrypto/util/mkdef.pl
index 8ecfde1848..5ae9ebb619 100644
--- a/src/lib/libcrypto/util/mkdef.pl
+++ b/src/lib/libcrypto/util/mkdef.pl
@@ -79,7 +79,7 @@ my $OS2=0;
 my $safe_stack_def = 0;
 
 my @known_platforms = ( "__FreeBSD__", "PERL5", "NeXT",
-                        "EXPORT_VAR_AS_FUNCTION", "ZLIB" );
+                        "EXPORT_VAR_AS_FUNCTION", "ZLIB", "OPENSSL_FIPS"); 
 my @known_ossl_platforms = ( "VMS", "WIN16", "WIN32", "WINNT", "OS2" );
 my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "CAST", "MD2", "MD4", "MD5", "SHA", "SHA0", "SHA1",
@@ -102,6 +102,8 @@ my @known_algorithms = ( "RC2", "RC4", "RC5", "IDEA", "DES", "BF",
                          "CMS",
                          # CryptoAPI Engine
                          "CAPIENG",
+                         # JPAKE
+                         "JPAKE",
                          # Deprecated functions
                          "DEPRECATED" );
 
@@ -122,7 +124,8 @@ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
 my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
 my $no_seed;
 my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
-my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng;
+my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng; my $no_jpake;
+my $fips;
 
 
 foreach (@ARGV, split(/ /, $options))
@@ -144,12 +147,13 @@ foreach (@ARGV, split(/ /, $options))
         }
         $VMS=1 if $_ eq "VMS";
         $OS2=1 if $_ eq "OS2";
+        $fips=1 if /^fips/;
+
         if ($_ eq "zlib" || $_ eq "zlib-dynamic"
-                         || $_ eq "enable-zlib-dynamic") {
-                $zlib = 1;
+                         || $_ eq "enable-zlib-dynamic") {
+                $zlib = 1;
         }
 
-
         $do_ssl=1 if $_ eq "ssleay";
         if ($_ eq "ssl") {
                 $do_ssl=1; 
@@ -209,6 +213,7 @@ foreach (@ARGV, split(/ /, $options))
         elsif (/^no-tlsext$/)   { $no_tlsext=1; }
         elsif (/^no-cms$/)      { $no_cms=1; }
         elsif (/^no-capieng$/)  { $no_capieng=1; }
+        elsif (/^no-jpake$/)    { $no_jpake=1; }
         }
 
 
@@ -305,6 +310,8 @@ $crypto.=" crypto/tmdiff.h";
 $crypto.=" crypto/store/store.h";
 $crypto.=" crypto/pqueue/pqueue.h";
 $crypto.=" crypto/cms/cms.h";
+$crypto.=" crypto/jpake/jpake.h";
+$crypto.=" fips/fips.h fips/rand/fips_rand.h";
 
 my $symhacks="crypto/symhacks.h";
 
@@ -1090,6 +1097,9 @@ sub is_valid
                         if ($keyword eq "EXPORT_VAR_AS_FUNCTION" && ($VMSVAX || $W32 || $W16)) {
                                 return 1;
                         }
+                        if ($keyword eq "OPENSSL_FIPS" && $fips) {
+                                return 1;
+                        }
                         if ($keyword eq "ZLIB" && $zlib) { return 1; }
                         return 0;
                 } else {
@@ -1135,6 +1145,7 @@ sub is_valid
                         if ($keyword eq "TLSEXT" && $no_tlsext) { return 0; }
                         if ($keyword eq "CMS" && $no_cms) { return 0; }
                         if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
+                        if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
                         if ($keyword eq "DEPRECATED" && $no_deprecated) { return 0; }
 
                         # Nothing recognise as true
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 53e14ab4df..554bebb159 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -44,7 +44,8 @@ while (@ARGV) {
 }
 
 if($recurse) {
-        @source = (<crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>);
+        @source = ( <crypto/*.c>, <crypto/*/*.c>, <ssl/*.c>,
+                        <fips/*.c>, <fips/*/*.c>);
 } else {
         @source = @ARGV;
 }
diff --git a/src/lib/libcrypto/util/mkfiles.pl b/src/lib/libcrypto/util/mkfiles.pl
index 1282392fea..67fb8694c8 100644
--- a/src/lib/libcrypto/util/mkfiles.pl
+++ b/src/lib/libcrypto/util/mkfiles.pl
@@ -47,6 +47,7 @@ my @dirs = (
 "crypto/x509",
 "crypto/x509v3",
 "crypto/conf",
+"crypto/jpake",
 "crypto/txt_db",
 "crypto/pkcs7",
 "crypto/pkcs12",
@@ -58,6 +59,15 @@ my @dirs = (
 "crypto/store",
 "crypto/pqueue",
 "crypto/cms",
+"fips",
+"fips/aes",
+"fips/des",
+"fips/dsa",
+"fips/dh",
+"fips/hmac",
+"fips/rand",
+"fips/rsa",
+"fips/sha",
 "ssl",
 "apps",
 "engines",
diff --git a/src/lib/libcrypto/util/mklink.pl b/src/lib/libcrypto/util/mklink.pl
index d9bc98aab8..eacc327882 100644
--- a/src/lib/libcrypto/util/mklink.pl
+++ b/src/lib/libcrypto/util/mklink.pl
@@ -15,13 +15,21 @@
 # Apart from this, this script should be able to handle even the most
 # pathological cases.
 
-use Cwd;
+my $pwd;
+eval 'use Cwd;';
+if ($@)
+        {
+        $pwd = `pwd`;
+        }
+else
+        {
+        $pwd = getcwd();
+        }
 
 my $from = shift;
 my @files = @ARGV;
 
 my @from_path = split(/[\\\/]/, $from);
-my $pwd = getcwd();
 chomp($pwd);
 my @pwd_path = split(/[\\\/]/, $pwd);
 
diff --git a/src/lib/libcrypto/util/pl/VC-32.pl b/src/lib/libcrypto/util/pl/VC-32.pl
index 1e254119e6..166785db8d 100644
--- a/src/lib/libcrypto/util/pl/VC-32.pl
+++ b/src/lib/libcrypto/util/pl/VC-32.pl
@@ -4,12 +4,26 @@
 #
 
 $ssl=   "ssleay32";
-$crypto="libeay32";
+
+if ($fips && !$shlib)
+        {
+        $crypto="libeayfips32";
+        $crypto_compat = "libeaycompat32.lib";
+        }
+else
+        {
+        $crypto="libeay32";
+        }
+
+if ($fipscanisterbuild)
+        {
+        $fips_canister_path = "\$(LIB_D)\\fipscanister.lib";
+        }
 
 $o='\\';
 $cp='$(PERL) util/copy.pl';
 $mkdir='$(PERL) util/mkdir-p.pl';
-$rm='del';
+$rm='del /Q';
 
 $zlib_lib="zlib1.lib";
 
@@ -96,7 +110,7 @@ else	# Win32
     $base_cflags=' /W3 /WX /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32';
     $base_cflags.=' -D_CRT_SECURE_NO_DEPRECATE';        # shut up VC8
     $base_cflags.=' -D_CRT_NONSTDC_NO_DEPRECATE';       # shut up VC8
-    my $f = $shlib?' /MD':' /MT';
+    my $f = $shlib || $fips ?' /MD':' /MT';
     $lib_cflag='/Zl' if (!$shlib);      # remove /DEFAULTLIBs from static lib
     $opt_cflags=$f.' /Ox /O2 /Ob2';
     $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
@@ -165,12 +179,17 @@ if ($nasm) {
         # pick newest version
         $asm=($ver gt $vew?"nasm":"nasmw")." -f win32";
         $afile='-o ';
+} elsif ($ml64) {
+        $asm='ml64 /c /Cp /Cx';
+        $asm.=' /Zi' if $debug;
+        $afile='/Fo';
 } else {
         $asm='ml /Cp /coff /c /Cx';
         $asm.=" /Zi" if $debug;
         $afile='/Fo';
 }
 
+$aes_asm_obj='';
 $bn_asm_obj='';
 $bn_asm_src='';
 $des_enc_obj='';
@@ -179,11 +198,13 @@ $bf_enc_obj='';
 $bf_enc_src='';
 
 if (!$no_asm)
+    {
+    if ($FLAVOR =~ "WIN32")
         {
         $aes_asm_obj='crypto\aes\asm\a_win32.obj';
         $aes_asm_src='crypto\aes\asm\a_win32.asm';
-        $bn_asm_obj='crypto\bn\asm\bn_win32.obj';
-        $bn_asm_src='crypto\bn\asm\bn_win32.asm';
+        $bn_asm_obj='crypto\bn\asm\bn_win32.obj crypto\bn\asm\mt_win32.obj';
+        $bn_asm_src='crypto\bn\asm\bn_win32.asm crypto\bn\asm\mt_win32.asm';
         $bnco_asm_obj='crypto\bn\asm\co_win32.obj';
         $bnco_asm_src='crypto\bn\asm\co_win32.asm';
         $des_enc_obj='crypto\des\asm\d_win32.obj crypto\des\asm\y_win32.obj';
@@ -204,12 +225,26 @@ if (!$no_asm)
         $rmd160_asm_src='crypto\ripemd\asm\rm_win32.asm';
         $cpuid_asm_obj='crypto\cpu_win32.obj';
         $cpuid_asm_src='crypto\cpu_win32.asm';
-        $cflags.=" -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
+        $cflags.=" -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DAES_ASM -DBN_ASM -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DMD5_ASM -DSHA1_ASM -DRMD160_ASM";
         }
+    elsif ($FLAVOR =~ "WIN64A")
+        {
+        $aes_asm_obj='$(OBJ_D)\aes-x86_64.obj';
+        $aes_asm_src='crypto\aes\asm\aes-x86_64.asm';
+        $bn_asm_obj='$(OBJ_D)\x86_64-mont.obj $(OBJ_D)\bn_asm.obj';
+        $bn_asm_src='crypto\bn\asm\x86_64-mont.asm';
+        $sha1_asm_obj='$(OBJ_D)\sha1-x86_64.obj $(OBJ_D)\sha256-x86_64.obj $(OBJ_D)\sha512-x86_64.obj';
+        $sha1_asm_src='crypto\sha\asm\sha1-x86_64.asm crypto\sha\asm\sha256-x86_64.asm crypto\sha\asm\sha512-x86_64.asm';
+        $cpuid_asm_obj='$(OBJ_D)\cpuid-x86_64.obj';
+        $cpuid_asm_src='crypto\cpuid-x86_64.asm';
+        $cflags.=" -DOPENSSL_CPUID_OBJ -DAES_ASM -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM";
+        }
+    }
 
 if ($shlib && $FLAVOR !~ /CE/)
         {
         $mlflags.=" $lflags /dll";
+#       $cflags =~ s| /MD| /MT|;
         $lib_cflag=" -D_WINDLL";
         $out_def="out32dll";
         $tmp_def="tmp32dll";
@@ -232,8 +267,8 @@ $(INCO_D)\applink.c:	ms\applink.c
 EXHEADER= $(EXHEADER) $(INCO_D)\applink.c
 
 LIBS_DEP=$(LIBS_DEP) $(OBJ_D)\applink.obj
-CRYPTOOBJ=$(OBJ_D)\uplink.obj $(CRYPTOOBJ)
 ___
+$banner .= "CRYPTOOBJ=\$(OBJ_D)\\uplink.obj \$(CRYPTOOBJ)\n";
         $banner.=<<'___' if ($FLAVOR =~ /WIN64/);
 CRYPTOOBJ=ms\uptable.obj $(CRYPTOOBJ)
 ___
@@ -250,26 +285,56 @@ $cflags.=" /Fd$out_def";
 
 sub do_lib_rule
         {
-        local($objs,$target,$name,$shlib)=@_;
+        my($objs,$target,$name,$shlib,$ign,$base_addr) = @_;
         local($ret);
 
         $taget =~ s/\//$o/g if $o ne '/';
-        if ($name ne "")
+        my $base_arg;
+        if ($base_addr ne "")
+                {
+                $base_arg= " /base:$base_addr";
+                }
+        else
+                {
+                $base_arg = "";
+                }
+        if ($target =~ /O_CRYPTO/ && $fipsdso)
+                {
+                $name = "/def:ms/libeayfips.def";
+                }
+        elsif ($name ne "")
                 {
                 $name =~ tr/a-z/A-Z/;
                 $name = "/def:ms/${name}.def";
                 }
 #       $target="\$(LIB_D)$o$target";
-        $ret.="$target: $objs\n";
+#       $ret.="$target: $objs\n";
         if (!$shlib)
                 {
 #               $ret.="\t\$(RM) \$(O_$Name)\n";
                 $ex =' ';
+                $ret.="$target: $objs\n";
                 $ret.="\t\$(MKLIB) $lfile$target @<<\n  $objs $ex\n<<\n";
                 }
         else
                 {
-                local($ex)=($target =~ /O_CRYPTO/)?'':' $(L_CRYPTO)';
+                my $ex = "";            
+                if ($target =~ /O_SSL/)
+                        {
+                        $ex .= " \$(L_CRYPTO)";
+                        #$ex .= " \$(L_FIPS)" if $fipsdso;
+                        }
+                my $fipstarget;
+                if ($fipsdso)
+                        {
+                        $fipstarget = "O_FIPS";
+                        }
+                else
+                        {
+                        $fipstarget = "O_CRYPTO";
+                        }
+
+
                 if ($name eq "")
                         {
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
@@ -290,7 +355,39 @@ sub do_lib_rule
                         $ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
                         }
                 $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;
-                $ret.="\t\$(LINK) \$(MLFLAGS) $efile$target $name @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+
+                if ($fips && $target =~ /$fipstarget/)
+                        {
+                        $ex.= $mwex unless $fipscanisterbuild;
+                        $ret.="$target: $objs \$(PREMAIN_DSO_EXE)";
+                        if ($fipsdso)
+                                {
+                                $ex.=" \$(OBJ_D)\\\$(LIBFIPS).res";
+                                $ret.=" \$(OBJ_D)\\\$(LIBFIPS).res";
+                                $ret.=" ms/\$(LIBFIPS).def";
+                                }
+                        $ret.="\n\tSET FIPS_LINK=\$(LINK)\n";
+                        $ret.="\tSET FIPS_CC=\$(CC)\n";
+                        $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+                        $ret.="\tSET PREMAIN_DSO_EXE=\$(PREMAIN_DSO_EXE)\n";
+                        $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+                        $ret.="\tSET FIPS_TARGET=$target\n";
+                        $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+                        $ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target ";
+                        $ret.="$name @<<\n  \$(SHLIB_EX_OBJ) $objs ";
+                        $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
+                        }
+                else
+                        {
+                        $ret.="$target: $objs";
+                        if ($target =~ /O_CRYPTO/ && $fipsdso)
+                                {
+                                $ret .= " \$(O_FIPS)";
+                                $ex .= " \$(L_FIPS)";
+                                }
+                        $ret.="\n\t\$(LINK) \$(MLFLAGS) $efile$target $name @<<\n  \$(SHLIB_EX_OBJ) $objs $ex\n<<\n";
+                        }
+
         $ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;2\n\n";
                 }
         $ret.="\n";
@@ -299,16 +396,64 @@ sub do_lib_rule
 
 sub do_link_rule
         {
-        local($target,$files,$dep_libs,$libs)=@_;
+        my($target,$files,$dep_libs,$libs,$standalone)=@_;
         local($ret,$_);
-        
         $file =~ s/\//$o/g if $o ne '/';
         $n=&bname($targer);
         $ret.="$target: $files $dep_libs\n";
-        $ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
-        $ret.="  \$(APP_EX_OBJ) $files $libs\n<<\n";
-    $ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;1\n\n";
+        if ($standalone == 1)
+                {
+                $ret.="  \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
+                $ret.= "$mwex advapi32.lib " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
+                $ret.="$files $libs\n<<\n";
+                }
+        elsif ($standalone == 2)
+                {
+                $ret.="\tSET FIPS_LINK=\$(LINK)\n";
+                $ret.="\tSET FIPS_CC=\$(CC)\n";
+                $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
+                $ret.="\tSET PREMAIN_DSO_EXE=\n";
+                $ret.="\tSET FIPS_TARGET=$target\n";
+                $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
+                $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
+                $ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n";
+                $ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
+                }
+        else
+                {
+                $ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
+                $ret.="\t\$(APP_EX_OBJ) $files $libs\n<<\n";
+                }
+        $ret.="\tIF EXIST \$@.manifest mt -nologo -manifest \$@.manifest -outputresource:\$@;1\n\n";
         return($ret);
         }
 
+sub do_rlink_rule
+        {
+        local($target,$rl_start, $rl_mid, $rl_end,$dep_libs,$libs)=@_;
+        local($ret,$_);
+        my $files = "$rl_start $rl_mid $rl_end";
+
+        $file =~ s/\//$o/g if $o ne '/';
+        $n=&bname($targer);
+        $ret.="$target: $files $dep_libs \$(FIPS_SHA1_EXE)\n";
+        $ret.="\t\$(PERL) ms\\segrenam.pl \$\$a $rl_start\n";
+        $ret.="\t\$(PERL) ms\\segrenam.pl \$\$b $rl_mid\n";
+        $ret.="\t\$(PERL) ms\\segrenam.pl \$\$c $rl_end\n";
+        $ret.="\t\$(MKLIB) $lfile$target @<<\n\t$files\n<<\n";
+        $ret.="\t\$(FIPS_SHA1_EXE) $target > ${target}.sha1\n";
+        $ret.="\t\$(PERL) util${o}copy.pl -stripcr fips${o}fips_premain.c \$(LIB_D)${o}fips_premain.c\n";
+        $ret.="\t\$(CP) fips${o}fips_premain.c.sha1 \$(LIB_D)${o}fips_premain.c.sha1\n";
+        $ret.="\n";
+        return($ret);
+        }
+
+sub do_sdef_rule
+        {
+        my $ret = "ms/\$(LIBFIPS).def: \$(O_FIPSCANISTER)\n";
+        $ret.="\t\$(PERL) util/mksdef.pl \$(MLFLAGS) /out:dummy.dll /def:ms/libeay32.def @<<\n  \$(O_FIPSCANISTER)\n<<\n";
+        $ret.="\n";
+        return $ret;
+        }
+
 1;
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 37f9a48206..341e0ba6a4 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -74,6 +74,10 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
+#ifdef _WIN32
+#define stat    _stat
+#endif
+
 typedef struct lookup_dir_st
         {
         BUF_MEM *buffer;
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 0d6bc653b2..e4c682fc44 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -322,10 +322,16 @@ unsigned long X509_NAME_hash(X509_NAME *x)
         {
         unsigned long ret=0;
         unsigned char md[16];
+        EVP_MD_CTX md_ctx;
 
         /* Make sure X509_NAME structure contains valid cached encoding */
         i2d_X509_NAME(x,NULL);
-        EVP_Digest(x->bytes->data, x->bytes->length, md, NULL, EVP_md5(), NULL);
+        EVP_MD_CTX_init(&md_ctx);
+        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+        EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
+        EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
+        EVP_DigestFinal_ex(&md_ctx,md,NULL);
+        EVP_MD_CTX_cleanup(&md_ctx);
 
         ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
                 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
diff --git a/src/lib/libcrypto/x509/x509_trs.c b/src/lib/libcrypto/x509/x509_trs.c
index 9c84a59d52..ed18700585 100644
--- a/src/lib/libcrypto/x509/x509_trs.c
+++ b/src/lib/libcrypto/x509/x509_trs.c
@@ -1,5 +1,5 @@
 /* x509_trs.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 9d1646d5c8..7f4004b291 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -1,5 +1,5 @@
 /* crypto/x509/x509cset.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index ed868b838e..02a203d72c 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -1,5 +1,5 @@
 /* x509spki.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
index 5c063ac65d..3eaec46f8a 100644
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ b/src/lib/libcrypto/x509v3/ext_dat.h
@@ -1,5 +1,5 @@
 /* ext_dat.h */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
index 4711b1ee92..fb392b901f 100644
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ b/src/lib/libcrypto/x509v3/pcy_data.c
@@ -1,5 +1,5 @@
 /* pcy_data.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
index b1ce77b9af..6c87a7f506 100644
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ b/src/lib/libcrypto/x509v3/pcy_tree.c
@@ -1,5 +1,5 @@
 /* pcy_tree.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/tabtest.c b/src/lib/libcrypto/x509v3/tabtest.c
index dad0d38dd5..5ed6eb6891 100644
--- a/src/lib/libcrypto/x509v3/tabtest.c
+++ b/src/lib/libcrypto/x509v3/tabtest.c
@@ -1,5 +1,5 @@
 /* tabtest.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index c6730ab3fd..a37f844d3c 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -878,6 +878,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
                                     v3_addr_get_afi(f)))
       return 0;
   }
+  (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
   sk_IPAddressFamily_sort(addr);
   assert(v3_addr_is_canonical(addr));
   return 1;
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
index ac0548b775..c6b68ee221 100644
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ b/src/lib/libcrypto/x509v3/v3_akey.c
@@ -1,5 +1,5 @@
 /* v3_akey.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
index 2aafa26ba7..2c50f7360e 100644
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ b/src/lib/libcrypto/x509v3/v3_akeya.c
@@ -1,5 +1,5 @@
 /* v3_akey_asn1.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
index ac3139d1e6..75fda7f268 100644
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ b/src/lib/libcrypto/x509v3/v3_alt.c
@@ -1,5 +1,5 @@
 /* v3_alt.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
@@ -527,7 +527,8 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
         return gen;
 
         err:
-        GENERAL_NAME_free(gen);
+        if (!out)
+                GENERAL_NAME_free(gen);
         return NULL;
         }
 
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
index 74b1233071..82aa488f75 100644
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ b/src/lib/libcrypto/x509v3/v3_bcons.c
@@ -1,5 +1,5 @@
 /* v3_bcons.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
index cf31f0816e..058d0d4dce 100644
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ b/src/lib/libcrypto/x509v3/v3_bitst.c
@@ -1,5 +1,5 @@
 /* v3_bitst.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
index 2b867305fb..11eb6b7fd5 100644
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ b/src/lib/libcrypto/x509v3/v3_conf.c
@@ -1,5 +1,5 @@
 /* v3_conf.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
index a40f490aa9..95596055ab 100644
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ b/src/lib/libcrypto/x509v3/v3_cpols.c
@@ -1,5 +1,5 @@
 /* v3_cpols.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
index c6e3ebae7b..181a8977b1 100644
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ b/src/lib/libcrypto/x509v3/v3_crld.c
@@ -1,5 +1,5 @@
 /* v3_crld.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
index a236cb22e1..36576eaa4d 100644
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ b/src/lib/libcrypto/x509v3/v3_enum.c
@@ -1,5 +1,5 @@
 /* v3_enum.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
index a4efe0031e..c0d14500ed 100644
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ b/src/lib/libcrypto/x509v3/v3_extku.c
@@ -1,5 +1,5 @@
 /* v3_extku.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
index 650b510980..84b4b1c881 100644
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ b/src/lib/libcrypto/x509v3/v3_genn.c
@@ -1,5 +1,5 @@
 /* v3_genn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
index b739ccd036..4ff12b52b5 100644
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ b/src/lib/libcrypto/x509v3/v3_ia5.c
@@ -1,5 +1,5 @@
 /* v3_ia5.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
index e0ef69de42..e1b8699f92 100644
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ b/src/lib/libcrypto/x509v3/v3_info.c
@@ -1,5 +1,5 @@
 /* v3_info.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
index 9a48dc1508..4bfd14cf46 100644
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ b/src/lib/libcrypto/x509v3/v3_int.c
@@ -1,5 +1,5 @@
 /* v3_int.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
index f3015ea610..df3a48f43e 100644
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ b/src/lib/libcrypto/x509v3/v3_lib.c
@@ -1,5 +1,5 @@
 /* v3_lib.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
index 62aac06335..e426ea930c 100644
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ b/src/lib/libcrypto/x509v3/v3_ocsp.c
@@ -1,5 +1,5 @@
 /* v3_ocsp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
index 5c4626e89b..076f3ff48e 100644
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ b/src/lib/libcrypto/x509v3/v3_pku.c
@@ -1,5 +1,5 @@
 /* v3_pku.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
index 20bd9bda19..c1bb17f105 100644
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ b/src/lib/libcrypto/x509v3/v3_prn.c
@@ -1,5 +1,5 @@
 /* v3_prn.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index c54e7887c7..e18751e01c 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -1,5 +1,5 @@
 /* v3_purp.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
index da0a3558f6..202c9e4896 100644
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ b/src/lib/libcrypto/x509v3/v3_skey.c
@@ -1,5 +1,5 @@
 /* v3_skey.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
index eaea9ea01b..2a6bf11b65 100644
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ b/src/lib/libcrypto/x509v3/v3_sxnet.c
@@ -1,5 +1,5 @@
 /* v3_sxnet.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
index 57be441399..2cb53008e3 100644
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ b/src/lib/libcrypto/x509v3/v3_utl.c
@@ -1,5 +1,5 @@
 /* v3_utl.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
 /* ====================================================================
@@ -736,17 +736,20 @@ static int ipv6_from_asc(unsigned char *v6, const char *in)
 
         /* Format result */
 
-        /* Copy initial part */
-        if (v6stat.zero_pos > 0)
+        if (v6stat.zero_pos >= 0)
+                {
+                /* Copy initial part */
                 memcpy(v6, v6stat.tmp, v6stat.zero_pos);
-        /* Zero middle */
-        if (v6stat.total != 16)
+                /* Zero middle */
                 memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
-        /* Copy final part */
-        if (v6stat.total != v6stat.zero_pos)
-                memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
-                        v6stat.tmp + v6stat.zero_pos,
-                        v6stat.total - v6stat.zero_pos);
+                /* Copy final part */
+                if (v6stat.total != v6stat.zero_pos)
+                        memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
+                                v6stat.tmp + v6stat.zero_pos,
+                                v6stat.total - v6stat.zero_pos);
+                }
+        else
+                memcpy(v6, v6stat.tmp, 16);
 
         return 1;
         }
diff --git a/src/lib/libcrypto/x509v3/v3conf.c b/src/lib/libcrypto/x509v3/v3conf.c
index 00cf5b4a5b..a9e6ca3542 100644
--- a/src/lib/libcrypto/x509v3/v3conf.c
+++ b/src/lib/libcrypto/x509v3/v3conf.c
@@ -1,5 +1,5 @@
 /* v3conf.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/v3prin.c b/src/lib/libcrypto/x509v3/v3prin.c
index b529814319..d5ff268296 100644
--- a/src/lib/libcrypto/x509v3/v3prin.c
+++ b/src/lib/libcrypto/x509v3/v3prin.c
@@ -1,5 +1,5 @@
 /* v3prin.c */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
index 5ba59f71c9..9ef83da755 100644
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ b/src/lib/libcrypto/x509v3/x509v3.h
@@ -1,5 +1,5 @@
 /* x509v3.h */
-/* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
 /* ====================================================================